Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6fa436fb7ffa4dd2…

MALICIOUS

Office (OLE)

719.5 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2020-05-25
MD5: ab1f2dc54c89ae49afb7004d87e734de SHA-1: d30ceabd921f88662eccd43485c98995fbf1f37b SHA-256: 6fa436fb7ffa4dd2b1fc8a18321a0349c00989203993db2b90c2100713560858
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The file is an Excel document containing VBA macros that trigger an embedded PE executable. Heuristics indicate the use of Windows API functions like VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, commonly used by malware to load and execute payloads. The presence of an embedded executable strongly suggests the document's purpose is to download and run a secondary malicious component.

Heuristics 7

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA project contains no executable statements low 1 related finding OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2384 bytes
SHA-256: c3df04bae2ac770a14fe97de9a760e763f2e9fe0ada8e80525887e509c0003ae
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
                                                                                                                                                                                                                                                                                                                                                                          
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4518CCDC-4935-4A4A-9A66-D42BCAC9B512}{81F65DA7-83B9-48A3-BA3C-A74F7F675D03}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module2"
                                                                                                                                                                                                                                                                                                                                                    
Attribute VB_Name = "Module3"



Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{BC421EBD-ABE3-4B18-85AC-0FE24D10C6DF}{B78B465E-6745-493B-87E4-69EA6C785F7D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
embedded_office_00003186.exe embedded-pe Office MZ+PE at offset 0x3186 724090 bytes
SHA-256: ffe88afa42e8e4170497c8bbdcc167120bb52111ebe92210f03c4d5b537eaf57
ole10native_00.bin ole-package OLE Ole10Native stream: MBD005ECF78/Ole10Native 465961 bytes
SHA-256: a8495e5a8c78ae12825a93827d035cfd0943d668f08bb1749685155e912f29fc