Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an Excel document containing VBA macros, specifically a Workbook_Open macro designed to execute code upon opening. The presence of CreateObject calls and p-code auto-execution indicates an attempt to run arbitrary commands. While the macro code is heavily obfuscated and truncated, its structure strongly suggests it's a downloader or dropper for a secondary payload, typical of macro-based malware delivery.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Workbook_Open macro (high) OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20484 bytes |

SHA-256: db4b6debb0e8bf32402d9c845753fa3f3c56be50978f29d721073453546f459e
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 5 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
hON2A_nUTHCDjnNvg7_.mYxoySaYQq_WXjWAmwOc
Dim KlGSKvtpTZR_34mLISrtLaHtMnjK2rX3Lcs As Worksheet
If "APccCiuD1WDcd6JzS_eOsbW_fJhwlAYvYJl5pznJaWQUHIENp1_wqL9" = "g3W72_7Zy8QDRSNHbZTwUIA5UDSEu6kDKJDBR" Then
Dim vIc6aV1Ev4ZqkVVYlW1ajxp1o3UL2FNLzinISYqnDOPXnCTNqvhp As Date
End If
Dim JzQ8clOhAmMnnMzArK_LoLVTfPKkgFe_hhA_QoppHHlYAksZLS As Worksheet
If "fdpTA8b6ZKYn_3GGEEKzsBeXDei7R5" = "fuXMi_XMgCfTNdOdGrQ3emMUid9QPdXemennNvSF" Then
Dim r2gHSWvAGiWznYX2fCmDAF6Cn_qrykNUXIJmE_AKq8HqFhzL As Date
End If
Dim EuFKGN_k5dcRpCJfSAZcNuvaAaVC7N6EHclCcC As Worksheet
If "MH_hqkjqdnvlV_FV8S9oJo2BmohWIKZFBPwQXoCJ" = "zR6qOT1z9vdQDx2gOB5ABLgQLniEQx7RPxx1sIuRxqWVqHCLXNAVtBGl" Then
Dim tmdktuhIyJAO__xEPkLSxIjDkUpBwjhMoJF_oIgBHMgeFwL As Date
End If
Dim XZ5_GxwwiCY_W_eUNlvix3sYFDJJjlD6wGQk2dYY1VfANIH7m1R3TLXd As Worksheet
If "qd8DmlL78bKOv4ctKVrZVqI74MfrSJkisv3VfUu" = "NIhCv73IsWgp8d7G_SAHY_dmw1ke9_F" Then
Dim LzjcPwmW9ACwTucm_vn3BeKUHn5N4UWJrOTzVAoSU As Date
End If
Dim AGUQI2SLfsTEDqmMSk2Xbml2DDZmOCESgEcC_zdB5qxnylJlKHpDZ6bW As Worksheet
If "dcL_Zp6bl_h8MjMbEycux8Ba2xZFUA2jlEgfmXkNtTAyD" = "LXk5L7kbphfZuLlNyEkF7TFBqyqMN_b7KVoYyJHDPG6gA" Then
Dim K895NYqE1PiMWOVMp_hNWfLYm7fyyXi_k8dON_MgcOx As Date
End If
Dim GN7ux43OabzbntiPP22PaqikYtF9jzAtFrDIoKq55HFgudydnw7 As Worksheet
