Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 147ad346582aae62…

MALICIOUS

Office (OLE)

Size: 445.0 KB
Created: 2001-04-10 23:19:41
Authoring application: Microsoft Excel
First seen: 2016-03-27
MD5: 444a7acc94a991b031eba36dea444867
SHA-1: ff0fac311a35075c38889ffd922d83310af4a40a
SHA-256: 147ad346582aae62affad72b25ae035fe535d204a4ed57ab95a98bc777a527ff
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

This Excel document contains VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening. The document body presents a lure related to tax tracking summaries and explicitly instructs the user to enable macros, indicating a social engineering attempt to bypass security. The presence of CreateObject calls and the Auto_Open execution token strongly suggest the macro is designed to download and execute a second-stage payload.

Heuristics (7)

  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro (high) OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all labelled "In document text (OLE body)", i.e. found in raw document content rather than reached by macro code). All of them are OCSP, CRL or AIA endpoints of the Thawte/VeriSign/Symantec PKI, which is what an embedded certificate chain for a code-signing or timestamping signature contains; the stray trailing characters ("0", "07", "0D", "04", "0*", "0(") are the bytes that follow each URL in the binary and were carried along by the string extractor, not part of the URLs themselves. None of these is a payload-hosting URL; the download behaviour inferred above rests on the macro tokens, not on this list.
    • http://ocsp.thawte.com0 In document text (OLE body)
    • http://ts-ocsp.ws.symantec.com07 In document text (OLE body)
    • http://ocsp.verisign.com0 In document text (OLE body)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0 In document text (OLE body)
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 In document text (OLE body)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( In document text (OLE body)
    • http://logo.verisign.com/vslogo.gif0 In document text (OLE body)
    • https://www.verisign.com/rpa In document text (OLE body)
    • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D In document text (OLE body)
    • https://www.verisign.com/rpa0 In document text (OLE body)
    • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0 In document text (OLE body)
    • https://www.verisign.com/cps0* In document text (OLE body)
    • http://logo.verisign.com/vslogo.gif04 In document text (OLE body)
    • http://crl.verisign.com/pca3-g5.crl04 In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 89966 bytes
SHA-256: 09912137f566a705e19d102a2ab726535b0473c727720c845c736a9a325a4443
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_Activate()
    commandBarCreate
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)
    Dim myRes As Long, fileName As Variant
    On Error Resume Next
    If ThisWorkbook.Saved = False Then
        'my_Before_Force_Close
        If ThisWorkbook.Path = "" Then
            myRes = MsgBox("You've updated this workbook. If you want to save your changes, save this workbook now." & vbCrLf & vbCrLf & _
                            "Later, you can open it in Excel and connect to QuickBooks to update the payroll reports contained" & vbCrLf & _
                            "in the workbook. You can also re-run the reports (without the changes you just made) from QuickBooks." & vbCrLf & vbCrLf & _
                            "Do you want to save this workbook?", vbYesNoCancel + vbExclamation)
        
            If myRes = vbYes Then
                my_Before_Force_Close False
                fileName = Application.GetSaveAsFilename
                If fileName = False Then
                    Cancel = True  'abort the shutdown
                Else 'have a file
                    If Right(fileName, 1) = "." Then
                        If getAppVerNumber <= 11 Then 'don't do anything with the new XL 2007 or greater
                            fileName = fileName & "xls"
                        End If
                    End If
                    
                    ThisWorkbook.SaveAs fileName, , , , , , , , True
                End If
            ElseIf myRes = vbNo Then
                my_Before_Force_Close True
                ThisWorkbook.Saved = True 'fake it out so it closes silently
            ElseIf myRes = vbCancel Then
               Cancel = True  'abort the shutdown
            End If
        Else 'has a path
            myRes = MsgBox("Do you want to save the changes you made to this file (" & ThisWorkbook.Name & ")?", vbYesNoCancel + vbExclamation)
            If myRes = vbYes Then
                my_Before_Force_Close False
                ThisWorkbook.Save
            ElseIf myRes = vbNo Then 'end yes
                my_Before_Force_Close True
                ThisWorkbook.Saved = True 'fake it out so it closes silently
            ElseIf myRes = vbCancel Then
               Cancel = True  'abort the shutdown
            End If
        End If
    ElseIf ThisWorkbook.Saved = True Then
        my_Before_Force_Close True
        ThisWorkbook.Saved = True 'just in case. Fake it out so it closes silently
    End If
End Sub





Attribute VB_Name = "Sheet18"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True



Attribute VB_Name = "formatCode"
Option Explicit
Option Private Module

Sub formatRange(rng As Range, style As String, Optional indent As Long)
    Dim cl As Range
    
    If style = "defaultFormat" Then
        With rng
            .HorizontalAlignment = xlLeft
            .IndentLevel = indent
        End With
    ElseIf style = "dividerRow" Then
        With rng
            .RowHeight = 5
        End With
    ElseIf style = "bodyTitleRight" Or style = "bodyTitleleft" Then
        With rng
            If style = "bodyTitleRight" Then
                .HorizontalAlignment = xl
... (truncated)