Office (OLE) malware analysis — malicious · 54f3740d0643bea9

MALICIOUS

Office (OLE)

1.71 MB Created: 2004-05-21 07:18:45 Authoring application: Microsoft Excel First seen: 2019-11-20

MD5: 4c9528d919c702c3ca726fba9648d504 SHA-1: 82c5b04c74dd76bed416051110e30d73d938ede5 SHA-256: 54f3740d0643bea91ef8f4cb2b2def64e1231a6a96236eb753bee10c2140ff2d

144 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel file containing a large VBA macro, with a Workbook_Open subroutine that is configured to execute automatically. This macro uses CreateObject and XMLHTTP, indicating it likely downloads and executes a second-stage payload. The document body contains text related to data entry and reporting, suggesting a lure to encourage macro execution. The presence of obfuscated VBA code and the auto-execution of the Workbook_Open event are strong indicators of malicious intent.

Heuristics 6

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.imagemagick.orgw9y In document text (OLE body)
- http://www.imagemagick.org��Q�In document text (OLE body)
- http://eias.ru/?page=show_distrsIn document text (OLE body)
- http://eias.ru/YIn document text (OLE body)
- https://tariff.eias.ru/procwsxls/�RIn document text (OLE body)
- https://tariff.eias.ru/procwsxls/In document text (OLE body)
- http://www.fstrf.ru/regions/region/s�In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Bryansk_Oblast.png�v�rIn document text (OLE body)
- http://www.imagemagick.orgIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Kursk_Oblast.png��In document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Coat_of_Arms_of_Pskov_oblast.pngIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Ivanovo_Oblast.pngIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Baikonur_seal.png��vYIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Saratov_Oblast.pngIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Yaroslavl_Oblast.pngT�In document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Kostroma_oblast.gif`+��In document text (OLE body)
- http://commons.wikimedia.org/wiki/File:TomskOblastFlag.png�In document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Ryazan_Oblast.pngIn document text (OLE body)
- http://commons.wikimedia.org/wiki/File:Flag_of_Moscow_Oblast.png/m8QIn document text (OLE body)
- http://www.alrosa.ru/about/production/social/rikk/2012/�In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	923960 bytes
SHA-256: `5293a1e6601be761a46e9dd049f3d0035d2e30802cb1ab6663a95d1b1db2f3e1`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ЭтаКнига" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Option Explicit Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean) Application.Calculate modThisWorkbook.ThisWorkbook_Workbook_BeforeSave On Error GoTo ErrHandler Dim status As Integer status = ThisWorkbook.CustomDocumentProperties("Status") If status > 2 Then MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name Cancel = True GoTo cleanUp End If GoTo cleanUp ErrHandler: MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name cleanUp: End Sub Private Sub Workbook_Open() modThisWorkbook.ThisWorkbook_Workbook_Open End Sub Private Sub Workbook_BeforePrint(Cancel As Boolean) modThisWorkbook.ThisWorkbook_Workbook_BeforePrint End Sub Attribute VB_Name = "modChange" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Option Base 1 Option Explicit ' Инструкция Public Sub WsInstrChange(Target As Range) If Target.Interior.ColorIndex = colorYellow Then Application.ThisWorkbook.Sheets(gstrInstructionSheetName).cmdApplyContactChanges.Enabled = True Application.ThisWorkbook.Sheets(gstrInstructionSheetName).cmdApplyContactChanges.Visible = True End If End Sub ' Титульный Public Sub WsTitChange(Target As Range) On Error GoTo ErrWsTitChange Dim wbBook As Workbook Dim wsTechSheet As Worksheet Dim wsSheet As Worksheet Dim wsTempSheet As Worksheet Dim wsHypSheet As Worksheet Dim wsCommentsSheet As Worksheet Dim intCounter As Integer Dim intVisibleSheetArray As Integer ' отображать /-1/ или нет /2/ листы /заданные списком/ Dim intVisibleSheetHyp As Integer ' отображать /-1/ или нет /2/ лист Ссылки на публикации Dim intNumStartRowForCheck As Integer Dim intNumEndRowForCheck As Integer Dim strMOName As String Dim strMRName As String Dim strOKTMOValue As String Dim strNameSheetArray(2) As String Dim rngRange As Range Dim rngRangeOne As Range Dim rngRangeTemp As Range Dim ISect blnValueEnableEvents = Application.EnableEvents blnValueScreenUpdating = Application.ScreenUpdating Application.EnableEvents = False Application.ScreenUpdating = False Set wbBook = Me.parent Set rngRange = wbBook.Names("MR_LIST").RefersToRange Set wsTechSheet = rngRange.parent Set wsSheet = Target.parent Set wsHypSheet = wbBook.Sheets(gstrHyperlinkSheetName) Set wsCommentsSheet = wbBook.Sheets(gstrCommentsSheetName) ' Какой сайт Set ISect = Application.Intersect(Target, wsSheet.Range("strPublication")) If Not ISect Is Nothing Then strNameSheetArray(1) = "ХВС доступ" strNameSheetArray(2) = "Ссылки на публикации" Set wsTempSheet = wbBook.Sheets(strNameSheetArray(2)) wsTempSheet.Activate modServiceModule.UNPROTECT_SHEET wsTempSheet ' остальные листы If InStr(LCase(Target.cells(1, 1).Value), "на сайте регулирующего органа") Then intVisibleSheetArray = -1 intVisibleSheetHyp = -1 wsTempSheet.Range("checkBC_2").Rows(1).EntireRow.Hidden = True wsTempSheet.Range("checkBC_2").Rows(1).Interior.ColorIndex = colorWhite wsTempSheet.Range("checkBC_2").Rows(1).Locked = True wsTempSheet.cells(wsTempSheet.Range("checkBC_2").cells(2, 1).Row, _ wsTempSheet.Range("Consecutive_number").cells(1, 1).Column).Value = "1.1" If InStr(wbBook.Names("region_name").RefersToRange.Value, strExceptionsRe ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.