Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7fc3d72a3300286…

MALICIOUS

Office (OLE)

Size: 4.42 MB
Created: 1999-09-22 19:57:12
Authoring application: Microsoft Excel
First seen: 2018-07-14
MD5: c8dead51eb05795965e558c1468e6e04
SHA-1: 385c51e03b9381f41ca25b71299f6ae1c9c60a53
SHA-256: f7fc3d72a330028648dff533e59bbab25c29fe90c34f64b94dae1d0cf6c518ca
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel document containing a Workbook_Open VBA macro, which is a common technique for malicious documents. The macro is designed to hide sheets named 'PMCHECK' through 'PM95' and unhide the 'CONTROL' sheet, suggesting an attempt to manipulate the user's view of the document's content. The 'SE_CALLBACK_LURE' heuristic indicates the document may prompt the user to call a phone number in a context related to billing or security, further supporting a social engineering attack.

Heuristics 3

  • VBA macros detected (medium, 1 related finding): OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro (high): OLE_VBA_WBOPEN
    Workbook_Open macro
  • Callback phishing phone lure (medium): SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 154216 bytes
SHA-256 (macros.bas): 365a6a12a4460748d3abe149f18c80f1df171bbd1ebf286e7090a1990ea86b66
First 1,000 lines of the extracted script
Attribute VB_Name = "Module14"
Sub HIDEMPMP()
'
' Macro recorded 27-12-2003 by Colin Graham

' This Macro Hides the MPMP part of the FIR by performing the following steps
     ' Turn Off Screen Updates
     ' Hiding Schedules PM90 to PM95
     ' Turn On Screen Updates
     ' Flagging file as Submitting FIR ONLY


   '  Message Box to appear
    Dim Msg4, Style4, Title4, Help4, Ctxt4, Response4, MyString4
    Msg4 = "This will hide the MPMP Schedules.  The FIR ONLY will be considered submitted when this file is emailed to the Ministry.  REMEMBER:  This file must be used to submit BOTH FIR and MPMP in future, and ALL previously sent FIR data will be OVERWRITTEN."    ' Define message
    Style4 = vbOKCancel + vbInformation + vbDefaultButton1 + vbApplicationModal  ' Define buttons
    Title4 = "FIR ONLY Set-Up"    ' Define title
    'Help = "DEMO.HLP"    ' Define Help file
    Ctxt4 = 1000    ' Define topic
    ' context
    ' Display message
    Response4 = MsgBox(Msg4, Style4, Title4, Help4, Ctxt4)
    
    If Response4 = vbOK Then    ' User chose OK
    MyString4 = "Ok"    ' Perform the following . . .
        
    ' Screen Updates not visible onscreen
    Application.ScreenUpdating = False
            
        
        ' Unhide sheets for MPMP Schedules PM90 to PM95
        Sheets("PMCHECK").Visible = False
        Sheets("PM90").Visible = False
        Sheets("PM91").Visible = False
        Sheets("PM92").Visible = False
        Sheets("PM93").Visible = False
        Sheets("PM94").Visible = False
        Sheets("PM95").Visible = False
        
        'Unhide CONTROL Sheet
        Sheets("CONTROL").Visible = True
        Sheets("CONTROL").Select
        ActiveSheet.Unprotect ("*--*")
        
        ' Change Submit Flag to F for FIR ONLY
        Range("G42").Value = "F"
        
        ' Protect and Hide the CONTROL Sheet
        ActiveSheet.PROTECT "*--*", DrawingObjects:=True, Contents:=True, Scenarios:=True
        Sheets("CONTROL").Visible = False
        ' Go to COVER Sheet Cell A1
        Sheets("02").Select
        Range("A1").Select


        ' Screen Updates visible onscreen
        Application.ScreenUpdating = True
     

    Else    ' User chose CANCEL - No Actions performed
    MyString4 = "Cancel"
    
    End If
    
    ' Screen Updating On (Not turned off)

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
DeleteAllShortcuts
DisableControls
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)
EnableControls
End Sub

Private Sub Workbook_Deactivate()
EnableControls
End Sub

Private Sub Workbook_Open()
DeleteAllShortcuts
DisableControls
End Sub


Attribute VB_Name = "Sheet38"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet37"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module9"
Sub MPMP()
Attribute MPMP.VB_Description = "Macro recorded 26-12-2001 by MAH"
Attribute MPMP.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro recorded 27-12-2001
... (truncated)