Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22c9daf0ec60d91e…

MALICIOUS

Office (OLE)

Size: 151.5 KB
Created: 2020-06-22 16:20:38
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 367d41992a9bb2b532d73e88fb423920 SHA-1: 0922233368dafb9528ba2230a831e1beaba66a9b SHA-256: 22c9daf0ec60d91ef4a5854a6f3f035d16e4462ffebc51024114e45bb52e3805
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic

The file is an Excel workbook containing Excel 4.0 (XLM) macros, flagged by the OLE_XLM_AUTOOPEN and OLE_XLM_AUTOOPEN_DEFINEDNAME heuristics. The document body shows a message prompting the user to 'Enable editing', a common lure for macro-enabled documents. The workbook defines the built-in name Auto_Open, which resolves to K!J49324, a cell on the macro sheet 'K' far below the area a user sees on opening; Excel begins executing the macro at that cell automatically once content is enabled. The many other defined names in the listing (aBmCG, adVtWC, ...) carry no formula (len=0) and appear to be padding around the one entry that matters. Excel 4.0 macros are formula-based and distinct from VBA, so they are not covered by controls that only inspect VBA projects.

Heuristics 2

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered a built-in Auto_Open defined name from the Excel 4.0 macro sheet (shown in the listing as record 0018, 'built-in-name 1 Auto_Open'; record 0x0018 is the BIFF Lbl/NAME record although the listing labels it LABEL). A built-in name is stored as a one-byte code rather than the literal string 'Auto_Open', so byte-string checks can miss it, but the recovered listing confirms the workbook has an XLM auto-execution entry.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
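As an added example, not part of this report or of oletools, the following Python re-checks the two heuristics above from listing lines in the format shown under Extracted artifacts: it separates the BOUNDSHEET (0x0085) sheet table from the 0x0018 defined-name records, discards the empty padding names, and resolves any built-in Auto_Open/Auto_Close name to the sheet and cell it points at. The sample lines are constructed from the listing on this page; the built-in codes (1 Auto_Open, 2 Auto_Close, 10 Auto_Activate, 11 Auto_Deactivate) follow the [MS-XLS] Lbl record, and the regular expressions are this example's own assumptions about the listing format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the oletools XLM listing on this page
# (record id in hex, record length, record name, description). The BOUNDSHEET
# and Auto_Open lines are copied from the listing; the two empty names stand in
# for the dozens of len=0 padding names around them.
SAMPLE_LISTING = """\
' 0085     10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  K
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     20 LABEL : Cell Value, String Constant - aBmCG len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  K!J49324 
' 0018     18 LABEL : Cell Value, String Constant - avw len=0 
"""

# Built-in defined-name codes that trigger automatic execution ([MS-XLS] Lbl record).
AUTO_EXEC_BUILTINS = {1: "Auto_Open", 2: "Auto_Close", 10: "Auto_Activate", 11: "Auto_Deactivate"}

# "' 0018     23 LABEL : <description>"  ->  record id, length, record name, description
RECORD_RE = re.compile(r"^'?\s*([0-9A-Fa-f]{4})\s+(\d+)\s+(\w+)\s*:\s*(.*?)\s*$")
# "<name> len=<n> [tokens]" or "built-in-name <code> <name> len=<n> [tokens]"
NAME_RE = re.compile(r"(?:built-in-name\s+(\d+)\s+)?(\S+)\s+len=(\d+)(?:\s+(.*))?$")
# 3-D cell reference such as K!J49324 -> sheet, column letters, row
REF3D_RE = re.compile(r"([^!\s]+)!\$?([A-Z]{1,3})\$?(\d+)")


@dataclass
class Sheet:
    name: str
    kind: str          # "macro", "worksheet" or "other"
    visible: bool


@dataclass
class DefinedName:
    name: str
    builtin_code: Optional[int]   # None for user-defined names
    formula_len: int              # len=N: byte length of the name's formula (0 = none)
    target_sheet: Optional[str]
    target_cell: Optional[str]
    target_row: Optional[int]


def parse_listing(text):
    """Split the listing into BOUNDSHEET (0x0085) sheets and 0x0018 defined names."""
    sheets, names = [], []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec_id, body = int(m.group(1), 16), m.group(4)
        if rec_id == 0x0085:
            # "Sheet Information - Excel 4.0 macro sheet, visible -  K"
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) < 3:
                continue
            desc, sheet_name = parts[1], parts[-1]
            kind = "macro" if "macro sheet" in desc else "worksheet" if "worksheet" in desc else "other"
            visibility = desc.split(",")[-1].strip()
            sheets.append(Sheet(sheet_name, kind, visibility == "visible"))
        elif rec_id == 0x0018:
            # The tool labels 0x0018 "LABEL"; in BIFF8 it is the Lbl (defined name) record.
            entry = body.split(" - ", 1)[-1]
            nm = NAME_RE.match(entry)
            if not nm:
                continue
            code = int(nm.group(1)) if nm.group(1) else None
            ref = REF3D_RE.search(nm.group(4) or "")
            names.append(DefinedName(
                name=nm.group(2), builtin_code=code, formula_len=int(nm.group(3)),
                target_sheet=ref.group(1) if ref else None,
                target_cell=f"{ref.group(2)}{ref.group(3)}" if ref else None,
                target_row=int(ref.group(3)) if ref else None))
    return sheets, names


def find_auto_exec(text):
    """Return each auto-executing built-in name, resolved against the sheet table."""
    sheets, names = parse_listing(text)
    by_name = {s.name: s for s in sheets}
    hits = []
    for n in names:
        if n.builtin_code not in AUTO_EXEC_BUILTINS:
            continue
        sheet = by_name.get(n.target_sheet)
        hits.append({
            "name": AUTO_EXEC_BUILTINS[n.builtin_code],
            "target": f"{n.target_sheet}!{n.target_cell}" if n.target_sheet else None,
            "row": n.target_row,
            "on_macro_sheet": bool(sheet and sheet.kind == "macro"),
            "sheet_visible": sheet.visible if sheet else None,
        })
    return hits


def summarize(text):
    """The three facts a triage analyst wants: macro sheets, padding names, auto-exec entries."""
    sheets, names = parse_listing(text)
    return {
        "macro_sheets": [s.name for s in sheets if s.kind == "macro"],
        "empty_names": sum(1 for n in names if n.formula_len == 0),
        "auto_exec": find_auto_exec(text),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```

Run against the full xlm_macros.txt artifact, `summarize` reports one macro sheet ('K'), a large count of empty names, and a single Auto_Open entry targeting K!J49324. The `len=7` on that entry is consistent with a single ptgRef3d token (7 bytes in BIFF8: one ptg byte, a 2-byte sheet index, 2-byte row and 2-byte column), and row 49324 places the entry point far below anything rendered when the workbook opens.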

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 86,768 bytes
SHA-256: 466c5ae641def108fc33d6337c430da7dc002635738fab357545f6bfd00f989e
Preview (first 1,000 lines of the extracted listing):
' 0085     10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  K
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     20 LABEL : Cell Value, String Constant - aBmCG len=0 
' 0018     21 LABEL : Cell Value, String Constant - adVtWC len=0 
' 0018     63 LABEL : Cell Value, String Constant - aMQpebVnkIdCIEQThDFOYTvMeySMChqqpufYfKXWmpskJYRB len=0 
' 0018     43 LABEL : Cell Value, String Constant - aNnKXlSkWazolfxuRnMSOZcrNOYh len=0 
' 0018     35 LABEL : Cell Value, String Constant - apfiaycHFmbvmdqBkjXX len=0 
' 0018     61 LABEL : Cell Value, String Constant - aqXdwFtZVVUZKDKoPBRUXPnRvfbQkaRfpYYLxZvIWEVHLk len=0 
' 0018     25 LABEL : Cell Value, String Constant - aUmjGbBsoz len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  K!J49324 
' 0018     18 LABEL : Cell Value, String Constant - avw len=0 
' 0018     21 LABEL : Cell Value, String Constant - axhrxt len=0 
' 0018     19 LABEL : Cell Value, String Constant - aZBi len=0 
' 0018     56 LABEL : Cell Value, String Constant - bcafRKRvWIXbeWuXDmiXrhYmwffSFgCPdLcOSrgdX len=0 
' 0018     34 LABEL : Cell Value, String Constant - bEJWTCPooQYlNgMkCcC len=0 
' 0018     62 LABEL : Cell Value, String Constant - bFHntNVKpllkoagnFfeuknfEhMKrgBqhvGoobcDMYzUyXpB len=0 
' 0018     45 LABEL : Cell Value, String Constant - bjZFzByEovDTutKzCtTvaYGuPGwLVE len=0 
' 0018     57 LABEL : Cell Value, String Constant - BKidGIoJOWMrBBzFbipUhgwzDuTibLtvQswLIqEddF len=0 
' 0018     32 LABEL : Cell Value, String Constant - BRHKCaEigODXOEScL len=0 
' 0018     20 LABEL : Cell Value, String Constant - bRUMk len=0 
' 0018     23 LABEL : Cell Value, String Constant - bwxHfMpF len=0 
' 0018     26 LABEL : Cell Value, String Constant - BxJaowxHfaD len=0 
' 0018     58 LABEL : Cell Value, String Constant - BygVpfWkuddQQrzNoJnMdpebVnkHqCIEPghDFOlSvMs len=0 
' 0018     22 LABEL : Cell Value, String Constant - CarErpj len=0 
' 0018     21 LABEL : Cell Value, String Constant - ccrvyq len=0 
' 0018     25 LABEL : Cell Value, String Constant - cgjbzPIrZc len=0 
' 0018     27 LABEL : Cell Value, String Constant - cGWoJcWMrBBy len=0 
' 0018     52 LABEL : Cell Value, String Constant - cIDECHslsXxiyDGwWyeOKyTJzOYHHtgHdqFmE len=0 
' 0018     59 LABEL : Cell Value, String Constant - cjzaapgiazcHFmbvmdqCkjXXyHTvPuSkwkicurOxJOLW len=0 
' 0018     20 LABEL : Cell Value, String Constant - ClhWq len=0 
' 0018     19 LABEL : Cell Value, String Constant - cmVV len=0 
' 0018     51 LABEL : Cell Value, String Constant - CNTParHOPZwrVXEKdlaGCCzFqwEVvuLBEvUx len=0 
' 0018     39 LABEL : Cell Value, String Constant - cNuwRtyNXrFseGcbDkCosSsE len=0 
' 0018     45 LABEL : Cell Value, String Constant - CobDZlzhykoODztMJgCagcorGbdmwr len=0 
' 0018     45 LABEL : Cell Value, String Constant - COcKbNRrfdXpmJfEJGRUjFGPZUxNgz len=0 
' 0018     35 LABEL : Cell Value, String Constant - CpyWRuwdxDLBgppnsQXe len=0 
' 0018     23 LABEL : Cell Value, String Constant - CteMOjMQ len=0 
' 0018     22 LABEL : Cell Value, String Constant - cUtIBlT len=0 
' 0018     20 LABEL : Cell Value, String Constant - CXLUr len=0 
' 0018     36 LABEL : Cell Value, String Constant - CXYirmQgyTmgWCKLJOzsz len=0 
' 0018     16 LABEL : Cell Value, String Constant - D len=0 
' 0018     35 LABEL : Cell Value, String Constant - dbJxSJzNXGGttUdpSlRo len=0 
' 0018     22 LABEL : Cell Value, String Constant - DDppRZm len=0 
' 0018     30 LABEL : Cell Value, String Constant - DEenzbvayRqRcWo len=0 
' 0018     38 LABEL : Cell Value, String Constant - DHVfBOBnPkjMtLwBaBMGYVs len=0 
' 0018     35 LABEL : Cell Value, String Constant - DKoPBRVXPoRvgbQkbSfq len=0 
' 0018     24 LABEL : Cell Value, String Constant - DLzfbbZeQ len=0 
' 0018     26 LABEL : Cell Value, String Constant - DmJsEJGRiwF len=0 
' 0018     21 LABEL : Cell Value, String Constant - DQppRZ len=0 
' 0018     28 LABEL : Cell Value, String Constant - DqqSamPiOlEQE len=0 
' 0018     58 LABEL : Cell Value, String Constant - DqqSamPiOmEQECvOLhRciepHIdeoMsWlSYrzpVQRPUF len=0 
' 0018     23 LABEL : Cel
... (truncated)