Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 602c6caf9127455a…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-25 10:38:27
Authoring application: Microsoft Excel
First seen: 2021-07-07
MD5: 92cf8f803f2dd28e52f77765378fb3db
SHA-1: 7438f137ad397e332845c30d922af454bc946676
SHA-256: 602c6caf9127455abc06439fe31b5c14ab0c569d5f15c78017b46b7145daa828
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file is an Excel workbook carrying an Excel 4.0 (XLM) macro sheet. Its defined-name table contains the built-in name Auto_Open (built-in index 1), so Excel runs the macro that name points at as soon as the workbook is opened and macros are permitted; no VBA project is involved, so VBA-only macro scanners do not see it. The heuristics flag dangerous XLM formula functions, specifically RUN, which transfers control to another macro and is commonly used alongside functions that launch programs or download additional payloads. The recovered listing also shows twenty further defined names with random-looking identifiers and zero-length definitions (len=0), a padding pattern consistent with obfuscated XLM droppers. An Auto_Open entry combined with dangerous functions indicates code execution on open.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In BIFF the built-in name is stored as a one-byte index (1 = Auto_Open, 2 = Auto_Close) rather than as the literal string, so byte-string checks for "Auto_Open" can miss it; the recovered macro listing (record 0x0018, built-in-name 1, with a 3D cell reference as its definition) confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet combines an Auto_Open / Auto_Close entry with XLM formula functions that can invoke programs, write files, or transfer control, all without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream (a BOUNDSHEET record whose sheet type is "Excel 4.0 macro sheet"). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename         Kind        Source                                                  Size
xlm_macros.txt   xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)  6433 bytes
SHA-256: 25a8b31ee8c5758e16663677fead176131fd3921da5375d8b417149bbb2e8e5d

Preview: first 1,000 lines of the extracted listing. Each line is one BIFF record as printed by oletools: record id (hex), payload length (decimal), record name, and the decoded fields.
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  qiF
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!D140 
' 0018     21 LABEL : Cell Value, String Constant - BJVngp len=0 
' 0018     23 LABEL : Cell Value, String Constant - CaTfxRQO len=0 
' 0018     24 LABEL : Cell Value, String Constant - CDmJHoqTv len=0 
' 0018     26 LABEL : Cell Value, String Constant - CIyVwDXjsAV len=0 
' 0018     20 LABEL : Cell Value, String Constant - DUtUi len=0 
' 0018     23 LABEL : Cell Value, String Constant - FOIxHSGy len=0 
' 0018     23 LABEL : Cell Value, String Constant - gKdyLGNK len=0 
' 0018     26 LABEL : Cell Value, String Constant - hGbNtlXMdRW len=0 
' 0018     26 LABEL : Cell Value, String Constant - pIoVCxCnDlP len=0 
' 0018     25 LABEL : Cell Value, String Constant - PuDvGnpkuj len=0 
' 0018     22 LABEL : Cell Value, String Constant - RjiQcfZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - sLOMlrIt len=0 
' 0018     20 LABEL : Cell Value, String Constant - SqvIC len=0 
' 0018     21 LABEL : Cell Value, String Constant - sSscoE len=0 
' 0018     26 LABEL : Cell Value, String Constant - uukiXxGGypK len=0 
' 0018     23 LABEL : Cell Value, String Constant - wGAcTdJX len=0 
' 0018     24 LABEL : Cell Value, String Constant - WQxXfbrok len=0 
' 0018     27 LABEL : Cell Value, String Constant - yKzlAfHbuaJj len=0 
' 0018     20 LABEL : Cell Value, String Constant - YynXZ len=0 
' 0018     26 LABEL : Cell Value, String Constant - zUSDKPLMAyl len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 
... (truncated)