Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c574343c5d9f332b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 51.5 KB
Created: 2009-09-03 07:32:24
Authoring application: Microsoft Excel
First seen: 2021-07-02
MD5: 2da408ccb10dd20583c2b570ae43895a
SHA-1: 7e5a8b7bd9b12cfbc537cb4221caeb39eec2efb8
SHA-256: c574343c5d9f332bc22a7cf4c44a1b00d365e932c06506c79ce0da16b57a1013
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro. When the workbook is opened, this macro displays a user form ('Form1') with input fields such as 'txtDomain' and 'txtGroup'. The macro builds an LDAP distinguished name from these values, suggesting it is designed to query Active Directory or collect domain-related information. The Workbook_Open auto-execution combined with the user form strongly indicates a credential harvesting or information gathering attack.

Heuristics (4)

  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where no visible source is available.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3532 bytes
SHA-256: ae26d0ccae8b3060746e3f717c6f3b6398669a217368957154edbca62d7afd02
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Form1.Show vbModal
End Sub



Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Form1"
Attribute VB_Base = "0{B11AF574-D9BC-482D-87AD-47E8DC721978}{1DEFE8E2-7838-48F9-A705-3B4CCDCDC7D3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub cmdExit_Click()
    Unload Me
End Sub

Private Sub cmdOK_Click()
    Start
End Sub

Private Sub TextBox3_Change()

End Sub

Attribute VB_Name = "Module1"
Sub Start()

    On Error GoTo Err
    
    Dim sDomain() As String
    Dim sDom As String
    sDomain = Split(Form1.txtDomain.Value, ".")
    sDom = ""
    For j = 0 To UBound(sDomain)
        sDom = sDom & ", dc=" & sDomain(j)
    Next j
    
    If Form1.txtGroup.Value <> "" Then
        strDomainDN = "ou=" & Form1.txtGroup.Value & sDom 'the login and password for the domain connection can also be embedded here
    Else
        If Len(sDom) > 0 Then
            strDomainDN = Right(sDom, Len(sDom) - 2)
        End If
    End If
    
    'to search the local domain catalog:
    strBase = "<LDAP://" & strDomainDN & ">;"
    
    'to search the global catalog:
    ' strBase   =  "<GC://" & strDomainDN & ">;"
    'MsgBox (strBase)
    strFilter = "(&(objectclass=user)(objectcategory=person));"
    strAttrs = "sAMAccountName,name,department,description;"
    strScope = "subtree"
    
    
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    'Stop
    If Form1.txtLogin.Value <> "" Then
        objConn.Properties("User ID") = sDomain(0) & "\" & Form1.txtLogin.Value
        'objConn.Properties("User ID") = Form1.txtLogin.Value
        objConn.Properties("Password") = Form1.txtPassword.Value
        objConn.Properties("Encrypt Password") = False
        objConn.Open "Active Directory Provider", sDomain(0) & "\" & Form1.txtLogin.Value, Form1.txtPassword.Value
    Else
        objConn.Open "Active Directory Provider"
    End If
    Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
    Dim i As Long
    i = 2
    objRS.MoveFirst
    While Not objRS.EOF
        If Form1.chkAddDomain.Value = True Then
            Worksheets(1).Cells(i, 1).Value = sDomain(0) & "\" & objRS.Fields(0)
        Else
            Worksheets(1).Cells(i, 1).Value = objRS.Fields(0)
        End If
        Worksheets(1).Cells(i, 2).Value = objRS.Fields(1)
        Worksheets(1).Cells(i, 3).Value = objRS.Fields(2)
        Worksheets(1).Cells(i, 4).Value = objRS.Fields(3)

        objRS.MoveNext
        i = i + 1
    Wend

    Unload Form1
    Exit Sub
Err:
    MsgBox ("Ошибка: " & Err.Description)
End Sub