Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66a143a574099e64…

MALICIOUS

Office (OLE)

Size: 261.5 KB  Created: 2019-08-30 09:14:50  Authoring application: Microsoft Excel  First seen: 2020-02-04
MD5: 3b69c9425493408b05c3c8a9c07aabfd SHA-1: 81e4f81fa86bb7e7f137dac10690e13f42f14e7d SHA-256: 66a143a574099e64d554ce6c8d0f610ce331c57744dc2c7969062d142c386950
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is an Office document containing an embedded PE executable, indicating a likely attempt to deliver a secondary payload. While the VBA macros themselves contain no executable statements, the presence of the embedded executable and a reference to the VirtualAlloc API strongly suggests that the document is designed to drop and execute this embedded file. The overall intent appears to be the execution of a malicious payload, likely delivered via spearphishing.

Heuristics (3)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments and no executable statements.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1099 bytes
SHA-256: ed9902d3733f813ae9a7166bf8a52479490064df05a04e3ad07affaf0b8a90c2
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "l1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "bb"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A09C7AA7-2425-484A-A217-44D76214A310}{C6DEB22C-F0C7-4B39-A094-FEA7943DEA2F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm
embedded_office_0001b75f.exe embedded-pe Office MZ+PE at offset 0x1B75F 155297 bytes
SHA-256: 85d8b378d98e79b36043e09be33e065285821fcf98f9294ebb59a2c5ab1e3b39
ole10native_00.bin ole-package OLE Ole10Native stream: MBD0044C346/Ole10Native 156297 bytes
SHA-256: b3d6943736af7cf63d81d3096feac4b2e7db4813628f4caf5f41d9fbba258b1a