Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e45b0258fbed1ed…

MALICIOUS

Office (OLE)

Size: 233.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: d00bbb3feafc248040b63a64bdf96c25
SHA-1: 72a16b47ae70d3e80afd92fb311fdddf0cd0518b
SHA-256: 1e45b0258fbed1edea3d0d1988f3a594b04677b830e16e27c636a79acc0c8e88
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Excel 4.0 macro-enabled workbook that uses an Auto_Open macro to execute. The document body attempts to socially engineer the user into enabling content. The XLM macro sheet contains heuristics indicating dangerous API usage and environment evasion, consistent with a dropper or downloader.

Heuristics 5

  • ClamAV: Xls.Dropper.Agent-9697950-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-9697950-0
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • XLM Auto_Open environment-evasion HALT gate high OLE_XLM_ENVIRONMENT_EVASION_HALT
    Excel 4.0 macro sheet auto-executes multiple GET.WORKSPACE / GET.WINDOW environment checks and halts execution when the host does not match the expected user environment. This is a common sandbox-evasion pattern in XLM malware and is stronger than a bare XLM macro-sheet indicator.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 331072 bytes
SHA-256: 346486385c13ff41662dd1f9f21af1177f1ce79af993c8d9ff16ee83069e1f9f
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  gKJ
' 0018     27 LABEL : Cell Value, String Constant - ArqNhxFHXwTL len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgNameX  NAMEIDX 5 
' 0018     22 LABEL : Cell Value, String Constant - BHJisut len=0 
' 0018     25 LABEL : Cell Value, String Constant - cWTAazKiLs len=0 
' 0018     28 LABEL : Cell Value, String Constant -        hidden len=7 ptgRef3d  Sheet!K1529 
' 0018     22 LABEL : Cell Value, String Constant - HaPrAWz len=0 
' 0018     27 LABEL : Cell Value, String Constant - lnmQJMsbDrPo len=0 
' 0018     20 LABEL : Cell Value, String Constant - PaNcj len=0 
' 0018     22 LABEL : Cell Value, String Constant - pqeemMO len=0 
' 0018     21 LABEL : Cell Value, String Constant - sPmzWY len=0 
' 0018     24 LABEL : Cell Value, String Constant - ThXoorGnm len=0 
' 0018     26 LABEL : Cell Value, String Constant - TSQqpNxFcSC len=0 
' 0018     25 LABEL : Cell Value, String Constant - tSvyfLisWw len=0 
' 0018     23 LABEL : Cell Value, String Constant - UBnlYSzL len=0 
' 0018     22 LABEL : Cell Value, String Constant - vCJWsGn len=0 
' 0018     26 LABEL : Cell Value, String Constant - wdRCvPeZkWt len=0 
' 0018     24 LABEL : Cell Value, String Constant - ykrrpbbef len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABEL
... (truncated)