Ave Maria RAT – .xls, ADS, and EQNEDT32!

Life is like a malicious document. You never know what you’re going to get. Or not. Either way, this document was really quite interesting with its twists and turns. We will be working off of this document right here: https://app.any.run/tasks/ce33bea3-9f2d-4507-ae43-2a96bb814bc5

A picture is often worth a thousand words. I mapped out the document, files, and processes into a single picture below. We’ll have to see if this picture simplifies the explanation or is the cause of a great number of words.



Using oledump.py, we can see that this document contains some macros (A3) and a few oleObject binaries (B2, C2, and D3). All of them need to be investigated.



The only macro worth looking at is Module1. The first few lines contain what looks like some base64 encoded strings. We can also see that a lot of strings are being added to variable s.


Variable x contains a path to C:\programdata\asc.txt.


In line 185, we can see that the text file asc.txt is going to get created, with an additional alternate data stream called script1.vbs. Line 195 writes the contents of s into script1.vbs.


And finally, line 200 contains the part that uses cscript to run asc.txt:script1.vbs.



The two most important lines in this script are base64 encoded strings in lines 2 and 3. They decode to the URL and the name of the executable to download.


fsdfdsfs = http[:]//5[.]199[.]143[.]127/bin.exe
yulkytjtrhtjrkdsarjky = bin.exe

Line 130 contains the command to download the executable and line 133 executes it.


You’ll see from the any.run output, that while this macro is executed, it never makes a successful connection to But that’s okay, the oleobject binaries were successful.


This binary contains a file called xx which gets dropped in the temp location (C:\Users\[user]\AppData\Local\Temp\xx). More on this later.


This binary contains a file called yy which also gets dropped in the temp location (C:\Users\[user]\AppData\Local\Temp\yy). Again, more on this later.


This is where the secondary process really kicks off. Here’s what this binary contains:


The equation editor (EQNEDT32.exe) take a hold of that string and executes it. This renames file yy to y.js and then executes it.

cmd /c ren %tmp%\yy y.js&CSCRipt %tmp%\y.js


Upon execution, this file changes file xx to xx.vbs (line 11 and function ChangeFileName). It then executes xx.vbs in line 12 and deletes y.js in line 15.



Structurally, xx.vbs is very similar to asc.txt:script1.vbs. The top contains the same base64 encoded strings. They run through functions to decode them. The end of the script downloads the binary and executes it.


fsdfdsfs = http[:]//5[.]199[.]143[.]127/bin.exe
yulkytjtrhtjrkdsarjky = bin.exe


In this case, xx.vbs actually did download .bin. Upon execution, it copied and renamed itself to C:\Users\[user]\AppData\Roaming\images.exe. It even adds itself to HKCU\SOftware\Microsoft\Windows\CurrentVersion\Run for persistence.

And when it executes, it reaches back out to

Thanks for reading!