Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9210534caaf76026…

MALICIOUS

Office (OLE)

Size: 103.7 KB
Authoring application: Microsoft Excel
First seen: 2015-09-18
MD5: 45683375cb148535f903a0e65e5cf3a0
SHA-1: e5be1c15050bfaf2c3b60c4a87efa11e32cae5aa
SHA-256: 9210534caaf76026533d30ed4c3dce3df022e66d20c67bc49846c81c84cd5d05
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The file is an Office document containing a VBA project. Heuristics indicate the presence of XOR-encoded strings (Windows API names under a single-byte key) and a reference to the VirtualAlloc API, which malware commonly uses to allocate executable memory for a payload. Although the extracted VBA source itself contains no executable statements, the encoded API names and the VirtualAlloc reference suggest an attempt to obfuscate and execute a secondary malicious component, most likely a downloader.

Heuristics (3)

  • XOR-encoded strings (key 0xDE) [critical, SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with the single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
    Disassembly: attempted x86 opcode disassembly of the encoded region
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    The sample contains a reference to the VirtualAlloc API.
  • VBA project contains no executable statements [low, OLE_VBA_MACROS]
    The document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True