Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 2e5458917b858dcd…

MALICIOUS

Office (OLE) / .XLSX

Size: 136.0 KB
Created: 2021-10-27 10:31:49
Authoring application: Microsoft Excel
MD5: 4e45a553e005ee4e8c225f74d01ab98c
SHA-1: c17900161b83e25ff8bd3f82c3a3726fec7434cd
SHA-256: 2e5458917b858dcdf65182a597704ee57a33f1cb0ed385665e021f7f0895fba9
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains Excel 4.0 macros, indicated by the OLE_XLM_AUTOOPEN heuristic. The macros reconstruct a file path 'C:\Pr.ogramData\DTFdfNmqP.vb.s' and attempt to execute it using the EXEC function. Additionally, three URLs were extracted from the macro, likely serving as download locations for the secondary payload. The URLs themselves were flagged as confirmed benign, but the macro's intent to download and execute is clear.

Heuristics (3)

  • URL reconstructed from XLM cell array (3 URLs) [critical] OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime) or across individual numeric cells (one ASCII charcode per cell). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries plus LABELSST/RK/NUMBER cells.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://cdn.discordapp.com/attachments/911255825308348439/917344555379085402/efrXXwhatsupmotherfuckers.bin
    • https://cdn.discordapp.com/attachments/911255825308348439/917344568125562890/GuJPZwmNijUwhatsupmotherfuckers.bin
    • https://cdn.discordapp.com/attachments/911255825308348439/917344562354221086/bfugrKhVwhatsupmotherfuckers.bin

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256:  4740710ff7329ee8b2fe6ff10a513622fdd3cef9734f85d2036235a854a66cd1
Kind:     xlm-macro
Source:   oletools.olevba.extract_all_macros (XLM macro listing)
Size:     2167 bytes