MALICIOUS
Risk Score: 110
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an OOXML document containing a VBA project with a Workbook_Open macro, indicating malicious intent. The presence of a renamed VBA project part and a signed but untrusted certificate suggests evasion techniques. The macro's primary function is likely to download and execute a secondary payload, a common tactic for malware delivery.
Heuristics (5)
- VBA project inside OOXML [medium] (OOXML_VBA, 2 related findings): Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/vbaProjectSignature.bin)
- VBA project part renamed to evade filename detection [high] (OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- Workbook_Open macro [high] (OLE_VBA_WBOPEN): Workbook_Open macro
- Hidden worksheet (veryHidden) [low] (OOXML_HIDDEN_SHEET): Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- VBA project is signed but not by a recognised publisher [info] (VBA_SIGNED_UNTRUSTED): The VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
Extracted artifacts (32)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 40813 bytes | 72f925b20a473f33c5e41820f83f04e96d4753551d671684c1144ba2da7ecb2e |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 192512 bytes | 79d1561c8d5c45e6e2dae2b1dabd029ad795842d219a87762f2ef38f88020ced |
| vbaProject_01.bin | vba-project | OOXML VBA project: xl/vbaProjectSignature.bin | 1992 bytes | 649959081b8a12e450d3a812cca598794dc64cfa8cee8505ee3d37612945b414 |

Preview script (macros.bas): first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CheckBox2, 49, 1, MSForms, CheckBox"
Attribute VB_Control = "CommandButton6, 48, 2, MSForms, CommandButton"
Attribute VB_Control = "TextBox11, 37, 3, MSForms, TextBox"
Attribute VB_Control = "CommandButton3, 36, 4, MSForms, CommandButton"
Attribute VB_Control = "TextBox10, 34, 5, MSForms, TextBox"
Attribute VB_Control = "Label4, 33, 6, MSForms, Label"
Attribute VB_Control = "CheckBox1, 1, 7, MSForms, CheckBox"
Attribute VB_Control = "Label1, 2, 8, MSForms, Label"
Attribute VB_Control = "ComboBox1, 5, 9, MSForms, ComboBox"
Attribute VB_Control = "TextBox1, 6, 10, MSForms, TextBox"
Attribute VB_Control = "Label3, 7, 11, MSForms, Label"
Attribute VB_Control = "TextBox2, 8, 12, MSForms, TextBox"
Attribute VB_Control = "ComboBox2, 11, 13, MSForms, ComboBox"
Attribute VB_Control = "TextBox3, 12, 14, MSForms, TextBox"
Attribute VB_Control = "Label6, 17, 15, MSForms, Label"
Attribute VB_Control = "TextBox5, 18, 16, MSForms, TextBox"
Attribute VB_Control = "Label7, 20, 17, MSForms, Label"
Attribute VB_Control = "TextBox6, 21, 18, MSForms, TextBox"
Attribute VB_Control = "TextBox7, 23, 19, MSForms, TextBox"
Attribute VB_Control = "Label9, 24, 20, MSForms, Label"
Attribute VB_Control = "TextBox8, 25, 21, MSForms, TextBox"
Attribute VB_Control = "Label10, 26, 22, MSForms, Label"
Attribute VB_Control = "TextBox9, 27, 23, MSForms, TextBox"
Attribute VB_Control = "Label12, 31, 24, MSForms, Label"
Attribute VB_Control = "CommandButton4, 39, 25, MSForms, CommandButton"
Attribute VB_Control = "CommandButton5, 40, 26, MSForms, CommandButton"
Attribute VB_Control = "Label2, 41, 27, MSForms, Label"
Attribute VB_Control = "CommandButton2, 42, 28, MSForms, CommandButton"
Attribute VB_Control = "CommandButton1, 43, 29, MSForms, CommandButton"
Attribute VB_Control = "TextBox4, 44, 30, MSForms, TextBox"
Attribute VB_Control = "Label5, 45, 31, MSForms, Label"
Attribute VB_Control = "Label8, 46, 32, MSForms, Label"
Attribute VB_Control = "ComboBox3, 47, 33, MSForms, ComboBox"
Attribute VB_Control = "CommandButton7, 53, 34, MSForms, CommandButton"
Private Sub ComboBox1_Change()
    If Arkusz1.ComboBox2.Value = "Techniczny" Then
        If Arkusz1.ComboBox1 = "Problemy ze strukturą" Then Arkusz1.TextBox3.Value = "A"
        If Arkusz1.ComboBox1 = "Problemy z procesem (w tym czas)" Then Arkusz1.TextBox3.Value = "B"
        If Arkusz1.ComboBox1 = "Problemy ze schematem" Then Arkusz1.TextBox3.Value = "C"
        If Arkusz1.ComboBox1 = "Problemy z dokumentacją" Then Arkusz1.TextBox3.Value = "D"
    ElseIf Arkusz1.ComboBox2.Value = "Lakiernia" Then
        If Arkusz1.ComboBox1 = "Inne" Then Arkusz1.TextBox3.Value = "A"
    ElseIf Arkusz1.ComboBox2.Value = "Magazyn" Then
        If Arkusz1.ComboBox1 = "Zlecenie wydane niekompletne" Then Arkusz1.TextBox3.Value = "A"
        If Arkusz1.ComboBox1 = "Błędnie wydany komponent" Then Arkusz1.TextBox3.Value = "B"
        If Arkusz1.ComboBox1 = "Wydane uszkodzone komponenty" Then Arkusz1.TextBox3.Value = "C"
        If Arkusz1.ComboBox1 = "Inne" Then Arkusz1.TextBox3.Value = "D"
    ElseIf Arkusz1.ComboBox2.Value = "Mechaniczny" Then
        If Arkusz1.ComboBox1 = "Problem z wymiarami" Then Arkusz1.TextBox3.Value = "A"
        If Arkusz1.ComboBox1 = "Problem z otworowaniem" Then Arkusz1.TextBox3.Value = "B"
        If Arkusz1.ComboBox1 = "Wydane uszkodzone komponenty" Then Arkusz1.TextBox3.Value = "C"
        If Arkusz1.ComboBox1 = "Inne" Then Arkusz1.TextBox3.Value = "D"
    ElseIf Arkusz1.ComboBox2.Value = "Planowanie" Then
        If Arkusz1.ComboBox1 = "Inne" Then Arkusz1.TextBox3.Value = "A"
    ElseIf Arkusz1.ComboBox2.Value = "PPP" Then
        If Arkusz1.ComboBox1 = "Zlecenie wydane niekompletne" Then Arkusz1.TextBox3.Value = "A"
        If Arkusz1.ComboBox1 = "Błędnie wydany komponent" Then Arkusz1.TextBox3.Value = "B"
        If Arkusz1.ComboBox1 = "Problem z dokumentacją
```

... (truncated)