Verdict: MALICIOUS
Risk Score: 270

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1219 Remote Access Software
- T1059 Command and Scripting Interpreter
- T1566.001 Spearphishing Attachment

The sample is an Excel file containing VBA macros, with critical heuristics indicating the use of `WScript.Shell` and `Shell()` calls within an `Auto_Open` macro. This strongly suggests the macro is designed to execute arbitrary commands, likely to download and run a secondary payload. The embedded URL is suspicious and may be related to the payload delivery.

Heuristics (8)

- VBA macros detected (medium, 5 related findings), `OLE_VBA_MACROS`: Document contains VBA macro code.
- Shell() call in VBA (critical), `OLE_VBA_SHELL`: Shell() call in VBA. Matched line in script: `x = Shell("hh.exe " & gstrMPath & "\smxp.CHM", 1)`
- WScript.Shell usage (critical), `OLE_VBA_WSCRIPT`: WScript.Shell usage. Matched lines in script: `Dim WSH As Object`, `Set WSH = CreateObject("WScript.Shell")`, `MyDocumentsPath = WSH.SpecialFolders("MyDocuments")`
- CreateObject call (high), `OLE_VBA_CREATEOBJ`: CreateObject call. Matched lines in script: `Dim WSH As Object`, `Set WSH = CreateObject("WScript.Shell")`, `MyDocumentsPath = WSH.SpecialFolders("MyDocuments")`
- VBA p-code auto-exec with execution tokens (high), `OLE_VBA_PCODE_AUTOEXEC_EXEC`: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Open macro (low), `OLE_VBA_AUTO`: Auto_Open macro. Matched line in script: `Call Auto_Open`
- Reference to Windows Script Host (high), `SC_STR_WSCRIPT`: Reference to Windows Script Host.
- Embedded URL (info), `EMBEDDED_URL`: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.ne.jp/asahi/excel/inoue/ (in document text, OLE body)

