MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is an OOXML file containing VBA macros, specifically an Auto_Open macro that utilizes CreateObject. This indicates an attempt to execute arbitrary code upon opening the document. The presence of VBA macros and the CreateObject call strongly suggest the execution of a malicious script designed to download and run a secondary payload. The document body contains financial data, which could be a lure, but the primary malicious activity is driven by the VBA code.
Heuristics 5
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set oHttp = CreateObject("MSXML2.XMLHTTP") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Public Sub Auto_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://cbr.ru/currency_base/daily.aspx?C_month= In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15655 bytes |
SHA-256: 8927edc79e54ba14761fe2bbd0f2f8d04a1e890cd3cf83c1b404f609d384f255 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Public Sub Auto_Open()
Exit Sub
Worksheets(1).Select
ActiveSheet.Range("A1").Select
quest = MsgBox("Обновить данные?", vbYesNoCancel)
If quest = vbYes Then
ActiveWorkbook.RefreshAll
MsgBox "ДАННЫЕ ОБНОВЛЕНЫ"
ElseIf quest = vbNo Then
MsgBox "ДАННЫЕ НЕ ОБНОВЛЯЛИСЬ"
ElseIf quest = vbCancel Then
End If
End Sub
Public Function Substring(Txt, Delimiter, n) As String
' Функция выдает n-ый элемент текстовой строки Txt, где
' символ Delimiter используется как разделитель
Dim X As Variant
If IsNull(Txt) Then
Substring = ""
Else
X = Split(Txt, Delimiter)
If n > 0 And n - 1 <= UBound(X) Then
Substring = X(n - 1)
Else
Substring = ""
End If
End If
End Function
Public Function FND(X, arr1, arr2)
'Поиск значения в массиве arr2 по найденной позиции x в массиве arr1:
'FND = ИНДЕКС(arr2, ПОИСКПОЗ(x, arr1, 0))
On Error GoTo L1
y = Application.WorksheetFunction.Match(X, arr1, 0)
FND = Application.WorksheetFunction.Index(arr2, y)
Exit Function
L1: FND = 0
End Function
Function AmountChrInStr(Str As String, Ch As String)
' Возвращает количество сиволов Ch в строке Str
Dim i As Integer, n As Integer
Do Until InStr(i + 1, Str, Ch) = 0
i = InStr(i + 1, Str, Ch)
n = n + 1
Loop
AmountChrInStr = n
End Function
Public Function ReplaceText(StringTxt, FindTxt, ReplaceTxt)
'Замена текста
ReplaceText = Replace(StringTxt, FindTxt, ReplaceTxt)
End Function
Public Function SUMV(ARR, NARR As Integer) As Variant
'Суммирование по диапазону ARR от начала до элемента с порядковым номером NARR
SUMV = 0
For j = 1 To NARR
SUMV = SUMV + ARR(j)
Next j
End Function
Public Function ALPH(X As Single) As String
'Поиск буквы алфавита по порядковому номеру
If X >= 1 And X <= 52 Then
ALPH = Choose(X, "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", _
"N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", _
"AA", "AB", "AC", "AD", "AE", "AF", "AG", "AH", "AI", "AJ", "AK", "AL", "AM", _
"AN", "AO", "AP", "AQ", "AR", "AS", "AT", "AU", "AV", "AW", "AX", "AY", "AZ")
Else
ALPH = "NA"
End If
End Function
Public Function NU(X As Variant) As Variant
If IsError(X) Then
NU = 0
Else
NU = X
End If
End Function
Public Function NZ(X As Variant, y As Variant) As Variant
If IsError(X) Then
