Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1aa1d531348a8e9f…

MALICIOUS

Office (OLE)

57.5 KB · Created: 2013-10-25 10:44:34 · Authoring application: Microsoft Excel · First seen: 2014-07-20
MD5: 2c5b3a3953f888874f86236d84a1def9 SHA-1: 58da5018b07147d03d7a04c317ddfee8a679f01a SHA-256: 1aa1d531348a8e9fbb5997911858f97911b78ee4db72c438c81023e5f77649e7
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The file is identified as a legacy Excel formula macro virus from the self-identifying markers in the workbook stream, which name 'Poppy by VicodinES' and 'Narkotic Network'. The embedded VBA macros, although truncated, contain only code that toggles sheet protection (with a hard-coded password), inserts rows and clears cells; this is consistent with a macro-based threat but equally with an ordinary recorded business macro, which is what the macro comments themselves describe. The presence of these markers and macro code strongly suggests an attempt to execute arbitrary commands or download additional malicious content; note, however, that no command execution, network or file-system call appears in the extracted VBA shown below, so that capability is not evidenced by the visible macro code and the verdict rests chiefly on the formula macro virus markers.

Heuristics (2)

  • Legacy Excel formula macro virus marker — severity: critical — rule OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • VBA macros detected — severity: medium — rule OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3138 bytes
SHA-256: 435643a0be0684c751a7482a7812f71ee77ad1b078ede0b19d2e92722358ce44
Preview script
First 1,000 lines of the extracted script
' Exported header of the workbook's "ThisWorkbook" document module.
' These Attribute lines are VBA project metadata written by the exporter,
' not executable statements; no procedures follow them in the extracted
' (truncated) text, so this module carries no code of its own here.
' VB_Base names the host object class the module is bound to (looks like
' Excel's Workbook class GUID -- confirm against the OLE type library).
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Start of the standard module "模块1" ("Module1"). It holds the row-insert
' macro and the lock/unlock macros that follow.
Attribute VB_Name = "模块1"
' Sub 新增1行 ("Insert 1 row"): recorded macro that temporarily removes the
' active sheet's protection, inserts cells at the named range "XZYH", clears
' six cells relative to the named range "PAT", and re-applies protection.
' The protection password is hard-coded in clear text; worksheet protection
' is a usability feature rather than a security boundary, and the value is
' readable by anyone who extracts the VBA. Every statement below acts on the
' implicit global Selection/ActiveSheet state, so the order is significant.
Sub 新增1行()
Attribute 新增1行.VB_Description = "宏由 cwzg 录制,时间: 2013-10-30"
Attribute 新增1行.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 新增1行 ("Insert 1 row") Macro
' Macro recorded by patrick(戴和辉), date: 2013-10-30
'

'
    ' Unprotect with the hard-coded password so the edits below are allowed.
    ActiveSheet.Unprotect Password:="daihepin"

    ' Insert cells at the named range "XZYH", pushing existing cells down,
    ' then FillDown copies the selection's top row into the rows below it
    ' (net effect depends on the extent of "XZYH" -- confirm in the workbook).
    Range("XZYH").Select
    Selection.Insert Shift:=xlDown
    Selection.FillDown
    
    ' Clear values/formulas (formatting is kept) in the cells one row above
    ' "PAT", at column offsets 15, 16, 18, 19, 20 and 0 from its left edge.
    Range("PAT").Offset(-1, 15).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 16).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 18).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 19).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 20).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 0).Select
    Selection.ClearContents
    
    ' Restore protection with the same clear-text password.
    ActiveSheet.Protect Password:="daihepin"

End Sub
' Sub 锁定明细表 ("Lock detail sheets"): protects the sheets named "1".."N",
' where N is read from cell B5 of the active sheet, then protects the sheet
' "样" and finally leaves the user on sheet "目录" at cell G6.
' Mirror image of 明细表解锁 below; both use the same hard-coded password.
' NOTE(review): B5 is presumably the count of numbered detail sheets -- a
' non-numeric or stale value there raises a runtime error in the loop.
Sub 锁定明细表()
Attribute 锁定明细表.VB_Description = "宏由 cwzg 录制,时间: 2013-10-30"
Attribute 锁定明细表.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 锁定明细表 ("Lock detail sheets") Macro
' Macro recorded by patrick(戴和辉), date: 2013-10-30
'

