Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd4144c9a155f1c5…

MALICIOUS

Office (OLE)

Size: 946.5 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
MD5: bc721ab278a70dd7a13c4e0583489190
SHA-1: 63454ae1f2ef4b3ee368666f6371da324672ea58
SHA-256: cd4144c9a155f1c5d9596aee010769371e78cacdfa5757a022f8699b6528bdde
Risk Score: 400

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32
  • T1105 Ingress Tool Transfer

The sample is an Excel document containing VBA macros that reference Windows Script Host and the VirtualAlloc, LoadLibrary, and GetProcAddress APIs. One critical heuristic indicates the presence of an embedded PE executable, and another critical heuristic flags a Shell() call within the VBA. Together these suggest the macro is designed to extract and execute the embedded payload. The ClamAV detection of 'Win.Dropper.Hideproc-6663113-0' further supports its classification as a dropper.

Heuristics (10)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document: possible embedded executable
  • ClamAV: Win.Dropper.Hideproc-6663113-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.microsoft.com0
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • Filename: macros.bas
    SHA-256: 888c70d21f83f913161586d9572083be4266d3106ae0f87526fc31f336071aa6
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 14358 bytes

  • Filename: embedded_office_000044f1.exe
    SHA-256: 6502d765b1d1fc564e58d51618f90cdcc217ca18d74d04eb4b75d92ba55b634e
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x44F1
    Size: 951567 bytes
    Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
    Obfuscation or payload: unlikely

  • Filename: ole10native_00.bin
    SHA-256: 9dc5a0bfb900a50933edcd585ffcbc4bed2af044e653c6df90ad0229c5fd64db
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD00059305/Ole10Native
    Size: 618013 bytes