Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6ecaffb8c341aa96…

MALICIOUS

Office (OLE)

Size: 42.0 KB · Created: 2002-02-08 00:21:04 · Authoring application: Microsoft Excel · First seen: 2021-06-13
MD5: 8b8502e1d4aff1387a85ffadc0cebec5 SHA-1: 741eea58dd21739f82fa386d51fd860cf517e6a6 SHA-256: 6ecaffb8c341aa96293893e7c8ef3f4458065eb18c5a1749f61f1cf8105e374b
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic); T1204.002 (Malicious File); T1059 (Command and Scripting Interpreter)

The file is an Excel document containing VBA macros. An Auto_Open macro is present and makes a Shell() call, indicating the document is designed to execute arbitrary commands when it is opened. This is a common technique for downloading and executing further malicious payloads.

Heuristics 5

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6693 bytes
SHA-256: a6c00c7587b18094a2cd823f29e07008e9f4a53b8c5c645e51f5c13316f2bcb3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Workbook document module. In this export it carries only VB_* attributes and
' no procedures; its VB_Base class GUID differs from the one on the three
' sheet modules below.

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 document module: attributes only, no procedures in this export.

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet2 document module: attributes only, no procedures in this export.

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet3 document module: attributes only, no procedures in this export.
' All executable code in this listing lives in Module1, which follows.

Attribute VB_Name = "Module1"
' Registry constants used by the advapi32 declarations below. Only the root
' key, the REG_SZ value type and the KEY_* access-right masks are defined
' here; how SetRegistry uses them is not visible in this excerpt.
Public Const HKEY_LOCAL_MACHINE = &H80000002
Public Const REG_SZ = 1

' Individual KEY_* access rights, listed in ascending bit order.
Public Const KEY_QUERY_VALUE = &H1
Public Const KEY_SET_VALUE = &H2
Public Const KEY_CREATE_SUB_KEY = &H4
Public Const KEY_ENUMERATE_SUB_KEYS = &H8
Public Const KEY_NOTIFY = &H10
Public Const KEY_CREATE_LINK = &H20
Public Const STANDARD_RIGHTS_ALL = &H1F0000
Public Const SYNCHRONIZE = &H100000

' Full-access mask: STANDARD_RIGHTS_ALL plus every KEY_* right above, with the
' SYNCHRONIZE bit masked off.
Public Const KEY_ALL_ACCESS = ((STANDARD_RIGHTS_ALL Or KEY_QUERY_VALUE Or KEY_SET_VALUE _
    Or KEY_CREATE_SUB_KEY Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY Or KEY_CREATE_LINK) _
    And (Not SYNCHRONIZE))

' Win32 registry APIs imported from advapi32.dll via their ANSI ("A") entry
' points. Note that only open/query/close functions are declared here; no
' RegSetValue/RegCreateKey import appears in this excerpt. The same
' RegQueryValueExA entry point is declared twice so the output buffer can be
' passed either As Any or As String.
Public Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _
    (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, _
    lpType As Long, ByVal lpData As Any, lpcbData As Long) As Long

' String-buffer variant: when lpData is declared As String it must be passed ByVal.
Public Declare Function RegQueryValueExStr Lib "advapi32.dll" Alias "RegQueryValueExA" _
    (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, _
    lpType As Long, ByVal lpData As String, lpcbData As Long) As Long

Public Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" _
    (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, _
    ByVal samDesired As Long, phkResult As Long) As Long

Public Declare Function RegCloseKey Lib "advapi32.dll" _
    (ByVal hKey As Long) As Long
Sub Auto_Open()
' Legacy auto-exec entry point: Excel runs this automatically when the
' workbook is opened (the OLE_VBA_AUTO finding in the report refers to it).
' Errors are suppressed for the whole sub, so a failure inside SPInstall does
' not stop SetRegistry from running afterwards. SPInstall begins further down
' in Module1; SetRegistry is not visible in this excerpt, and neither are the
' Shell()/CreateObject calls the heuristics report (the preview is truncated).
On Error Resume Next

Call SPInstall
Call SetRegistry
End Sub
Sub SPInstall()
On Error Resume Next

Dim newButton As CommandBarButton

Dim bSigmaPlot As Boolean
bSigmaPlot = False

Dim spButtonCheck As CommandBarControl
Dim spCommandbar As CommandBarControl

Set spCommandbar = CommandBars("Worksheet Menu Bar").Controls("Insert")
Set spCommandbar = CommandBars(1).Controls(4)      'add this line for foreign OS

For Each spButtonCheck In spCommandbar.Controls
If spButtonCheck.Caption = "SigmaPlot Graph" Then
    bSigmaPlot = True
    
    'enable button for XP OS
    spButtonCheck.Enabled = True
    Application.CommandBars("Standard").Controls(20).Enabled = True
    
    'If in embedded mode, disable the sigmaplot buttons
    If Application.Visible = False Then
        spButtonCheck.Enabled = False
        Application.CommandBars("Standard").Controls(20).Enabled = False
    End If
End If
Next

If bSigmaPlot = False Then
    Set newButton = CommandBars("Worksheet Menu Bar").Controls("Insert").Controls.Add
    Set newButton = CommandBars(1).Controls(4).Controls.Add        'add this line for foreign OS
    newButton.Move before:=8
    newButton.Caption = "SigmaPlot Graph"
    ThisWorkbook.Sheets(1).DrawingObjects("Sigma").Copy
    newButton.PasteFace
    newButton.OnAction = ThisWorkb
... (truncated)