If "nk9UZoUUCw4nja_T5oYkDI6UQiAy44kSv3UGGUmcSznF_deEoH3" = "xMK2cnlD1meZGJj1q_7LiB5PMeyUwC5Hu_w_jA1beQvywYe5Ylx_r5" Then
Dim SuQ4n8yPPwrUnFWdPpMcqPOEbx_36I As Date
End If
Dim N5YypAvoV2mMA8FZtWg4UGuNMCeKay86TEhv6xZVqjRTybOP8ACkUAxE As Worksheet
If "IJkldjMf4q34YTd67IKuxYXuwNLYvViRQakt" = "Lx2FUvZGiTzmeFnJxCQsuzyNVxsgFil8rtrGQ_XB9PJaWi3oqXdNI29" Then
Dim V8ltgB2_9r25uWe3smNtdnV1w5Dyr_WwzuUI As Date
End If
Dim nTz9EOKsemFPKdtj4Fdrju6l8CQ3SD__B As Worksheet
If "TMXwOmMamTHwvlMTw3rPlh3WM_C8QXZhFN1OUvncOO7Ywy" = "JYDhfJVsXvTAiNjOIM3ipgu78_MM_VkbiXxl3r1" Then
Dim OKVyD4TLX2_EreLGmmEif6GrBI1ZIY7UZUmWRqpBmvyU_O27VOJ8vGTR As Date
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "hON2A_nUTHCDjnNvg7_"
Dim K8ApU4UxR73_DxT9Q_J7i2NJEsG5XU3GqewpdZM4OEbmkTaNvEp7jJf As String
Dim kFYRmxw1qx9eXj9jdnzpaOLCdT14zl9neFixl4ukdUfDF_87uHF As String
Dim E_4CukOrob3HLhSuFJn7n5aikfX1aXsseMy9__Hrf8pBLa_GKTRWU8PImSaMKXOPsIm9rSuEA5YpNYVIfPoF_TVg6oUph4eGqXRBxAX2iKUZhi4M7Qq5sHJWw_BC7DgFYP9yESTe2vf2969V As String
Dim ASSn3v9sszZVjeDgYNAsKiKQ5BlGzGs5DWThdIBIDKAPTUItzdc_7y_ZFAs1Hz3kEeQLJdCOKzn9h57h21QTms8MQ3ZbZJ_LRXIxC7iTaMwEI_2JDI8Qhg7UgC4 As Integer
Function Dmw4C3B94moU2xy67C6tFuruP4C4N9hQ(bqbWhLElUinRLFA9e3ni_uBp6vatntvCYGw2UzF_xZib_ksEDPWz6sSpnuZuuU8kwk3DRHlnuntnKhkSCTpWU5FoxFLiYUMba7ocrov5msDP8odEIErYojN1dLOK5BMYYQLM3FkVgusl1yqH)
Dim QOghNblORpZuxBLkO8FeE5MOXXV_sn61X8z1RMnfEb_ As Worksheet
If "i5Bq_Ynkr35VBQHyElemtiUzJTRASiYmyOpcVn_R9SGeBcxA_xZb6" = "aL_iJfnFmQHcQfukobalKmYZzwqeP6dH6pWBo3KGTJUB9As7CYXU9zswwh" Then
Dim rVyGyqv9gkGs5uORP_QWZyCtb1fHI_6jNFJxRLUnN9cGxScl_oireYF As Date
End If
Dim RDo7Ilyangcxja_DnlGZT55HW4CceLDy9PdMgWdkIAcO As Worksheet
If "yoAmoeD2PpgWHeiNiT6ZbnxS6ufPGeP" = "RaoRq2Yx9HKgRrE_AwNBx_BwI1qp39vtuXN6" Then
Dim bK2VHf6QPFejzpdb2bbMX2GzJr5_UZu3cHkx523PHseCTEzKcS2Q5_fj As Date
End If
Dim n3zbKUyAZ_vIehT4aj4x_iNg9WuoMeybPh_RxGgGZWtc8E2k7GD7rkq_nRcxiIw5NR37gA_RBuWkxth2dHq_a1toz4nenshOjyNoL5D6Ct57M_O4sjRY
Dim CAJYj56zTkFp_pg_iJ_oU_d_2rfBhb7bl_t3pboLwoqs As Worksheet
If "IFvu1rt51N8fEf2W3P1mmDD6mREd21pVuEr" = "ktOptLgtuuVi6wx3Wy_SEBzFglNC9gjt9x" Then
Dim PmmjFYERRIPsIqC8Rfoulh3GGG8duMJkiFfIOvrnMvspz As Date
End If
Dim xag9_NC
... (truncated)