Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 343ad49ec7ac679d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 201.0 KB
Created: 2020-07-16 08:15:40
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: aed4de7b0076ac964b872a413e441444
SHA-1: 6d5068772c2941a2b4fa53393c213fd21f4d92dc
SHA-256: 343ad49ec7ac679dbcb0d5cead12c29fae23b379e5e520951359e9f170b3ec54
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

This Excel file contains Excel 4.0 (XLM) macros, specifically an Auto_Open macro, a known technique for executing malicious code as soon as the document is opened. The 'Macro/content-enable lure' heuristic indicates that the document likely prompts the user to enable macros. The XLM macros also contain environment-evasion techniques. The specific IOC identified is the presence of the 'XLM Auto_Open' macro.

Heuristics (5)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • XLM Auto_Open environment-evasion close gate (critical, OLE_XLM_ENVIRONMENT_EVASION_CLOSE)
    Excel 4.0 macro sheet auto-executes environment checks with GET.WORKSPACE / GET.WINDOW, then shows a fake corruption/error message and closes the workbook when the host fails those checks. This is a malware sandbox-evasion pattern, even when the later payload stage is hidden behind obfuscated defined-name flow.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 85286 bytes
SHA-256: 6d852ef48f8eb80bff7c44b8ad0afa72a80f94ae86d5590a80e46a68abee3d5b
Script preview (first 1,000 lines of the extracted listing):
' 0085     10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  o
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Sheet
' 0085     16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  swWwICU
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     31 LABEL : Cell Value, String Constant - ajHCfhOUnvlRMMLQ len=0 
' 0018     53 LABEL : Cell Value, String Constant - aKUaWizBWXgElPeLRksiOJKINxqxcDoFILDcFj len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  o!DU53916 
' 0018     41 LABEL : Cell Value, String Constant - bhBJxdZZYcOUcsTSiYbTrVzxfU len=0 
' 0018     59 LABEL : Cell Value, String Constant - bIlBhoHPFkfgejVOVyaLbfiZybHqmbvlcqBjjWJjGThP len=0 
' 0018     38 LABEL : Cell Value, String Constant - BIPfGGVLOGeImkSHbSJWgQP len=0 
' 0018     46 LABEL : Cell Value, String Constant - BKFixRkEynTcdbgRLSvJIYcfWvLDnVX len=0 
' 0018     23 LABEL : Cell Value, String Constant - BsRgZJrt len=0 
' 0018     58 LABEL : Cell Value, String Constant - BuNKhDbTQbsHcQZxrVXEYdlbHQQPUqxFjwvMPSKixqa len=0 
' 0018     37 LABEL : Cell Value, String Constant - BuNKhDbUQbsHcQaxsWXEYd len=0 
' 0018     46 LABEL : Cell Value, String Constant - bVnXtdntpCThpqzXSvxekEMChcdbgRY len=0 
' 0018     21 LABEL : Cell Value, String Constant - CbCNHZ len=0 
' 0018     20 LABEL : Cell Value, String Constant - CDNWR len=0 
' 0018     24 LABEL : Cell Value, String Constant - CdxcBSsTe len=0 
' 0018     18 LABEL : Cell Value, String Constant - CFZ len=0 
' 0018     37 LABEL : Cell Value, String Constant - CGUQzNmmOWiLeKhzZzLFXH len=0 
' 0018     21 LABEL : Cell Value, String Constant - COefBD len=0 
' 0018     55 LABEL : Cell Value, String Constant - CriwHppcdENZCVzYqCqnhzwUEOUQcstPRaxfIYFL len=0 
' 0018     61 LABEL : Cell Value, String Constant - CRmnxHCfuOhBvkQZaYdOIPsGFVZbTsIzkSUpSWkuPdQDdz len=0 
' 0018     22 LABEL : Cell Value, String Constant - CrXSSRW len=0 
' 0018     20 LABEL : Cell Value, String Constant - DBGqj len=0 
' 0018     64 LABEL : Cell Value, String Constant - dbJxSIyNXGGssUcpRlQoGSHExQNjTekgrJKfhqOuYoVbuDrXT len=0 
' 0018     37 LABEL : Cell Value, String Constant - DDemybuaxQcQOIaXtdotpC len=0 
' 0018     62 LABEL : Cell Value, String Constant - DENXSvLdxRLBgpqoteXeJWVlorjJXQBikFhmzLfsgStQPqY len=0 
' 0018     38 LABEL : Cell Value, String Constant - DexdCTfTRLdawgrxtFWXstE len=0 
' 0018     49 LABEL : Cell Value, String Constant - DNkfJKqLQYOtDECHekrWjiyCFwWkdOvxSu len=0 
' 0018     30 LABEL : Cell Value, String Constant - dNYdalDRZajICfh len=0 
' 0018     59 LABEL : Cell Value, String Constant - DPfgCENkSvLrxRZPuppoteXeJjVlorjIlQzvkFvmzKts len=0 
' 0018     41 LABEL : Cell Value, String Constant - DpQmyNuMyDcQOIaXtQouqCFUpq len=0 
' 0018     22 LABEL : Cell Value, String Constant - dWdIiUk len=0 
' 0018     23 LABEL : Cell Value, String Constant - DyKbqxzJ len=0 
' 0018     22 LABEL : Cell Value, String Constant - DymHxoD len=0 
' 0018     24 LABEL : Cell Value, String Constant - dyzKTOrHa len=0 
' 0018     17 LABEL : Cell Value, String Constant - dz len=0 
' 0018     18 LABEL : Cell Value, String Constant - ejU len=0 
' 0018     19 LABEL : Cell Value, String Constant - eJWV len=0 
' 0018     56 LABEL : Cell Value, String Constant - embHDDCHrkrWwiyCFwVydNJxSJzNXGGtfHdpElDos len=0 
' 0018     21 LABEL : Cell Value, String Constant - EulyJs len=0 
' 0018     22 LABEL : Cell Value, String Constant - evhlLzw len=0 
' 0018     22 LABEL : Cell Value, String Constant - EvVxcNI len=0 
' 0018     41 LABEL : Cell Value, String Constant - EZxEzMPdyBKUPsIauOIxdmmlqb len=0 
' 0018     23 LABEL : Cell Value, String Constant - FikRXqyn len=0 
' 0018     23 LABEL : Cell Value, String Constant - FJiXUOgd len=0 
' 0018     
... (truncated)