NZ = y
Else
NZ = X
End If
End Function
Public Function Translit(Txt As String) As String
Dim Rus As Variant
Rus = Array("а", "б", "в", "г", "д", "е", "ё", "ж", "з", "и", "й", "к", _
"л", "м", "н", "о", "п", "р", "с", "т", "у", "ф", "х", "ц", "ч", "ш", _
"щ", "ъ", "ы", "ь", "э", "ю", "я", "А", "Б", "В", "Г", "Д", "Е", _
"Ё", "Ж", "З", "И", "Й", "К", "Л", "М", "Н", "О", "П", "Р", _
"С", "Т", "У", "Ф", "Х", "Ц", "Ч", "Ш", "Щ", "Ъ", "Ы", "Ь", "Э", "Ю", "Я")
Dim Eng As Variant
Eng = Array("a", "b", "v", "g", "d", "e", "jo", "zh", "z", "i", "j", _
"k", "l", "m", "n", "o", "p", "r", "s", "t", "u", "f", "kh", "ts", "ch", _
"sh", "sch", "''", "y", "'", "e", "yu", "ya", "A", "B", "V", "G", "D", _
"E", "JO", "ZH", "Z", "I", "J", "K", "L", "M", "N", "O", "P", "R", _
"S", "T", "U", "F", "KH", "TS", "CH", "SH", "SCH", "''", "Y", "'", "E", "YU", "YA")
For i = 1 To Len(Txt)
с = Mid(Txt, i, 1)
flag = 0
For j = 0 To 65
If Rus(j) = с Then
outchr = Eng(j)
flag = 1
Exit For
End If
Next j
If flag Then outstr = outstr & outchr Else outstr = outstr & с
Next i
Translit = outstr
End Function
Sub UnproAll()
Application.ScreenUpdating = False
n = Sheets.Count
SheetPos = ActiveSheet.Name
For i = 1 To n
On Error Resume Next
Worksheets(i).Select
ActiveSheet.Unprotect
Next
Sheets(SheetPos).Select
Application.ScreenUpdating = True
End Sub
Sub ProAll()
Application.ScreenUpdating = False
n = Sheets.Count
SheetPos = ActiveSheet.Name
For i = 1 To n
On Error Resume Next
Worksheets(i).Select
ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True _
, AllowFormattingColumns:=True, AllowSorting:=True, AllowFiltering:=True _
, AllowUsingPivotTables:=True
Next
Sheets(SheetPos).Select
Application.ScreenUpdating = True
End Sub
Sub FormulaToData()
Call UnproAll
n = ActiveWorkbook.Sheets.Count
Sheets(1).Select
For j = 1 To n
Cells.Select
Range("A1").Activate
Selection.Copy
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
Selection.Font.ColorIndex = 0
Range("A1").Select
If j < n Then ActiveSheet.Next.Select
Next j
Sheets(1).Select
End Sub
Sub BlueFormula()
Call UnproAll
n = ActiveWorkbook.Sheets.Count
Sheets(1).Select
For j = 1 To n
Cells.Select
Selection.Font.ColorIndex = 0
Selection.SpecialCells(xlCellTypeFormulas, 23).Select
Selection.Font.ColorIndex = 55
Range("A1").Select
If j < n Then ActiveSheet.Next.Select
Next j
Sheets(1).Select
End Sub
Public Function DWeek(DDate As Variant) As Integer
If Not IsNull(DDate) Then
DWeek = DatePart("ww", DDate, vbMonday, vbFirstFourDays)
Else
DWeek = 0
End If
End Function
Public Function Mondays1(Monnum As Integer) As Integer
Mondays1 = Choose(Monnum, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)
End Function
Public Function TLE(Rus As Variant) As String
Dim SR As String, SE As String, xi As Integer
If IsNull(Rus) Or IsEmpty(Rus) Then
TLE = ""
Exit Function
End If
For jw = 1 To Len(Rus)
SR = Mid(Rus, jw, 1)
xi = Asc(SR)
Select Case xi
Case 168
SE = Chr(89) & Chr(111)
Case 184
SE = Chr(121) & Chr(111)
Case 192 To 197
RL = Array(192, 193, 194, 195, 196, 197)
el = Array(65, 66, 86, 71, 68, 69)
j = -1
Do
j = j + 1
Loop Until RL(j) = xi
SE = Chr(el(j))
Case 198
SE = Chr(90) & Chr(104)
