MALICIOUS
258
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1566.002 Spearphishing with Attachment
The sample is an XLSM file containing obfuscated VBA macros, including a Workbook_Open auto-execution loader that uses CreateObject and Shell/exec functions. The document body presents a fake Goods and Services Tax (GST) reconciliation form, indicating a lure for financial information. While no direct payload execution URL was found, the presence of a VBA loader and the invoice lure strongly suggest a phishing or financial fraud attempt.
Heuristics 9
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
External relationship high OOXML_EXTERNAL_RELExternal target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet in SRS_Offline_GSTR10_30052018.xls
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Hidden worksheet (veryHidden, hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 7 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.gst.gov.in/download/returns
- https://github.com/VBA-tools/VBA-JSON
- http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
- https://github.com/VBA-tools/VBA-JSON/pull/82
- https://github.com/VBA-tools/VBA-UtcConverter
- http://www.frez.co.uk
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://www.opensource.org/licenses/mit-license.php
- http://code.google.com/p/vba-json/
- http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
- http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
- http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
- http://support.microsoft.com/kb/269370
- http://www.ietf.org/rfc/rfc4627.txt
- https://support.microsoft.com/en-us/kb/272138
- http://www.opensource.org/licenses/mit-license.php)�
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basd9181be68dd06a6480d64f9918d21cba95fabc95681839faa73ff05dd639f946 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 505088 bytes |
vbaProject_00.bind3a215187ce24c813bdf50881880f66075e80288fa6650a81b8d68b383850033 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 769024 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.