Verdict: MALICIOUS
Risk Score: 248
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1047 Windows Management Instrumentation
The file is an Excel document containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The macro utilizes Shell(), CreateObject(), and GetObject() functions, indicating an intent to run arbitrary commands or download additional payloads. The presence of a Workbook_Open macro and the use of these functions strongly suggest a macro-based downloader attack pattern.
Heuristics (7)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| VBA project inside OOXML (5 related findings) | medium | OOXML_VBA | Document contains a VBA project — VBA macros present |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Hidden worksheet (hidden) | low | OOXML_HIDDEN_SHEET | Excel workbook contains 7 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction |

Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 188145 bytes | 7630152c0e235aaa641f95cdfebffc2815aa441e5bfb4e6a51cf249d7749c585 |

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_BeforePrint(Cancel As Boolean)
    Dim asdf, cust, enq, pro, left, right As String
    asdf = "Metso Quotation no.: " & Worksheets("Summary").Range("B11").Value & " , rev: " & Worksheets("Summary").Range("B12").Value
    cust = "Customer: " & Worksheets("Summary").Range("B7").Value
    enq = "Enquiry: " & Worksheets("Summary").Range("B8").Value
    pro = "Project: " & Worksheets("Summary").Range("B5").Value
    left = cust & Chr(13) & enq & Chr(13) & pro
    right = Date & Chr(13) & asdf
    ActiveSheet.PageSetup.RightHeader = right
    ActiveSheet.PageSetup.LeftHeader = left
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    If ActiveWorkbook.Names("crm_on_save").RefersToRange.Value <> "" Then
        Call run_crm_calculations
    End If
End Sub

Private Sub Workbook_Open()
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AdminTools"

Function ISFORMULAC(rng As Range) As Boolean
    ISFORMULAC = 0
    If rng.HasFormula = True Then
        ISFORMULAC = 1
    Else
    End If
End Function

Sub updateDataValidationSource()
    Dim s As Range
    Dim dv As Validation
    Dim sList As String
    sList = "=" + Application.activeCell.Offset(-1, 0).Value
    Set s = Application.activeCell
    Set dv = s.Validation
    dv.Delete
    dv.Add xlValidateList, xlValidAlertStop, xlBetween, sList
End Sub

Sub updateNameElementValue() 'updates named ranges of valid values, these names are used to display valid value lists in import excel template
    '(1)USE WHEN ADDING NAMES TO VALID VALUE LIST
    Dim s As Range
    Dim refersT As String
    Dim col As String
    Dim n As Name
    Dim RangeAddress As String
    Set ws = ActiveWorkbook.Worksheets("ValidValues")
    'first we delete the named range then we make a newone
    Set namesRange = ws.Range("Import_ValidValuesColumnNames")
    For Each c In namesRange.Cells
        If c.Value = "" Then
            'do nothing
        Else 'make name
            col = c.Address
            If c.column > 26 Then
                col = left(c.Address(False, False), 2)
            Else
                col = left(c.Address(False, False), 1)
            End If
            col = Trim(col)
            refersT = "=OFFSET(ValidValues!$" + col + "$4,0,0,COUNTA(ValidValues!$" + col + "$4:$" + col + "$300),1)"
            ActiveWorkbook.Names.Add Name:=c.Value, RefersTo:=refersT
        End If
    Next
End Sub

Sub updateNameElementValue_Nelprof() 'RUN WHEN NEED TO UPDATE OTHER THAN CASE SENSITIVE ON nelprof valid values sheet
    'used for gland packing etc
    Dim s As Range
    Dim refersT As String
    Dim col As String
    Dim n As Name
    Dim RangeAddress, countstring As String
    Dim rowCount As Double
    rowCount = 0
    Set ws = ActiveWorkbook.Worksheets("Nelprof Valid Values")
    'first we delete the named range then we make a newone
    Set namesRange = ws.Range("Nelprof_valid_values_headers")
    For Each c In namesRange.Cells
        If c.Value = "" Then
            'do nothing
        Else 'make name
            'col = c.Address
            ' If c.column > 26 Then
            ' col = left(c.Address(False, False), 2)
            ' Else
            '
            ' col = left(c.Address(False, False), 1)
            ' End If
            '
            col = Split(c.Address, "$")(1)
            col = Trim(col)
            'refersT = "=OFFSET('Nelprof Valid Values'!$" + col + "$4,0,0,COUNTA('Nelprof Valid Values
```
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 470016 bytes | 05dc9255447b975295885926e8b8f51728cfa661d6efc6eb8c0deb0d452f279e |