Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8abe5c798b56f5fe…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 372.5 KB
Created: 2007-03-13 10:04:27
Authoring application: Microsoft Excel
First seen: 2020-09-24
MD5: 236ae7570355447fef1f82e02c67db2a
SHA-1: d6d1cc3b907bd2b6a53fe70fd66d3f07392896ba
SHA-256: 8abe5c798b56f5fe4909e79f7b4b72b0b621a68a667065872befc5d2bed908dd
Risk Score: 212

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This Excel file contains obfuscated VBA macros, including a Workbook_Open auto-exec loader that uses CreateObject and execution sinks. The macros appear to be designed to download and execute a second-stage payload. The document body content relates to tax reporting, suggesting a lure for financial fraud or tax evasion.

Heuristics (8)

  • VBA macros detected (medium; 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/2001/XMLSchema (In document text, OLE body)
    • http://www.w3.org/2001/XMLSchema-instance (In document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 104133 bytes
SHA-256: df3cc41c0df40bba3dcfb8ad93ad0ec0f1a8df09b8f80a8f91c9fadc2e87b14e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Image1, 12, 0, MSForms, Image"
Attribute VB_Control = "VCommandButton1, 9, 1, MSForms, CommandButton"
Attribute VB_Control = "eDoc, 11, 2, MSForms, ComboBox"

Private Sub eDOC_Change()
  'Change the document form and highlight/shade the required fields
  Dim J_F As String, nc_doc As String
On Error GoTo handle_err
  c_doc = GetValFromExcel("C4")
  J_F = Left(c_doc, 1)
  nc_doc = Mid(c_doc, 2, 5)
  
  Call PrepareDoc(J_F, nc_doc)
  
On Error GoTo 0
  Exit Sub

handle_err:
  Call MsgBox(Err.Description, vbCritical + vbOKOnly)
End Sub

'Prepare the input form depending on the current document code
Private Sub PrepareDoc(J_F As String, nc_doc As String)
  Call HiddenAllHRanges
  
  Select Case J_F
    Case "F"
      Call NameRangeShowRows("DOC_01_151")
      Call NameRangeShowRows("DOC_04_F")
    
    Case "J"
      Select Case nc_doc
        Case "02151"
          Call NameRangeShowRows("DOC_01_151")
        Case "02092"
          Call NameRangeShowRows("DOC_01_092")
        Case "02942"
          Call NameRangeShowRows("DOC_01_942")
        Case "02851"
          Call NameRangeShowRows("DOC_01_851")
      End Select
      
      Call NameRangeShowRows("DOC_04_J")
      
  End Select
  
End Sub

' Hide all named ranges that are hidden or shown
Private Sub HiddenAllHRanges()
  Call NameRangeHideRows("DOC_01_151")
  Call NameRangeHideRows("DOC_01_092")
  Call NameRangeHideRows("DOC_01_942")
  Call NameRangeHideRows("DOC_01_851")
  
  Call NameRangeHideRows("DOC_04_J")
  Call NameRangeHideRows("DOC_04_F")

  '...
End Sub
'Procedure that shows the specified range
Private Sub NameRangeShowRows(NameRange As String)
  Dim rng As Range
  
  Application.GoTo NameRange
  Set rng = Selection
  rng.Rows.Hidden = False
End Sub
'Procedure that hides the specified range
Private Sub NameRangeHideRows(NameRange As String)
  Dim rng As Range
  
  Application.GoTo NameRange
  Set rng = Selection
  rng.Rows.Hidden = True
End Sub

Private Sub VCommandButton1_Click()
  If Worksheets("список").Visible = xlSheetVisible Then
    Worksheets("список").Visible = xlSheetHidden
  Else
    Worksheets("список").Visible = xlSheetVisible
  End If
End Sub

Attribute VB_Name = "Module1"
Private lTypes As XSDTypeList
Private blockLen As Long

'Build the full name of the document code
Function FormFullNameDoc(c_doc As String)
  sFullCodDoc = c_doc + "09"
  FormFullNameDoc = sFullCodDoc
End Function

'Set up the list of fields for the current document
Private Function SettingListXSDTypes() As XSDTypeList
  Set SettingListXSDTypes = CreateXSDTypeList()
  doc = GetValFromExcel("C4")
  
  SettingListXSDTypes.Add "HZ", "CH", "G7", "H"
  SettingListXSDTypes.Add "HZN", "CH", "G8", "H"
  SettingListXSDTypes.Add "HZU", "CH", "G9", "H"
  
  If doc = "J02092" Then
    SettingListXSDTypes.Add "HSG", "CH", "DOC_01_092.(3,8)", "H"
    SettingListXSDTypes.Add "HLG", "CH", "DOC_01_092.(4,8)", "H"
    SettingListXSDTypes.Add "HRB", "CH", "DOC_01_092.(5,8)", "H"
  End If
  
  SettingListXSDTypes.Add "HZY", "I", "C39", "H", True
  SettingListXSDTypes.Add "HZKV", "I", "D39", "H"
  SettingListXSDTypes.Add "HZM", "I", "E39", "H"
  SettingListXSDTypes.Add "HZYP", "I", "C42", "H"
  SettingListXSDTypes.Add "HZKVP", "I", "D42", "H"
  SettingListXSDTypes.Add "HZMP", "I", "E42", "H"
  
  If doc = "F02151" Then
    Sett
... (truncated)