# Malware Analysis Report

## Summary

**File:** `00189ae30ede41db97df3adb41e962c6d08534ca421cf30147b23d1cd46f2228` (240,640 bytes)

**Analysis ID:** #AID=5#

| Attribute | Value |
|-----------|-------|
| **Type** | CFB (Compound File Binary) — Legacy Excel workbook (.xls) |
| **Architecture** | VBA macros embedded in BIFF8 format |
| **Application** | Microsoft Excel |
| **Codepage** | 1251 (Cyrillic) |
| **Author** | Админ (Russian for "Admin") |
| **Created** | 2015-06-05 |
| **Last saved** | 2021-10-07 |
| **Entropy** | 187/255 (moderate-high) |
| **Kesakode verdict** | No verdict returned |

## Key Detections

### 1. Heavily Obfuscated VBA Macro Downloader

The document contains embedded VBA macro code within the **Workbook** stream (#AID=6#, `GGT` region at EA 219442, size 7313 bytes, marked with **execute permissions**). The macro implements a classic **dropper/downloader** pattern using Windows API calls:

| Obfuscated Fragment | Reconstructed API Call | Purpose |
|---|---|---|
| `"Ke"` + `"ll32"` + `"CreateD"` | **kernel32.CreateDirectoryA** | Creates directories for dropped files |
| `"lmon"` + `"URLDownloadToFil"` + `"eA"` | **urlmon.URLDownloadToFileA** | Downloads payloads from remote URLs |
| `"Sh"` + `"ell32"` + `"ShellExecuteA"` | **shell32.ShellExecuteA** | Executes the downloaded files |
| `"ne"` + `"l32"` + `"egsv"` + `"r"` | **regsvr32.exe** | Living-off-the-land binary used to run DLLs |

### 2. Three Obfuscated Malicious URLs

All URLs are assembled by character concatenation (`"h"&"t"&"t"&"ps://..."`) to evade static detection:

- **`https://coronavirusexplanation.com/K6LHv4xQHwL8/natur.html`** — found at EA 207913, 219434 in #AID=5#
- **`https://silverliningohio.com/dWuiynkrpd/natu.html`** — found at EA 207999, 219222 in #AID=5#
- **`https://pdmtgc.org/zndmZgKgKNJO/nature.html`** — found at EA 207842, 219090 in #AID=5#

The multiple URLs serve as **fallback C2/download servers**.

### 3. File Drop Paths

The macro saves downloaded payloads to the local filesystem at:

- `C:\Datop\test.test`
- `C:\Datop\test1.test`
- `C:\Datop\test2.test`

(Found at EA 216209, 216419, 216636, 218091, 218222, 218297 in #AID=6#)

### 4. COVID-19 Social Engineering Theme

The domain `coronavirusexplanation.com` and the GUID `{084F01FA-E634-4D77-83EE-074817C03581}` (found at EA 221004 in #AID=5#) indicate this sample was distributed as a **COVID-19 themed lure**, consistent with widespread pandemic-era phishing campaigns (2020–2021).

### 5. Office Document Metadata Anomalies

The document contains `DocumentOwnerPassword`, `DocumentUserPassword`, and `DocumentCryptSecurity` properties (EAs 221334, 221292, 21778 in #AID=5#), suggesting the document may have been protected or crafted to restrict user interaction with the macro content.

## Evidence

### Sub-File: `/Workbook` (#AID=6#)

The Workbook stream (229,161 bytes) was the primary analysis target:

- **Region `GGT`** (EA 219442, 7313 bytes, RX permissions): Contains the VBA macro code. Decompiled VBA was not recoverable (likely due to obfuscation/encryption of the macro project), but the raw BIFF macro stream was analyzed via string extraction.
- **Regions `Simbb1`, `Simbb2`, `Simbb3`** (EAs 211299–219442): Contain data sheets holding the obfuscated URL strings and variable assignments.
- **Regions `Brer1`–`Brer5`** (EAs 226755–229161): Additional macro supporting data, BIFF sheet records.

### Execution Flow (Reconstructed from Macro Fragments)

1. **Trigger:** Opening the document triggers `Workbook_Open` / auto-execution.
2. **API Resolution:** Uses `GetObject` / late-binding COM to resolve `kernel32`, `urlmon.dll`, `shell32.dll`; function names are split into fragments to avoid signature detection.
3. **Directory Creation:** Creates the `C:\Datop\` directory via `CreateDirectoryA`.
4. **Download:** Attempts to download payloads from the three URLs using `URLDownloadToFileA`, saving them as `test.test`, `test1.test`, `test2.test`.
5. **Execution:** Executes the downloaded files via `ShellExecuteA` with the `"open"` verb.
6. **Fallback:** Also uses `regsvr32` (referenced via `"ne" & "l32" & "egsv" & "r"`) as an alternative execution method, a known **Living-off-the-Land (LOLBins)** technique.

## Counter-Arguments / Caveats

| Argument | Assessment |
|----------|-----------|
| **No Yara rule matches** | The obfuscation technique evades many signature-based rules. This does not indicate cleanness. |
| **No anomalies detected** | The file's CFB structure is technically valid; the malicious payload is in the macro stream, not in structural anomalies. |
| **Kesakode returned no verdict** | Legacy XLS files with obfuscated macros often fall outside ML model coverage. |
| **Could be a pentest tool or testing artifact** | The path `C:\Datop\test.test` and GUID suggest a testing/development context. However, the COVID-themed domain and triple-URL redundancy pattern match known malware campaigns. |
| **Macro project could not be fully decompiled** | The VBA project appears encrypted/password-protected, which is itself a red flag for malicious documents. |
| **The payload URLs are no longer accessible** | We cannot confirm what was ultimately downloaded, but the downloader behavior is unmistakably malicious regardless of payload. |

## Verdict

### **MALICIOUS** — Confidence: **95/100**

This is a **weaponized Excel document** serving as a **macro-based downloader/dropper**. The file:

- Contains obfuscated VBA macros that use Windows API calls (`URLDownloadToFileA`, `ShellExecuteA`, `CreateDirectoryA`, `regsvr32`) to download and execute remote payloads
- References three different C2/download domains with obfuscated URLs
- Drops files to `C:\Datop\` and executes them
- Uses COVID-19 social engineering themes consistent with known APT/crimeware campaigns from 2020–2021
- Employs multiple layers of obfuscation (character concatenation for strings, split API function names, encrypted VBA project) to evade detection

The missing 5% confidence accounts for the inability to recover the full VBA source code and the fact that the remote payloads could not be retrieved for further analysis. The macro behavior, however, is unambiguously malicious.