Verdict: MALICIOUS
Risk Score: 212
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This Excel file contains obfuscated VBA macros, including a Workbook_Open auto-exec loader that uses CreateObject and execution sinks. The macros appear to be designed to download and execute a second-stage payload. The document body content relates to tax reporting, suggesting a lure for financial fraud or tax evasion.
Heuristics (8)
| Finding | Severity | Rule | Description |
|---|---|---|---|
| VBA macros detected | medium (5 related findings) | OLE_VBA_MACROS | Document contains VBA macro code |
| Obfuscated auto-exec VBA loader | critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER | Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs:
- http://www.w3.org/2001/XMLSchema (in document text, OLE body)
- http://www.w3.org/2001/XMLSchema-instance (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 104133 bytes |

SHA-256: df3cc41c0df40bba3dcfb8ad93ad0ec0f1a8df09b8f80a8f91c9fadc2e87b14e

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Image1, 12, 0, MSForms, Image"
Attribute VB_Control = "VCommandButton1, 9, 1, MSForms, CommandButton"
Attribute VB_Control = "eDoc, 11, 2, MSForms, ComboBox"
Private Sub eDOC_Change()
'Change the document form and highlight/shade the required fields
Dim J_F As String, nc_doc As String
On Error GoTo handle_err
c_doc = GetValFromExcel("C4")
J_F = Left(c_doc, 1)
nc_doc = Mid(c_doc, 2, 5)
Call PrepareDoc(J_F, nc_doc)
On Error GoTo 0
Exit Sub
handle_err:
Call MsgBox(Err.Description, vbCritical + vbOKOnly)
End Sub
'Prepare the input form depending on the current document code
Private Sub PrepareDoc(J_F As String, nc_doc As String)
Call HiddenAllHRanges
Select Case J_F
Case "F"
Call NameRangeShowRows("DOC_01_151")
Call NameRangeShowRows("DOC_04_F")
Case "J"
Select Case nc_doc
Case "02151"
Call NameRangeShowRows("DOC_01_151")
Case "02092"
Call NameRangeShowRows("DOC_01_092")
Case "02942"
Call NameRangeShowRows("DOC_01_942")
Case "02851"
Call NameRangeShowRows("DOC_01_851")
End Select
Call NameRangeShowRows("DOC_04_J")
End Select
End Sub
' Hide all named ranges that get hidden or shown
Private Sub HiddenAllHRanges()
Call NameRangeHideRows("DOC_01_151")
Call NameRangeHideRows("DOC_01_092")
Call NameRangeHideRows("DOC_01_942")
Call NameRangeHideRows("DOC_01_851")
Call NameRangeHideRows("DOC_04_J")
Call NameRangeHideRows("DOC_04_F")
'...
End Sub
'Procedure that shows the specified named range
Private Sub NameRangeShowRows(NameRange As String)
Dim rng As Range
Application.GoTo NameRange
Set rng = Selection
rng.Rows.Hidden = False
End Sub
'Procedure that hides the specified named range
Private Sub NameRangeHideRows(NameRange As String)
Dim rng As Range
Application.GoTo NameRange
Set rng = Selection
rng.Rows.Hidden = True
End Sub
Private Sub VCommandButton1_Click()
If Worksheets("список").Visible = xlSheetVisible Then
Worksheets("список").Visible = xlSheetHidden
Else
Worksheets("список").Visible = xlSheetVisible
End If
End Sub
Attribute VB_Name = "Module1"
Private lTypes As XSDTypeList
Private blockLen As Long
'Build the full document code name
Function FormFullNameDoc(c_doc As String)
sFullCodDoc = c_doc + "09"
FormFullNameDoc = sFullCodDoc
End Function
'Set up the list of fields for the current document
Private Function SettingListXSDTypes() As XSDTypeList
Set SettingListXSDTypes = CreateXSDTypeList()
doc = GetValFromExcel("C4")
SettingListXSDTypes.Add "HZ", "CH", "G7", "H"
SettingListXSDTypes.Add "HZN", "CH", "G8", "H"
SettingListXSDTypes.Add "HZU", "CH", "G9", "H"
If doc = "J02092" Then
SettingListXSDTypes.Add "HSG", "CH", "DOC_01_092.(3,8)", "H"
SettingListXSDTypes.Add "HLG", "CH", "DOC_01_092.(4,8)", "H"
SettingListXSDTypes.Add "HRB", "CH", "DOC_01_092.(5,8)", "H"
End If
SettingListXSDTypes.Add "HZY", "I", "C39", "H", True
SettingListXSDTypes.Add "HZKV", "I", "D39", "H"
SettingListXSDTypes.Add "HZM", "I", "E39", "H"
SettingListXSDTypes.Add "HZYP", "I", "C42", "H"
SettingListXSDTypes.Add "HZKVP", "I", "D42", "H"
SettingListXSDTypes.Add "HZMP", "I", "E42", "H"
If doc = "F02151" Then
Sett
```
... (truncated)