Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9280479d6e030e96…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 174.0 KB
Created: 2020-07-08 02:35:04
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: fcb24994ece22f8d6a2902790ad97aa5
SHA-1: b3d54d0b90522c189c7f29ed260333c08c91ea08
SHA-256: 9280479d6e030e96b14aa0c2aa5e856f475e657d11d2d1596c082ff157d916c9
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains Excel 4.0 (XLM) macros, including an Auto_Open defined name, which is a strong indicator of malicious intent. The heuristics indicate the presence of dangerous formula APIs and environment evasion techniques within the macro. The macro sheet likely attempts to trick the user into enabling macros, a common lure for malware droppers.

Heuristics (5)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • XLM Auto_Open environment-evasion close gate [critical] OLE_XLM_ENVIRONMENT_EVASION_CLOSE
    The Excel 4.0 macro sheet auto-executes environment checks with GET.WORKSPACE / GET.WINDOW, then shows a fake corruption/error message and closes the workbook when the host fails those checks. This is a malware sandbox-evasion pattern, even when the later payload stage is hidden behind obfuscated defined-name flow.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    The document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 49549 bytes
SHA-256: 61a9fe4f1e099855f5f9103eb0ab59c60061618d0a954c1da097bcefe7341886
Preview: first 1,000 lines of the extracted script