'
    Dim i As Integer
    ' Str() prefixes a space for non-negative numbers; Trim strips it so the
    ' lookup key is exactly "1", "2", ... matching the sheet names.
    For i = 1 To Range("B5").Value
        Sheets(Trim(Str(i))).Protect Password:="daihepin"
    Next
    
    ' The "样" sheet is protected via ActiveSheet after selecting it.
    Sheets("样").Select
    ActiveSheet.Protect Password:="daihepin"
    
    ' Return the user to the index sheet at G6 (no data change).
    Sheets("目录").Select
    Range("G6").Select

End Sub
' Sub 明细表解锁 ("Unlock detail sheets"): the inverse of 锁定明细表 above --
' removes protection from the sheets named "1".."N" (N read from B5 of the
' active sheet) and from sheet "样", then selects sheet "目录" at cell G6.
' Uses the same clear-text password as every other macro in this module.
' NOTE(review): B5 is presumably the count of numbered detail sheets --
' confirm in the workbook.
Sub 明细表解锁()
Attribute 明细表解锁.VB_Description = "宏由 cwzg 录制,时间: 2013-10-30"
Attribute 明细表解锁.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 明细表解锁 ("Unlock detail sheets") Macro
' Macro recorded by cwzg, date: 2013-10-30
'

'
    Dim i As Integer
    ' Trim(Str(i)) yields "1", "2", ... without Str()'s leading space.
    For i = 1 To Range("B5").Value
        Sheets(Trim(Str(i))).Unprotect Password:="daihepin"
    Next
    
    ' Unprotect the "样" sheet via ActiveSheet after selecting it.
    Sheets("样").Select
    ActiveSheet.Unprotect Password:="daihepin"
    
    ' Return the user to the index sheet at G6 (no data change).
    Sheets("目录").Select
    Range("G6").Select

End Sub

' Start of the standard module "模块2" ("Module2"). It holds the two
' outline collapse/expand macros that follow.
Attribute VB_Name = "模块2"
' Sub 收列 ("Collapse columns"): briefly unprotects the active sheet, sets
' the column outline to level 1 (collapsed) while leaving the row outline
' untouched (RowLevels:=0 means "no change"), re-protects, and selects G6.
' Counterpart of 开列 below, which differs only in ColumnLevels:=2.
' Protection password is hard-coded in clear text, as elsewhere in this file.
Sub 收列()
Attribute 收列.VB_Description = "宏由 cwzg 录制,时间: 2013-11-5"
Attribute 收列.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 收列 ("Collapse columns") Macro
' Macro recorded by patrick(戴和辉), date: 2013-11-5
'

'
    ActiveSheet.Unprotect Password:="daihepin"
    ' Outline changes are refused on a protected sheet, hence the
    ' unprotect/protect bracket around this single call.
    ActiveSheet.Outline.ShowLevels RowLevels:=0, ColumnLevels:=1
    ActiveSheet.Protect Password:="daihepin"
    Range("G6").Select

End Sub
' Sub 开列 ("Expand columns"): same unprotect / ShowLevels / protect bracket
' as 收列 above, but shows column outline level 2 (expanded). The row outline
' is left unchanged (RowLevels:=0) and the cursor is placed on G6 afterwards.
' Protection password is hard-coded in clear text, as elsewhere in this file.
Sub 开列()
Attribute 开列.VB_Description = "宏由 cwzg 录制,时间: 2013-11-5"
Attribute 开列.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 开列 ("Expand columns") Macro
' Macro recorded by cwzg, date: 2013-11-5
'

'
    ActiveSheet.Unprotect Password:="daihepin"
    ' Only the ColumnLevels value distinguishes this macro from 收列.
    ActiveSheet.Outline.ShowLevels RowLevels:=0, ColumnLevels:=2
    ActiveSheet.Protect Password:="daihepin"
    Range("G6").Select

End Sub