Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e0a25974a031dcf8…

MALICIOUS

Office (OLE)

Size: 2.67 MB | Created: 2004-05-21 07:18:45 | Authoring application: Microsoft Excel | First seen: 2019-10-01
MD5: b90d1d568c8f92665f7c4856f780a4b6
SHA-1: ed8d941a7e5cced900d3f7751f0e49e30dd96e3f
SHA-256: e0a25974a031dcf8ed9b437a64a7df2a884d569cdfdeb07d04bacb84191474f0
Risk Score: 144

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic); T1566.001 (Spearphishing Attachment)

The file is an Excel document with a Workbook_Open macro that executes obfuscated VBA code. The macro uses CreateObject and XMLHTTP, indicating it likely attempts to download and execute a second-stage payload from a remote source. The document body contains what appears to be a list of regional names and associated numbers, possibly a lure for a phishing or social engineering attack.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Workbook_Open macro (high) [OLE_VBA_WBOPEN]
    Workbook_Open macro
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1556173 bytes
SHA-256: fc81522bd31a960c32d858ccfce68270e555482a60e51c8e3ed9d017d1aa1dd6
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    Application.Calculate
    
    modThisWorkbook.ThisWorkbook_Workbook_BeforeSave
    
    On Error GoTo ErrHandler
    
    Dim status As Integer
    status = ThisWorkbook.CustomDocumentProperties("Status")
    If status > 2 Then
      MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
      Cancel = True
      GoTo CleanUp
    End If
    
    GoTo CleanUp

ErrHandler:
    MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name

CleanUp:

End Sub

Private Sub Workbook_Open()
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
  modThisWorkbook.ThisWorkbook_Workbook_BeforePrint
End Sub

Attribute VB_Name = "modChange"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Base 1
Option Explicit

' Instruction sheet
Public Sub WsInstrChange(Target As Range)
  If Target.Interior.ColorIndex = colorYellow Then
    Application.ThisWorkbook.Worksheets(gstrInstructionSheetName).cmdApplyContactChanges.Enabled = True
    Application.ThisWorkbook.Worksheets(gstrInstructionSheetName).cmdApplyContactChanges.Visible = True
  End If
End Sub

' for standard sheets
Public Sub WsGeneralChange(Target As Range)
  On Error GoTo ErrWsGeneralChange
  
  Dim wbBook As Workbook
  
  Dim wsSheet As Worksheet
  Dim wsTehSheet As Worksheet
    
  Dim intNRow As Integer
  Dim intNColumn As Integer
  Dim intRowHeight As Integer
  
  Dim rngCell As Range
  Dim rngRange As Range
  
  Dim ISect
  
  Dim blnValueEnableEventsLocal As Boolean
  Dim blnValueScreenUpdatingLocal As Boolean
    
  blnValueEnableEventsLocal = Application.EnableEvents
  blnValueScreenUpdatingLocal = Application.ScreenUpdating
  
  Application.EnableEvents = False
  Application.ScreenUpdating = False

  Set wbBook = Me.parent
  Set wsSheet = Target.parent
    
  modServiceModule.UNPROTECT_SHEET wsSheet
  
  intNRow = Target.cells(1, 1).Row
  intNColumn = Target.cells(1, 1).Column
  
  ' if the sheet is "ТС показатели" (heat-supply indicators), the unit of measure must be set according to the fuel type
  If wsSheet.name = wbBook.Names("TSphere").RefersToRange.cells(1, 1).value & " показатели" Then
    Set wsTehSheet = wbBook.Names("kind_of_fuels").RefersToRange.parent

    If InStr(1, Target.cells(1, 1).Offset(0, -1).MergeArea.cells(1, 1), "3.2") = 1 Then
         For Each rngRange In wsTehSheet.Range("kind_of_fuels")
           If Target.cells(1, 1).value = rngRange.value Then
             Target.cells(1, 1).Offset(2, 1).value = rngRange.Offset(0, 1).value
           ElseIf Len(Trim(Target.cells(1, 1).value)) = 0 Then
             Target.cells(1, 1).Offset(2, 1).value = ""
             Exit For
           End If
         Next
    End If
  End If
  
  If Target.cells(1, 1).Row > 6 Then
    If Target.MergeCells Then
      modServiceModule.AutoFitMergedCellRowHeight Target
    Else
      Target.cells(1, 1).EntireRow.AutoFit
      intRowHeight = Target.cells(1, 1).RowHeight
      If intRowHeight < 20 Then Target.cells(1, 1).RowHeight = 20
    End If
  End If
    
  modServiceModule.PROTECT_SHEET wsSheet, True
  GoTo CleanUp
  
ErrWsGeneralChange:
  Debug.Print Err.Description
  GoTo CleanUp
  
CleanUp:
  Application.EnableEvents = blnValueEnableEventsLocal
  Application.ScreenUpdating = blnValueScreenUpdatingLocal
  
End Sub

Attribute VB_Name = "modRegionS
... (truncated)