Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1f02405f0d85e93d…

MALICIOUS

Office (OLE) / .XLS

1.12 MB Created: 2006-09-16 08:00:00 Authoring application: WPS Office First seen: 2026-06-27
MD5: 80c206858252fc4c7f1fa6639c82acff SHA-1: 859fda99a0de7bb650f6b3ac5abfe4f0c8bf1887 SHA-256: 1f02405f0d85e93d0fe98a54af068950b5b47e060f3cdc2ce3cc4d17b72e3ba2
248 Risk Score

Heuristics 6

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
       Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
            S.write H.Responsebody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
            Set H = CreateObject("Microsoft.XMLHTTP")
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3475 bytes
SHA-256: 2e12b22f9afb5f62e4b239118388b0b1a9fee6ddea17fc9c9490ecb5977159ba
Preview script
First 1,000 lines of the extracted script
' Standard-module stream "模块1" ("Module 1"): no VB_Base attribute follows, so
' this is a plain code module. It holds the API declarations and Auto_Open below.
Attribute VB_Name = "模块1"
' Win32 API imports. The #If Win64 branch supplies the PtrSafe declarations
' required by 64-bit Office; both branches import the same three functions.
#If Win64 Then
   ' urlmon!URLDownloadToFileA — in this module it is referenced only from a
   ' commented-out line inside Auto_Open; the live download path uses
   ' Microsoft.XMLHTTP + ADODB.Stream instead (see OLE_VBA_HTTP_DROP_EXEC).
   ' NOTE(review): pCaller and lpfnCB are declared As Long even in this 64-bit
   ' branch (a LongPtr would be expected); this reads like the 32-bit
   ' declaration copied into the Win64 branch — confirm before relying on it.
   Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    ' wininet!DeleteUrlCacheEntryA — also referenced only from commented-out code here.
    Public Declare PtrSafe Function DeleteUrlCacheEntry Lib "wininet" Alias "DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long
    ' kernel32!DeleteFileA — called at the end of Auto_Open to remove the downloaded file.
    Declare PtrSafe Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
#Else
    ' 32-bit equivalents of the three declarations above.
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Public Declare Function DeleteUrlCacheEntry Lib "wininet" Alias "DeleteUrlCacheEntryA" (ByVal lpszUrlName As String) As Long
    Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
#End If

' Auto-exec entry point: VBA runs a procedure named Auto_Open when the workbook
' is opened (flagged as OLE_VBA_AUTO above). It reads a URL from a cell,
' fetches the resource over HTTP, writes it next to the workbook, inserts it as
' a picture, then clears the URL and deletes the file. There is no On Error
' handler, so any failure (no network, non-image content, protected sheet)
' raises a runtime error at that line and leaves whatever was written so far.
Sub Auto_Open()

    ' Unqualified Range() in a standard module resolves against the active
    ' sheet: cell G4 carries the download URL, trimmed and written back in place.
    Set Rng = Range("G4")
    Rng.Value = Trim(Rng.Value)
    If Len(Rng.Value) > 0 Then
        Dim nUrl As String, localFilename As String, lastname As String, lngRetVal As Long
        nUrl = Rng.Value
        ' Derive the file extension from the URL. When the URL carries the
        ' query-string fields of a pre-signed object-storage link (Expires,
        ' OSSAccessKeyId, Signature), take the text from the last "." before
        ' the "?" up to the "?"; otherwise take everything from the last ".".
        ' Either way the extension comes straight from the URL, so the cell
        ' content decides the type of the dropped file.
        If (InStr(nUrl, "?") > 0 And InStr(nUrl, "Expires") > 0 And InStr(nUrl, "OSSAccessKeyId") > 0 And InStr(nUrl, "Signature") > 0) Then
            lastname = Mid(nUrl, InStrRev(nUrl, ".", InStrRev(nUrl, "?")), (InStrRev(nUrl, "?") - InStrRev(nUrl, ".", InStrRev(nUrl, "?"))))
        Else
            lastname = Mid(nUrl, InStrRev(nUrl, "."))
        End If
        
        ' Drop location: the workbook's own directory, fixed basename "gep" plus
        ' the extension derived above — a stable file-create indicator for detection.
        localFilename = ThisWorkbook.Path & "\gep" & lastname
        ' The URLDownloadToFile path below is disabled; the live code uses the
        ' COM objects that follow, which avoids the urlmon call and the WinINet
        ' cache entry the commented-out DeleteUrlCacheEntry was meant to remove.
        'lngRetVal = URLDownloadToFile(0, nUrl, localFilename, 0, 0)
        
        'If lngRetVal = 0 Then
        '    DeleteUrlCacheEntry nUrl
        'End If
        Dim H, S
        ' Synchronous HTTP GET via Microsoft.XMLHTTP (flagged as
        ' OLE_VBA_CREATEOBJ above). The ProgIDs here are plain literals, not
        ' built dynamically, so keyword-based scanners do see them.
        Set H = CreateObject("Microsoft.XMLHTTP")
        H.Open "GET", nUrl, False
        H.send
        ' Write the raw response body to disk through ADODB.Stream:
        ' Type = 1 is adTypeBinary and the 2 passed to SaveToFile is
        ' adSaveCreateOverWrite, so an existing "gep<ext>" file is replaced.
        Set S = CreateObject("ADODB.Stream")
        S.Type = 1
        S.Open
        S.write H.Responsebody
        S.savetofile localFilename, 2
        S.Close
        
        ' The downloaded file is handed to Pictures.Insert and scaled to fit a
        ' box of the cell's width and five times its height. This is the only
        ' use of the file in this module; no Shell/WScript call is visible here
        ' even though the OLE_VBA_HTTP_DROP_EXEC description mentions Shell
        ' paths. NOTE(review): what the payload does beyond rendering cannot be
        ' told from this module — check the other streams (模块2 is cut off
        ' below) before concluding.
        With ActiveSheet.Pictures.Insert(localFilename)
            ' Tall image: pin the top edge, centre horizontally, scale to 5 cell heights.
            If ((.Height / .Width) > ((Rng.Height / Rng.Width) * 5)) Then
                .Top = Rng.Top
                .Left = Rng.Left + (Rng.Width - .Width * Rng.Height * 5 / .Height) / 2
                .Width = .Width * Rng.Height * 5 / .Height
                .Height = Rng.Height * 5
            ' Wide image: pin the left edge, centre vertically, scale to the cell width.
            Else
                .Left = Rng.Left
                .Top = Rng.Top + (Rng.Height * 5 - .Height * Rng.Width / .Width) / 2
                .Height = .Height * Rng.Width / .Width
                .Width = Rng.Width
            End If
        End With
        ' Clean-up: the URL is cleared from the sheet and the dropped file is
        ' deleted, so after a successful run neither the document nor the
        ' directory retains the indicator. Detection therefore has to rely on
        ' the outbound HTTP request and the transient file create/delete events.
        Rng.Value = ""
        DeleteFile localFilename
    End If
End Sub

' Document-module stream "ThisWorkbook": only the attribute header was
' extracted; no procedures follow it in this listing.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet-module stream "Sheet1": attribute header only; no procedures
' follow it in this listing.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "模块2"