Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 32eab0561847268e…

MALICIOUS

Office (OLE)

Size: 223.0 KB
Created: 2020-06-01 07:18:20
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 641b01cc90fabe53b1284deac87c87b2
SHA-1: 85d315befa1f236cf4687127750571d7a8df27ef
SHA-256: 32eab0561847268edf71b045b15ae78c37476e0bd0f69310a763a1dd4c564858
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel workbook containing obfuscated Excel 4.0 macros. Critical heuristics indicate the presence of an Auto_Open execution chain, suggesting the macros are designed to run automatically upon opening the document. The specific obfuscation techniques used in the XLM macros prevent a more detailed analysis of the payload, but the intent is to execute arbitrary code.

Heuristics 3

  • Excel 4.0 Auto_Open defined name (severity: critical, rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Obfuscated XLM Auto_Open execution chain (severity: critical, rule: OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 125141 bytes
SHA-256: f4c44016c5574d7ef179e3ca6a37cf94191371215354b41dd620da4038f5b21a
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!IA14527 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,Q2550,"SET.VALUE(CU52378,GET.CELL(50,FD14200)+-10.00000000000000000000-2)",""
'  Sheet,Q2551,RUN(FJ25215),""
'  Sheet,D2751,GOTO(FL42819),""
... (truncated)