Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2cd419acdfc664d7…

MALICIOUS

Office (OLE)

1.54 MB Created: 2004-05-21 07:18:45 Authoring application: Microsoft Excel First seen: 2019-12-09
MD5: c383dd258f01e467063dedf9625d0040 SHA-1: 9fe0e1f8f67e48c9994bcaf74c430b169d288138 SHA-256: 2cd419acdfc664d7c0ddae5ab97c724e8e914fbd4f76155dfa8db5f5dc7fd5cd
182 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.005 Visual Basic

The sample is an Excel file containing VBA macros, triggered by the Workbook_Open event. It matches the CVE-2012-0158 heuristic (MSCOMCTL.ListView, listed below as "CVE likely"), which is consistent with an attempt to execute arbitrary code; the heuristic match on its own does not confirm exploitation. The macros use CreateObject and XMLHTTP, suggesting they download and execute a second-stage payload from one of the embedded URLs. The document body contains Russian regional names and form-related text, likely a lure.

Heuristics 6

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE likely CVE_2012_0158
    MSCOMCTL.ListView — CVE-2012-0158
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.fstrf.ru/regions/region/showlist In document text (OLE body)
    • http://support.eias.ru/index.php?a=add&catid=5 — In document text (OLE body)
    • http://eias.ru/?page=show_templates — In document text (OLE body)
    • http://eias.ru/?page=show_distrsY — In document text (OLE body)
    • http://eias.ru/files/shablon/manual_loading_through_monitoring.pdfK — In document text (OLE body)
    • https://tariff.eias.ru/procwsxls/ — In document text (OLE body)
    • https://appsrv02.eias.ru/procwsxls/ — In document text (OLE body)
    • https://appsrv01.eias.ru/procwsxls/ — In document text (OLE body)
    • https://eias.fstrf.ru/disclo/get_file?p_guid= — In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid=� — In document text (OLE body)
    • https://eias.fstrf.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX — In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX — In document text (OLE body)
    • http://www.eias.ru/templates/ — In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid= — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 363038 bytes
SHA-256: e6c545a5090d53488a9cd807143677aea7b8c23e87db77d0b758c3156d6743ee
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "xlsBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module "xlsBook": a document-level class module (VB_PredeclaredId = True,
' VB_Creatable = False, VB_Base bound to a host CLSID). It is the module that
' receives the Workbook_* events below, so the Workbook_Open auto-exec entry
' point reported as OLE_VBA_WBOPEN lives here.
' NOTE(review): the CLSID above is copied from the exported attribute header;
' which host class it denotes has not been checked against the OLE streams.
Option Explicit

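Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
  ' Save-time guard. First delegates to modThisWorkbook.Workbook_BeforeSave_Handler
  ' (defined outside this module and not visible in the extracted preview), then
  ' refuses the save when the custom document property "Status" is greater
  ' than 2 (the message shown says the document is signed with an electronic
  ' signature and cannot be changed).
  '
  ' Parameters (Excel event signature, unchanged):
  '   SaveAsUI - True when the Save As dialog is being shown.
  '   Cancel   - set to True to abort the save; left as-is otherwise.
  '
  ' Fix: the error handler is armed *before* the delegated call. In the original
  ' the call ran ahead of "On Error GoTo ErrHandler", so any run-time error
  ' raised inside the handler escaped this Sub unhandled. Errors from the
  ' "Status" lookup (missing property, non-numeric value failing the Integer
  ' coercion) were already routed to ErrHandler and still are.
  On Error GoTo ErrHandler

  modThisWorkbook.Workbook_BeforeSave_Handler SaveAsUI, Cancel, Me

  Dim status As Integer

  ' CustomDocumentProperties(...) yields a Variant; the implicit coercion to
  ' Integer raises a run-time error for non-numeric values, which ends up in
  ' ErrHandler below without cancelling the save.
  status = Me.CustomDocumentProperties("Status")
  If status > 2 Then
    MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
    Cancel = True
  End If

  Exit Sub

ErrHandler:
  ' Best-effort: report the error to the user and let the save proceed with
  ' whatever value Cancel currently holds.
  MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name
End Sub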

Private Sub Workbook_Open()
  ' Auto-exec entry point: Excel raises this event when the workbook is opened
  ' (this is the OLE_VBA_WBOPEN finding). All real work is delegated to
  ' modThisWorkbook.Workbook_Open_Handler, whose body is not part of this
  ' preview, so what runs at open time cannot be judged from here.
  Call modThisWorkbook.Workbook_Open_Handler(Me)
End Sub

Attribute VB_Name = "modHTTPServerCaller"
' Standard module holding the configuration constants for the workbook's HTTP
' calls: registry type, activity sphere, sheet/range names, base URLs and the
' query-string parameter prefixes. Only the constant table is visible in this
' preview; whatever builds and sends the requests lies beyond the truncation.
Option Explicit
Option Base 1   ' arrays declared in this module are 1-based unless stated otherwise

' Registry ("реестр") settings.
' Selected registry variant; the valid values are listed right below and the
' commented-out line shows the previously used value.
Public Const STR_REESTR_TYPE As String = "FULL_OWNER"
''Public Const STR_REESTR_TYPE As String = "FULL"
' FULL    - full version
' REDU_Y  - without MR/MO/OKTMO, with activity type
' REDU_N  - without MR/MO/OKTMO, without activity type
' STAT    - statistics
' ENER    - energy
' FULL_OWNER    - full version with MR/MO of registration

' Activity sphere sent with the request. The two lists below (from the
' original comment) enumerate the values accepted for the FULL and REDU
' registry variants respectively.
Public Const STR_ACTIVITY_SPHERE As String = "WARM"
'--------------
'-----FULL-----
'--------------
'   ALL
'   VS
'   VO
'   TBO
'   HOT_VS
'   VS_VO
'   VS_VO_TBO
'   EE
'   GAS
'   JKH_EE
'   WARM
'--------------
'-----REDU-----
'--------------
'   WARM
'   VS
'   HOT_VS
'   VS_VO
'   VO
'   TBO
'   EE
'--------------

Public Const STR_ADDITIONAL_REGIONS As String = ""      ' additional regions (federal subjects), ";"-separated; empty here
Public Const STR_REESTR_MR_MO_TYPE As String = "MRMO"


' Names of the worksheet and named range the registry data is written to.
Public Const STR_RANGE_NAME As String = "REESTR_ORG_RANGE"
Public Const STR_REESTR_SHEET_NAME As String = "REESTR_ORG"
' Not a Const: assigned at run time somewhere outside this preview. The
' commented-out line below shows the former fixed value.
Public STR_REESTR_MO_SHEET_NAME As String
''Public Const STR_REESTR_MO_SHEET_NAME As String = "REESTR_MO"

' Server addresses, polled in exactly this order (per the original comment).
' All four are hard-coded HTTPS endpoints under eias.ru and correspond to the
' hosts the report lists under EMBEDDED_URL; URL_1 and URL_4 are identical and
' URL_3/URL_4 were still marked "TBD" by the author. Whether the code that uses
' them validates the server certificate, and what it does with the response,
' is not visible in this preview.
Public Const STR_HTTP_REQUEST_BASE_URL_1 As String = "https://tariff.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_2 As String = "https://appsrv02.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_3 As String = "https://appsrv01.eias.ru/procwsxls/"  ' TBD
Public Const STR_HTTP_REQUEST_BASE_URL_4 As String = "https://tariff.eias.ru/procwsxls/"    ' TBD

' Endpoint names (each ending in "?") and the query-string parameter prefixes
' appended to them, grouped per registry variant. The request builder that
' concatenates these is not part of this preview.
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_NAME As String = "MO_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_2 As String = "p_TC="

Public Const STR_HTTP_REQUEST_PROC_ORG_FULL As String = "ORG_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_3 As String = "p_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_4 As String = "p_TC="

Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER As String = "ORG_REESTR_OWNER?"
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_3 As String = "p_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_4 As String = "p_TC="

Public Const STR_HTTP_REQUEST_PROC_ORG_STAT As String = "ORG_STAT_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT_2 As String = "p_TC="

Public Const STR_HTTP_REQUEST_PROC_ORG_REDU As String = "ORG_REESTR_REDUCED?"
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_2 As String = "p_AS="
' NOTE(review): "P_INCL_VDET=" uses an upper-case P unlike every other prefix;
' whether the server treats parameter names case-insensitively is not visible here.
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_3 As String = "P_INCL_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_4 As String = "p_TC="

Public
... (truncated)