Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e61a5f72928fa862…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 175.7 KB
Authoring application: Microsoft Excel
First seen: 2015-09-15
MD5: 07c2992781d8ac3d0b3e79fdbe086afe
SHA-1: d2d18df72ee70958b1e7feddc7e77f1456f9f3d6
SHA-256: e61a5f72928fa8623880969092124099ca9f4632e2ecb178df489114425ee2dd
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an OLE document authored by Microsoft Excel that contains a VBA project. As extracted, the VBA modules hold only attribute lines and no executable statements, so the macro itself carries no logic that runs on open. The heuristics instead flag content characteristic of embedded shellcode or a loader: Windows API names XOR-encoded with the single-byte key 0xDE (GetProcAddress, CreateProcessA, ExitProcess, CreateFileA, CreateFileW) and a reference to VirtualAlloc. Resolving APIs by name through GetProcAddress, allocating executable memory with VirtualAlloc, and creating files and processes are together consistent with a loader that writes a secondary payload to disk and executes it. No network API name is reported, so a download stage is not established by this static analysis. The file's SHA-256 hash is the primary IOC.

Heuristics (3)

  • XOR-encoded strings (key 0xDE) [critical] SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
    Disassembly
    Attempted x86 opcode disassembly of the flagged region. The bytes are still XOR-encoded at this point, so the instructions shown below are not meaningful code. XORing the opcode column with 0xDE yields a NUL-separated API-name table instead: GetProcAddress, GetTempPathA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, CloseHandle (the last name is cut off where the listing ends). A read/write/temp-path name set like this points to a dropper that reads a payload out of a file and writes it to the temporary directory; the CreateProcessA name reported by the heuristic suggests it is then executed.
    00010BFD  99                cdq
    00010BFE  bbaa8eacb1        mov ebx, 0xb1ac8eaa
    00010C03  bd9fbabaac        mov ebp, 0xacbaba9f
    00010C08  bbadadde99        mov ebx, 0x99deadad
    00010C0D  bbaa8abbb3        mov ebx, 0xb3bb8aaa
    00010C12  ae                scasb al, byte ptr es:[edi]
    00010C13  8e                .byte 0x8e
    00010C14  bfaab69fde        mov edi, 0xde9fb6aa
    00010C19  9d                popfd
    00010C1A  ac                lodsb al, byte ptr [esi]
    00010C1B  bbbfaabb98        mov ebx, 0x98bbaabf
    00010C20  b7b2              mov bh, 0xb2
    00010C22  bb9fde99bb        mov ebx, 0xbb99de9f
    00010C27  aa                stosb byte ptr es:[edi], al
    00010C28  98                cwde
    00010C29  b7b2              mov bh, 0xb2
    00010C2B  bb8db7a4bb        mov ebx, 0xbba4b78d
    00010C30  de8dbbaa98b7      fimul word ptr [ebp - 0x48675545]
    00010C36  b2bb              mov dl, 0xbb
    00010C38  8e                .byte 0x8e
    00010C39  b1b7              mov cl, 0xb7
    00010C3B  b0aa              mov al, 0xaa
    00010C3D  bbacde8cbb        mov ebx, 0xbb8cdeac
    00010C42  bfba98b7b2        mov edi, 0xb2b798ba
    00010C47  bbde89acb7        mov ebx, 0xb7ac89de
    00010C4C  aa                stosb byte ptr es:[edi], al
    00010C4D  bb98b7b2bb        mov ebx, 0xbbb2b798
    00010C52  de9db2b1adbb      ficomp word ptr [ebp - 0x44524e4e]
    00010C58  96                xchg esi, eax
    00010C59  bf                .byte 0xbf
    00010C5A  b0ba              mov al, 0xba
    00010C5C  b2                .byte 0xb2
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    The VirtualAlloc API name appears in the file. Shellcode and loaders call it to allocate memory with execute permission for a decoded payload; together with the encoded GetProcAddress string it indicates run-time API resolution rather than ordinary import-table use.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules only contain attributes/options/comments and no executable statements. Nothing in the extracted macro runs on open; the XOR-encoded API names and the VirtualAlloc reference carry the weight of the verdict.
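The XOR finding can be checked without trusting the tool's disassembly: brute-force the opcode bytes from the listing against all 256 single-byte keys and look for known API names. The script below is an added example, not the analysis tool's code. ENCODED_REGION is transcribed from the opcode column of the listing above (offsets 0x10BFD to 0x10C5C); the KNOWN_APIS list, the scoring rule and the function names are this example's own choices. find_xor_key works the same way on a whole file, which is how the heuristic generalises.

```python
"""Recover single-byte-XOR-encoded API names from a flagged byte region.

Added example, not part of the original report's tooling. ENCODED_REGION is
transcribed from the opcode column of the disassembly listing above
(offsets 0x10BFD-0x10C5C); KNOWN_APIS, the scoring rule and the function
names are this example's own assumptions.
"""

# Opcode bytes from the listing, one listing line per whitespace-separated group.
ENCODED_REGION = bytes.fromhex(
    "99 bbaa8eacb1 bd9fbabaac bbadadde99 bbaa8abbb3 ae 8e bfaab69fde 9d ac"
    " bbbfaabb98 b7b2 bb9fde99bb aa 98 b7b2 bb8db7a4bb de8dbbaa98b7 b2bb 8e"
    " b1b7 b0aa bbacde8cbb bfba98b7b2 bbde89acb7 aa bb98b7b2bb de9db2b1adbb"
    " 96 bf b0ba b2"
)

# Names worth looking for: the five the heuristic reported plus the usual
# loader/dropper set. A longer list makes a wrong key less likely to score.
KNOWN_APIS = (
    b"GetProcAddress", b"LoadLibraryA", b"VirtualAlloc", b"CreateProcessA",
    b"ExitProcess", b"CreateFileA", b"CreateFileW", b"GetTempPathA",
    b"GetFileSize", b"SetFilePointer", b"ReadFile", b"WriteFile",
    b"CloseHandle",
)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply one single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes, names=KNOWN_APIS):
    """Brute-force all 256 keys; return (key, names_found) for the key that
    exposes the most known API names. Key 0x00 is tried as well, so plaintext
    names are reported as key 0. Returns (None, ()) when nothing matches."""
    best_key, best_hits = None, ()
    for key in range(256):
        plain = xor_decode(data, key)
        hits = tuple(n.decode() for n in names if n in plain)
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits


def decoded_strings(data: bytes, key: int) -> list:
    """Decode and split on NUL to show the string table as the shellcode reads it.
    The last entry is truncated if the dumped region ends mid-string."""
    return [s.decode("ascii", "replace")
            for s in xor_decode(data, key).split(b"\x00")]


if __name__ == "__main__":
    key, hits = find_xor_key(ENCODED_REGION)
    if key is None:
        print("no known API names under any single-byte key")
    else:
        print(f"best key: 0x{key:02X}, known names hit: {hits}")
        for name in decoded_strings(ENCODED_REGION, key):
            print("  ", name)
```

On the listing's bytes the best key is 0xDE and the decoded table runs GetProcAddress, GetTempPathA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, CloseHandl; CloseHandle is not counted as a hit because the dump stops one byte short of it, a reminder that a scoring scan over a windowed dump can miss names at the edges.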

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True