Office (OLE) malware analysis — malicious · b2ca2ad757620f45

MALICIOUS

Office (OLE)

178.0 KB Created: 2008-01-06 14:18:00 Authoring application: Microsoft Excel First seen: 2020-09-15

MD5: 9adfacc46085440fe2b6372c6076ee02 SHA-1: ab433a4b1f0f2c2a2cd408df4bc4fce4b6ddd604 SHA-256: b2ca2ad757620f4520942ab693eae848f2a714bb19ceac051ee61c376e524152

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 Auto_Open defined name, which is a strong indicator of malicious macro execution. The sample is an OLE Excel file containing XLM macros, suggesting it attempts to run arbitrary code when opened. No specific family could be identified from the available evidence.

Heuristics 2

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 91807 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	91807 bytes
SHA-256: `67191450b32e8166e85260bddcc93e81eb81e5068851e3ae7e8c47efbe93d770`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 17 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - SqqaEHIl ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!HZ61397 ' 0018 31 LABEL : Cell Value, String Constant - hidden len=11 ptgArea3d INCOMPLETE FORMULA PARSING Remaining, unparsed expression: b'\x00\x00\x06JhJR\x00R\x00' ' 0018 30 LABEL : Cell Value, String Constant - hidden len=11 ptgArea3d INCOMPLETE FORMULA PARSING Remaining, unparsed expression: b'\x00\x00\x0e\x0e\xb0\x0e\xd5\x00\xd5\x00' ' 0018 31 LABEL : Cell Value, String Constant - hidden len=7 ptgRef3d Sheet!HZ61402 ' 0018 29 LABEL : Cell Value, String Constant - hidden len=11 ptgArea3d INCOMPLETE FORMULA PARSING Remaining, unparsed expression: b'\x00\x00\x95\x12\xe6\x12\xe8\x00\xe8\x00' ' 0018 31 LABEL : Cell Value, String Constant - hidden len=11 ptgArea3d INCOMPLETE FORMULA PARSING Remaining, unparsed expression: b'\x00\x00\xcc\tU\nG\x00G\x00' ' 0018 30 LABEL : Cell Value, String Constant - hidden len=7 ptgRef3d Sheet!HZ61399 ' 0018 29 LABEL : Cell Value, String Constant - suTreHY hidden len=7 ptgRef3d Sheet!HZ61397 ' 0018 30 LABEL : Cell Value, String Constant - hidden len=7 ptgRef3d Sheet!HZ61401 ' 0018 29 LABEL : Cell Value, String Constant - hidden len=7 ptgRef3d Sheet!HZ61403 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, ... (truncated)

SHA-256: 67191450b32e8166e85260bddcc93e81eb81e5068851e3ae7e8c47efbe93d770

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     17 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  SqqaEHIl
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!HZ61397 
' 0018     31 LABEL : Cell Value, String Constant -       hidden len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x00\x00\x06JhJR\x00R\x00'
' 0018     30 LABEL : Cell Value, String Constant -      hidden len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x00\x00\x0e\x0e\xb0\x0e\xd5\x00\xd5\x00'
' 0018     31 LABEL : Cell Value, String Constant -           hidden len=7 ptgRef3d  Sheet!HZ61402 
' 0018     29 LABEL : Cell Value, String Constant -     hidden len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x00\x00\x95\x12\xe6\x12\xe8\x00\xe8\x00'
' 0018     31 LABEL : Cell Value, String Constant -       hidden len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x00\x00\xcc\tU\nG\x00G\x00'
' 0018     30 LABEL : Cell Value, String Constant -          hidden len=7 ptgRef3d  Sheet!HZ61399 
' 0018     29 LABEL : Cell Value, String Constant - suTreHY hidden len=7 ptgRef3d  Sheet!HZ61397 
' 0018     30 LABEL : Cell Value, String Constant -          hidden len=7 ptgRef3d  Sheet!HZ61401 
' 0018     29 LABEL : Cell Value, String Constant -         hidden len=7 ptgRef3d  Sheet!HZ61403 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.