Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 249bc00ea0798f78…

MALICIOUS

Office (OLE) / .XLS

2.76 MB Created: 2015-04-03 14:52:53 Authoring application: Microsoft Excel
MD5: 65865d6f844d8ccd8aaea99e135904ea SHA-1: ba4f3d44425d75df006a910244a349132fb92fe9 SHA-256: 249bc00ea0798f78768dfd233be2f1eef51dc2e8c86677bb87f6cef59eb14cc9
416 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1218 System Binary Proxy Execution T1106 Native API

The presence of a Workbook_Open macro, combined with critical heuristics for WScript.Shell usage and Shell() calls, strongly indicates that this Excel file is designed to execute arbitrary code upon opening. The macro likely leverages WScript.Shell to download and execute a secondary payload, a common technique for initial access or further system compromise. No specific family could be identified, but the execution method is clear.

Heuristics 12

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
    URL https://nausp-wapp2188/Tools/CatReview/catreview2.aspx?id=
    • https://www.symbility.net/ux/site/#/claims;quickSearch=
    • https://github.com/VBA-tools/VBA-JSON
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
    • https://claimws.chubb.com/Chubb.Claims/Desktop/ClaimFolder/OpenClaim.aspx?UIC=M%3d1%26ClaimNum%3d
    • https://claimws.chubb.com/Chubb.Claims/Desktop/Claim/ClaimDetails.aspx?UIC=ClaimID%3d
    • https://claimws.chubb.com/Chubb.Claims/Desktop/Policy/PolicyDetails.aspx?UIC=ClaimID%3d
    • https://chubbgroup-my.sharepoint.com/personal/john_kube_chubb_com/Documents/Desktop/
    • https://naclaimsystem.aceins.com/PROD_AFS.Claims/Desktop/HomePage/HomePage.aspx
    • https://claimscommunications.chubb.com/api/claim/
    • http://www.opensource.org/licenses/mit-license.php)�
    • http://code.google.com/p/vba-json/
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
    • http://support.microsoft.com/kb/269370
    • http://www.ietf.org/rfc/rfc4627.txt
    • https://support.microsoft.com/en-us/kb/272138
    • https://claimws.chubb.com/CHUBB.Claims/Desktop/FileNotes/FNViewAttachment.aspx?UIC=M%3d1%26FileNoteID%3d%26A%3d13%26ClaimID%3d%26AttachmentID%3d
    • https://claimscommunications.chubb.com/api/claims/
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
    URL https://nausp-wapp2188/Tools/CatReview/catreview2.aspx?id=
    • https://www.symbility.net/ux/site/#/claims;quickSearch=
    • https://github.com/VBA-tools/VBA-JSON
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
    • https://claimws.chubb.com/Chubb.Claims/Desktop/ClaimFolder/OpenClaim.aspx?UIC=M%3d1%26ClaimNum%3d
    • https://claimws.chubb.com/Chubb.Claims/Desktop/Claim/ClaimDetails.aspx?UIC=ClaimID%3d
    • https://claimws.chubb.com/Chubb.Claims/Desktop/Policy/PolicyDetails.aspx?UIC=ClaimID%3d
    • https://chubbgroup-my.sharepoint.com/personal/john_kube_chubb_com/Documents/Desktop/
    • https://naclaimsystem.aceins.com/PROD_AFS.Claims/Desktop/HomePage/HomePage.aspx
    • https://claimscommunications.chubb.com/api/claim/
    • http://www.opensource.org/licenses/mit-license.php)�
    • http://code.google.com/p/vba-json/
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
    • http://support.microsoft.com/kb/269370
    • http://www.ietf.org/rfc/rfc4627.txt
    • https://support.microsoft.com/en-us/kb/272138
    • https://claimws.chubb.com/CHUBB.Claims/Desktop/FileNotes/FNViewAttachment.aspx?UIC=M%3d1%26FileNoteID%3d%26A%3d13%26ClaimID%3d%26AttachmentID%3d
    • https://claimscommunications.chubb.com/api/claims/
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
    URL https://nausp-wapp2188/Tools/CatReview/catreview2.aspx?id=
    • https://www.symbility.net/ux/site/#/claims;quickSearch=
    • https://github.com/VBA-tools/VBA-JSON
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
    • https://github.com/VBA-tools/VBA-JSON/pull/82
    • https://github.com/VBA-tools/VBA-UtcConverter
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
    • https://claimws.chubb.com/Chubb.Claims/Desktop/ClaimFolder/OpenClaim.aspx?UIC=M%3d1%26ClaimNum%3d
    • https://claimws.chubb.com/Chubb.Claims/Desktop/Claim/ClaimDetails.aspx?UIC=ClaimID%3d
    • https://claimws.chubb.com/Chubb.Claims/Desktop/Policy/PolicyDetails.aspx?UIC=ClaimID%3d
    • https://chubbgroup-my.sharepoint.com/personal/john_kube_chubb_com/Documents/Desktop/
    • https://naclaimsystem.aceins.com/PROD_AFS.Claims/Desktop/HomePage/HomePage.aspx
    • https://claimscommunications.chubb.com/api/claim/
    • http://www.opensource.org/licenses/mit-license.php)�
    • http://code.google.com/p/vba-json/
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
    • http://support.microsoft.com/kb/269370
    • http://www.ietf.org/rfc/rfc4627.txt
    • https://support.microsoft.com/en-us/kb/272138
    • https://claimws.chubb.com/CHUBB.Claims/Desktop/FileNotes/FNViewAttachment.aspx?UIC=M%3d1%26FileNoteID%3d%26A%3d13%26ClaimID%3d%26AttachmentID%3d
    • https://claimscommunications.chubb.com/api/claims/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d39cab652fd979c6c061ecfe496c482bc89e48c81d57469e4e4def42987351bb		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1068773 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 15 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 13 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.