MALICIOUS
Risk Score: 378
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains a Workbook_Open macro that uses CreateObject and WScript.Shell to run obfuscated VBA code. The code is built to download and execute a second-stage payload, as indicated by the critical OLE_VBA_SHELL and OLE_VBA_WSCRIPT heuristics. The multiple suspicious URLs suggest download infrastructure. The macro's auto-execution and obfuscation point to downloader or dropper functionality. Note that the EMBEDDED_URL listing is informational rather than a detection, and many of the extracted URLs are VBA documentation pages and forum threads; the second-stage download location should be confirmed from the decoded macro source (macros.bas, 860959 bytes) rather than from the URL list alone.
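The following Python is added here as an illustration; it is not the analyzer's code and not this sample's macro. It reproduces the logic behind the OLE_VBA_* findings in the heuristics list that follows: it statically decodes the three obfuscated-loader shapes (numeric Chr() arrays, hex strings, junk-token Replace) before looking for the CreateObject / WScript.Shell / Shell() sinks, so indicators the loader keeps out of the visible source still surface, and it falls back to a raw token scan of the module stream for the p-code-only case. The macro text and stream bytes are constructed for the example, example.invalid is a placeholder host, and the token lists and regexes are this example's own choices.

```python
import re

# Procedure names Office runs automatically on open (Workbook_Open is the one this report flags).
AUTOEXEC = re.compile(r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen|Workbook_Activate)\b", re.I)
# Execution / COM-instantiation sinks, keyed by the heuristic ID they correspond to.
SINKS = {
    "OLE_VBA_SHELL": re.compile(r"\bShell\s*\(", re.I),
    "OLE_VBA_WSCRIPT": re.compile(r"WScript\.Shell", re.I),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
    "OLE_VBA_GETOBJ": re.compile(r"\bGetObject\s*\(", re.I),
}
# The three decoder shapes named by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER.
CHR_ARRAY = re.compile(r"(?:Chr[W$]?\s*\(\s*\d+\s*\)\s*[&+]?\s*){4,}", re.I)
HEX_STRING = re.compile(r'"((?:[0-9A-Fa-f]{2}){6,})"')
JUNK_REPLACE = re.compile(r'Replace\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*""\s*\)', re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)


def recover_strings(src: str) -> list:
    """Statically evaluate the three decoder shapes and return the plaintext they hide."""
    out = [
        "".join(chr(int(n)) for n in re.findall(r"Chr[W$]?\s*\(\s*(\d+)\s*\)", m.group(0), re.I))
        for m in CHR_ARRAY.finditer(src)
    ]
    for m in HEX_STRING.finditer(src):
        text = bytes.fromhex(m.group(1)).decode("latin-1")
        if text.isprintable():
            out.append(text)
    out += [m.group(1).replace(m.group(2), "") for m in JUNK_REPLACE.finditer(src)]
    return out


def triage_vba_source(src: str) -> dict:
    """Score decoded VBA source the way the OLE_VBA_* heuristics do: decode first, then match sinks."""
    recovered = recover_strings(src)
    hits = {hid for hid, rx in SINKS.items() if rx.search(src)}
    if re.search(r"\bWorkbook_Open\b", src, re.I):
        hits.add("OLE_VBA_WBOPEN")
    # Indicators that exist only after decoding: exactly what the obfuscated-loader shape hides.
    hidden_only = {hid for hid, rx in SINKS.items() if any(rx.search(s) for s in recovered)} - hits
    hits |= hidden_only
    shapes = [n for n, rx in (("chr-array", CHR_ARRAY), ("hex-string", HEX_STRING),
                              ("junk-replace", JUNK_REPLACE)) if rx.search(src)]
    if AUTOEXEC.search(src) and shapes and hits & set(SINKS):
        hits.add("OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER")
    urls = sorted({u for s in recovered + [src] for u in URL.findall(s)})
    return {"hits": sorted(hits), "hidden_only": sorted(hidden_only),
            "decoder_shapes": shapes, "recovered": recovered, "urls": urls}


# Fallback in the spirit of OLE_VBA_PCODE_AUTOEXEC_EXEC: when the compressed source cannot be
# recovered, scan the raw module stream for identifier tokens. VBA project streams carry names
# in both 8-bit and UTF-16LE forms, so both encodings are checked. Token lists are this example's.
PCODE_AUTOEXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen")
PCODE_EXEC = ("Shell", "WScript.Shell", "CreateObject", "GetObject", "URLDownloadToFile", "http://")


def scan_pcode_stream(blob: bytes) -> dict:
    def present(tok: str) -> bool:
        return tok.encode() in blob or tok.encode("utf-16-le") in blob
    auto = [t for t in PCODE_AUTOEXEC if present(t)]
    execs = [t for t in PCODE_EXEC if present(t)]
    return {"autoexec": auto, "exec": execs, "hit": bool(auto and execs)}


# Constructed sample macro (not the macro from this report); d() stands in for the macro's own hex decoder.
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    Dim o As Object, s As String, u As String
    s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject(s)
    u = d("687474703a2f2f6578616d706c652e696e76616c69642f612e657865")
    o.Run Replace("pow##ersh##ell -w hid##den", "##", "")
End Sub
'''
# Constructed bytes standing in for a module stream whose source could not be decompressed.
SAMPLE_PCODE = (b"\x01\x00junk" + "Workbook_Open".encode("utf-16-le") + b"\x00\xff"
                + b"CreateObject\x00" + "WScript.Shell".encode("utf-16-le"))

if __name__ == "__main__":
    print(triage_vba_source(SAMPLE_VBA))
    print(scan_pcode_stream(SAMPLE_PCODE))
```

On the constructed macro, CreateObject is visible in the source but WScript.Shell, the powershell command line and the download URL only appear in the recovered strings, which is the behaviour the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER description calls out. For a real sample, feed the macros.bas text produced by olevba to triage_vba_source() and the raw xl/vbaProject.bin bytes to scan_pcode_stream().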
Heuristics 11
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT: WScript.Shell usage
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro [high] OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA project inside OOXML [medium] OOXML_VBA: Document contains a VBA project (VBA macros present)
- External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS: Document contains 1 external hyperlink; clickable URLs are stored as external relationships. First target: http://www.ofernio.ru/
- Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET: Excel workbook contains 2 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- http://www.ofernio.ru/
- http://ofernio.ru/
- http://ofernio.ru/rto_files_ofernio/
- http://ExcelVBA.ru/
- http://ExcelVBA.ru/payments
- http://ofernio.ru/rto_files_ofernio/24434.doc
- https://www.cyberforum.ru/vba/thread1932480.html
- http://botik.ru
- https://vremya-ne-zhdet.ru/vba-excel/sozdaniye-tablits-v-dokumente-word/
- https://www.planetaexcel.ru/forum/index.php?PAGE_NAME=message&FID=1&TID=72043
- http://www.script-coding.com/WSH/Shell.html#3.26
- http://www.sql.ru/forum/740171/ubit-word-iz-excel-zakryt-vse-otkrytye-prilozheniya-word-makrosom-iz-excel
- http://www.script-coding.com/WSH/WshShell.html#3.4
- http://macros-vba.ru/makrosy/excel/159-kak-otkryt-word-iz-excel-makrosom-zapusk-word-iz-excel
- https://vremya-ne-zhdet.ru/vba-excel/sortirovka-tablitsy-diapazona/
- https://coderoad.ru/54159142/%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%B8%D1%82%D0%B5-%D1%88%D0%B8%D1%80%D0%B8%D0%BD%D1%83-%D1%81%D1%82%D0%BE%D0%BB%D0%B1%D1%86%D0%BE%D0%B2-%D1%82%D0%B0%D0%B1%D0%BB%D0%B8%D1%86%D1%8B-%D0%B2-%D0%BC%D0%B0%D0%BA%D1%80%D0%BE-Word-VBA
- https://forumvba.ru/index.php?topic=689.0
- https://www.cyberforum.ru/vba/thread1163102.html
- https://coderoad.ru/24515203/%D0%94%D0%BE%D0%B1%D0%B0%D0%B2%D1%8C%D1%82%D0%B5-%D0%BD%D0%BE%D0%BC%D0%B5%D1%80-%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D1%8B-%D0%B2-Word-%D1%81-%D0%BF%D0%BE%D0%BC%D0%BE%D1%89%D1%8C%D1%8E-VBA
- https://www.cyberforum.ru/vba/thread637207.html
- https://www.cyberforum.ru/vba/thread2175358.html
- http://scriptcoding.ru/2013/12/30/word-vba-selection-metody-1/#
- http://excelvba.ru/
- http://excelvba.ru/payments
- http://www.frez.co.uk
- http://o@fernio@
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/
- http://doi.org/10.12731/ofernio.2009.15064
- http://doi.org/
- https://docs.microsoft.com/ru-ru/office/vba/api/word.selection.insertfile
- https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2003/aa211923(v=office.11
- https://docs.microsoft.com/ru-ru/office/vba/api/word.range.paragraphs
- https://docs.microsoft.com/ru-ru/office/vba/api/word.cell.verticalalignment
- http://wordmacroses.blogspot.com/2009/04/range.html
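An added example, not the analyzer's code, of checking the three OOXML-level facts reported above directly from the package: the presence of the xl/vbaProject.bin part (OOXML_VBA), sheet state attributes in xl/workbook.xml (OOXML_HIDDEN_SHEET), and hyperlink relationships with TargetMode="External" in the worksheet .rels parts (OOXML_EXTERNAL_HYPERLINKS). The workbook is constructed in memory so the code runs offline; the only value taken from this report is its first hyperlink target, http://www.ofernio.ru/, and the sheet names are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def triage_ooxml(data: bytes) -> dict:
    """Return the VBA-project, hidden-sheet and external-hyperlink facts behind the OOXML_* heuristics."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        report = {"vba_project": "xl/vbaProject.bin" in names,
                  "hidden_sheets": [], "external_hyperlinks": []}
        if "xl/workbook.xml" in names:
            # <sheet state="hidden"|"veryHidden"> is how SpreadsheetML hides a worksheet;
            # veryHidden sheets cannot be unhidden from the Excel UI, only from the VBA editor.
            for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS_MAIN + "sheet"):
                state = sheet.get("state", "visible")
                if state != "visible":
                    report["hidden_sheets"].append((sheet.get("name"), state))
        # Clickable URLs live in each sheet's .rels part as hyperlink relationships with
        # TargetMode="External"; in-package relationships (drawings, etc.) have no TargetMode.
        rels = sorted(n for n in names if n.startswith("xl/worksheets/_rels/") and n.endswith(".rels"))
        for part in rels:
            for rel in ET.fromstring(z.read(part)).iter(NS_REL + "Relationship"):
                if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
                    report["external_hyperlinks"].append(rel.get("Target"))
    return report


# Constructed minimal workbook parts for the example; sheet names are invented.
WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="stage" sheetId="2" state="hidden" r:id="rId2"/>
    <sheet name="cfg" sheetId="3" state="veryHidden" r:id="rId3"/>
  </sheets>
</workbook>"""
SHEET1_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://www.ofernio.ru/" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/drawing" Target="../drawings/drawing1.xml"/>
</Relationships>"""


def build_sample() -> bytes:
    """Assemble the constructed parts into a zip shaped like an .xlsm package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", b"<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", SHEET1_RELS)
        # Placeholder bytes (CFB magic plus padding) standing in for a real VBA project.
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
```

For a real file, pass the bytes of the .xlsm to triage_ooxml(); the carved xl/vbaProject.bin listed under Extracted artifacts is the part this function tests for and the input olevba decodes.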
Extracted artifacts 30
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | e0feaaed53643f67cae29aa71119b745e6a30c87b4a943e10fdb5affaf382b5c | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 860959 bytes |
| vbaProject_00.bin | 768357bd971a6f8b8e52cd6a042f8e728af5a13c0dc3e40063fbdd887b09eadc | vba-project | OOXML VBA project: xl/vbaProject.bin | 1339392 bytes |
| emf_00.emf | 58d704204f171ddb124202c22ffefb7ec632b31bfa23fff34f24922b66081cde | ooxml-emf | OOXML EMF part: xl/media/image28.emf | 1120 bytes |
| emf_01.emf | 872508a0ae096b5dd8306be1a0bb5da26d60cdb56736d6149282cd2e6204a2e1 | ooxml-emf | OOXML EMF part: xl/media/image27.emf | 2432 bytes |
| emf_02.emf | ca158ebca16b260d19d76c45c28af9c9381a792abe06cabde2b0fdc436b800ef | ooxml-emf | OOXML EMF part: xl/media/image26.emf | 1104 bytes |
| emf_03.emf | 7b0ab3a5af11086b14edcdaae177dc9ddffa9e0be36a517ed76d3f39e8e58d86 | ooxml-emf | OOXML EMF part: xl/media/image25.emf | 2448 bytes |
| emf_04.emf | d85834f28dc69073c894de2cd6d9caa9a45f124f7a2c60ca9865b358e2c58c7f | ooxml-emf | OOXML EMF part: xl/media/image24.emf | 1200 bytes |
| emf_05.emf | 7283f3f539ebbc5f364d6dc716f7666f55d21bd2fc669ccb8b47c6e91a1cfdcd | ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2516 bytes |
| emf_06.emf | 26bfecdeecb69c60598cda14ad6a0e561ed05da0a6cf9a8464b7b4849f916354 | ooxml-emf | OOXML EMF part: xl/media/image22.emf | 1388 bytes |
| emf_07.emf | c05c39df06269ca8f0a5db9748098ae312e142fdfc06cb03a21eb1edcef2d7f2 | ooxml-emf | OOXML EMF part: xl/media/image21.emf | 3048 bytes |
| emf_08.emf | d33cfc75d57266bb1fc8514ef0e08ea5f66664683d628cc6a9af5bbe663286c1 | ooxml-emf | OOXML EMF part: xl/media/image20.emf | 3016 bytes |
| emf_09.emf | dad5874b7c248e19a11faf4d962dc3c8362f29eb2c0625bff22abbd6f66dba0a | ooxml-emf | OOXML EMF part: xl/media/image29.emf | 2448 bytes |
| emf_10.emf | a6330f21b76446244274b5ca90f990cc0916f2aa6660e141d0af15431b0174b5 | ooxml-emf | OOXML EMF part: xl/media/image19.emf | 3132 bytes |
| emf_11.emf | 7bb58ff07fb4cbfbfb67346f8157e56fda454e873e10498f24f0f8ce2998e9a4 | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 3332 bytes |
| emf_12.emf | 5f4c821950d3b27c83e0e04b2cb718b9feea5bb78691743219ebf7f529a41354 | ooxml-emf | OOXML EMF part: xl/media/image9.emf | 3612 bytes |
| emf_13.emf | 625567b1796cb76d8420066deaa8b12b19add2ab4ccf991cb7605985a1e8d8a0 | ooxml-emf | OOXML EMF part: xl/media/image10.emf | 2508 bytes |
| emf_14.emf | c39af2f7b5aefe5ea1de61edf215b152c800538d11350e87906e0f2b4fd8b066 | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 3132 bytes |
| emf_15.emf | 298c67da40f87843191214c92d0f983554c418dda5f32490fca9889cf9743ff2 | ooxml-emf | OOXML EMF part: xl/media/image12.emf | 2672 bytes |
| emf_16.emf | c8abedd934e69b27fd9f1cfcd26b8659579ade540de810b8997534fe43d5aa80 | ooxml-emf | OOXML EMF part: xl/media/image11.emf | 2948 bytes |
| emf_17.emf | 7b26af00735de478c9de99b83c3475ff7f928a61ffa03cbf36d1fb8b31ac5338 | ooxml-emf | OOXML EMF part: xl/media/image7.emf | 3376 bytes |
| emf_18.emf | 8af15f648ab5b87c9ed699cf1ffc0dc444ddf226020a24a7441d66930a9b4468 | ooxml-emf | OOXML EMF part: xl/media/image18.emf | 3280 bytes |
| emf_19.emf | 189588edab00bd3c421ccdc6e95b080405f1663503094c72847174c22781f93f | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 2656 bytes |
| emf_20.emf | 2c671403ddf6d9ba9a48e14c57fd9758e7e4ba2c306363c89737ee62160ea64b | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3232 bytes |
| emf_21.emf | 4098ec5068fba62cc6cd9d3e9d2a35f8f4d03953f8275ea3a01c80d176f40d4d | ooxml-emf | OOXML EMF part: xl/media/image6.emf | 1392 bytes |
| emf_22.emf | c76cb2365c6e2fe554192d2a63773a013e8abc38d683754236fc9e63abfe8729 | ooxml-emf | OOXML EMF part: xl/media/image5.emf | 2276 bytes |
| emf_23.emf | 6dc9f8e328b50f8b20cf282dab30a584f54023a15f16e16cf02a5ecf07213796 | ooxml-emf | OOXML EMF part: xl/media/image13.emf | 2700 bytes |
| emf_24.emf | baefb401ba3d14fb58b8e8c42ca883ee501429cb97bda52fd7c3602825caf9d3 | ooxml-emf | OOXML EMF part: xl/media/image17.emf | 2528 bytes |
| emf_25.emf | 0661b4d5b50598a44114c1e2f0b92ffbd27353cf611f107d56cac5e9e1b1c104 | ooxml-emf | OOXML EMF part: xl/media/image14.emf | 2584 bytes |
| emf_26.emf | f3d95cc85e2c4d81f394c4c1c5699e1ffae7ff60367b29ac493fb96f20525437 | ooxml-emf | OOXML EMF part: xl/media/image16.emf | 2656 bytes |
| emf_27.emf | 1534c8e9fd01209251dc91f3e64f7cf7656a6d428cd0880a5c5df8cefc2d0eba | ooxml-emf | OOXML EMF part: xl/media/image15.emf | 2584 bytes |