Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bfebe1cd49535681…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 251.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-02-04
MD5: 0add4c263ab0e40d87d8f269e740067f
SHA-1: 64280bc2f070fe710c31128e1bf8987648bb65d9
SHA-256: bfebe1cd495356817963cdf48ecb0b05656adfc2696031eef23f90feba3906e5
Risk Score: 88

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Office document that contains an embedded PE executable. The presence of the VirtualAlloc API reference suggests the embedded executable is likely designed to allocate memory for malicious code execution. The VBA macros themselves appear to be empty, but the critical heuristic firing for an embedded PE executable indicates a high likelihood of a second-stage payload being dropped and executed.

Heuristics (3)

  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document; possible embedded executable
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • VBA project contains no executable statements (severity: low, rule: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1179 bytes
  SHA-256: 8dd1db1b7f9f49da68c4496b0be2773b2f4712e367df49ba0cb2687a2528a631

Script preview (first 1,000 lines of the extracted script):

Attribute VB_Name = "wbO"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{54658FBA-83F3-476F-A741-48619E46126D}{F34A0AA4-6EB1-444F-9E5F-E476F3FEE925}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Module2"
'Macro code was removed by Symantec Disarm

Artifact 2
  Filename: embedded_office_00018e19.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x18E19
  Size: 155111 bytes
  SHA-256: 065dd0e1a256e4e46d276c6ed429fe2cbcdd21d3957873b0b6fe96e340685723

Artifact 3
  Filename: ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD005CEEB8/Ole10Native
  Size: 152905 bytes
  SHA-256: b82e33e5348d80a77c4fe40bb534a80d1bce00367754818359343bb7622076e6