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 295222 bytes |

SHA-256: e8387d74cc3454cbd8d33d9df406689522368760997143167596ee87382ad686

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub 表示11()
On Error GoTo error_Err
Dim zm As Variant
zm = Worksheets(gstrMS).Range(gstrHyoji(0)).Value
ActiveWindow.Zoom = zm
Range("A1").Select
error_Exit:
Exit Sub
error_Err:
MsgBox Error$
Resume error_Exit
End Sub
Sub 表示12()
On Error GoTo error_Err
Dim zm As Variant
zm = Worksheets(gstrMS).Range(gstrHyoji(1)).Value
ActiveWindow.Zoom = zm
Range("A1").Select
error_Exit:
Exit Sub
error_Err:
MsgBox Error$
Resume error_Exit
End Sub
Sub 明細追加()
On Error Resume Next
Dim intHandan As Integer
Dim intWSCount As Integer
Dim intGyo As Integer, intKoumoku As Integer
Dim intCount As Integer, x As Integer, y As Integer
Dim intT As Integer, intY As Integer
Dim bytMeisai(3) As Byte 'variable declaration
Call Auto_Open
bytMeisai(0) = ThisWorkbook.Worksheets.Count 'count the worksheets
bytMeisai(1) = Range("CE106") 'get the setting value (the number of sheets)
bytMeisai(2) = Range("CE107") 'get the state of 明細書01 (visible = 0, hidden = 1)
bytMeisai(3) = bytMeisai(0) - bytMeisai(1) - bytMeisai(2) 'calculate the control value
Range(gstrM) = bytMeisai(3) 'assign the control value to the control cell
bytMeisai(3) = Range(gstrM).Value
Application.DisplayAlerts = False 'do not show the delete confirmation message
Beep
intHandan = MsgBox("明細書を1枚追加[はい] 削除[いいえ]", vbYesNoCancel + vbInformation + vbDefaultButton1)
Application.ScreenUpdating = False
If intHandan = vbYes Then
If bytMeisai(3) = 0 Then
Worksheets("明細書01").Visible = True
Sheets("明細書01").Select
Range(gstrMP).Value = 1
Range("A1").Select
Sheets(gstrMS).Select
Range(gstrM).Value = 1
Range(gstrSokei(1)).Select
'assign to grand total 01 a formula referencing 明細書01: =IF(ISERROR(明細書01!AB30),0,明細書01!AB30)
Range(gstrSokei(1)).Value = "=IF(ISERROR(明細書01!" & gstrCell(6) & "),0,明細書01!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to this cell when 明細書01 is made visible
'********** Data reference 01 **********
intGyo = 113
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 1
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書01!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書01!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書01!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書01!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書01!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書01!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 1 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書02"
Call 削除3
Range(gstrMP).Value = 2
Range("A1").Select
Worksheets("明細書02").Move after:=Worksheets("明細書01")
Sheets(gstrMS).Select
Range(gstrSokei(2)).Select
'assign to grand total 02 a formula referencing 明細書02: =IF(ISERROR(明細書02!AB30),0,明細書02!AB30)
Range(gstrSokei(2)).Value = "=IF(ISERROR(明細書02!" & gstrCell(6) & "),0,明細書02!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書01 is made visible
'********** Data reference 02 **********
intGyo = 136
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 2
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書02!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書02!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書02!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書02!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書02!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書02!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 2 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書03"
Call 削除3
Range(gstrMP).Value = 3
Worksheets("明細書03").Move after:=Worksheets("明細書02")
Sheets(gstrMS).Select
Range(gstrSokei(3)).Select
'assign to grand total 03 a formula referencing 明細書03: =IF(ISERROR(明細書03!AB30),0,明細書03!AB30)
Range(gstrSokei(3)).Value = "=IF(ISERROR(明細書03!" & gstrCell(6) & "),0,明細書03!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書02 is made visible
'********** Data reference 03 **********
intGyo = 159
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 3
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書03!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書03!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書03!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書03!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書03!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書03!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 3 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書04"
Call 削除3
Range(gstrMP).Value = 4
Worksheets("明細書04").Move after:=Worksheets("明細書03")
Sheets(gstrMS).Select
Range(gstrSokei(4)).Select
'assign to grand total 04 a formula referencing 明細書04: =IF(ISERROR(明細書04!AB30),0,明細書04!AB30)
Range(gstrSokei(4)).Value = "=IF(ISERROR(明細書04!" & gstrCell(6) & "),0,明細書04!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書03 is made visible
'********** Data reference 04 **********
intGyo = 182
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 4
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書04!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書04!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書04!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書04!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書04!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書04!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 4 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書05"
Call 削除3
Range(gstrMP).Value = 5
Worksheets("明細書05").Move after:=Worksheets("明細書04")
Sheets(gstrMS).Select
Range(gstrSokei(5)).Select
'assign to grand total 05 a formula referencing 明細書05: =IF(ISERROR(明細書05!AB30),0,明細書05!AB30)
Range(gstrSokei(5)).Value = "=IF(ISERROR(明細書05!" & gstrCell(6) & "),0,明細書05!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書04 is made visible
'********** Data reference 05 **********
intGyo = 205
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 5
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書05!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書05!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書05!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書05!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書05!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書05!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 5 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書06"
Call 削除3
Range(gstrMP).Value = 6
Worksheets("明細書06").Move after:=Worksheets("明細書05")
Sheets(gstrMS).Select
Range(gstrSokei(6)).Select
'assign to grand total 06 a formula referencing 明細書06: =IF(ISERROR(明細書06!AB30),0,明細書06!AB30)
Range(gstrSokei(6)).Value = "=IF(ISERROR(明細書06!" & gstrCell(6) & "),0,明細書06!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書06 is made visible
'********** Data reference 06 **********
intGyo = 228
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 6
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書06!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書06!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書06!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書06!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書06!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書06!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 6 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書07"
Call 削除3
Range(gstrMP).Value = 7
Worksheets("明細書07").Move after:=Worksheets("明細書06")
Sheets(gstrMS).Select
Range(gstrSokei(7)).Select
'assign to grand total 07 a formula referencing 明細書07: =IF(ISERROR(明細書07!AB30),0,明細書07!AB30)
Range(gstrSokei(7)).Value = "=IF(ISERROR(明細書07!" & gstrCell(6) & "),0,明細書07!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書07 is made visible
'********** Data reference 07 **********
intGyo = 251
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 7
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書07!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書07!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書07!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書07!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書07!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書07!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 7 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書08"
Call 削除3
Range(gstrMP).Value = 8
Worksheets("明細書08").Move after:=Worksheets("明細書07")
Sheets(gstrMS).Select
Range(gstrSokei(8)).Select
'assign to grand total 08 a formula referencing 明細書08: =IF(ISERROR(明細書08!AB30),0,明細書08!AB30)
Range(gstrSokei(8)).Value = "=IF(ISERROR(明細書08!" & gstrCell(6) & "),0,明細書08!" _
& gstrCell(6) & ")"
Range("CE107") = 0 'assign 0 to the cell when 明細書08 is made visible
'********** Data reference 08 **********
intGyo = 274
intKoumoku = 158
intCount = 1
intT = 7
For y = 1 To 23
For x = 1 To 8 'loop over the items
Select Case x
Case 1
Cells(intGyo, intKoumoku).Value = 8
Case 2
Cells(intGyo, intKoumoku).Value = intCount
Case 3
intY = 3
Cells(intGyo, intKoumoku).Value = "=明細書08!R" & intT & "C" & intY
Case 4
intY = 21
Cells(intGyo, intKoumoku).Value = "=明細書08!R" & intT & "C" & intY
Case 5
intY = 25
Cells(intGyo, intKoumoku).Value = "=明細書08!R" & intT & "C" & intY
Case 6
intY = 28
Cells(intGyo, intKoumoku).Value = "=明細書08!R" & intT & "C" & intY
Case 7
intY = 33
Cells(intGyo, intKoumoku).Value = "=明細書08!R" & intT & "C" & intY
Case 8
intY = 40
Cells(intGyo, intKoumoku).Value = "=明細書08!R" & intT & "C" & intY
End Select
intKoumoku = intKoumoku + 1
Next x
intT = intT + 1
intCount = intCount + 1
intKoumoku = 158
intGyo = intGyo + 1
Next y
'*************************************
intWSCount = ActiveWorkbook.Worksheets.Count
Range(gstrM).Value = intWSCount - 1
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollColumn = 2
Range("A1").Select
Beep
ElseIf bytMeisai(3) = 8 Then
Sheets("明細書01").Select
Sheets("明細書01").Copy after:=Sheets(2)
Worksheets("明細書01 (2)").name = "明細書09"
…