Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 526a7941241856a6…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:43:05
Authoring application: Microsoft Excel
First seen: 2020-12-25
MD5: e74e8f2361d32e837ff85b2b277e8f1c
SHA-1: 9c10f5a626d7fb81afcb659f62d48e66d0727b34
SHA-256: 526a7941241856a67b589a0531fbb59f849f2d1626b5738a982fe4571f73d310
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel workbook containing Excel 4.0 (XLM) macros, specifically an Auto_Open defined name, which causes the macro to run automatically when the workbook is opened (subject to the user enabling macros). The presence of dangerous XLM formula APIs such as RUN indicates that the macro is meant to download and execute a secondary payload, a common technique for initial execution and payload delivery.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6889 bytes
SHA-256: c4b52c212e133d2f4a5324d36f5edecc9f8013cd689d1cb68cb8f470068ae814
Preview of the extracted script (first 1,000 lines):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  pnAtohGxJZv
' 0018     26 LABEL : Cell Value, String Constant - AgEGwIPmBRu len=0 
' 0018     26 LABEL : Cell Value, String Constant - aHTwdKAhMgH len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!I142 
' 0018     20 LABEL : Cell Value, String Constant - cIoaz len=0 
' 0018     24 LABEL : Cell Value, String Constant - dJJebKBDv len=0 
' 0018     23 LABEL : Cell Value, String Constant - EJmHSspJ len=0 
' 0018     22 LABEL : Cell Value, String Constant - EVpncbv len=0 
' 0018     25 LABEL : Cell Value, String Constant - GKMyLqLfUN len=0 
' 0018     21 LABEL : Cell Value, String Constant - hgZMfp len=0 
' 0018     20 LABEL : Cell Value, String Constant - jbdCH len=0 
' 0018     25 LABEL : Cell Value, String Constant - JHtGYFlUrN len=0 
' 0018     23 LABEL : Cell Value, String Constant - jviViSlz len=0 
' 0018     23 LABEL : Cell Value, String Constant - sfNtwAkQ len=0 
' 0018     23 LABEL : Cell Value, String Constant - tdMQXmjT len=0 
' 0018     26 LABEL : Cell Value, String Constant - TgYWLcMxtgL len=0 
' 0018     21 LABEL : Cell Value, String Constant - TpPFaD len=0 
' 0018     25 LABEL : Cell Value, String Constant - UgXijwDOrs len=0 
' 0018     24 LABEL : Cell Value, String Constant - UncMuZCNV len=0 
' 0018     23 LABEL : Cell Value, String Constant - wNZDzawW len=0 
' 0018     21 LABEL : Cell Value, String Constant - XzmASZ len=0 
' 0018     20 LABEL : Cell Value, String Constant - ZLwsM len=0 