Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0cb8c0b9895889be…

MALICIOUS

Office (OOXML)

Size: 85.7 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 657a9ce584df68aab1fff99ee8d59cef
SHA-1: 61466a51f805ef177bc9b16f395995943a711ae7
SHA-256: 0cb8c0b9895889bef78b32d10c92211f43350e3328aedbada85178dcb47f06a4
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains multiple Excel 4.0 macro sheets, including one with an Auto_Open defined name, indicating that it is designed to execute automatically when the workbook is opened. The macros use dangerous functions such as FORMULA and CALL to download a DLL from 'http://162.248.227.39/first.php' and save it as '..\yeieowur.dll', which is then likely executed. This points to downloader or dropper functionality.

Heuristics 5

  • Excel 4.0 macro sheet (6 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: FORMULA, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts 6

Files carved from inside the sample during analysis.

Each entry lists: Filename, Kind, Source, Size, and the SHA-256 of the carved file.

  • xlm_sheet_00.xml  (xlm-macrosheet)  OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml  5734 bytes
    SHA-256: cf1825a3b085e5c600f6e09c6c58c7f1fe259e14f9a0915f2ddf106a13735f1c
  • xlm_sheet_01.xml  (xlm-macrosheet)  OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml  3904 bytes
    SHA-256: eb4bc757f510fdbb709e0b0ba07a386090e1c129fe22ab3970899cf68507715f
  • xlm_sheet_02.xml  (xlm-macrosheet)  OOXML XLM macro sheet: xl/macrosheets/sheet1.xml  1468 bytes
    SHA-256: a8de137f82b4947672de2fe635459778026bf24dcdbfb1f0cb74494eefd29cdc
  • xlm_sheet_03.xml  (xlm-macrosheet)  OOXML XLM macro sheet: xl/macrosheets/sheet2.xml  1624 bytes
    SHA-256: b3ceb4b10c63c5884849d461bcfd49965268f16342b5582612850ead81276dd8
  • xlm_sheet_04.xml  (xlm-macrosheet)  OOXML XLM macro sheet: xl/macrosheets/sheet3.xml  1693 bytes
    SHA-256: ec2494eab5af22ebd0fab7196ed1fdd149d7271871742286d358e3c0d940ad71
  • xlm_sheet_05.xml  (xlm-macrosheet)  OOXML XLM macro sheet: xl/macrosheets/sheet4.xml  1686 bytes
    SHA-256: f625d4527df6181dc15064a8c07eb18e81a419a66786237111148022b3b8ee10