Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef4b7242b6449522…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 252.5 KB
Created: 2020-06-24 17:08:55
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: bd0a2cd23a57a016723b61480fd37474
SHA-1: a3e1f210127a14b7f2a2432240835370edd1c5d6
SHA-256: ef4b7242b64495229e4c1cd599669d9645d9f163806a50cabb403f1cd2b0a0e6
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

Critical heuristics fired on this file, indicating Excel 4.0 (XLM) macros with Auto_Open functionality, dangerous formula API calls and environment-evasion techniques; ClamAV also classifies it as a dropper. Although VBA macros are present, the primary threat appears to come from the XLM macros, which execute automatically when the workbook is opened. The specific actions of the XLM macros are not fully detailed in the available evidence, but their nature suggests they are intended to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Xls.Dropper.Agent-8915745-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-8915745-0.
  • Excel 4.0 Auto_Open defined name [critical, OLE_XLM_AUTOOPEN_DEFINEDNAME]
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical, OLE_XLM_DANGEROUS_FN]
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • XLM Auto_Open environment-evasion close gate [critical, OLE_XLM_ENVIRONMENT_EVASION_CLOSE]
    The Excel 4.0 macro sheet auto-executes environment checks with GET.WORKSPACE / GET.WINDOW, then shows a fake corruption/error message and closes the workbook when the host fails those checks. This is a malware sandbox-evasion pattern, even when the later payload stage is hidden behind obfuscated defined-name flow.
  • Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]
    The workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    The document contains VBA macro code.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 118069 bytes
SHA-256: b8018481a1f70a6bb1c2e06f0e3d3b738251ee70a02c4e08c4aa1026952ff46f
Preview (first 1,000 lines of the extracted script):
' 0085      9 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     21 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  uranNNowJlFk
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -    8 
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0018     20 LABEL : Cell Value, String Constant - BcyxZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - BgppoteX len=0 
' 0018     21 LABEL : Cell Value, String Constant - BVxDQN len=0 
' 0018     20 LABEL : Cell Value, String Constant - cDoFI len=0 
' 0018     22 LABEL : Cell Value, String Constant - CZgnRed len=0 
' 0018     21 LABEL : Cell Value, String Constant - Dirrpu len=0 
' 0018     21 LABEL : Cell Value, String Constant - dTyIIH len=0 
' 0018     24 LABEL : Cell Value, String Constant - DwPMiFdVR len=0 
' 0018     20 LABEL : Cell Value, String Constant - eJWVl len=0 
' 0018     21 LABEL : Cell Value, String Constant - eqTmSp len=0 
' 0018     22 LABEL : Cell Value, String Constant - eVMZjTS len=0 
' 0018     29 LABEL : Cell Value, String Constant - FtOFvJTCCpbDZl len=0 
' 0018     24 LABEL : Cell Value, String Constant - fzqhuFnnb len=0 
' 0018     20 LABEL : Cell Value, String Constant - GExQN len=0 
' 0018     23 LABEL : Cell Value, String Constant - GGhpCexd len=0 
' 0018     20 LABEL : Cell Value, String Constant - gZgLX len=0 
' 0018     23 LABEL : Cell Value, String Constant - htifZroL len=0 
' 0018     24 LABEL : Cell Value, String Constant - huJpItxXL len=0 
' 0018     22 LABEL : Cell Value, String Constant - HWdfoMH len=0 
' 0018     24 LABEL : Cell Value, String Constant - iIitnGDav len=0 
' 0018     24 LABEL : Cell Value, String Constant - IRpkNPvQV len=0 
' 0018     24 LABEL : Cell Value, String Constant - iVwSRtbse len=0 
' 0018     21 LABEL : Cell Value, String Constant - jBmqRr len=0 
' 0018     22 LABEL : Cell Value, String Constant - jcMtwRt len=0 
' 0018     24 LABEL : Cell Value, String Constant - JDVSoLjpl len=0 
' 0018     21 LABEL : Cell Value, String Constant - jGekgr len=0 
' 0018     21 LABEL : Cell Value, String Constant - jHqBHD len=0 
' 0018     23 LABEL : Cell Value, String Constant - jmeDgLJq len=0 
' 0018     21 LABEL : Cell Value, String Constant - kmTZsB len=0 
' 0018     23 LABEL : Cell Value, String Constant - KNQIgKoY len=0 
' 0018     21 LABEL : Cell Value, String Constant - KyTKBO len=0 
' 0018     23 LABEL : Cell Value, String Constant - LDbFjTPE len=0 
' 0018     22 LABEL : Cell Value, String Constant - LiScieq len=0 
' 0018     23 LABEL : Cell Value, String Constant - MaijtRMp len=0 
' 0018     22 LABEL : Cell Value, String Constant - mzZZzJV len=0 
' 0018     23 LABEL : Cell Value, String Constant - nIkoDNiv len=0 
' 0018     21 LABEL : Cell Value, String Constant - NQfBCM len=0 
' 0018     23 LABEL : Cell Value, String Constant - nQVisObP len=0 
' 0018     23 LABEL : Cell Value, String Constant - NRDvDhIt len=0 
' 0018     23 LABEL : Cell Value, String Constant - OcYHVuuV len=0 
' 0018     24 LABEL : Cell Value, String Constant - OfgCENkRu len=0 
' 0018     22 LABEL : Cell Value, String Constant - OuBUcRw len=0 
' 0018     22 LABEL : Cell Value, String Constant - pEkDosS len=0 
' 0018     22 LABEL : Cell Value, String Constant - qUjDWpk len=0 
' 0018     20 LABEL : Cell Value, String Constant - qXdwF len=0 
' 0018     45 LABEL : Cell Value, String Constant - RectangleRoundedCorners5_Click len=0 
' 0018     23 LABEL : Cell Value, String Constant - RJhLpnVK len=0 
' 0018     22 LABEL : Cell Value, String Constant - RuLdxRL len=0 
' 0018     23 LABEL : Cell Value, String Constant - SDvDhutK len=0 
' 0018     23 LABEL : Cell Value, String Constant - SpWzQwDW len=0 
' 0018     21 LABEL : Cell Value, String Constant - uaVWUZ len=0 
' 0018     23 LABEL : Cell Value, String Constant - UbGTSilo len=0 
' 0018     24 LABEL : Cell Value, Str
... (truncated)
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 717 bytes
SHA-256: be23b65a6fa29680599137f837eec0639785801749f6f7877198f0531b8d3b52
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub RectangleRoundedCorners5_Click()
    Selection.Font.Bold = True
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True