Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c596251b56131bfb…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 807.0 KB
Created: 2000-05-26 16:45:09
Authoring application: Microsoft Excel
First seen: 2020-05-25

MD5: 344edacfe9c60fb6be90c42bca33f323
SHA-1: 87ab73766cefd7ee0bfb0ada240071fc6adb0246
SHA-256: c596251b56131bfb8931ef6586b928659625df4c3205d17b0130216c2edd903e

Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains both Excel 4.0 (XLM) macros and VBA macros, indicating a macro-based attack. The XLM macro sheet is particularly large, which suggests complex functionality. The ClamAV detection 'Xls.Malware.Generic-6680536-0' further supports the malicious verdict. The document body contains what appears to be construction or material-cost text, which is likely a lure.

Heuristics (3)

  • ClamAV: Xls.Malware.Generic-6680536-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
  • Excel 4.0 (XLM) macro sheet present [severity: medium, rule: OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [severity: medium, rule: OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: xlm_macros.txt
  Kind: xlm-macro
  Source: oletools.olevba.extract_all_macros (XLM macro listing)
  Size: 596973 bytes
  SHA-256: 8cfbae807592e74a974a33d5ecb8523753260e504d706c0929e45e6fe3c72dc7
Preview (first 1,000 lines of the extracted script):
' 0085     15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Du toa
' 0085     24 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Phan tich vat t
' 0085     23 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Tong hop vat t
' 0085     22 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Gia tri vat t
' 0085     25 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Chenh lech vat t
' 0085     26 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Chi phi van chuye
' 0085     26 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Gia giao VL den H
' 0085     21 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Gia VL den H
' 0085     24 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Don gia chi tie
' 0085     15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Du tha
' 0085     25 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Tong hop kinh ph
' 0085     19 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  QD 957-200
' 0085     21 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Cong van 175
' 0085     23 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Tu van Thiet k
' 0085     24 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Tong hop DTXD C
' 0085     20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Du toan XDC
' 0085     21 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Tong hop CPX
' 0085     21 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Tong hop CPT
' 0085     20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Tong hop CP
' 0085     24 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Tien do thi con
' 0085     19 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Bia du toa
' 0085     16 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  Tro giu
' 0085     19 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Thuyet Min
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Confi
' 0085     15 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden -  Config
' 0018     26 LABEL : Cell Value, String Constant - COTTUVAN len=3 ptgInt 3 
' 0018     34 LABEL : Cell Value, String Constant - CPVLHTXL len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x04\x00\x00\x00\xff\xff\x01\x00\x12\x00'
' 0018     23 LABEL : Cell Value, String Constant - DIALOG len=2 ptgBool FALSE 
' 0018     32 LABEL : Cell Value, String Constant - DONGTIEUDEBANG len=3 ptgInt 40 
' 0018     27 LABEL : Cell Value, String Constant - DONGTUVAN len=3 ptgInt 51 
' 0018     74 LABEL : Cell Value, String Constant - Dutoan2001 len=7 ptgRef3d  Phan tich vat t!A1 
' 0018     21 LABEL : Cell Value, String Constant - Gia len=3 ptgInt 500 
' 0018     31 LABEL : Cell Value, String Constant - GIATB len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x03\x00\x00\x00\xff\xff\x01\x00\x06\x00'
' 0018     26 LABEL : Cell Value, String Constant - GIATRITB len=3 ptgInt 400 
' 0018     29 LABEL : Cell Value, String Constant - GIATRITUVAN len=3 ptgInt 550 
' 0018     26 LABEL : Cell Value, String Constant - GIATRIXL len=3 ptgInt 550 
' 0018     28 LABEL : Cell Value, String Constant - GIATRIXLTB len=3 ptgInt 950 
' 0018     21 LABEL : Cell Value, String Constant - Gib len=3 ptgInt 1000 
' 0018     31 LABEL : Cell Value, String Constant - NHOMCONGTRINH len=3 ptgInt 1 
' 0018     27 LABEL : Cell Value, String Constant - Nia len=9 ptgNum FLOAT 0.015400 
' 0018     27 LABEL : Cell Value, String Constant - Nib len=9 ptgNum FLOAT 0.010500 
' 0018     27 LABEL : Cell Value, String Constant - built-in-name 6 ? len=11 ptgArea3d  *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x02\x00\x00
... (truncated)
Artifact 2
  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 8732 bytes
  SHA-256: 666058ae70451137942d0df27d6aaad533470bccf4ffd0fa9cd050d499d7d411
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function WritePrivateProfileString Lib "Kernel32" Alias "WritePrivateProfileStringA" (ByVal lpApplicationname As String, ByVal lpKeyName As Any, ByVal lsString As Any, ByVal lplFilename As String) As Long
Private Declare Function GetPrivateProfileInt Lib "Kernel32" Alias "GetPriviteProfileIntA" (ByVal lpApplicationname As String, ByVal lpKeyName As String, ByVal nDefault As Long, ByVal lpFileName As String) As Long
Private Declare Function GetPrivateProfileString Lib "Kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationname As String, ByVal lpKeyName As String, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long
Private Declare Function GetWindowsDirectory Lib "Kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetSystemDirectory Lib "Kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function Dbf_CloseAll Lib "DBF1" () As Long
Private Declare Function Dbf_OpenAsHandle Lib "DBF1" (ByVal FileN As String, ByVal Mode As Integer, ByVal DbfType As Integer, ByVal HandleF As Integer) As Integer
Private Declare Function Dbf_Close Lib "DBF1" (ByVal Hl As Integer) As Integer

