Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a12d93e65ece6f24…

MALICIOUS

Office (OLE)

Size: 2.24 MB
Created: 2004-05-21 07:18:45
Authoring application: Microsoft Excel
First seen: 2020-08-10
MD5: 8440b3b092c4668946df7eb5dbf3f985
SHA-1: b0bae37c3670914013985f6c110319d58b59483d
SHA-256: a12d93e65ece6f24ceed6c8a912469fb23f2391a887226e71282b13aebf4cfa8
Risk score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel document containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The macro uses CreateObject and XMLHTTP, indicating it likely downloads and executes a second-stage payload from one of the embedded URLs. The ClamAV detection 'Xls.Dropper.Agent-7086956-0' further supports its role as a dropper.

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-7086956-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7086956-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://www.support.eias.ru/* | In document text (OLE body)
    • http://www.fstrf.ru/regions/region/showlistL | In document text (OLE body)
    • http://eias.ru/files/shablon/manual_loading_through_monitoring.pdf | In document text (OLE body)
    • http://eias.ru/?page=show_distrs | In document text (OLE body)
    • http://support.eias.ru/… | In document text (OLE body)
    • http://www.imagemagick.orgw9y | In document text (OLE body)
    • http://www.imagemagick.org��Q� | In document text (OLE body)
    • http://support.eias.ru/� | In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid=84687c94-285e-4b12-811b-c388e7014341 | In document text (OLE body)
    • https://eias.fstrf.ru/disclo/get_file?p_guid= | In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid=� | In document text (OLE body)
    • https://eias.fstrf.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | In document text (OLE body)
    • https://tariff.eias.ru/procwsxls/ | In document text (OLE body)
    • https://appsrv02.eias.ru/procwsxls/ | In document text (OLE body)
    • https://appsrv01.eias.ru/procwsxls/ | In document text (OLE body)
    • https://eias.fstrf.ru/procwsxls/� | In document text (OLE body)
    • http://www.fstrf.ru/regions/region/s� | In document text (OLE body)
    • http://www.eias.ru/templates/ | In document text (OLE body)
    • https://tariff.eias.ru/disclo/get_file?p_guid= | In document text (OLE body)
    • https://eias.fstrf.ru/procwsxls/ | In document text (OLE body)
    • http://www.w.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ | In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/ | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Bryansk_Oblast.png�v�r | In document text (OLE body)
    • http://www.imagemagick.org | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Kursk_Oblast.png���� | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Coat_of_Arms_of_Pskov_oblast.png | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Ivanovo_Oblast.png | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Baikonur_seal.png��vY | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Saratov_Oblast.png | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Yaroslavl_Oblast.pngT� | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Kostroma_oblast.gif`+�� | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:TomskOblastFlag.png� | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Ryazan_Oblast.png | In document text (OLE body)
    • http://commons.wikimedia.org/wiki/File:Flag_of_Moscow_Oblast.png/m8Q | In document text (OLE body)
    • http://alrosa.ru/about/production/social/rikk/2012/ | In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1380016 bytes
SHA-256: 25a2c0d2927c0867bb2128f20a13c2fd46fb6bfb807bf82229954ca4339cc115
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    Application.Calculate
    
    modThisWorkbook.ThisWorkbook_Workbook_BeforeSave
    
    On Error GoTo ErrHandler
    
    Dim status As Integer
    status = ThisWorkbook.CustomDocumentProperties("Status")
    If status > 2 Then
      MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
      Cancel = True
      GoTo CleanUp
    End If
    
    GoTo CleanUp

ErrHandler:
    MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name

CleanUp:

End Sub

Private Sub Workbook_Open()
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
  modThisWorkbook.ThisWorkbook_Workbook_BeforePrint
End Sub

Attribute VB_Name = "modChange"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Base 1
Option Explicit

' Instructions sheet
Public Sub WsInstrChange(Target As Range)
  If Target.Interior.ColorIndex = colorYellow Then
    Application.ThisWorkbook.Worksheets(gstrInstructionSheetName).cmdApplyContactChanges.Enabled = True
    Application.ThisWorkbook.Worksheets(gstrInstructionSheetName).cmdApplyContactChanges.Visible = True
  End If
End Sub

' for standard sheets
Public Sub WsGeneralChange(Target As Range)
  On Error GoTo ErrWsGeneralChange
  
  Dim wbBook As Workbook
  
  Dim wsSheet As Worksheet
  Dim wsTehSheet As Worksheet
    
  Dim intNRow As Integer
  Dim intNColumn As Integer
  Dim intRowHeight As Integer
  
  Dim rngCell As Range
  Dim rngRange As Range
  
  Dim ISectTA
  
  Dim blnValueEnableEventsLocal As Boolean
  Dim blnValueScreenUpdatingLocal As Boolean
    
  blnValueEnableEventsLocal = Application.EnableEvents
  blnValueScreenUpdatingLocal = Application.ScreenUpdating
  
  Application.EnableEvents = False
  Application.ScreenUpdating = False

  Set wbBook = Me.parent
  Set wsSheet = Target.parent
    
  modServiceModule.UNPROTECT_SHEET wsSheet
  
  intNRow = Target.cells(1, 1).Row
  intNColumn = Target.cells(1, 1).Column
  
  ' if the sheet is "ХХ цены (2)", the unit-of-measure value must be filled in depending on the fuel type
  If InStr(1, wsSheet.name, "цены (2)") <> 0 Then
    
    If modServiceModule.IsNameExists(ThisWorkbook, "TariffAllowanceApproved") = False Then
      GoTo ErrWsGeneralChange
    Else
      Set ISectTA = Application.Intersect(Target, wsSheet.Range("TariffAllowanceApproved"))
    End If
    
    If Target.cells(1, 1).Interior.ColorIndex = colorCyan And _
       (Not ISectTA Is Nothing) Then
      
      modServiceModule.UNPROTECT_SHEET wsSheet
            
      If Target.cells(1, 1).value = "да" Then
        modServiceModule.RepaintCellsInRange Target.cells(1, 1).Row, 1, _
                                             wsSheet.Range("colorIndexCellsPrice2")
      Else
        modServiceModule.RepaintCellsInRange Target.cells(1, 1).Row, 1, _
                                             wsSheet.Range("colorIndexCellsPrice2").Offset(1, 0)
        wsSheet.Range("colorIndexCellsPrice2").Offset(Target.cells(1, 1).Row - 1, 0).value = vbNullString
      End If
            
      modServiceModule.PROTECT_SHEET wsSheet, True
    End If
  End If
  
  If Target.cells(1, 1).Row > 6 Then
    If Target.MergeCells Then
      modServiceModule.AutoFitMergedCellRowHeight Target
    Else
      Target.cells(1, 1).EntireRow.AutoFit
      intRowHeight = Target.cells(1, 1).RowHeight
  
... (truncated)