Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b8fc2fc0ce3e22ee…

MALICIOUS

Office (OLE)

Size: 132.0 KB
Created: 2020-11-20 17:59:00
Authoring application: Microsoft Excel
MD5: 362dfb8885cfe2c010f4a9ad669729bd
SHA-1: 2e7cb948e110bf32ed6e15d6243308f6fa8ac6cc
SHA-256: b8fc2fc0ce3e22ee727e0523d29eef2ddb817a4349880c2e393310095d77eb72
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains Excel 4.0 macros, specifically an Auto_Open macro that executes a PowerShell command. This command downloads a file named 'gw.exe' from 'https://tinyurl.com/y8bcyly2' and then executes it. The macro also attempts to move the downloaded file to the user's AppData directory and establish persistence. The VBA project does not contain executable statements, indicating the primary malicious logic resides within the XLM macros.

Heuristics (4)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF defined-name record may be stored in tokenized form and so be partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs that can invoke programs, write files, or transfer control without any VBA.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA project contains no executable statements (low, OLE_VBA_MACROS)
    The document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename        Kind        Source                                                   Size
xlm_macros.txt  xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   1897 bytes
                SHA-256: 1e403aeee5aa4f53871e2e4fac9e3dcbe6063fa1d76152eec5db58574f48d62c
macros.bas      vba-macro   oletools.olevba.extract_macros (decoded VBA source)      642 bytes
                SHA-256: fed365d3401536fb63e11d0a36cc7c35338c0a8c74a96fb254c46366ad6287cd