Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a409829ba53ecdab…

MALICIOUS

Office (OLE)

Size: 20.5 KB
Created: 2000-04-14 11:24:22
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 482d32236b8842f94e7f8550140f7777
SHA-1: e68b383a5eab67020f2da9b550ef4d7170ad37ad
SHA-256: a409829ba53ecdab3d8394f2ff68c9d15f3885b01a09f816973dddac4695e2c5
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel spreadsheet containing a malicious VBA macro. It uses an Auto_Open macro, a common technique for gaining initial execution as soon as the workbook is opened. The macro body is heavily obfuscated, but the declaration of the 'ExitWindowsExec' API (a legacy 16-bit User-library call that restarts Windows and launches the executable passed to it) indicates an attempt to execute arbitrary code. The ClamAV detection name 'Xls.Dropper.Corona-10006205-1' further points to dropper functionality, most likely downloading and executing a second-stage payload.

Heuristics (3)

  • ClamAV: Xls.Dropper.Corona-10006205-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Corona-10006205-1
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high; rule: OLE_VBA_AUTO)
    Auto_Open macro runs automatically when the workbook is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17515 bytes
SHA-256: 18b6fda3d26a8bba3ef188abe19a321cb08928cb63ee51fc88b3d2c5fc9947dd

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PTH"



Declare Function ExitWindowsExec Lib "User" (ByVal lpszExe As String, ByVal lpszParams As String) As Integer
[The remainder of the decoded module consists of non-printable and garbled bytes; the only recoverable content is repeated fragments of the ExitWindowsExec declaration and the VB_Name = "PTH" attribute.]
... (truncated)