Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df196a4d5659df1c…

MALICIOUS

Office (OLE)

50.5 KB Created: 2018-09-25 10:17:08 Authoring application: Microsoft Excel First seen: 2019-09-30
MD5: 9fbd935f45860740af1baefbcd5ecf68 SHA-1: 9fe2b13f5043de7123f8d359861fcb9963b68b68 SHA-256: df196a4d5659df1cd862620fbb7df5aa3bdfa84286ea69bf98e27379f4ae7a8f
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains both obfuscated VBA and Excel 4.0 macros, with critical heuristics indicating an auto-exec loader designed to execute code via CreateObject and Shell functions. The presence of both macro types and the obfuscation suggests a downloader or droppper functionality. The ClamAV detection name 'Doc.Malware.Sload-6699713-0' further supports its malicious nature.

Heuristics 8

  • ClamAV: Doc.Malware.Sload-6699713-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sload-6699713-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 228 bytes
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a
Preview script
First 1,000 lines of the extracted script
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Top
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9345 bytes
SHA-256: 8d648aa8d91be24536d59f012004d883aaf3d30ef12c5d6fb7862323b9d49150
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub LoadAndPrintBoard()
Dim CurrentBoardMember As CEmployee
Dim PrintBoardMember As CEmployee
Dim arrayBoardMemebrs() As CEmployee
Dim WSBoardMembers As Worksheet
Dim lngTotalRecords As Long
Dim lngRecordCounter As Long
Dim strFullNameAndTitle As String
Set WSBoardMembers = Worksheets(“EmployeeInfo.xlsm”)
lngTotalRecords = WSBoardMembers.UsedRange.Rows.Count
For lngRecordCounter = 1 To lngTotalRecords
Set CurrentBoardMember = New CEmployee
CurrentBoardMember.FirstName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 1), WSBoardMembers.Cells(lngRecordCounter, 1)).Value
CurrentBoardMember.LastName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 2), WSBoardMembers.Cells(lngRecordCounter, 2)).Value
CurrentBoardMember.Title = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 3), WSBoardMembers.Cells(lngRecordCounter, 3)).Value
ReDim Preserve arrayBoardMemebrs(1 To lngRecordCounter)
Set arrayBoardMemebrs(lngRecordCounter) = CurrentBoardMember
Set CurrentBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set PrintBoardMember = arrayBoardMemebrs(lngRecordCounter)
Debug.Print PrintBoardMember.EmployeeFullInfo()
Set PrintBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set arrayBoardMemebrs(lngRecordCounter) = Nothing
Next lngRecordCounter
Set WSBoardMembers = Nothing

End Sub
Private pWorkLogItems As Collection

Public Property Get WorkLogItems() As Collection
    Set WorkLogItems = pWorkLogItems
End Property

Public Property Set WorkLogItems(lWorkLogItem As Collection)
    Set pWorkLogItems = lWorkLogItem
End Property

Function GetHoursWorked(strPersonName As String) As Double
    On Error GoTo Handle_Errors
    Dim wli As WorkLogItem
    Dim doubleTotal As Double
    doubleTotal = 0
    For Each wli In WorkLogItems
        If strPersonName = wli.PersonName Then
            doubleTotal = doubleTotal + wli.HoursWorked
        End If
    Next wli

Exit_Here:
    GetHoursWorked = doubleTotal
        Exit Function

Handle_Errors:
        'You will probably want to catch the error that will '
        'occur if WorkLogItems has not been set '
        Resume Exit_Here


End Function
Sub CalculateRunTime_Minutes()
Dim StartTime As Double
Dim MinutesElapsed As String
StartTime = Timer
  MinutesElapsed = Format((Timer - StartTime) / 86400, "hh:mm:ss")
  MsgBox "This code ran successfully in " & MinutesElapsed & " minutes", vbInformation
End Sub
Sub Advanced_Filtering()

CriteriaLastRow = 4 'Last Row you have in the Criteria range

For i = 3 To CriteriaLastRow 'Loops through until the last Row
  RowsCount = Application.WorksheetFunction.CountA(Range("C" & i & ":F" & i))
  If RowsCount = 0 Then CriteriaRowsSet = i - 1 Else CriteriaRowsSet = CriteriaLastRow 'Checks to see if any row returns 0 and sets it to the row above's number
Next i

Range("C6:F23").AdvancedFilter _
Action:=xlFilterInPlace, _
CriteriaRange:=Range("C2:F" & CriteriaRowsSet), _ CopyToRange:=Sheets("Sheet2").Range("A1:D1")

End Sub
Sub SolverMacro()
' Example Solver VBA Macro
    SolverReset
    SolverOk SetCell:="$B$24", _
             MaxMinVal:=2, _
             ValueOf:="0", _
             ByChange:="$B$16:$B$17"
    SolverSolve userFinish:=True
End Sub
Function Pos_nonalpha() As Integer
  'posted misc 2001-07-23 David McRitchie
  Dim i As Integer
  For i = 1 To Len(cell)
    Dim Number
    Select Case Asc(Mid(cell, i, 1))
        Case 0 To 64, 91 To 96, 123 To 191
           Pos_nonalpha = i
           Exit Function
        End Select
  Next i
  Pos_nonalpha = 0
End Function
Function AgeInYears(start_date As Variant, end_date As Variant) As
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.