Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6023264ef7750dce…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 131.5 KB
Created: 2008-03-01 17:19:58
Authoring application: Microsoft Excel
First seen: 2016-09-01
MD5: 5c4b6a8efa9f571c1af8e7cc05269e81
SHA-1: 063dce89e33e7593597023a79da4f766dcbc5466
SHA-256: 6023264ef7750dce20b23a5a54ad830b898c03b5cc6438167f7dd786c70bf815
Risk score: 270

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is an Excel document containing VBA macros that execute upon opening. The Workbook_Open macro attempts to download content from 'http://socalscioly.org/?tab=home&page=bridgeb' and potentially execute it using WScript.Shell. The macro also references 'http://soinc.org' and exhibits obfuscation, indicating downloader or dropper functionality.

Heuristics (8)

  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
        Set objShell = CreateObject("Wscript.Shell")
  • Obfuscated VBA Shell command with URL (critical) OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script:
        Set objShell = CreateObject("Wscript.Shell")
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set oHttp = CreateObject("MSXML2.XMLHTTP")
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro (low) OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
        Private Sub Workbook_Open()
  • Reference to Windows Script Host (high) SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://socalscioly.org/?tab=home&page=bridgeb  (Referenced by macro)
      • http://soinc.org  (Referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  2929 bytes
SHA-256: 60c50b447f89b044b727e71f3daf0318bb423d81b8aba3123a6f7b3af4bc1a58

Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()

Dim sURL As String
Dim sHTML As String
Dim oHttp As Object
Dim lStart As Long
Dim lEnd As Long
Dim Version As String
Dim lFoundVer As Long
Dim intMessage As Integer
Dim objShell As Object

Version = " 1"
sURL = "http://socalscioly.org/?tab=home&page=bridgeb"
sURLdownload = "http://soinc.org"

On Error Resume Next
Set oHttp = CreateObject("MSXML2.XMLHTTP")
If Err.Number <> 0 Then
    Set oHttp = CreateObject("MSXML.XMLHTTPRequest")
End If
On Error GoTo 0
If oHttp Is Nothing Then
    Exit Sub
End If

On Error GoTo NoConnection
oHttp.Open "GET", sURL, False
oHttp.Send
On Error GoTo 0
sHTML = oHttp.responsetext

'vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
'NOTE!!!!!  IF YOU ARE SEEING THIS SCREEN ALONG WITH THIS ERROR MESSAGE:
'
'"COMPILE ERROR: CAN'T FIND PROJECT OR LIBRARY"
'
'HERE ARE THE STEPS TO RESOLVE THE ERROR (ONLY NEEDS TO BE DONE ONCE PER MACHINE)
'
'1. Clear the error by pressing END or the square stop/reset icon in the toolbar above
'2. Click on the Tools menu above then select the References option
'3. Look at the items that have checks next to them and one (or more) should say:
'ÒMissing:Ó. Uncheck that one (or more).
'4. Click on Ok, then Save and close this VBA window
'^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

lStart = InStr(1, sHTML, "Current version:", vbTextCompare)
lEnd = InStr(lStart, sHTML, "2015", vbTextCompare)
'intMessage = MsgBox("This is running")
If (lStart <> 0) And (lEnd <> 0) Then
    sHTML = Mid(sHTML, lStart, lEnd - lStart)
    lFoundVer = InStr(1, sHTML, Version, vbTextCompare)
    If lFoundVer = 0 Then
        Set objShell = CreateObject("Wscript.Shell")
        intMessage = MsgBox("A newer version of the scoresheet is available.  Would you like to go to the project website to download it?", vbYesNo, "Newer Version Available")
        If intMessage = vbYes Then
            objShell.Run (sURLdownload)
        End If
        Set objShell = Nothing
    End If
End If

Set oHttp = Nothing
Exit Sub

NoConnection:

Set oHttp = Nothing

End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Macro1()
Attribute Macro1.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro1 Macro
'

'
End Sub