Verdict: MALICIOUS
Risk score: 170
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
This Excel document contains VBA macros, including an Auto_Open macro, a common technique for running code as soon as the document is opened. The document body presents a lure about tax tracking summaries and explicitly instructs the user to enable macros, a social-engineering attempt to get past Office's macro security settings. The CreateObject call, together with the Auto_Open execution token found in the compiled VBA stream, is consistent with a macro that downloads and runs a second-stage payload. Two caveats for triage: the Auto_Open and CreateObject routines do not appear in the portion of the source preview reproduced below, which shows only workbook and formatting code (the olevba extraction is 89,966 bytes, of which the preview is a fragment), and the 14 extracted URLs are all OCSP, CRL, AIA and policy endpoints of the Thawte/Symantec/VeriSign PKI, i.e. certificate metadata rather than payload or command-and-control addresses.
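The co-occurrence rule behind the high-severity findings (an auto-execution entry point plus an execution primitive such as CreateObject in the same module) can be checked without olevba when source extraction fails, because VBA identifiers survive as ASCII inside the compiled module stream. The following is an added example, not the analyzer's own code or Microsoft's; the token lists, severities and the two sample blobs are assumptions constructed for the example.

```python
"""Auto-exec + execution-primitive co-occurrence check for VBA.

Added example, not the analyzer's own code: it approximates the report's
OLE_VBA_AUTO, OLE_VBA_CREATEOBJ, OLE_VBA_ENVIRON and
OLE_VBA_PCODE_AUTOEXEC_EXEC findings with a byte-level token scan, so the same
function works on decompressed source and on a raw module stream where only
p-code plus identifier text survives. Token lists and severities are assumptions.
"""
from __future__ import annotations
import re

# Procedures Office runs without a click (assumed list for this example).
AUTOEXEC_TOKENS = (
    b"Auto_Open", b"AutoOpen", b"Workbook_Open", b"Document_Open",
    b"AutoExec", b"Auto_Close", b"Workbook_BeforeClose",
)
# Primitives that reach the OS, the network or a COM object (assumed list).
EXEC_TOKENS = (
    b"CreateObject", b"GetObject", b"Shell", b"WScript.Shell",
    b"URLDownloadToFile", b"MSXML2.XMLHTTP", b"ADODB.Stream",
    b"powershell", b"Environ",
)

def find_tokens(blob: bytes, tokens) -> list[str]:
    """Case-insensitive identifier match. The lookarounds only exclude
    identifier characters, so NUL or opaque p-code bytes next to a token in a
    compiled stream still count as boundaries and the token is still found."""
    hits = []
    for tok in tokens:
        pattern = rb"(?<![A-Za-z0-9_])" + re.escape(tok) + rb"(?![A-Za-z0-9_])"
        if re.search(pattern, blob, re.IGNORECASE):
            hits.append(tok.decode())
    return hits

def score(blob: bytes) -> dict:
    """high = an auto-exec trigger AND an execution primitive in the same
    stream (the PCODE_AUTOEXEC_EXEC rule); medium = only one side present."""
    auto = find_tokens(blob, AUTOEXEC_TOKENS)
    execs = find_tokens(blob, EXEC_TOKENS)
    if auto and execs:
        severity = "high"
    elif auto or execs:
        severity = "medium"
    else:
        severity = "none"
    return {"autoexec": auto, "exec": execs, "severity": severity}

# Constructed sample 1: workbook-UI code of the kind visible in this report's
# preview. Workbook_BeforeClose is a trigger, but nothing here shells out.
SRC_UI = b"""
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    On Error Resume Next
    ThisWorkbook.Saved = True
End Sub
"""
# Constructed sample 2: what a module stream looks like when source extraction
# fails. Identifiers survive as ASCII islands between opaque p-code bytes.
SRC_PCODE = (b"\x01\x00\xff\x1a" + b"Auto_Open" + b"\x00\x00\x2b\x7f"
             + b"CreateObject" + b"\x00\x0a" + b"WScript.Shell" + b"\x00\x13"
             + b"Environ" + b"\x00\x02\x99")

if __name__ == "__main__":
    for name, blob in (("ui-code", SRC_UI), ("pcode-only", SRC_PCODE)):
        print(name, score(blob))
```

Run it on the decompressed `macros.bas` and separately on each raw module stream (the p-code half of the stream, after the source offset). A high score on the raw stream but not on the decompressed source is the "source-extraction-failure" case the p-code heuristic exists for: the attacker stripped or corrupted the compressed source and Office runs the cached p-code anyway.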
Heuristics (7)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro: runs when the workbook is opened, with no user action beyond enabling macros |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call: late-bound COM instantiation, the usual way a macro obtains WScript.Shell, an XMLHTTP client or an ADODB.Stream |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. Catches p-code-only documents and source-extraction failures, where no visible source is available |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call: reads environment variables, typically to build a drop path under %TEMP% or %APPDATA% |
| Macro/content-enable lure | medium | SE_ENABLE_LURE | Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL |

All 14 URL strings were carved from document text (OLE body); none was reached from the macro source. As carved, most end in `0`, `07`, `0(`, `0D`, `0*` or `04`: that is the DER SEQUENCE tag (0x30, ASCII `0`) and length byte of the element that follows each URI inside an X.509 certificate, swept up by string carving. The table lists the URLs with that residue removed and the two repeated entries collapsed.

| Extracted URL (DER tail stripped) | Role inferred from host/path |
|---|---|
| http://ocsp.thawte.com | OCSP responder |
| http://ts-ocsp.ws.symantec.com | OCSP responder (timestamping CA) |
| http://ocsp.verisign.com | OCSP responder |
| http://crl.thawte.com/ThawteTimestampingCA.crl | CRL, Thawte Timestamping CA |
| http://ts-aia.ws.symantec.com/tss-ca-g2.cer | AIA issuer certificate, Symantec Time Stamping Services CA G2 |
| http://ts-crl.ws.symantec.com/tss-ca-g2.crl | CRL, Symantec Time Stamping Services CA G2 |
| http://logo.verisign.com/vslogo.gif (2 occurrences) | certificate logotype image |
| https://www.verisign.com/rpa (2 occurrences) | relying-party agreement (policy link) |
| http://csc3-2010-crl.verisign.com/CSC3-2010.crl | CRL, VeriSign Class 3 Code Signing 2010 CA |
| http://csc3-2010-aia.verisign.com/CSC3-2010.cer | AIA issuer certificate, VeriSign Class 3 Code Signing 2010 CA |
| https://www.verisign.com/cps | certification practice statement (policy link) |
| http://crl.verisign.com/pca3-g5.crl | CRL, VeriSign Class 3 Public Primary CA G5 |

Taken together this is the OCSP/CRL/AIA/policy fan-out of a VeriSign Class 3 code-signing certificate countersigned by a Thawte/Symantec timestamping authority, which is consistent with a PKCS#7 (Authenticode-style) signature embedded in the file, for example a signed VBA project. Treat these as signature metadata, not network indicators: they would appear in any file signed under that chain, benign or malicious, and blocking or hunting on them is pointless.
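The URL triage above (strip the DER residue, then separate certificate-infrastructure endpoints from anything that deserves a human look) is mechanical enough to script. The following is an added example, not the analyzer's code; the host/path heuristics and the DER-tail rule are assumptions made for the example, the 14 input strings are the report's own carved values, and the extra payload-style URL is constructed on a TEST-NET address.

```python
"""Triage URLs carved from an OLE document.

Added example (not the analyzer's own code): strips the DER residue that string
carving leaves on URIs taken from embedded X.509 certificates, then labels each
URL by the PKI role its host/path pattern implies. Host/path heuristics and the
DER-tail rule are assumptions made for this example.
"""
from __future__ import annotations
import re
from urllib.parse import urlparse

# A URI inside a certificate is followed by the next DER element, almost always a
# SEQUENCE (tag 0x30 = ASCII '0') and its length byte; carving sweeps both in.
DER_TAIL = re.compile(r"0[ -~]?$")
# Extensions/paths that PKI endpoints legitimately end with (assumed list).
PKI_PATH = re.compile(r"\.(crl|cer|crt|p7c|gif)$|/(cps|rpa)$", re.IGNORECASE)

def strip_der_tail(carved: str) -> str:
    """Drop a trailing '0' + optional length byte, but only when what remains is
    a bare host or ends in a known PKI artefact, so real URLs ending in '0' survive."""
    m = DER_TAIL.search(carved)
    if not m:
        return carved
    candidate = carved[: m.start()]
    path = urlparse(candidate).path
    if path in ("", "/") or PKI_PATH.search(path):
        return candidate
    return carved

def classify(url: str) -> str:
    """Map a clean URL to the certificate field it most likely came from."""
    p = urlparse(url)
    host, path = (p.hostname or "").lower(), p.path.lower()
    if re.search(r"(^|[.-])ocsp\.", host):
        return "OCSP responder (AIA)"
    if re.search(r"(^|[.-])crl\.", host) or path.endswith(".crl"):
        return "CRL distribution point"
    if re.search(r"(^|[.-])aia\.", host) or path.endswith((".cer", ".crt", ".p7c")):
        return "issuer certificate (AIA caIssuers)"
    if path.endswith(("/cps", "/rpa")):
        return "certificate policy / relying-party agreement"
    if host.startswith("logo.") or path.endswith(".gif"):
        return "certificate logotype (RFC 3709)"
    return "UNCLASSIFIED - review as possible payload or C2"

def triage(carved: list[str]) -> list[tuple[str, str]]:
    """Clean, de-duplicate (preserving order) and label every carved string."""
    seen, out = set(), []
    for s in carved:
        url = strip_der_tail(s)
        if url in seen:
            continue
        seen.add(url)
        out.append((url, classify(url)))
    return out

def unclassified(carved: list[str]) -> list[str]:
    """The only URLs an analyst still has to look at by hand."""
    return [u for u, label in triage(carved) if label.startswith("UNCLASSIFIED")]

# The 14 strings exactly as the report carved them (document text, OLE body).
REPORT_URLS = [
    "http://ocsp.thawte.com0", "http://ts-ocsp.ws.symantec.com07",
    "http://ocsp.verisign.com0", "http://crl.thawte.com/ThawteTimestampingCA.crl0",
    "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0", "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(",
    "http://logo.verisign.com/vslogo.gif0", "https://www.verisign.com/rpa",
    "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D", "https://www.verisign.com/rpa0",
    "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0", "https://www.verisign.com/cps0*",
    "http://logo.verisign.com/vslogo.gif04", "http://crl.verisign.com/pca3-g5.crl04",
]
# Constructed extra string (TEST-NET-2 address) to show what a real hit looks like.
CONSTRUCTED_PAYLOAD_URL = "http://198.51.100.7/inv.exe"

if __name__ == "__main__":
    for url, label in triage(REPORT_URLS + [CONSTRUCTED_PAYLOAD_URL]):
        print(f"{label:48} {url}")
```

For this sample every carved string collapses into the 12 PKI endpoints listed above and `unclassified()` returns nothing, which is the signal to stop treating the URL list as an IOC source and go back to the macro. The DER-tail stripping is deliberately conservative: a URL such as `http://example.com/file10` is left untouched because the remainder is neither a bare host nor a known certificate artefact.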
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 89,966 bytes | 09912137f566a705e19d102a2ab726535b0473c727720c845c736a9a325a4443 |

Preview: first 1,000 lines of the extracted script (the page reproduces only the beginning; the modules shown are workbook-event and formatting code, and the routines behind the Auto_Open and CreateObject findings lie outside this excerpt).

```vb
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Workbook_Activate()
commandBarCreate
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
Dim myRes As Long, fileName As Variant
On Error Resume Next
If ThisWorkbook.Saved = False Then
'my_Before_Force_Close
If ThisWorkbook.Path = "" Then
myRes = MsgBox("You've updated this workbook. If you want to save your changes, save this workbook now." & vbCrLf & vbCrLf & _
"Later, you can open it in Excel and connect to QuickBooks to update the payroll reports contained" & vbCrLf & _
"in the workbook. You can also re-run the reports (without the changes you just made) from QuickBooks." & vbCrLf & vbCrLf & _
"Do you want to save this workbook?", vbYesNoCancel + vbExclamation)
If myRes = vbYes Then
my_Before_Force_Close False
fileName = Application.GetSaveAsFilename
If fileName = False Then
Cancel = True 'abort the shutdown
Else 'have a file
If Right(fileName, 1) = "." Then
If getAppVerNumber <= 11 Then 'don't do anything with the new XL 2007 or greater
fileName = fileName & "xls"
End If
End If
ThisWorkbook.SaveAs fileName, , , , , , , , True
End If
ElseIf myRes = vbNo Then
my_Before_Force_Close True
ThisWorkbook.Saved = True 'fake it out so it closes silently
ElseIf myRes = vbCancel Then
Cancel = True 'abort the shutdown
End If
Else 'has a path
myRes = MsgBox("Do you want to save the changes you made to this file (" & ThisWorkbook.Name & ")?", vbYesNoCancel + vbExclamation)
If myRes = vbYes Then
my_Before_Force_Close False
ThisWorkbook.Save
ElseIf myRes = vbNo Then 'end yes
my_Before_Force_Close True
ThisWorkbook.Saved = True 'fake it out so it closes silently
ElseIf myRes = vbCancel Then
Cancel = True 'abort the shutdown
End If
End If
ElseIf ThisWorkbook.Saved = True Then
my_Before_Force_Close True
ThisWorkbook.Saved = True 'just in case. Fake it out so it closes silently
End If
End Sub
Attribute VB_Name = "Sheet18"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "formatCode"
Option Explicit
Option Private Module
Sub formatRange(rng As Range, style As String, Optional indent As Long)
Dim cl As Range
If style = "defaultFormat" Then
With rng
.HorizontalAlignment = xlLeft
.IndentLevel = indent
End With
ElseIf style = "dividerRow" Then
With rng
.RowHeight = 5
End With
ElseIf style = "bodyTitleRight" Or style = "bodyTitleleft" Then
With rng
If style = "bodyTitleRight" Then
.HorizontalAlignment = xl
```
... (truncated)