Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 15a27dab26f65e00…

MALICIOUS

Office (OLE)

Size: 554.0 KB | Created: 2002-08-28 15:41:23 | Authoring application: Microsoft Excel | First seen: 2021-07-07
MD5: bc049f6d36f8ce30a0927f9300d5e06b | SHA-1: 6fcbc536149ebb9536758c6c7052cc47bac1b9f6 | SHA-256: 15a27dab26f65e004dacd95dfe1fd67c868fab11d93be4e42fae83a6eb341944
Risk Score: 168

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution

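The file is an Excel document containing a Workbook_Open VBA macro. The macro calls the Shell() function, which fires a critical-severity heuristic and indicates an attempt to execute external commands. The combination of VBA macros and Workbook_Open auto-execution strongly suggests a malicious document designed to download and execute a secondary payload upon opening. The arguments passed to Shell() are not shown in this summary, so the download-and-execute behaviour is inferred from the heuristics rather than observed; confirm it by reviewing the Shell() call in the extracted macro source.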

Heuristics 5

  • VBA macros detected — severity: medium; 4 related findings; ID: OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA — severity: critical; ID: OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro — severity: high; ID: OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens — severity: high; ID: OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) — severity: low; ID: OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 154540 bytes
SHA-256: 9ac3425e582be172b92dccff8fccf0ff932a3460252af293a014102661f201c4
Preview script
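First 1,000 lines of the extracted script. The portion reproduced here is UserForm event-handler code for the frmCHAR form; the Workbook_Open handler and Shell() call named in the heuristics do not appear in it.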
Attribute VB_Name = "frmCHAR"
Attribute VB_Base = "0{A3F7DFEA-2AA9-47D8-AE47-91A1BDDA3F9A}{9E933AA2-9346-41B1-880B-B46AF1F6390B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' ===================================================================================
' Contains subroutines for setting up the Characterization form and also
' routines for construction of the characterization sheet
' ===================================================================================
Option Explicit
Option Compare Text
Option Base 1

Dim element As Variant

Private Sub btnAll_Click()
' Mark every entry of the library component list box (lsbLibComp) as selected.
    Dim pos As Integer

    With Me.lsbLibComp
        ' Entries are addressed from 0, so walk 0 .. ListCount - 1.
        For pos = 0 To .ListCount - 1
            .Selected(pos) = True
        Next pos
    End With
End Sub

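Private Sub btnClear1_Click()
' Remove every entry from the component list box (lsbPure).
' The loop counter the original declared was never used, so it is dropped.
    Me.lsbPure.Clear
End Sub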

Private Sub chkBIP_Click()
' When chkBIP is ticked, untick chkLab; otherwise leave chkLab as it is.
    If Me.chkBIP.Value = True Then
        Me.chkLab.Value = False
    End If
End Sub

Private Sub chkCorrBip_Click()
' When chkCorrBip is ticked, untick chkLab; otherwise leave chkLab as it is.
    If Me.chkCorrBip.Value = True Then
        Me.chkLab.Value = False
    End If
End Sub

Private Sub chkCorrelate_Click()
' When chkCorrelate is ticked, untick chkLab; otherwise leave chkLab as it is.
    If Me.chkCorrelate.Value = True Then
        Me.chkLab.Value = False
    End If
End Sub

Private Sub chkLab_Click()
' When chkLab is ticked, untick chkBIP, chkCorrBip and chkCorrelate.
' The handlers for those three boxes untick chkLab in turn, so chkLab is
' never ticked together with any of them.
    With Me
        If .chkLab.Value = True Then
            .chkBIP.Value = False
            .chkCorrBip.Value = False
            .chkCorrelate.Value = False
        End If
    End With
End Sub

Private Sub cmbLib_Change()
' Runs Fill_LsbLibComp (defined outside this excerpt) whenever the cmbLib
' combo box changes.
    Fill_LsbLibComp
End Sub

Private Sub cmdLibClear_Click()
' Deselect every entry of the library component list box (lsbLibComp).
    Dim pos As Integer

    With Me.lsbLibComp
        ' Entries are addressed from 0, so walk 0 .. ListCount - 1.
        For pos = 0 To .ListCount - 1
            .Selected(pos) = False
        Next pos
    End With
End Sub

Private Sub UserForm_Activate()
' On form activation, run Fill_ComboBoxes (defined outside this excerpt).
    Fill_ComboBoxes
End Sub

Private Sub btnAdd1_Click()
' Copy each selected library component (lsbLibComp) into the component
' list (lsbPure), deselecting it in the library list once it is copied.
    Dim pos As Integer

    With Me.lsbLibComp
        For pos = 0 To .ListCount - 1
            If .Selected(pos) = True Then
                Me.lsbPure.AddItem .List(pos)
                .Selected(pos) = False
            End If
        Next pos
    End With
End Sub

Private Sub btnAdd2_Click()
' Append whatever is typed in txtUserComp to the component list (lsbPure).
' The text is added as-is; no check for an empty value is made.
    Me.lsbPure.AddItem Me.txtUserComp.Value
End Sub

Private Sub btnRemove1_Click()
' Delete the highlighted entry from the component list (lsbPure).
' A ListIndex of -1 means nothing is highlighted; the user is then
' prompted and nothing is removed.
    Dim picked As Integer

    picked = Me.lsbPure.ListIndex

    If picked <> -1 Then
        Me.lsbPure.RemoveItem picked
    Else
        MsgBox Prompt:="Select component to remove.", _
               Title:="Component Removal", Buttons:=vbQuestion
    End If
End Sub

Private Sub btnUp_Click()
' Swap the highlighted entry of the component list (lsbPure) with the entry
' above it, then move the highlight up so it follows the entry.
    Dim pos As Integer
    Dim held As String

    pos = Me.lsbPure.ListIndex

    ' Nothing highlighted: prompt the user and stop.
    If pos = -1 Then
        MsgBox Prompt:="Select list entry to move.", _
               Title:="Component Removal", Buttons:=vbQuestion
        Exit Sub
    End If

    ' Already the first entry: there is nothing above to swap with.
    If pos = 0 Then Exit Sub

    With Me.lsbPure
        held = .List(pos - 1)
        .List(pos - 1) = .List(pos)
        .List(pos) = held
        .ListIndex = .ListIndex - 1
    End With
End Sub

Private Sub btnDown_Click()
' Swap the highlighted entry of the component list (lsbPure) with the entry
' below it, then move the highlight down so it follows the entry.
    Dim pos As Integer
    Dim held As String

    pos = Me.lsbPure.ListIndex

    ' Nothing highlighted: prompt the user and stop.
    If pos = -1 Then
        MsgBox Prompt:="Select list entry to move.", _
               Title:="Component Removal", Buttons:=vbQuestion
        Exit Sub
    End If

    ' Already the last entry: there is nothing below to swap with.
    If pos = Me.lsbPure.ListCount - 1 Then Exit Sub

    With Me.lsbPure
        held = .List(pos + 1)
        .List(pos + 1) = .List(pos)
        .List(pos) = held
        .ListIndex = .ListIndex + 1
    End With
End Sub

Private Sub btnCancel_Click()
' Dismiss the form by unloading it.
    Unload Me
End Sub

Private Sub btnOK_Click()
' Generate new CHR sheet when user click OK
  
    Dim chrShe
... (truncated)