Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c2121bab391a1f62…

MALICIOUS

Office (OLE)

4.86 MB Created: 2012-03-13 12:40:41 First seen: 2019-02-10
MD5: 71ab4f6303adeca630d12cde87f2f98d SHA-1: c34ddc1ee342436e35a4ff8205491075373f58ce SHA-256: c2121bab391a1f62c8f3ac7e250b7fb48e622caae80e1bcdf8d1b26bf910a4cf
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1190 Exploit Public-Facing Application

The sample contains VBA macros, including a Workbook_Open event handler — a common technique for running macro code automatically when the document is opened. The document body and heuristics indicate a lure to enable macros, suggesting an intent to bypass Office macro security settings. The Workbook_Open macro is assessed as likely to download and execute a second-stage payload from one of the embedded URLs, such as http://10.96.96.191:8080/IEPFWebProject/IEPFValidateExcel.wsdl; note, however, that every extracted URL is labelled as found in the document text (OLE body) rather than in macro code, and the Workbook_Open handler shown in the extracted-script preview below only activates a sheet, applies sheet/workbook protection and sets a worksheet to xlVeryHidden, so this assessment should be confirmed against the full extracted macro source before it is relied on.

Heuristics 4

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://10.96.96.191:8080/IEPFWebProject/IEPFValidateExcel.wsdl In document text (OLE body)
    • http://www.iepf.gov.in/IEPFWebProject/IEPFValidateExcel.wsdl� In document text (OLE body)
    • http://webservice.iepf.dca21.com� In document text (OLE body)
    • http://10.96.80.52/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl In document text (OLE body)
    • http://10.96.80.52/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/Prefil�����$ In document text (OLE body)
    • http://10.96.80.52/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/Prefil� In document text (OLE body)
    • http://www.mca.gov.in/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl�� In document text (OLE body)
    • http://prefill.eforms.userinterface.mydca.dca21.commcaH5 In document text (OLE body)
    • http://10.96.80.52/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl.bject In document text (OLE body)
    • http://www.mca.gov.in/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl� In document text (OLE body)
    • http://prefill.eforms.userinterface.mydca In document text (OLE body)
    • http://10.96.80.52/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl.����� In document text (OLE body)
    • http://dto.common.messageinterface.business.mydca.dca21.com In document text (OLE body)
    • http://dto.eforms.business.mydca.dca21.com In document text (OLE body)
    • http://dto.eforms.business.mydca.llp.dca21.com In document text (OLE body)
    • http://10.96.80.52/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl.� In document text (OLE body)
    • http://www.iepf.gov.in/IEPFWebProject/IEPFValidateExcel.wsdl In document text (OLE body)
    • http://webservice.iepf.dca21.com In document text (OLE body)
    • http://www.mca.gov.in/DCAPortalWeb/wsdl/com/dca21/mydca/userinterface/eforms/prefill/PrefillService.wsdl In document text (OLE body)
    • http://prefill.eforms.userinterface.mydca.dca21.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 210061 bytes
SHA-256: ba596d7f35ac06edc29f68dce0f1ef20db467e7ac6a903dd845a71a78f0d1055
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Header of the ThisWorkbook document-level class module. These VB_* lines are
' VBE-generated module attributes recovered by the macro extractor, not author
' code; the VB_Base GUID identifies the Office object class the module is bound
' to (the Workbook here). The three event handlers that follow are the only
' procedures in this module within the preview.
' Workbook_BeforeClose — runs when the workbook is being closed.
' Re-runs the sheet validation helpers and, if they report "Stop", asks the user
' whether to save anyway; then fills an empty G2 (company name) with "BLANK" when
' B2 (CIN) is present, and saves.
'   Cancel — set to True when the user chooses Cancel, which aborts the close.
' getRowCount(), Calculate() and ValidateAll() are defined outside this preview;
' only ValidateAll()'s result is used here (compared against "Stop").
' NOTE(analyst): this handler contains no URL, download, shell, file-system or
' object-creation call — it only touches cells, sheet protection and Save.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
Dim Answer As String   ' declared but neither assigned nor read in the live code below
Dim MyNote As String   ' assigned once below but never read (the prompt uses Msg instead)

' --- Earlier draft of the logic below, left commented out in the sample ---
'MyNote = "Errors in your sheet?You still want to save."

'errorCounter = 1
'Sheets("Error").Cells.Clear
'rowCount = getRowCount()

'sumCalculate = Calculate()
'isValidAll = ValidateAll()

'If isValidAll = "Stop" Then
    'Answer = MsgBox(MyNote, vbQuestion + vbYesNo, "???")

    'If Answer = vbNo Then
          'Cancel = True
          'ThisWorkbook.Close
          
    'Else
      'ThisWorkbook.Save
    'End If
   
'End If


    ' The 'If Not Me.Saved Then ... ' End If pair is disabled, so the block
    ' between them always runs on close.
    'If Not Me.Saved Then
    
    MyNote = "Errors in your sheet?You still want to save."

