Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution; T1059.005 Visual Basic
The sample is an Excel file containing VBA macros, triggered by the Workbook_Open event. It exploits CVE-2012-0158, indicating an attempt to execute arbitrary code. The macros use CreateObject and XMLHTTP, suggesting they download and execute a second-stage payload from one of the embedded URLs. The document body contains Russian regional names and form-related text, likely a lure.
Heuristics (6)

- MSCOMCTL.ListView — CVE-2012-0158 (high; CVE likely; CVE_2012_0158)
- VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS): Document contains VBA macro code.
- Workbook_Open macro (high; OLE_VBA_WBOPEN)
- CreateObject call (high; OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 363038 bytes |

SHA-256: e6c545a5090d53488a9cd807143677aea7b8c23e87db77d0b758c3156d6743ee

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "xlsBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
modThisWorkbook.Workbook_BeforeSave_Handler SaveAsUI, Cancel, Me
On Error GoTo ErrHandler
Dim status As Integer
status = Me.CustomDocumentProperties("Status")
If status > 2 Then
MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
Cancel = True
Exit Sub
End If
Exit Sub
ErrHandler:
MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name
End Sub
Private Sub Workbook_Open()
modThisWorkbook.Workbook_Open_Handler Me
End Sub
Attribute VB_Name = "modHTTPServerCaller"
Option Explicit
Option Base 1
' For registries
' For registries
Public Const STR_REESTR_TYPE As String = "FULL_OWNER"
''Public Const STR_REESTR_TYPE As String = "FULL"
' FULL - full version
' REDU_Y - without MR/MO/OKTMO, with activity type
' REDU_N - without MR/MO/OKTMO, without activity type
' STAT - statistics
' ENER - energy
' FULL_OWNER - full version with MR/MO of registration
Public Const STR_ACTIVITY_SPHERE As String = "WARM"
'--------------
'-----FULL-----
'--------------
' ALL
' VS
' VO
' TBO
' HOT_VS
' VS_VO
' VS_VO_TBO
' EE
' GAS
' JKH_EE
' WARM
'--------------
'-----REDU-----
'--------------
' WARM
' VS
' HOT_VS
' VS_VO
' VO
' TBO
' EE
'--------------
Public Const STR_ADDITIONAL_REGIONS As String = "" 'additional regions, separated by ;
Public Const STR_REESTR_MR_MO_TYPE As String = "MRMO"
Public Const STR_RANGE_NAME As String = "REESTR_ORG_RANGE"
Public Const STR_REESTR_SHEET_NAME As String = "REESTR_ORG"
Public STR_REESTR_MO_SHEET_NAME As String
''Public Const STR_REESTR_MO_SHEET_NAME As String = "REESTR_MO"
' DNS addresses; they are polled in exactly this order
Public Const STR_HTTP_REQUEST_BASE_URL_1 As String = "https://tariff.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_2 As String = "https://appsrv02.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_3 As String = "https://appsrv01.eias.ru/procwsxls/" ' TBD
Public Const STR_HTTP_REQUEST_BASE_URL_4 As String = "https://tariff.eias.ru/procwsxls/" ' TBD
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_NAME As String = "MO_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_2 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL As String = "ORG_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_3 As String = "p_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_4 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER As String = "ORG_REESTR_OWNER?"
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_3 As String = "p_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_4 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT As String = "ORG_STAT_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT_2 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU As String = "ORG_REESTR_REDUCED?"
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_3 As String = "P_INCL_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_4 As String = "p_TC="
Public
```

... (truncated)