Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 304200fb6fd71dc1…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 101.4 KB
Created: 2021-02-03 15:28:44 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-26
MD5: c2e19b4ebe2c37b7892e80a9c0e1c7f3
SHA-1: 9e4f82c5ab3d995a80cba888f89462c2feeea779
SHA-256: 304200fb6fd71dc1fd035c1c202a7e7ba4b2679d14592676322b2e550c7223d3
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, identified by multiple critical heuristics. These macros are designed to reassemble a payload and download a secondary executable from the URL 'https://beegtrading.com/doc.dll'. The reassembled payload appears to be a command to execute 'regsvr32 -s ', indicating an attempt to download and run a malicious file.

Heuristics (5)

  • Excel 4.0 macro sheet (1 sheet(s))
    Severity: critical (3 related findings) | Rule: OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • Excel 4.0 macro sheet stored under disguised package path
    Severity: critical | Rule: OOXML_XLM_DISGUISED_RELATIONSHIP
    OOXML package declares an xlMacrosheet relationship whose target is outside the canonical xl/macrosheets/ path. Excel follows the relationship type, while path-only scanners can miss the macro execution surface.
  • XLM payload reassembled from CHAR()/split formulas
    Severity: critical | Rule: OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
  • XLM payload URL string (1 URL)
    Severity: info | Rule: OOXML_XLM_PAYLOAD_URL
    An Excel 4.0 (XLM) macro-sheet workbook with download/execute evidence carries a literal http(s) URL stored as an (often UTF-16) string in the shared-string table or a cell. This is the next-stage payload host referenced by the macro download chain (URLDownloadToFile/ShellExecute); surfaced as an IOC.
  • Embedded URL
    Severity: info | Rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://beegtrading.com/doc.dll (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/dt/sheet1.bin
Size: 960240 bytes
SHA-256: 3c705b259a63a2bf9ee05ce0fef7e25f3815409e1bc11ab5515b5725b063da1e
Preview script
First 1,000 lines of the extracted script