' Reset the shared error-tracking state (errorCounter and rowCount are Public
' in Module1) before re-validating.
errorCounter = 1
Sheets("Error").Cells.Clear
rowCount = getRowCount()

' sumCalculate and isValidAll are not declared anywhere in this preview
' (no Option Explicit is visible).
sumCalculate = Calculate()
isValidAll = ValidateAll()


If isValidAll = "Stop" Then
        Msg = "Errors in your excel.You still want to save?"
        Ans = MsgBox(Msg, vbQuestion + vbYesNoCancel)
        Select Case Ans
            Case vbYes
                Me.Save
            Case vbNo
                Me.Saved = True   ' mark as saved so Excel closes without its own save prompt
            Case vbCancel
                Cancel = True     ' abort the close
                Exit Sub
          End Select
    End If
 ' End If

 ' Default an empty company name when a CIN is present. The sheet password
 ' "pass" is hard-coded in plaintext here and in Workbook_Open.
 If (Worksheets("Investor Details").Range("G2").Value = "" And Worksheets("Investor Details").Range("B2").Value <> "") Then
    Worksheets("Investor Details").Unprotect "pass"
    Worksheets("Investor Details").Range("G2").Value = "BLANK"
    Worksheets("Investor Details").Protect "pass"
    Me.Save
    
 End If
 

  


End Sub

' Workbook_BeforeSave — empty handler: declared but contains no statements, so
' it neither alters nor cancels the save (Cancel is never set).
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)



End Sub

' Workbook_Open — runs automatically when the workbook is opened with macros
' enabled; this is the handler flagged by the OLE_VBA_WBOPEN heuristic.
' As extracted here it only (1) brings the "Read Me" sheet to the front,
' (2) protects "Investor Details" with the hard-coded password "pass" using
' UserInterfaceOnly, so VBA can still write to the sheet while the user cannot,
' (3) hides "Sheet3" as xlVeryHidden, which cannot be unhidden from the Excel UI
' (only from VBA/VBE), and (4) re-applies unpassworded workbook-structure
' protection.
' NOTE(analyst): no URL, download, shell or object-creation call appears in
' this handler; the embedded URLs listed in this report were all recovered from
' the document body, not from macro code.
Private Sub Workbook_Open()
   
    Worksheets("Read Me").Activate
     
      
        Worksheets("Investor Details").Protect Password:="pass", UserInterfaceOnly:=True
        Worksheets("Investor Details").EnableOutlining = True
   
        ThisWorkbook.Unprotect   ' no password argument: structure protection is unpassworded
        Worksheets("Sheet3").Visible = xlVeryHidden
     'Worksheets("Sheet3").Visible = True
        
        ThisWorkbook.Protect
        
   

    
    
    
End Sub


Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Header of the "Sheet3" worksheet class module (VBE-generated attributes). No
' procedures appear between this header and the Module1 header in the extracted
' source, so the module is empty; Sheet3 is the sheet that Workbook_Open sets
' to xlVeryHidden.

Attribute VB_Name = "Module1"

' Module-level state shared by the validation routines (Validate() below and
' the ThisWorkbook event handlers). Most of the is* String flags are reset to ""
' at the start of Validate(); errorCounter and rowCount are reset in both
' Validate() and Workbook_BeforeClose. isAlphaNumeic and isPrefillClicked are
' not referenced anywhere in the preview. Identifier spellings (isAlphaNumeic,
' isForgienPincode) are as found in the sample and are reproduced verbatim.
' NOTE(analyst): isValidAll, sumCalculate, date_of_agm and other names used by
' the procedures are not declared in this preview — either Option Explicit is
' off or they are declared beyond the first 1,000 extracted lines.
Public isValidateMandatory As String
Public isValidCountry As String
Public isValidState As String
Public isValidDistrict As String
Public isValidInvType As String
Public isAlphaNumeic As String
Public isIndianPincode As String
Public isForgienPincode As String

Public rowCount As Double
Public errorCounter  As Double
Public isPrefillClicked  As Boolean

Sub Validate()

isValidateMandatory = ""
isValidCountry = ""
isValidState = ""
isValidDistrict = ""
isValidInvType = ""
isValidAll = ""
isIndianPincode = ""
isForgienPincode = ""

errorCounter = 1
Sheets("Error").Cells.Clear
rowCount = getRowCount()

strCIN = Trim(Sheets("Investor Details").Range("B2").Text)
strCompanyName = Trim(Sheets("Investor Details").Range("G2").Text)
strDateOfAGM = Trim(Worksheets("Investor Details").Range("L2").Text)


If strCIN = "" Then
   MsgBox "Please enter CIN"
   Worksheets("Investor Details").Protect Password:="pass", UserInterfaceOnly:=True
   Exit Sub
Else
    If strDateOfAGM = "" Then
        MsgBox "Please enter Date Of AGM"
        Worksheets("Investor Details").Protect Password:="pass", UserInterfaceOnly:=True
        Exit Sub
    End If
End If

date_of_agm = DateOfAGM()
'If date_of_agm = "Stop" Then
    'Exit Sub
'End If

sumCalculate = Calculate()
isValidAll = ValidateAll()

If isValidAll = "Stop" Then

... (truncated)