Verdict: MALICIOUS
Risk Score: 322

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The critical heuristic OLE_VBA_BASE64_SHELL_COMMAND_STAGER indicates a Base64-encoded command stager that, per the ATT&CK mapping, launches PowerShell. The workbook_open macro fires automatically once the Excel file is opened with macros enabled; it decodes the stager at runtime and runs the result through Shell(), so the launcher never appears as a plain keyword in the source. The stager's job is to download and execute a second-stage payload, a common initial-compromise technique.
Heuristics (8)
- ClamAV: Xls.Malware.Valyria-6923307-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-6923307-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL)
- VBA Base64-decoded Shell command stager (critical, OLE_VBA_BASE64_SHELL_COMMAND_STAGER): VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
- Workbook_Open macro (high, OLE_VBA_WBOPEN)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19111 bytes | efd32a46670e67deef36351b0fee6d9fa179f9df1e05529450dfec17fe5a13a5 |

Detection on the carved artifact:
- ClamAV: No threats found (the Xls.Malware.Valyria-6923307-0 hit above is on the parent workbook, not on the extracted macro source)
- Obfuscation or payload: likely; the carved artifact contains 4 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
B_r5CId.hgjYnY8kkCdl7EV92Ka8
Do Until "nu6EEWImUlg" <> "eN_nHyhHS_tS4bYHy1C"
Dim V6talwkcSOOSO9e8V2aLIRCF34ZAmpNSuQ As CheckBox
Dim Ojuwa1gTN2CtcTXcBPWn3C2lgrUiylA6h7r4LiYioxCIDGY_lIm75FXKrGN As Worksheet
Loop
Do Until "se8dk1FJflcOb1x8D9qhYQO6o9C_" <> "ZheK_SoCpRZR66"
Dim bH3IEFGSL_iyZOAylwFt8EQJHJtPugXkbXvwv As CheckBox
Dim x73RMRKdcMwocxeyK4VzrA4Uzgnj8VBbMCwyMZsv As Worksheet
Loop
Do Until "pn66kPs2vOdY6CwB" <> "faonjfFKTaZ_okuIitBU"
Dim XMP4qJEgBP99wp8DGdIgtkIzrLJdSyJAZDFLXs2T_nQJaA14vE As CheckBox
Dim aO2xLwDYKd_kLK_7hsi As Worksheet
Loop
Do Until "tnWlxf_R9XqT" <> "PqMW5HkzRH8gWSWa__"
Dim caGSAZClCQFd_AcHs48xHx62OkpzNdHmL34NL6pwSQESrxC6CMjcbP5oeOD As CheckBox
Dim XtLWhHcPJEN6 As Worksheet
Loop
Do Until "wLJc1rkHZgsv_4nJ58Nr61PB" <> "E3gJNg2zx"
Dim QvOPvD64Elz_ZVmcQTL1e955GV7IY3 As CheckBox
Dim o37rFW3H3QxyMZAoe3q6Kn9 As Worksheet
Loop
Do Until "RQzTHYE" <> "vdKsIFbnf_XKRhpHpdEqZPr6qA"
Dim nYOCtrweSl As CheckBox
Dim dO4L1Ukg9UYkGIyBroduOAHLwMPBnbeBVeJNKci4EXqocCPELq_FAgVcEpX As Worksheet
Loop
Do Until "m_h3" <> "fyWNl8jy"
Dim MEiozScst6Ix6bWAxGqGe_6ygeIy_wnGl1vAZ2fHk6mp4t6CZVYcOaS As CheckBox
Dim GItGTHnm7PBJDpUj6khehaN4vhFWrWJ1Igm1otK97QpX As Worksheet
Loop
Do Until "h2VDub2p6up4yTuBO5hEJAfBd4JX" <> "ihOtzCMpsR64QIMu66zY"
Dim Y6qVFQpgTSi As CheckBox
Dim PbFWd5DvE_R6 As Worksheet
Loop
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "B_r5CId"
Dim Ymh7evQkgbfwIFaIG_jrWcrRaUH_p9pHZPB_mCFfGfWkDeyfoDOS1xs55OeIlP5hvWV2_VeD7DizEFM5fkTkrUPlgEIVg73zkxxpH6aQgJVwM As String
Function nw_vtEgCu9lz2mgVpTYsDlyCzO(NfSt8B5baJNIJTlEUAeExUQgtsrbyiOJqnYVGp5J4Fkvn3Czx_ap5WC3Mv_NRam24Dbe4N7oESKpse3zp2nsFiOSjfGUpp1acr1iZf5iGvijKVHr3HgZw4uTwG4VEk8YbsL_mRYH6DkS9nGMWYagG)
Do Until "vFWULmfSfsrxiEdu1sM6P1LnD2CdD" <> "RXtpUPK2LUOq7yx4wHF__kgk2d"
Dim rPSiANMT8FMyR3nW8NRBWtOr5cDpzG As CheckBox
Dim wzUQH5Booqkc6o4QqF7ImlJ2e8Aj As Worksheet
Loop
Do Until "mgJfdySWb_trURi" <> "kY4wjwmu6spdJocuI4Z"
Dim AFeD8FUfxpVMwTBhakJZv_uMvxSGq9Niw4 As CheckBox
Dim Pa_U5pMPyDie2IGEBH9cnAUPPIvLyyavY3Cjc_pdKeIpnP5I_k6_jSOO As Worksheet
Loop
Do Until "ExDt3_Z9lw_8Egl6bcQGznl" <> "NkLL2UJElvdo_5jJ"
Dim DIDzK6Da9_kEBFYZJ_eQwLFOk8URC75g3EDojvwQgtM1sDDeVCc5YR As CheckBox
Dim WzCwNLjtXA_DL5CszXPMsB9Nff3z59b9GirLlvfipwT As Worksheet
Loop
Dim DwslV4MytJYWv4YbehMiaZA_wAK8x3BrQ2vmBhUOxxv1meTWLO6E2vAlunyUrN_1HpE4GuZ7K8ulnHaQowuh76ydzI1Vr_fiw5r7XYOZx834AW8lKgo4ba3LzjD73DMJZKxrZd
Do Until "KunzHamK_mJiT1wPqRtxXhE6m" <> "KyED1qf6pvc1otWQwVT"
Dim VUydxO685morL6lfGM6nln_SYBhVfkKt_mycPhBZj8tGwGbxtt As CheckBox
Dim nHWPVqPd_vqhZSa4q As Worksheet
Loop
Do Until "iEHNhJdDn36ePitku6CVrOFLvcOsA" <> "fZp3Z3qkdE73LrxS9wL77nVWg8"
Dim R96b_5uBFbNlzpB9Pz_befR2woCvC1CRTaiqoA_BGIjT_U7f47WeRDbupC As CheckBox
Dim oX289OX6QXESR As Worksheet
Loop
Do Until "NzCTT67vZre1_cg9O8wAkTjI" <> "HJT5HDgYinGoNsGy"
Dim rONpUF3v16AYQRq3N3JHjBmVIEQZT1sez
... (truncated)