MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains Excel 4.0 macros, specifically an Auto_Open entry, which is indicative of malicious intent. Heuristics indicate an obfuscated execution chain designed to run automatically. ClamAV detection further confirms its malicious nature, identifying it as a dropper. The primary function appears to be executing a secondary payload.
Heuristics (4)
- ClamAV: Xls.Dropper.Agent-8831822-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-8831822-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 127071 bytes |

SHA-256: 3794438238940cf43c12027ff08dfe63497f14c6d6c04b243a3571c2a8abbf70
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!CU10359
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
... (truncated)