Dim WinPath As String
Dim WinSysPath As String
Const MAX_PATH = 260

Function Getini(lpAppName As String, lpKeyName As String, lpDefault As String, lpFileName As String) As String
Dim ret As Long
Dim Temp As String * 256
Dim Temp1 As String
    Dim rtn As Long
    Dim buffer As String
    Dim i As Integer

buffer = Space(MAX_PATH)

rtn = GetSystemDirectory(buffer, Len(buffer))   'get the path
WinSysPath = Left(buffer, rtn)                                  'parse the path into the global string
rtn = GetWindowsDirectory(buffer, Len(buffer))
WinPath = Left(buffer, rtn)

lpDefault = ""
lpFileName = WinPath & "\dtacitt.ini"

ret = GetPrivateProfileString(lpAppName, lpKeyName, lpDefault, Temp, Len(Temp), lpFileName)

If ret = 0 Then
    Getini = ""
Else
    Temp1 = ""
    For i = 1 To Len(Trim(Temp))
        If Asc(Mid(Trim(Temp), i, 1)) <> 0 Then
        Temp1 = Temp1 & Mid(Trim(Temp), i, 1)
        End If
    Next
    Getini = Temp1
End If
End Function

Function Writeini(lpAppName As String, lpKeyName As String, lpString As String, lpFileName As String) As Integer
Dim ret As Long
    Dim rtn As Long
    Dim buffer As String

buffer = Space(MAX_PATH)

rtn = GetSystemDirectory(buffer, Len(buffer))   'get the path
WinSysPath = Left(buffer, rtn)                                  'parse the path into the global string
rtn = GetWindowsDirectory(buffer, Len(buffer))
WinPath = Left(buffer, rtn)

lpFileName = WinPath & "\dtacitt.ini"
ret = WritePrivateProfileString(lpAppName, lpKeyName, lpString, lpFileName)

If ret = 0 Then
End If
End Function
Private Sub Workbook_SheetActivate(ByVal Sh As Object)
bang = ExecuteExcel4Macro("GET.NOTE(""R1C1"")")

If bang = "Du toan" And Getini("DUTOAN", "DTinfRUN", "", "") = "2" Then
Application.ScreenUpdating = False
Application.Run Macro:="dt972000.xla!nap_DBF"
ret = Writeini("DUTOAN", "DTinfRUN", "0", "")
Sheets("Du toan").Select
Application.ScreenUpdating = True
End If

End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute
... (truncated)