Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 880d32a9cb2123c0…

MALICIOUS

Office (OLE)

Size: 230.5 KB
Created: 2020-05-15 06:54:53
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: 39a7bda162b981b8c17c842afe104afa
SHA-1: 5eb9000254684eab10e3255f3b217b769242e375
SHA-256: 880d32a9cb2123c01f5c156f904b983ba61456109954e5c0a50e152be5f58ffe
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains Excel 4.0 macros, specifically an obfuscated Auto_Open execution chain. The `RUN(BI25851)` function call within the macro indicates an attempt to execute a secondary payload or command. This suggests a macro-based attack vector, likely delivered as a spearphishing attachment.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (severity: critical; rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Obfuscated XLM Auto_Open execution chain (severity: critical; rule: OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
  • Excel 4.0 (XLM) macro sheet present (severity: medium; rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 128196 bytes
SHA-256: 190efa253658a4b0cf0504a6b0f3b8acbba0084a4bfdbf25a6bb1f386dd65abd
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!EN14751 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IY156,RUN(BI25851),""
... (truncated)