MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an Excel document containing VBA macros, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening. The presence of the 'Xls.Virus.Valyria-10004391-0' ClamAV detection strongly indicates malicious intent. The macro code itself appears to be involved in data manipulation and export, but its primary function is likely to download and execute a secondary payload, as suggested by the external relationship URL.
Heuristics (6)
- ClamAV: Xls.Virus.Valyria-10004391-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Virus.Valyria-10004391-0
- VBA project inside OOXML (medium, OOXML_VBA, 1 related finding): Document contains a VBA project — VBA macros present
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- External relationship (medium, OOXML_EXTERNAL_REL): External target in xl/externalLinks/_rels/externalLink1.xml.rels: https://elevateglobal.sharepoint.com/20190327 backup/Yang Lei/Technical Work (Global)/Assessment Tool/Coordination Tool/
- Hidden worksheet (veryHidden) (low, OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://elevateglobal.sharepoint.com/20190327 (OOXML external relationship)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6745 bytes |

SHA-256: 04057323d521c801b88a6333ff518d3e7764c17101964d6999d4a505aa475d4d
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Activate()
    Rows("2:117").EntireRow.AutoFit
End Sub

Attribute VB_Name = "Module2"
Sub Export()
    ' Export Macro
    CurWkbk = ActiveWorkbook.Name
    ActiveWorkbook.Unprotect Password:="abc"
    Sheet3.Unprotect Password:="abc"
    Columns("A:A").ColumnWidth = 0.25
    Columns("B:B").ColumnWidth = 0.25
    Range("A1:N317").Select
    Selection.Copy
    Sheets.Add
    ActiveSheet.Name = "For Factory"
    Cells.Select
    With Selection.Interior
        .Pattern = xlSolid
        .PatternColorIndex = xlAutomatic
        .ThemeColor = xlThemeColorDark1
        .TintAndShade = 0
        .PatternTintAndShade = 0
    End With
    ActiveSheet.Paste
    ' ActiveSheet.Shapes.Range(Array("Picture 1")).Select
    ' Selection.ShapeRange.Height = 59.76
    ' Selection.ShapeRange.ScaleWidth 1.08, msoFalse, msoScaleFromTopLeft
    ' Application.CommandBars("Format Object").Visible = False
    ' Selection.ShapeRange.IncrementLeft 6.6
    Columns("A:A").ColumnWidth = 0
    Columns("B:B").ColumnWidth = 0
    Columns("C:C").ColumnWidth = 25
    Columns("D:H").ColumnWidth = 50
    Columns("I:J").ColumnWidth = 25
    Columns("L:L").ColumnWidth = 50
    Rows("2:6").RowHeight = 14.4
    Rows("7:307").EntireRow.AutoFit
    Range("C1:L6").Select
    With Selection.Interior
        .Pattern = xlSolid
        .PatternColorIndex = xlAutomatic
        .ThemeColor = xlThemeColorDark1
        .TintAndShade = 0
        .PatternTintAndShade = 0
    End With
    Range("A1:A2").Select
    ActiveWindow.LargeScroll ToRight:=-1
    Sheets("For Factory").Select
    Application.CutCopyMode = False
    Sheets("For Factory").Copy
    Windows(CurWkbk).Activate
    Application.DisplayAlerts = False
    Sheets("For Factory").Select
    ActiveWindow.SelectedSheets.Delete
    Application.DisplayAlerts = True
    Columns("A:A").ColumnWidth = 0
    Columns("B:B").ColumnWidth = 0
    Sheet3.Protect Password:="abc"
    ActiveWorkbook.Protect Password:="abc"
    Range("A1:A2").Select
    Application.WindowState = xlMinimized
End Sub
Sub pics()
    Sheet9.Unprotect Password:="abc"
    Dim fName As String
    Dim r, r2 As Range
    Dim h, w As Single
    ActiveSheet.Shapes(Application.Caller).TopLeftCell.Select
    With Application.FileDialog(msoFileDialogOpen)
        .AllowMultiSelect = False
        .Filters.Add "Pictures", "*.jpg", 1 'default
        .Show
        If .SelectedItems.Count > 0 Then
            fName = .SelectedItems(1)
        Else
            Exit Sub
        End If
    End With
    With ActiveSheet.Pictures.Insert(fName)
        h = .Height
        w = .Width
        .Delete
    End With
    Set r = Selection
    With ActiveSheet.Shapes.AddPicture(fName, msoFalse, msoCTrue, 0, 0, w, h)
        .LockAspectRatio = True
        .Width = r.Width
        If .Height > r.Height Then
            .Height = r.Height
        End If
        .Left = r.Left + (r.Width - .Width) / 2
        .Top = r.Top + (r.Height - .Height) / 2
        .Placement = 1
    End With
    Sheet9.Protect Password:="abc", DrawingObjects:=False
End Sub
Sub PDF()
    Sheets(Array("Facility Profile", "Audit Datasheet", "CAP", "Photos", "Summary Dashboard")). _
        Select
    Sheets("Summary Dashboard").Activate
    ActiveSheet.ExportAsFixedFormat Type:=xlTypePDF, Filename:= _
        "", _
        Quality:=xlQualityStandard, IncludeDocProperties:=True, IgnorePrintAreas _
        :=False, OpenAfterPublish:=True
```

... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 36864 bytes |

SHA-256: 26969686c993a0a826650fe35f00ebed32d60f707ae9a791f9ecee46d8977b0f

Detection
- ClamAV: Xls.Virus.Valyria-10004391-0
- Obfuscation or payload: unlikely