Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 751a31e4705a4d0c…

MALICIOUS

Office (OLE)

192.5 KB Created: 2018-12-19 10:42:12 Authoring application: Microsoft Excel First seen: 2019-11-20
MD5: d3d2ec6c0e62b7d3a4b5f421851eda0c SHA-1: 155c985cf7151b44b16046e491d1a68380da925b SHA-256: 751a31e4705a4d0ccf08590ba4a1a50096651b6a045a6f5462716cff4d224c82
262 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a critical indicator of malicious intent. These macros are designed to execute msiexec.exe with URLs pointing to external payloads. The document body explicitly shows the construction of commands to download and execute payloads from 'http://lecmess.top/dat1' and 'http://engast.top/rt2'.

Heuristics 6

  • ClamAV: Xls.Dropper.Agent-7003827-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7003827-0
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • URL reconstructed from XLM cell array (2 URLs) critical OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://engast.top/rt2 Referenced by macro
    • http://lecmess.top/dat1Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 1852 bytes
SHA-256: c9b9d78dcd1a9fc6958870c174017989850ed71f5e020f73449a2ea278f33049
Preview script
First 1,000 lines of the extracted script
' 0085      9 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  
' 0085     13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Page
' 0085     11 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    
' 0018     31 LABEL : Cell Value, String Constant - breakout1 len=7 ptgRef3d  !E4 
' 0018     31 LABEL : Cell Value, String Constant - breakout2 len=7 ptgRef3d  !F10 
' 0018     28 LABEL : Cell Value, String Constant - Labos1 len=7 ptgRef3d  !E4 
' 0018     28 LABEL : Cell Value, String Constant - Labos2 len=7 ptgRef3d  !F10 
' 0018     28 LABEL : Cell Value, String Constant - Macro1 len=7 ptgRef3d  !E4 
' 0018     28 LABEL : Cell Value, String Constant - Macro2 len=7 ptgRef3d  !F10 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  !D2 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  ,D2,breakout1(),""
'  ,D3,HALT(),""
'  ,E5,breakout2(),""
'  ,E8,RETURN(),""
'  ,F11,IF(L2+M2>0),""
'  ,F13,"EXEC( !A32,2)",""
'  ,F14,"MESSAGE(TRUE,"Done")",""
'  ,F20,*STACKERROR* not enough arguments for function: ELSE,""
'  ,F21,PAUSE(),""
'  ,F23,*STACKERROR* not enough arguments for function: END.IF,""
'  ,F24,RETURN(),""
'  ,A33,HALT(),""