Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 96467efb8f469ad1…

MALICIOUS

Office (OLE)

Size: 60.5 KB
Created: 1998-01-23 23:57:24
Authoring application: Microsoft Excel
First seen: 2020-09-24
MD5: 623858f9aab9a3cb6bd5e581029fb5c1
SHA-1: 71b3aad8d77e8151fe182d901d5ddd8e0d6becf5
SHA-256: 96467efb8f469ad131c5553c6a4f9c9c86abfd37219173b323545ec95549e327
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains a VBA macro with an Auto_Open subroutine that references ShellExecute, indicating an attempt to execute arbitrary code. The macro is likely designed to download and execute a second-stage payload from one of the embedded URLs. The ClamAV detection 'Doc.Dropper.Agent-6342201-0' further supports its malicious nature as a dropper.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6342201-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6342201-0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
    Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://j-walk.com/ss — In document text (OLE body)
    • http://www.j-walk.com/ss — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3026 bytes
SHA-256: f5c7a9278384d8d80534519319e60f7b50c38b785d97034b1da6a1a7484a8170
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
'   If StartDay is blank, enter the next Monday
    Set StartDay = Sheets("TimeSheet").Range("StartDay")
    If IsEmpty(StartDay) Then
        StartDay.Value = Date
        Do Until WeekDay(StartDay) = 2
            StartDay.Value = StartDay.Value + 1
        Loop
    End If
    
'   If EmployeeName is blank, enter user's name
    Set EmployeeName = Sheets("TimeSheet").Range("EmployeeName")
    If IsEmpty(EmployeeName) Then
        EmployeeName.Value = Application.UserName
    End If
    
End Sub

Sub cbProtectSheet_Click()
Attribute cbProtectSheet_Click.VB_ProcData.VB_Invoke_Func = " \n14"
'   Toggles sheet protection
    If Sheets("TimeSheet").CheckBoxes("cbProtectSheet").Value = xlOn Then
        ActiveSheet.Protect DrawingObjects:=True, Contents:=True
    Else
        ActiveSheet.Unprotect
    End If
End Sub

Sub Clear_Click()
Attribute Clear_Click.VB_ProcData.VB_Invoke_Func = " \n14"
    If ActiveSheet.ProtectContents Then
        ActiveSheet.Unprotect
        Range("Timedata").ClearContents
        ActiveSheet.Protect _
            DrawingObjects:=True, _
            Contents:=True
    Else
        Range("Timedata").ClearContents
    End If
End Sub

Sub Help_click()
Attribute Help_click.VB_ProcData.VB_Invoke_Func = " \n14"
    UserForm1.Show
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub CheckBox1_Click()
Insert: Email
End Sub

Private Sub Email_Click()

End Sub

Private Sub TextBox1_Change()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F251FEAA-CE27-4D58-802E-05209C9844ED}{D5A1DFEC-F095-48F2-8364-5C6D62266B30}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long

Private Sub CommandButton1_Click()
    Unload Me
End Sub

Sub LabelWebSite_Click()
    On Error Resume Next
    Unload Me
    ShellExecute 0&, vbNullString, "http://j-walk.com/ss", vbNullString, vbNullString, vbNormalFocus
    On Error GoTo 0
End Sub