Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 54f3740d0643bea9…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 1.71 MB
Created: 2004-05-21 07:18:45
Authoring application: Microsoft Excel
First seen: 2019-11-20
MD5: 4c9528d919c702c3ca726fba9648d504
SHA-1: 82c5b04c74dd76bed416051110e30d73d938ede5
SHA-256: 54f3740d0643bea91ef8f4cb2b2def64e1231a6a96236eb753bee10c2140ff2d
Risk score: 144

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an Excel workbook containing a large VBA macro project with a Workbook_Open subroutine, which Excel runs automatically when the document is opened. The macro code uses CreateObject and XMLHTTP, indicating it likely downloads and executes a second-stage payload. The document body contains text related to data entry and reporting, suggesting a lure to encourage the user to enable macros. The presence of obfuscated VBA code together with the Workbook_Open auto-execution is a strong indicator of malicious intent.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs, each followed by the channel that reached it in brackets (several entries carry trailing bytes from the surrounding OLE stream; they are preserved exactly as extracted):
    • http://www.imagemagick.orgw9y [In document text (OLE body)]
    • http://www.imagemagick.org��Q� [In document text (OLE body)]
    • http://eias.ru/?page=show_distrs [In document text (OLE body)]
    • http://eias.ru/Y [In document text (OLE body)]
    • https://tariff.eias.ru/procwsxls/�R [In document text (OLE body)]
    • https://tariff.eias.ru/procwsxls/ [In document text (OLE body)]
    • http://www.fstrf.ru/regions/region/s� [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Bryansk_Oblast.png�v�r [In document text (OLE body)]
    • http://www.imagemagick.org [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Kursk_Oblast.png���� [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Coat_of_Arms_of_Pskov_oblast.png [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Ivanovo_Oblast.png [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Baikonur_seal.png��vY [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Saratov_Oblast.png [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Yaroslavl_Oblast.pngT� [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Kostroma_oblast.gif`+�� [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:TomskOblastFlag.png� [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Ryazan_Oblast.png [In document text (OLE body)]
    • http://commons.wikimedia.org/wiki/File:Flag_of_Moscow_Oblast.png/m8Q [In document text (OLE body)]
    • http://www.alrosa.ru/about/production/social/rikk/2012/� [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 923960 bytes
SHA-256: 5293a1e6601be761a46e9dd049f3d0035d2e30802cb1ab6663a95d1b1db2f3e1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    Application.Calculate
    
    modThisWorkbook.ThisWorkbook_Workbook_BeforeSave
    
    On Error GoTo ErrHandler
    
    Dim status As Integer
    status = ThisWorkbook.CustomDocumentProperties("Status")
    If status > 2 Then
      MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
      Cancel = True
      GoTo cleanUp
    End If
    
    GoTo cleanUp

ErrHandler:
    MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name

cleanUp:

End Sub

Private Sub Workbook_Open()
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
  modThisWorkbook.ThisWorkbook_Workbook_BeforePrint
End Sub

Attribute VB_Name = "modChange"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Base 1
Option Explicit

' Instruction sheet
Public Sub WsInstrChange(Target As Range)
  If Target.Interior.ColorIndex = colorYellow Then
    Application.ThisWorkbook.Sheets(gstrInstructionSheetName).cmdApplyContactChanges.Enabled = True
    Application.ThisWorkbook.Sheets(gstrInstructionSheetName).cmdApplyContactChanges.Visible = True
  End If
End Sub

' Title sheet
Public Sub WsTitChange(Target As Range)
  On Error GoTo ErrWsTitChange
  
  Dim wbBook As Workbook
  
  Dim wsTechSheet As Worksheet
  Dim wsSheet As Worksheet
  Dim wsTempSheet As Worksheet
  Dim wsHypSheet As Worksheet
  Dim wsCommentsSheet As Worksheet
    
  Dim intCounter As Integer
  Dim intVisibleSheetArray As Integer     ' show /-1/ or hide /2/ the sheets /given by the list/
  Dim intVisibleSheetHyp As Integer       ' show /-1/ or hide /2/ the "Ссылки на публикации" (links to publications) sheet
  Dim intNumStartRowForCheck As Integer
  Dim intNumEndRowForCheck As Integer
  
  Dim strMOName As String
  Dim strMRName As String
  Dim strOKTMOValue As String
  Dim strNameSheetArray(2) As String
    
  Dim rngRange As Range
  Dim rngRangeOne As Range
  Dim rngRangeTemp As Range
  Dim ISect

  blnValueEnableEvents = Application.EnableEvents
  blnValueScreenUpdating = Application.ScreenUpdating
  
  Application.EnableEvents = False
  Application.ScreenUpdating = False

  Set wbBook = Me.parent
  Set rngRange = wbBook.Names("MR_LIST").RefersToRange
  Set wsTechSheet = rngRange.parent

  Set wsSheet = Target.parent
  Set wsHypSheet = wbBook.Sheets(gstrHyperlinkSheetName)
  Set wsCommentsSheet = wbBook.Sheets(gstrCommentsSheetName)
  
  ' Which site
  Set ISect = Application.Intersect(Target, wsSheet.Range("strPublication"))
  If Not ISect Is Nothing Then

    strNameSheetArray(1) = "ХВС доступ"
    strNameSheetArray(2) = "Ссылки на публикации"

    
    Set wsTempSheet = wbBook.Sheets(strNameSheetArray(2))
    wsTempSheet.Activate
    modServiceModule.UNPROTECT_SHEET wsTempSheet
    
    ' the remaining sheets
    If InStr(LCase(Target.cells(1, 1).Value), "на сайте регулирующего органа") Then
      intVisibleSheetArray = -1
      intVisibleSheetHyp = -1
      wsTempSheet.Range("checkBC_2").Rows(1).EntireRow.Hidden = True
      wsTempSheet.Range("checkBC_2").Rows(1).Interior.ColorIndex = colorWhite
      wsTempSheet.Range("checkBC_2").Rows(1).Locked = True
      wsTempSheet.cells(wsTempSheet.Range("checkBC_2").cells(2, 1).Row, _
                        wsTempSheet.Range("Consecutive_number").cells(1, 1).Column).Value = "1.1"
      If InStr(wbBook.Names("region_name").RefersToRange.Value, strExceptionsRe
... (truncated)