Verdict: MALICIOUS
Risk Score: 130

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic

Malware Insights
The sample is an Excel document containing a VBA project and an embedded Equation Editor OLE object, both high-severity findings. The VBA macro code appears to interact with an external XLA file ('DutoanGXD.xla') and potentially execute commands. The presence of the Equation Editor OLE object is a strong indicator of exploitability, often used to deliver malicious payloads. The embedded URL 'http://giaxaydung.vn' is also noted, though its direct role is unclear without further analysis of the macro's execution flow.
Heuristics (6)
- Equation Editor OLE object (high, OLE_EQUATION_EDITOR): Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
- External relationship (high, OOXML_EXTERNAL_REL): External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///C:\Du toan GXD_1012\DutoanMau\DutoanGXD-anh Truong.xlt
- VBA project inside OOXML (medium, OOXML_VBA): Document contains a VBA project — VBA macros present.
- Embedded OLE object (medium, OOXML_OLE_OBJECT): Document contains an embedded OLE object.
- Hidden worksheet (low, OOXML_HIDDEN_SHEET): Excel workbook contains 32 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://giaxaydung.vn (OOXML external relationship)
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 31042 bytes | ca363b9b031a398d0b2e3e66730b89adb35155f41a3ab6b124279bb48f815b5a |
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 2560 bytes | ea88d9a16d6e50171fb2507acb2e2ccb1df4365fd833297905e93ea19edf82c4 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 138240 bytes | 87c9edb89d61ade833b8cad432f5203d4040ceb4617a0b785a5ef32f26b89162 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 5532 bytes | 201a489cbc151425b8dbdf6db55b930c0064ddc83826ca33e1db63a729f83acc |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
    On Error Resume Next
    If (istpWorkbookOpen("DutoanGXD.xla") = True) Then
        Cancel = False
        If (ActiveSheet.CodeName = "shDTXD") Then
            If Target.Column = ThisWorkbook.Names("DTXD_MH").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("DTTB_MH").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!timkiemdg", 1, 1
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shDGCTXD" Or ActiveSheet.CodeName = "shDGCTTB" Then
            If Target.Column = ThisWorkbook.Names("CTXD_DG").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("CTTB_DG").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!RightClick_DGCT", Target.Row, Target.Column
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shTHXD" Or ActiveSheet.CodeName = "shTHTB" Then
            If Target.Column = ThisWorkbook.Names("THXD_MSVT").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shVLHTXD" Or ActiveSheet.CodeName = "shVLHTTB" Then
            If Target.Column = ThisWorkbook.Names("VLXD_MH").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("VLTB_MH").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "shPLVXD" Or ActiveSheet.CodeName = "shPLVTB" Then
            If Target.Column = ThisWorkbook.Names("PLVTB_MVT").RefersToRange.Column Or Target.Column = ThisWorkbook.Names("PLVXD_MVT").RefersToRange.Column Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!GXDPRunTracuu4"
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "Sheet10" Then
            If Target.Column = 3 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column - 1
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "Sheet4" Then
            If Target.Column = 2 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column
                Exit Sub
            End If
        End If
        If ActiveSheet.CodeName = "Sheet14" Then
            If Target.Column = 4 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!SeachDlgDGVB", Target.Row, Target.Column - 1
            End If
        End If
        If ActiveSheet.CodeName = "Sheet11" Then
            If Target.Column = 3 Then
                Cancel = True
                Application.Run "'DutoanGXD.xla'!TraMaCPVTVB", Target.Row, Target.Column - 1
                Exit Sub
            End If
        End If
        Application.Run "'DutoanGXD.xla'!RightClickSheet"
    End If
End Sub
Attribute VB_Name = "shConfig"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "shTS"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
At
```

... (truncated)