Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c37bd24a17336a6…

MALICIOUS

Office (OLE)

Size: 995.0 KB
Created: 2004-05-21 07:18:45
Authoring application: Microsoft Excel
First seen: 2020-08-25
MD5: f4647fa4873587da7ba143b949d2f96d
SHA-1: fa0e2cb8e8e6d67f9962b2b7f091200830f5545f
SHA-256: 2c37bd24a17336a609e295ae9036e9e0a65c426aed1c7fe56a7ab735d72688bf
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an Excel file containing a Workbook_Open VBA macro that executes code. The macro utilizes CreateObject and XMLHTTP, indicating it likely attempts to download and execute a second-stage payload from a remote source. The document body contains Russian text related to regional data and reporting, suggesting a targeted lure. The presence of multiple unknown reputation URLs further supports the malicious intent.

Heuristics (5)

  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
    Workbook_Open macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
    CreateObject call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the URLs below were found in document text (OLE body):
      • http://www.fstrf.ru/regions/region/showlist
      • http://eias.ru/files/shablon/manual_loading_through_monitoring.pdf#
      • http://eias.ru/?page=show_templates
      • http://support.eias.ru/index.php?a=add&catid=5
      • http://eias.ru/?page=show_distrs
      • http://eias.ru/?page=show_templates
      • https://tariff.eias.ru/procwsxls/
      • https://appsrv02.eias.ru/procwsxls/
      • https://appsrv01.eias.ru/procwsxls/
      • https://eias.fstrf.ru/procwsxls/
      • https://eias.fstrf.ru/procwsxls/v
      • https://eias.fstrf.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      • https://tariff.eias.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      • https://tariff.eias.ru/disclo/get_file?p_guid=
      • https://eias.fstrf.ru/disclo/get_file?p_guid=
      • http://www.eias.ru/templates/
      • https://eias.fstrf.ru/procwsxls/
      • https://tariff.eias.ru/disclo/get_file?p_guid=
      • http://schemas.openxmlformats.org/drawingml/2006/main
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 226964 bytes
SHA-256: ae1d5b7cea36f76ea58ad2176a29f0859fd7d504c069f9ee6f8f135bbed841ab
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "xlsBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Const SAVE_STATUS_CRITICAL_IMPACT_WARNING As String = "Шаблон сохранен, но НЕ БУДЕТ ПРИНЯТ к рассмотрению из-за невыполнения ОБЯЗАТЕЛЬНЫХ условий. См. лист 'Проверка'!"
Private Const SAVE_STATUS_SUCCESS As String = "Шаблон готов к сохранению без замечаний"
Private Const SAVE_STATUS_LOW_IMPACT_WARNING As String = "Шаблон будет принят к рассмотрению, но обратите внимание на сообщения на листе 'Проверка'"
Private Const SAVE_MESSAGE_TITLE As String = "Результат проверки"

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
  Application.Calculate
  Application.ReferenceStyle = xlA1

  ' If no region is selected, there is nothing to check
  If Len(CStr(Me.Names("region_name").RefersToRange.cells(1, 1).Value)) = 0 Then
    Exit Sub
  End If

  modListProv.WarningsBeforeSaving Me

  If modGlobals.glngCriticalImpactWarningsCounter > 0 Then
    Me.CustomDocumentProperties("Status") = 1  'TRANS
    MsgBox SAVE_STATUS_CRITICAL_IMPACT_WARNING, vbCritical + vbOKOnly, SAVE_MESSAGE_TITLE
    Me.Worksheets(gstrCheckSheetName).Activate
    Me.Worksheets(gstrCheckSheetName).cells(1, 1).Activate
  ElseIf modGlobals.glngLowImpactWarningsCounter > 0 Then
    Me.CustomDocumentProperties("Status") = 1  'TRANS
    MsgBox SAVE_STATUS_LOW_IMPACT_WARNING, vbExclamation + vbOKOnly, SAVE_MESSAGE_TITLE
    Me.Worksheets(gstrCheckSheetName).Activate
    Me.Worksheets(gstrCheckSheetName).cells(1, 1).Activate
  Else  'TRANS
    Me.CustomDocumentProperties("Status") = 2  'TRANS
    MsgBox SAVE_STATUS_SUCCESS, vbInformation, SAVE_MESSAGE_TITLE
  End If

  On Error GoTo ErrHandler

  Dim status As Integer

  status = Me.CustomDocumentProperties("Status")
  If status > 2 Then
    MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
    Cancel = True
    Exit Sub
  End If

  Exit Sub

ErrHandler:
  MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name
End Sub

Private Sub Workbook_Open()
  Application.Calculation = xlCalculationAutomatic  ' so that formulas are recalculated automatically
  Application.ReferenceStyle = xlA1  ' reference style: A1

  Dim wsSheet As Worksheet

  blnMsgBoxActualVersion = False

  If modServiceModule.blnIsDocumentProperty(Me, "Status") = True Then
    Me.CustomDocumentProperties("Status") = 1  'ТРАНС
  End If

  ' For updates
  If modServiceModule.IsNameExists(Me, "chkGetUpdatesValue") = True Then
    If Me.Names("chkGetUpdatesValue").RefersToRange.cells(1, 1).Value = "y" Then
      modUpdTemplMain.Check_Update_Execution Me
    End If
  End If

End Sub

Attribute VB_Name = "modUpd_Templ_Caller"
Option Explicit
Option Base 1

' Request the description of the latest version for a given template code
Public Function Query_Last_Version_Info(ByVal strTemplateCode As String, _
                                        Optional blnShowMessage As Boolean = True) As TVersionInfo

  On Error GoTo ErrHandler

  Dim strXMLTagNames(4) As String

  If Len(strTemplateCode) = 0 Then
    GoTo CleanUp
  End If

  strXMLTagNames(1) = "VERSION"
  strXMLTagNames(2) = "DESCRIPTION_UPDATE"
  strXMLTagNames(3) = "FILE_UPDATE_SIZE"
  strXMLTagNames(4) = "NEW_VERSION_URL"

  Query_Last_Version_Info = modUpd_Templ_HTTP_Request.tviQuery_Update_Info(strXMLTagNames, strTemplateCode, blnShowMessage)

  GoTo CleanUp

ErrHandler:
  GoTo CleanUp
CleanUp:
End Function

' Request the update file
Public Function Query_Update(ByVal strTempFileName As String, _
                             ByVal strTemplateCode As String, _
                             ByVal strVersion As String) As String

  On Error GoTo ErrHandler

  If Len(strTemplateCode) = 0 Or _
     Len(strVersion) = 0 Then
  
... (truncated)