Office (OLE) malware analysis — malicious · ced72b8ec22d8d2e

MALICIOUS

Office (OLE)

232.0 KB Created: 2020-05-15 07:15:16 Authoring application: Microsoft Excel First seen: 2020-09-15

MD5: 138c86c1498c7b928d57d597854b8825 SHA-1: 4cde7a9a6da27f1695eaea56cbf95ed511493846 SHA-256: ced72b8ec22d8d2e211cefb60b49347993a004b9f40b37c17f0c251c92fad38f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristics indicate the presence of an obfuscated Excel 4.0 Auto_Open macro. The macro sheet contains a RUN function call, which is typically used to execute external commands or download additional payloads. The obfuscation suggests an attempt to evade detection. The file is likely delivered as a spearphishing attachment.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 129943 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	129943 bytes
SHA-256: `0e2b4006c315204ea8833a248a842a53a5203f623602063915a70383b7e39a0d`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!CH44069 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,GG22,RUN(IO23375),"" ' Sheet,EV61,"",-92.00000000000000000000 ' Sheet,DV124,"",132.00000000000000000000 ' Sheet,JD125,"",-0.11764705882352941013 ' Sheet,CU137,"",-7.63265306122448983217 ' Sheet,CI138,"",-288.00000000000000000000 ' Sheet,JG151,"",520.00000000000000000000 ' Sheet,IS207,"",26.60001953124999829470 ' Sheet,GS229,"",6.67164179104477650384 ' Sheet,HI267,"",-0.09297052154195011020 ' Sheet,HJ330,"",-0.05141843971631205462 ' Sheet,CE446,"",-1.40000122070312493783 ' Sheet,IG461,"",-1.66071428571428580945 ' Sheet,DQ508,"",-523.00000000000000000000 ' Sheet,GE517,"",-423.00000000000000000000 ' Sheet,CS553,"",536.00000000000000000000 ' Sheet,CG557,"",-0.03581914268937169687 ' Sheet,GN573,"",-4.84615384615384581224 ' Sheet,HG620,"",-24.68115942028985543288 ' Sheet,GJ635,"",47.00000000000000000000 ' Sheet,CX663,"",-0.26291079812206574751 ' Sheet,DS671,"",601.00000000000000000000 ' Sheet,GY674,"",-7.79166666666666696273 ' Sheet,W693,"",240.00000000000000000000 ' Sheet,IZ699,"",-3.24175824175824178752 ' Sheet,EF711,"",-394.00000000000000000000 ' Sheet,GB722,"",-0.34615384615384614531 ' Sheet,HT733,"",1794.00000000000000000000 ' Sheet,BW738,"",-0.61538461538461541878 ' Sheet,GU759,"",409.00000000000000000000 ' Sheet,EQ763,"",47.60003906250000227374 ' Sheet,HD780,"",-3.52066115702479320859 ' Sheet,BC783,"",-3.94444444444444464182 ' Sheet,BC803,"",-365.00000000000000000000 ' Sheet,IT828,"",0.17857142857142857539 ' Sheet,HX946,"",3.06666666666666687391 ' Sheet,CG958,"",-0.24483471074380164234 ' Sheet,IQ958,"",547.00000000000000000000 ' Sheet,HL1005,"",-3.22413793103448265143 ' Sheet,HM1026,"",0.30000015258789064498 ' Sheet,IB1050,"",1.18666666666666653640 ' Sheet,JA1073,"",320.00000000000000000000 ' Sheet,CN1083,"",-371.00000000000000000000 ' Sheet,IJ1104,"",-1.21739130434782616419 ' Sheet,CU1115,"",175.00000000000000000000 ' Sheet,DQ1134,"",6.49122807017543834718 ' Sheet,K1169,"",0.48545454545454541639 ' Sheet,FO1169,"",5.73076923076923083755 ' Sheet,HY1260,"",-23.50000000000000000000 ' Sheet,EU1287,"",0.51533742331288345806 ' Sheet,BM1314,"",355.00000000000000000000 ' Sheet,JD1330,"",-557.00000000000000000000 ' Sheet,EX1348,"",159.00000000000000000000 ' Sheet,HY1352,"",-0.39133473095737247860 ' Sheet,FB1399,"",433.00000000000000000000 ' Sheet,FG1406,"",-47.00000000000000000000 ' Sheet,CY1493,"",-47.00000000000000000000 ' Sheet,GC1560,"",402.00000000000000000000 ' Sheet,EN1642,"",-0.02759835584263065078 ' Sheet,DU1662,"",0.49275362318840582043 ' Sheet,FH1670,"",-1.17117117117117119918 ' Sheet,GW1674,"",-3.70297029702970315057 ' Sheet,HX1732,"",0.44202898550724639692 ' Sheet,HH1765,"",0.63571428571428567622 ' Sheet,DT1804,"",388.00000000000000000000 ' Sheet,EH1833,"",-5.13043478260869534324 ' Sheet,FZ1843,"",212.00000000000000000000 ' Sheet,CV1883,"",-107.00000000000000000000 ' Sheet,JT1898,"",-0.70000061035156246891 ' Sheet,E1903,"",-1.19642857142857139685 ' Sheet,HH1915,"",-1.19148936170212760288 ' Sheet,A1940,"",339.00000000000000000000 ' Sheet,BI1963,"",-396.00000000000000000000 ' Sheet,IH2024,"",116.00000000000000000000 ' Sheet,HJ2034,"",-0.15873015873015872135 ' Sheet,W2107,"",0.10961968680089485828 ' Sheet,BY2108,"",197.00000000000000000000 ' Sheet,ID2182,"",-0.10169491525423729472 ' Sheet,JH2198,"",-4.78378378378378421587 ' Sheet,FA2200,"",-9.21875000000000000000 ' Sheet,BJ2257,"",-377.20031249999999545253 ' Sheet,M2276,"",-352.00000000000000000000 ' Sheet,FU2308,"",-112.00000000000000000000 ' Sheet,HW2345,"",537.00000000000000000000 ' Sheet,DC242 ... (truncated)

