Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 564872cad8a9791e…

MALICIOUS

Office (OLE)

Size: 5.89 MB
Created: 2021-09-01 16:33:17
Authoring application: AddinUpdater
MD5: 20d163f9e8bea0c68f29b10e82c790aa
SHA-1: 97949b207cc57fc64e3cea7f056bd603076afae3
SHA-256: 564872cad8a9791e7e507f3b3e343e27c3b4489469af59eb1c37c8636e25c23d
Risk Score: 1090

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample contains a Workbook_Open macro that utilizes WScript.Shell and URLDownloadToFile to download and execute a second-stage payload. The macro also employs obfuscation techniques and uses WMI to create processes, indicating a downloader or dropper functionality. The presence of `macros.bas` and references to `excelvba.ru` suggest a potential origin or distribution method.

Heuristics 25

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • VBA ActiveX event runs worksheet-decoded XLM formulas critical OLE_VBA_ACTIVEX_XLM_CELL_STAGER
    VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • VBA instantiates a COM class by raw CLSID high OLE_VBA_GETOBJECT_CLSID_EVASION
    VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID — an uncommon bypass of name-based macro detection.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 21fac22e67e68ae4e6e9d0746006e68325c670b34969d9a875e6e38c32b12db9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7348555 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 47 long base64-like blob(s).