Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ec8ffbe989aca31f…

MALICIOUS

Office (OLE)

Size: 20.89 MB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-07-13
MD5: 071e8474261465bb750be91f523aef04
SHA-1: cfcf6d405e032252fa5ddf08a4434cb31b07ce78
SHA-256: ec8ffbe989aca31f814abee4c9423c288a756d14427346b0e5c402a1871e847d
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains both Excel 4.0 macros and VBA macros, with a Workbook_Open event and CreateObject calls indicating execution intent. The presence of an embedded URL within an XLM cell array suggests the macro is designed to download and execute a second-stage payload. The document body's content related to invoices and tax rates serves as a lure to encourage user interaction with the malicious macros.

Heuristics (7)

  • URL reconstructed from XLM cell array (1 URL) critical OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://github.com/VBA-tools/VBA-JSON Referenced by macro
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp Referenced by macro
    • https://github.com/VBA-tools/VBA-UtcConverter Referenced by macro
    • https://www.gst.gov.in/download/returns Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# Referenced by macro
    • http://ns.adobe.com/xap/1.0/ Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/ Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# Referenced by macro
    • http://www.opensource.org/licenses/mit-license.php) Referenced by macro
    • http://code.google.com/p/vba-json/ Referenced by macro
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx Referenced by macro
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx Referenced by macro
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx Referenced by macro
    • http://support.microsoft.com/kb/269370 Referenced by macro
    • http://www.ietf.org/rfc/rfc4627.txt Referenced by macro
    • https://support.microsoft.com/en-us/kb/272138 Referenced by macro
    • http://www.opensource.org/licenses/mit-license.php Referenced by macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 373725 bytes
SHA-256: 6ad4b1044092f0ce5748c1f20509eca5c2065d05b26407c6f3c09ecf337164c5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_Activate()
    Call CommonUtil.ToggleCutCopyAndPaste(False) 'Disable Crtl + X
    'Call CommonUtil.HideorShowErrorSheets
End Sub

Private Sub Workbook_Open()
    Call CommonUtil.ToggleCutCopyAndPaste(False) 'Disable Ctrl + X
    'Call CommonUtil.HideorShowErrorSheets
End Sub

Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True




Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "B2BURMod"
Option Explicit

Public Sub loadB2BURData(jsonData As Object)
    Dim invoiceList As Dictionary, invoice As Dictionary, Item As Dictionary
    Dim i As Integer: i = START_ROW
    Do Until Trim(Sheets("4C(B2BUR)").Cells(i, 2).Value & vbNullString) = vbNullString
        i = i + 1
    Loop
    If jsonData.Exists("b2bur") Then
        For Each invoice In jsonData("b2bur")
           ' For Each invoice In invoiceList("inv")
                For Each Item In invoice("itms")
                    
                    Sheets("4C(B2BUR)").Cells(i, 2).Value = invoice("inum")
                    Sheets("4C(B2BUR)").Cells(i, 3).Value = invoice("idt")
                    Sheets("4C(B2BUR)").Cells(i, 4).Value = invoice("val")
                    If Trim(invoice("pos") & vbNullString) <> vbNullString Then
                        Sheets("4C(B2BUR)").Cells(i, 5).Value = Application.VLookup(invoice("pos") & "C", Worksheets("master").Range("pos_map"), 2, False)
                    End If
                    If Trim(invoice("sply_ty") & vbNullString) <> vbNullString Then
                        Sheets("4C(B2BUR)").Cells(i, 6).Value = Application.VLookup(invoice("sply_ty"), Worksheets("master").Range("sply_ty_map"), 2, False)
                    End If
                    Sheets("4C(B2BUR)").Cells(i, 7).Value = Item("itm_det")("rt")
                    Sheets("4C(B2BUR)").Cells(i, 8).Value = Item("itm_det")("txval")
                    'Sheets("4C(B2BUR)").Cells(i, 9).Value = Item("itm_det")("iamt")
                    'Sheets("4C(B2BUR)").Cells(i, 10).Value = Item("itm_det")("camt")
                    'Sheets("4C(B2BUR)").Cells(i, 11).Value = Item("itm_det")("samt")
                    Sheets("4C(B2BUR)").Cells(i, 12).Value = Item("itm_det")("csamt")
                    Sheets("4C(B2BUR)").Cells(i, 14).Value = "Added"
                    
                    i = i + 1
            
... (truncated)