Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a2d327662c3197a8…

MALICIOUS

Office (OLE)

125.5 KB Created: 2005-03-19 08:55:46 Authoring application: Microsoft Excel First seen: 2015-10-02
MD5: c431cd39cf0fe213b9dbefcd7b5cacb4 SHA-1: 5bdcc408306ee4433892dea30d6dfc1d7564b1a0 SHA-256: a2d327662c3197a8d9c553be5067af46065c4cdbb415ed3b651a0e0a26c29c8f
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains critical heuristic firings indicating legacy Excel Formula Macro Virus markers, specifically mentioning 'Classic.Poppy by VicodinES' and 'The Narkotic Network'. It also contains VBA macros. The document body is an athlete registration form, likely a lure to encourage users to enable macros. The presence of XLM macros and VBA code suggests an attempt to download and execute a second-stage payload or establish persistence.

Heuristics 3

  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3795 bytes
SHA-256: 0bea8d8765df665c0b6a646cb3e4615d12744abf23a27ccbf29696be759378c3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_BeforeDoubleClick(ByVal Target As Range, Cancel As Boolean)

If ActiveSheet.ProtectContents Then
If ActiveCell.Interior.ColorIndex <> 15 Then
If ActiveCell.Locked Then
   Else
   If ActiveCell.Column > 3 Then
      adr = ActiveCell.Row
      adc = ActiveCell.Column
      If ActiveCell.Value = "√" Then
         ActiveCell.FormulaR1C1 = ""
         Else
         ActiveCell.FormulaR1C1 = "√"
         ydyxms = 0
         If Application.Sheets("Sheet2").Cells(adr, adc).Value <> 1 Then
            For adci = 5 To Application.Sheets("Sheet2").Cells(adr, 2).Value
                If Application.Sheets("Sheet2").Cells(adr, adci).Value <> 1 And Application.Sheets("运动员报名表").Cells(adr, adci).Value = "√" Then
                   ydyxms = ydyxms + 1
                End If
            Next adci
            If ydyxms > Application.Sheets("Sheet2").Cells(adr, 4).Value Then
               MsgBox "当前运动员报名项目数超过规定!", vbInformation, "运动会报名"
               Application.Sheets("运动员报名表").Cells(adr, adc).Value = ""
               Else
               ydyxms = 0
               For adri = adr + 1 To adr + 100
                   If Application.Sheets("运动员报名表").Cells(adri, adc).Value = "√" Then
                      ydyxms = ydyxms + 1
                      Else
                      If Application.Sheets("运动员报名表").Cells(adri, adc).Value <> "" Then
                         Exit For
                      End If
                   End If
               Next adri
               For adrii = 1 To 100
                   If Application.Sheets("运动员报名表").Cells(adr - adrii, adc).Value = "√" Then
                      ydyxms = ydyxms + 1
                      Else
                      If Application.Sheets("运动员报名表").Cells(adr - adrii, adc).Value <> "" Then
                         Exit For
                      End If
                   End If
               Next adrii
               If ydyxms + 1 > Application.Sheets("Sheet2").Cells(adr, 3).Value Then
                  MsgBox "当前项目报名的运动员人数超过规定!", vbInformation, "运动会报名"
                  Application.Sheets("运动员报名表").Cells(adr, adc).Value = ""
               End If
               
            End If
         End If
         

      End If
      Cells(adr, 2).Select
   End If
End If
End If
End If


End Sub

Private Sub Worksheet_SelectionChange(ByVal Target As Range)
If ActiveSheet.ProtectContents Then
If ActiveCell.Interior.ColorIndex <> 15 Then
If ActiveCell.Locked Then
   Else
   If ActiveCell.Column > 3 Then
      If ActiveCell.Value <> "√" And ActiveCell.Value <> "" Then
         ActiveCell.FormulaR1C1 = ""
      End If
   End If
End If
End If
End If
End Sub

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.