SHA-256: 0e2b4006c315204ea8833a248a842a53a5203f623602063915a70383b7e39a0d

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!CH44069 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,GG22,RUN(IO23375),""
'  Sheet,EV61,"",-92.00000000000000000000
'  Sheet,DV124,"",132.00000000000000000000
'  Sheet,JD125,"",-0.11764705882352941013
'  Sheet,CU137,"",-7.63265306122448983217
'  Sheet,CI138,"",-288.00000000000000000000
'  Sheet,JG151,"",520.00000000000000000000
'  Sheet,IS207,"",26.60001953124999829470
'  Sheet,GS229,"",6.67164179104477650384
'  Sheet,HI267,"",-0.09297052154195011020
'  Sheet,HJ330,"",-0.05141843971631205462
'  Sheet,CE446,"",-1.40000122070312493783
'  Sheet,IG461,"",-1.66071428571428580945
'  Sheet,DQ508,"",-523.00000000000000000000
'  Sheet,GE517,"",-423.00000000000000000000
'  Sheet,CS553,"",536.00000000000000000000
'  Sheet,CG557,"",-0.03581914268937169687
'  Sheet,GN573,"",-4.84615384615384581224
'  Sheet,HG620,"",-24.68115942028985543288
'  Sheet,GJ635,"",47.00000000000000000000
'  Sheet,CX663,"",-0.26291079812206574751
'  Sheet,DS671,"",601.00000000000000000000
'  Sheet,GY674,"",-7.79166666666666696273
'  Sheet,W693,"",240.00000000000000000000
'  Sheet,IZ699,"",-3.24175824175824178752
'  Sheet,EF711,"",-394.00000000000000000000
'  Sheet,GB722,"",-0.34615384615384614531
'  Sheet,HT733,"",1794.00000000000000000000
'  Sheet,BW738,"",-0.61538461538461541878
'  Sheet,GU759,"",409.00000000000000000000
'  Sheet,EQ763,"",47.60003906250000227374
'  Sheet,HD780,"",-3.52066115702479320859
'  Sheet,BC783,"",-3.94444444444444464182
'  Sheet,BC803,"",-365.00000000000000000000
'  Sheet,IT828,"",0.17857142857142857539
'  Sheet,HX946,"",3.06666666666666687391
'  Sheet,CG958,"",-0.24483471074380164234
'  Sheet,IQ958,"",547.00000000000000000000
'  Sheet,HL1005,"",-3.22413793103448265143
'  Sheet,HM1026,"",0.30000015258789064498
'  Sheet,IB1050,"",1.18666666666666653640
'  Sheet,JA1073,"",320.00000000000000000000
'  Sheet,CN1083,"",-371.00000000000000000000
'  Sheet,IJ1104,"",-1.21739130434782616419
'  Sheet,CU1115,"",175.00000000000000000000
'  Sheet,DQ1134,"",6.49122807017543834718
'  Sheet,K1169,"",0.48545454545454541639
'  Sheet,FO1169,"",5.73076923076923083755
'  Sheet,HY1260,"",-23.50000000000000000000
'  Sheet,EU1287,"",0.51533742331288345806
'  Sheet,BM1314,"",355.00000000000000000000
'  Sheet,JD1330,"",-557.00000000000000000000
'  Sheet,EX1348,"",159.00000000000000000000
'  Sheet,HY1352,"",-0.39133473095737247860
'  Sheet,FB1399,"",433.00000000000000000000
'  Sheet,FG1406,"",-47.00000000000000000000
'  Sheet,CY1493,"",-47.00000000000000000000
'  Sheet,GC1560,"",402.00000000000000000000
'  Sheet,EN1642,"",-0.02759835584263065078
'  Sheet,DU1662,"",0.49275362318840582043
'  Sheet,FH1670,"",-1.17117117117117119918
'  Sheet,GW1674,"",-3.70297029702970315057
'  Sheet,HX1732,"",0.44202898550724639692
'  Sheet,HH1765,"",0.63571428571428567622
'  Sheet,DT1804,"",388.00000000000000000000
'  Sheet,EH1833,"",-5.13043478260869534324
'  Sheet,FZ1843,"",212.00000000000000000000
'  Sheet,CV1883,"",-107.00000000000000000000
'  Sheet,JT1898,"",-0.70000061035156246891
'  Sheet,E1903,"",-1.19642857142857139685
'  Sheet,HH1915,"",-1.19148936170212760288
'  Sheet,A1940,"",339.00000000000000000000
'  Sheet,BI1963,"",-396.00000000000000000000
'  Sheet,IH2024,"",116.00000000000000000000
'  Sheet,HJ2034,"",-0.15873015873015872135
'  Sheet,W2107,"",0.10961968680089485828
'  Sheet,BY2108,"",197.00000000000000000000
'  Sheet,ID2182,"",-0.10169491525423729472
'  Sheet,JH2198,"",-4.78378378378378421587
'  Sheet,FA2200,"",-9.21875000000000000000
'  Sheet,BJ2257,"",-377.20031249999999545253
'  Sheet,M2276,"",-352.00000000000000000000
'  Sheet,FU2308,"",-112.00000000000000000000
'  Sheet,HW2345,"",537.00000000000000000000
'  Sheet,DC242
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.