Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2fff8a2727842e0a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 204.5 KB
Created: 2020-06-24 17:08:55
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 3e2b37dc16b0b315e4afdd2dd537e2d0
SHA-1: 6b2fa0e22f7708eeea6aeebb789da3a9068bf4ff
SHA-256: 2fff8a2727842e0a531caf6a31078c9765f7d2da8f49eaa4bcd234d05034d48a
Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The file contains a hidden Excel 4.0 (XLM) macro sheet with an Auto_Open defined name, so the macro sheet runs automatically when the workbook is opened and macros are allowed to run. Heuristics also flag dangerous XLM formula APIs and environment-evasion logic inside the macro sheet. VBA is present as well, but the only recovered VBA code is a one-line shape click handler (see macros.bas below), so the XLM macro sheet is the execution mechanism. The XLM formulas were not fully decoded during static analysis, but the combination of auto-execution, dangerous functions and a sandbox-evasion gate is consistent with a downloader or initial execution stage for further malicious activity.

Heuristics (5)

  • OLE_XLM_AUTOOPEN_DEFINEDNAME (critical): Excel 4.0 Auto_Open defined name
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. Excel stores built-in names such as Auto_Open in the NAME record as a one-byte index rather than as text, so a plain byte-string search of the file for "Auto_Open" can miss it; the recovered macro listing is the reliable confirmation that the workbook has an XLM auto-execution entry.
  • OLE_XLM_DANGEROUS_FN (critical): XLM Auto_Open with dangerous formula APIs
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs that can invoke programs, write files or transfer control to native code without any VBA.
  • OLE_XLM_ENVIRONMENT_EVASION_CLOSE (critical): XLM Auto_Open environment-evasion close gate
    The Excel 4.0 macro sheet auto-executes environment checks with GET.WORKSPACE / GET.WINDOW, then shows a fake corruption/error message and closes the workbook when the host fails those checks. This is a sandbox-evasion pattern: an analysis environment that fails the checks never reaches the payload stage, which in this sample is additionally hidden behind obfuscated defined-name flow.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • OLE_VBA_MACROS (medium): VBA macros detected
    The document contains VBA macro code. The recovered VBA (macros.bas below) is a single shape click handler that sets bold font, so the VBA is not the malicious component here.
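As an added example (not code from this report or from oletools), the following Python scanner applies the four XLM heuristics above to an olevba-style macro listing. It parses BOUNDSHEET lines in the layout shown in the extracted xlm_macros.txt listing later on this page, looks for an Auto_Open / Auto_Close name and for the function classes named in the heuristics, and maps the hits to the report's heuristic IDs. It works on the decoded listing rather than on the raw .xls bytes because Excel stores built-in names such as Auto_Open as a one-byte index, not as text. The FORMULA-line layout and the formulas in the constructed sample are assumptions made for illustration; real olevba output differs.

```python
"""Scan an olevba-style Excel 4.0 (XLM) macro listing for the patterns the
heuristics above describe: an XLM macro sheet, an Auto_Open/Auto_Close name,
dangerous formula APIs, and the GET.WORKSPACE/GET.WINDOW -> fake error -> CLOSE
evasion gate.  Added example, not code from the report or from oletools."""
import re
from dataclasses import dataclass

# Heuristic IDs as used in the report.
XLM_SHEET = "OLE_XLM_AUTOOPEN"
XLM_AUTOOPEN_NAME = "OLE_XLM_AUTOOPEN_DEFINEDNAME"
XLM_DANGEROUS = "OLE_XLM_DANGEROUS_FN"
XLM_EVASION_CLOSE = "OLE_XLM_ENVIRONMENT_EVASION_CLOSE"

# XLM functions that start programs, call native code or write files.
DANGEROUS_FN = {"EXEC", "CALL", "REGISTER", "RUN", "FORMULA", "FORMULA.FILL",
                "FOPEN", "FWRITE", "FWRITELN"}
ENV_PROBE_FN = {"GET.WORKSPACE", "GET.WINDOW"}   # host/sandbox environment probes
MESSAGE_FN = {"ALERT", "ERROR"}                   # the fake "file is corrupt" dialog
CLOSE_FN = {"CLOSE", "FILE.CLOSE"}                # bail out when the host looks wrong

# BOUNDSHEET lines follow the layout shown in the listing on this page.
BOUNDSHEET_RE = re.compile(
    r"BOUNDSHEET : Sheet Information - (?P<kind>[^,]+), "
    r"(?P<vis>visible|hidden|very hidden) -\s*(?P<name>.*?)\s*$")
AUTO_NAME_RE = re.compile(r"\bAuto_(?:Open|Close)\b", re.IGNORECASE)
# An XLM function is an upper-case token (dots allowed) immediately followed by "(".
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9_.]*)\(")


@dataclass(frozen=True)
class Finding:
    heuristic: str
    severity: str
    detail: str


def scan_xlm_listing(listing: str) -> list[Finding]:
    """Return the heuristics triggered by one macro listing, in report order."""
    xlm_sheets, auto_names, funcs = [], set(), set()
    for line in listing.splitlines():
        m = BOUNDSHEET_RE.search(line)
        if m:
            if "Excel 4.0 macro sheet" in m["kind"]:
                xlm_sheets.append((m["name"], m["vis"]))
            continue
        auto_names.update(AUTO_NAME_RE.findall(line))
        funcs.update(FUNC_RE.findall(line))

    findings = []
    if xlm_sheets:
        hidden = sum(1 for _, vis in xlm_sheets if vis != "visible")
        findings.append(Finding(XLM_SHEET, "medium",
            f"{len(xlm_sheets)} Excel 4.0 macro sheet(s), {hidden} hidden: "
            + ", ".join(name for name, _ in xlm_sheets)))
    if not auto_names:
        return findings          # the remaining heuristics require auto-execution
    findings.append(Finding(XLM_AUTOOPEN_NAME, "critical",
        "auto-execution name(s): " + ", ".join(sorted(auto_names))))
    dangerous = sorted(funcs & DANGEROUS_FN)
    if dangerous:
        findings.append(Finding(XLM_DANGEROUS, "critical",
            "auto-executed sheet calls " + ", ".join(dangerous)))
    # Co-occurrence check, not flow analysis: an environment probe, a message box
    # and a CLOSE all present in an auto-executing workbook is the evasion gate.
    if funcs & ENV_PROBE_FN and funcs & MESSAGE_FN and funcs & CLOSE_FN:
        findings.append(Finding(XLM_EVASION_CLOSE, "critical",
            "environment probe " + ", ".join(sorted(funcs & ENV_PROBE_FN))
            + " followed by message box and CLOSE"))
    return findings


def heuristic_ids(listing: str) -> set[str]:
    return {f.heuristic for f in scan_xlm_listing(listing)}


# Constructed sample.  The BOUNDSHEET and name lines copy the layout of the
# listing on this page; the FORMULA lines use an assumed, simplified layout with
# the decoded formula after the cell reference, and the formulas are illustrative.
SAMPLE_LISTING = """\
' 0085     26 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  GBpKBrFPyxlXyVhvd
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     11 LABEL : Cell Value, String Constant - Auto_Open len=0
' 0006     40 FORMULA : Cell Formula - R1C1 =IF(GET.WORKSPACE(19),,CLOSE(FALSE))
' 0006     40 FORMULA : Cell Formula - R2C1 =IF(GET.WINDOW(23)<3,CLOSE(FALSE))
' 0006     52 FORMULA : Cell Formula - R3C1 =ALERT("The file is corrupt and cannot be opened",2)
' 0006     30 FORMULA : Cell Formula - R4C1 =EXEC("cmd /c echo constructed-sample")
"""

# Constructed benign workbook: one visible worksheet, an ordinary formula, no XLM.
BENIGN_LISTING = """\
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet1
' 0006     20 FORMULA : Cell Formula - R1C1 =SUM(R2C1:R9C1)
"""

if __name__ == "__main__":
    for f in scan_xlm_listing(SAMPLE_LISTING):
        print(f"{f.severity:8} {f.heuristic}: {f.detail}")
```

The evasion check is deliberately a co-occurrence test: without evaluating the formulas it cannot prove that the CLOSE is conditioned on the probe, so a hit should be read the way the report reads it, as a strong pattern match that the extracted listing then confirms.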

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 65238 bytes
SHA-256: 3d2e5265b70dbb3ba0d1ee08b2941f799c8122fe5d6f6409702c421a10b358ca
Preview (first 1,000 lines of the extracted script):
' 0085     26 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  GBpKBrFPyxlXyVhvd
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     17 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  fjldDSKu
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 A
' 0085     20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 A
' 0085     20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 A
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     23 LABEL : Cell Value, String Constant - BaDhfOCX len=0 
' 0018     20 LABEL : Cell Value, String Constant - baquw len=0 
' 0018     23 LABEL : Cell Value, String Constant - BbCNHZIf len=0 
' 0018     20 LABEL : Cell Value, String Constant - BETop len=0 
' 0018     22 LABEL : Cell Value, String Constant - BfrrHLO len=0 
' 0018     22 LABEL : Cell Value, String Constant - bNoLXlT len=0 
' 0018     23 LABEL : Cell Value, String Constant - BTCZJTZV len=0 
' 0018     24 LABEL : Cell Value, String Constant - CQMuIhhJS len=0 
' 0018     24 LABEL : Cell Value, String Constant - cwCKzfoon len=0 
' 0018     24 LABEL : Cell Value, String Constant - eGaFdvVvH len=0 
' 0018     22 LABEL : Cell Value, String Constant - EgLvqfz len=0 
' 0018     23 LABEL : Cell Value, String Constant - etPDMjeI len=0 
' 0018     22 LABEL : Cell Value, String Constant - FivuLPR len=0 
' 0018     20 LABEL : Cell Value, String Constant - FPmTw len=0 
' 0018     22 LABEL : Cell Value, String Constant - GBCzFpj len=0 
' 0018     28 LABEL : Cell Value, String Constant - gkLywqJGcxXcY len=0 
' 0018     23 LABEL : Cell Value, String Constant - GNeFEUKN len=0 
' 0018     22 LABEL : Cell Value, String Constant - GStOsRj len=0 
' 0018     21 LABEL : Cell Value, String Constant - hkbBQJ len=0 
' 0018     20 LABEL : Cell Value, String Constant - hvoZH len=0 
' 0018     20 LABEL : Cell Value, String Constant - HvsmF len=0 
' 0018     21 LABEL : Cell Value, String Constant - ihJqIt len=0 
' 0018     21 LABEL : Cell Value, String Constant - IMakFT len=0 
' 0018     24 LABEL : Cell Value, String Constant - iUaiyZYoe len=0 
' 0018     22 LABEL : Cell Value, String Constant - JdGLYiE len=0 
' 0018     21 LABEL : Cell Value, String Constant - JDVSoY len=0 
' 0018     22 LABEL : Cell Value, String Constant - JefoytX len=0 
' 0018     23 LABEL : Cell Value, String Constant - JixpaIKf len=0 
' 0018     23 LABEL : Cell Value, String Constant - juoHEawV len=0 
' 0018     29 LABEL : Cell Value, String Constant - knDYZisnRgzTmh len=0 
' 0018     24 LABEL : Cell Value, String Constant - KqLQYNtCD len=0 
' 0018     22 LABEL : Cell Value, String Constant - lIgmitw len=0 
' 0018     24 LABEL : Cell Value, String Constant - LkNrpXMgX len=0 
' 0018     22 LABEL : Cell Value, String Constant - LZVESqr len=0 
' 0018     21 LABEL : Cell Value, String Constant - mGZsnc len=0 
' 0018     20 LABEL : Cell Value, String Constant - MKPmt len=0 
' 0018     24 LABEL : Cell Value, String Constant - mtjPKLJOz len=0 
' 0018     21 LABEL : Cell Value, String Constant - NJUlBW len=0 
' 0018     22 LABEL : Cell Value, String Constant - NszTbQv len=0 
' 0018     21 LABEL : Cell Value, String Constant - NwHNJV len=0 
' 0018     23 LABEL : Cell Value, String Constant - obOoLKmU len=0 
' 0018     21 LABEL : Cell Value, String Constant - OPZwdH len=0 
' 0
... (truncated)
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 717 bytes
SHA-256: be23b65a6fa29680599137f837eec0639785801749f6f7877198f0531b8d3b52
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub RectangleRoundedCorners5_Click()
    Selection.Font.Bold = True
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True