Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8a41261ee915447…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 1.90 MB
Created: 2004-05-21 07:18:45
Authoring application: Microsoft Excel
First seen: 2020-08-10
MD5: 58f6088ae95fd40abbeb734f5ad22c6d
SHA-1: ae02e03c95ae2ce36792bb988be8e76fd5d0ef8a
SHA-256: c8a41261ee915447a4f05c5e51e97aab350d9a12a92f44aab39d961d3567bed7
Risk score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6355306-0. It contains a Workbook_Open VBA macro that executes obfuscated code, including a CreateObject call and a p-code auto-execution with XMLHTTP, indicating it likely downloads a second-stage payload. The presence of a Workbook_Open macro suggests it was delivered as a spearphishing attachment.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6355306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6355306-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1141881 bytes
SHA-256: a0aec76feb63ab3e3c447641e352cb6c2fba1433cf7a4ae65a18866038fe90ea
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    Application.Calculate
    
    modThisWorkbook.ThisWorkbook_Workbook_BeforeSave
    
    On Error GoTo ErrHandler
    
    Dim status As Integer
    status = ThisWorkbook.CustomDocumentProperties("Status")
    If status > 2 Then
      MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
      Cancel = True
      GoTo CleanUp
    End If
    
    GoTo CleanUp

ErrHandler:
    MsgBox Error.Description, vbOKOnly + vbExclamation, ThisWorkbook.name

CleanUp:

End Sub

Private Sub Workbook_Open()
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
  modThisWorkbook.ThisWorkbook_Workbook_BeforePrint
End Sub


Attribute VB_Name = "modChange"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Base 1
Option Explicit

Public Sub WsInstructionChange(Target As Range, _
                               ByRef cmdApplyContactChanges As CommandButton)
  
  If Target.Interior.ColorIndex = colorYellow Then
    cmdApplyContactChanges.Enabled = True
    cmdApplyContactChanges.Visible = True
  End If

End Sub

Public Sub WsTitleChange(Target As Range)
  
  On Error GoTo ErrWsTitleChange

  Dim wsSheet As Worksheet
  Dim intCounter As Integer
  Dim intColumnCounter As Integer
  Dim strMRName As String
  Dim strMOName As String
  Dim strOKTMOValue As String
  Dim strNameLineCode(8) As String  ' list of row codes that contain formulas
  Dim wbBook As Workbook
  Dim wsTechSheet As Worksheet
  Dim wsWorkSheet As Worksheet
  Dim rngRange As Range
  Dim rngTempRange As Range
  Dim ISect

  Application.EnableEvents = False
  Application.ScreenUpdating = False

  Set wbBook = Me.Parent
  Set rngRange = wbBook.Names("MR_LIST").RefersToRange
  Set wsTechSheet = rngRange.Parent

  Set wsSheet = Target.Parent
  
  ' Branch flag
  Set ISect = Application.Intersect(Target, wsSheet.Range("fil_flag"))
  If Not ISect Is Nothing Then
    
    modServiceModule.UNPROTECT_SHEET wsSheet
     
    If Target.cells(1, 1).value = "да" Then
      wsSheet.Range("fil").cells(1, 1).Select
      Selection.Interior.ColorIndex = colorCyan
      wsSheet.Range("fil").cells(1, 1).EntireRow.Hidden = False
      Selection.Locked = False
    Else
      wsSheet.Range("fil").cells(1, 1).Select
      Selection.ClearContents
      Selection.Interior.ColorIndex = colorWhite
      wsSheet.Range("fil").cells(1, 1).EntireRow.Hidden = True
      Selection.Locked = True
    End If
      
    Target.Select
    
    modServiceModule.PROTECT_SHEET wsSheet, True
    
    GoTo CleanUp
    
  End If
  
  ' MR SELECTION
  Set ISect = Application.Intersect(Target, wsSheet.Range("mr"))
  If Not ISect Is Nothing Then
    
    modServiceModule.UNPROTECT_SHEET wsSheet
    intCounter = 2
    Do While intCounter <= rngRange.Rows.Count + 1
      If wsTechSheet.cells(intCounter, 4).value = Target.cells(1, 1).value Then
        strMOName = wsTechSheet.cells(intCounter, 5).value
        Exit Do
      End If
      intCounter = intCounter + 1
    Loop
    wsSheet.Range("oktmo").Select
    Selection.ClearContents
    wsSheet.Range("mo").Select
    Selection.ClearContents
    Selection.Validation.Delete
    If Len(strMOName) > 0 Then
      With Selection.Validation
                    .Add Type:=xlValidateList, _
                         AlertStyle:=xlValidAlertStop, _
            
... (truncated)