Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8eb691cc2a15f036…

MALICIOUS

Office (OLE)

Size: 131.5 KB
Created: 2008-03-01 17:19:58
Authoring application: Microsoft Excel
First seen: 2016-09-01
MD5: 159f78b14e6a7cdec0169124d92dda9b
SHA-1: 66740f1c26109a067529df91a4d0d828d7ec2821
SHA-256: 8eb691cc2a15f036fe875aa933f28c3e9f4285abbc6163e8252b91a9b3e4e588
Risk Score: 270

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic), T1204.002 (Malicious File)

The VBA macro within the Excel file is designed to execute automatically upon opening the workbook, leveraging WScript.Shell to download content from 'http://socalscioly.org/?tab=home&page=bridgeb'. The script attempts to create an HTTP object using MSXML2.XMLHTTP or MSXML.XMLHTTPRequest to fetch content, indicating a downloader or initial stage of a multi-stage attack. The presence of WScript.Shell and obfuscated shell commands strongly suggests malicious intent.

Heuristics 8

  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
        Set objShell = CreateObject("Wscript.Shell")
  • Obfuscated VBA Shell command with URL [critical] OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script:
        Set objShell = CreateObject("Wscript.Shell")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set oHttp = CreateObject("MSXML2.XMLHTTP")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
        Private Sub Workbook_Open()
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://socalscioly.org/?tab=home&page=bridgeb (referenced by macro)
    • http://soinc.org (referenced by macro)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2929 bytes
SHA-256: 60c50b447f89b044b727e71f3daf0318bb423d81b8aba3123a6f7b3af4bc1a58
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()

Dim sURL As String
Dim sHTML As String
Dim oHttp As Object
Dim lStart As Long
Dim lEnd As Long
Dim Version As String
Dim lFoundVer As Long
Dim intMessage As Integer
Dim objShell As Object

Version = " 1"
sURL = "http://socalscioly.org/?tab=home&page=bridgeb"
sURLdownload = "http://soinc.org"

On Error Resume Next
Set oHttp = CreateObject("MSXML2.XMLHTTP")
If Err.Number <> 0 Then
    Set oHttp = CreateObject("MSXML.XMLHTTPRequest")
End If
On Error GoTo 0
If oHttp Is Nothing Then
    Exit Sub
End If

On Error GoTo NoConnection
oHttp.Open "GET", sURL, False
oHttp.Send
On Error GoTo 0
sHTML = oHttp.responsetext

'vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
'NOTE!!!!!  IF YOU ARE SEEING THIS SCREEN ALONG WITH THIS ERROR MESSAGE:
'
'"COMPILE ERROR: CAN'T FIND PROJECT OR LIBRARY"
'
'HERE ARE THE STEPS TO RESOLVE THE ERROR (ONLY NEEDS TO BE DONE ONCE PER MACHINE)
'
'1. Clear the error by pressing END or the square stop/reset icon in the toolbar above
'2. Click on the Tools menu above then select the References option
'3. Look at the items that have checks next to them and one (or more) should say:
'ÒMissing:Ó. Uncheck that one (or more).
'4. Click on Ok, then Save and close this VBA window
'^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

lStart = InStr(1, sHTML, "Current version:", vbTextCompare)
lEnd = InStr(lStart, sHTML, "2015", vbTextCompare)
'intMessage = MsgBox("This is running")
If (lStart <> 0) And (lEnd <> 0) Then
    sHTML = Mid(sHTML, lStart, lEnd - lStart)
    lFoundVer = InStr(1, sHTML, Version, vbTextCompare)
    If lFoundVer = 0 Then
        Set objShell = CreateObject("Wscript.Shell")
        intMessage = MsgBox("A newer version of the scoresheet is available.  Would you like to go to the project website to download it?", vbYesNo, "Newer Version Available")
        If intMessage = vbYes Then
            objShell.Run (sURLdownload)
        End If
        Set objShell = Nothing
    End If
End If

Set oHttp = Nothing
Exit Sub

NoConnection:

Set oHttp = Nothing

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Macro1()
Attribute Macro1.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro1 Macro
'

'
End Sub