Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c657771f0db400d…

MALICIOUS

Office (OLE)

Size: 49.5 KB
Created: 2018-09-27 05:48:59
Authoring application: Microsoft Excel
First seen: 2019-06-27
MD5: 1a71ebdae3ce039fe27be0c856cf0525
SHA-1: 96ebd2d2e81b101f35791d078eb1b9bb0a824897
SHA-256: 6c657771f0db400ddc5824ff0fca000f16e86aa51e49390d11683e29fbb2f65f
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This Excel file contains heavily obfuscated VBA macros, including a Workbook_Open event and CreateObject calls, indicative of a loader. The presence of XLM macros further suggests a multi-stage attack. The ClamAV detection name 'Doc.Malware.Sload-6699713-0' points towards a known malware family, likely a downloader or dropper.

Heuristics 8

  • ClamAV: Doc.Malware.Sload-6699713-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Sload-6699713-0
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call (severity: high, rule: OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 228 bytes
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a
First 1,000 lines of the extracted script
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Top
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9277 bytes
SHA-256: 7acbcab01642d7fa21477bac8a7b6b260413c7c5f4b4f06e37c805e9b803e85f
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub LoadAndPrintBoard()
Dim CurrentBoardMember As CEmployee
Dim PrintBoardMember As CEmployee
Dim arrayBoardMemebrs() As CEmployee
Dim WSBoardMembers As Worksheet
Dim lngTotalRecords As Long
Dim lngRecordCounter As Long
Dim strFullNameAndTitle As String
Set WSBoardMembers = Worksheets(“EmployeeInfo.xlsm”)
lngTotalRecords = WSBoardMembers.UsedRange.Rows.Count
For lngRecordCounter = 1 To lngTotalRecords
Set CurrentBoardMember = New CEmployee
CurrentBoardMember.FirstName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 1), WSBoardMembers.Cells(lngRecordCounter, 1)).Value
CurrentBoardMember.LastName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 2), WSBoardMembers.Cells(lngRecordCounter, 2)).Value
CurrentBoardMember.Title = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 3), WSBoardMembers.Cells(lngRecordCounter, 3)).Value
ReDim Preserve arrayBoardMemebrs(1 To lngRecordCounter)
Set arrayBoardMemebrs(lngRecordCounter) = CurrentBoardMember
Set CurrentBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set PrintBoardMember = arrayBoardMemebrs(lngRecordCounter)
Debug.Print PrintBoardMember.EmployeeFullInfo()
Set PrintBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set arrayBoardMemebrs(lngRecordCounter) = Nothing
Next lngRecordCounter
Set WSBoardMembers = Nothing

End Sub
Private pWorkLogItems As Collection

Public Property Get WorkLogItems() As Collection
    Set WorkLogItems = pWorkLogItems
End Property

Public Property Set WorkLogItems(lWorkLogItem As Collection)
    Set pWorkLogItems = lWorkLogItem
End Property

Function GetHoursWorked(strPersonName As String) As Double
    On Error GoTo Handle_Errors
    Dim wli As WorkLogItem
    Dim doubleTotal As Double
    doubleTotal = 0
    For Each wli In WorkLogItems
        If strPersonName = wli.PersonName Then
            doubleTotal = doubleTotal + wli.HoursWorked
        End If
    Next wli

Exit_Here:
    GetHoursWorked = doubleTotal
        Exit Function

Handle_Errors:
        'You will probably want to catch the error that will '
        'occur if WorkLogItems has not been set '
        Resume Exit_Here


End Function
Sub CalculateRunTime_Minutes()
Dim StartTime As Double
Dim MinutesElapsed As String
StartTime = Timer
  MinutesElapsed = Format((Timer - StartTime) / 86400, "hh:mm:ss")
  MsgBox "This code ran successfully in " & MinutesElapsed & " minutes", vbInformation
End Sub
Sub Advanced_Filtering()

CriteriaLastRow = 4 'Last Row you have in the Criteria range

For i = 3 To CriteriaLastRow 'Loops through until the last Row
  RowsCount = Application.WorksheetFunction.CountA(Range("C" & i & ":F" & i))
  If RowsCount = 0 Then CriteriaRowsSet = i - 1 Else CriteriaRowsSet = CriteriaLastRow 'Checks to see if any row returns 0 and sets it to the row above's number
Next i

Range("C6:F23").AdvancedFilter _
Action:=xlFilterInPlace, _
CriteriaRange:=Range("C2:F" & CriteriaRowsSet), _ CopyToRange:=Sheets("Sheet2").Range("A1:D1")

End Sub
Sub SolverMacro()
' Example Solver VBA Macro
    SolverReset
    SolverOk SetCell:="$B$24", _
             MaxMinVal:=2, _
             ValueOf:="0", _
             ByChange:="$B$16:$B$17"
    SolverSolve userFinish:=True
End Sub
Function Pos_nonalpha() As Integer
  'posted misc 2001-07-23 David McRitchie
  Dim i As Integer
  For i = 1 To Len(cell)
    Dim Number
    Select Case Asc(Mid(cell, i, 1))
        Case 0 To 64, 91 To 96, 123 To 191
           Pos_nonalpha = i
           Exit Function
        End Select
  Next i
  Pos_nonalpha = 0
End Function
Function AgeInYears(start_date As Variant, end_date As Variant) As
... (truncated)