Case 199 To 213
RL = Array(199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213)
el = Array(90, 73, 73, 75, 76, 77, 78, 79, 80, 82, 83, 84, 85, 70, 72)
j = -1
Do
j = j + 1
Loop Until RL(j) = xi
SE = Chr(el(j))
Case 214
SE = Chr(84) & Chr(115)
Case 215
SE = Chr(67) & Chr(104)
Case 216
SE = Chr(83) & Chr(104)
Case 217
SE = Chr(83) & Chr(99) & Chr(104)
Case 218, 220
SE = Chr(39) & Chr(39)
Case 219, 221
RL = Array(219, 221)
el = Array(89, 69)
j = -1
Do
j = j + 1
Loop Until RL(j) = xi
SE = Chr(el(j))
Case 222
SE = Chr(89) & Chr(117)
Case 223
SE = Chr(89) & Chr(97)
Case 224 To 229
RL = Array(224, 225, 226, 227, 228, 229)
el = Array(97, 98, 118, 103, 100, 101)
j = -1
Do
j = j + 1
Loop Until RL(j) = xi
SE = Chr(el(j))
Case 230
SE = Chr(122) & Chr(104)
Case 231 To 245
RL = Array(231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245)
el = Array(122, 105, 105, 107, 108, 109, 110, 111, 112, 114, 115, 116, 117, 102, 104)
j = -1
Do
j = j + 1
Loop Until RL(j) = xi
SE = Chr(el(j))
Case 246
SE = Chr(116) & Chr(115)
Case 247
SE = Chr(99) & Chr(104)
Case 248
SE = Chr(115) & Chr(104)
Case 249
SE = Chr(115) & Chr(99) & Chr(104)
Case 250, 252
SE = Chr(39) & Chr(39)
Case 251, 253
RL = Array(251, 253)
el = Array(121, 101)
j = -1
Do
j = j + 1
Loop Until RL(j) = xi
SE = Chr(el(j))
Case 254
SE = Chr(121) & Chr(117)
Case 255
SE = Chr(121) & Chr(97)
Case Else
SE = SR
End Select
TLE = TLE & SE
Next jw
End Function
Public Function FIOS(FIO As Variant) As String
If (IsNull(FIO) Or IsEmpty(FIO) Or FIO = "") Then
FIOS = ""
Else
FIO = Trim(FIO)
FL = InStr(1, FIO, " ", vbTextCompare) - 1
On Error Resume Next
FIOS = Left(FIO, FL)
FI = InStr(FL + 2, FIO, " ", vbTextCompare)
FIOS = FIOS & " " & Mid(FIO, FL + 2, 1) & "."
End If
End Function
Public Function AsciCode(X As String) As Integer
AsciCode = Asc(X)
End Function
Public Function ChrCode(X As Long) As String
ChrCode = Chr(X)
End Function
Sub GetDollar()
Dim sURI As String
Dim oHttp As Object
Dim htmlcode, outstr As String
Dim inpdate As Date
Dim d, m, y As Integer
inpdate = CDate(InputBox("Введите дату в формате ДД.ММ.ГГГГ", _
"Курс доллара", Date))
d = Format(inpdate, "dd")
m = Format(inpdate, "mm")
y = Format(inpdate, "yyyy")
sURI = "http://cbr.ru/currency_base/daily.aspx?C_month=" & m & "&C_year=" _
& y & "&date_req=" & d & "%2F" & m & "%2F" & y
On Error Resume Next
Set oHttp = CreateObject("MSXML2.XMLHTTP")
If Err.Number <> 0 Then
Set oHttp = CreateObject("MSXML.XMLHTTPRequest")
End If
On Error GoTo 0
If oHttp Is Nothing Then
Exit Sub
End If
oHttp.Open "GET", sURI, False
oHttp.Send
htmlcode = oHttp.responseText
outstr = Mid(htmlcode, InStr(1, htmlcode, "USD") + 87, 7)
Set oHttp = Nothing
outstr = Replace(outstr, ",", ".")
ActiveCell.Value = outstr
End Sub
Sub GetEuro()
Dim sURI As String
Dim oHttp As Object
Dim htmlcode, outstr As String
Dim inpdate As Date
Dim d, m, y As Integer
inpdate = CDate(InputBox("Введите дату в формате ДД.ММ.ГГГГ", _
"Курс доллара", Date))
d = Format(inpdate, "dd")
m = Format(inpdate, "mm")
y = Format(inpdate, "yyyy")
sURI = "http://cbr.ru/currency_base/daily.aspx?C_month=" & m & "&C_year=" _
& y & "&date_req=" & d & "%2F" & m & "%2F" & y
On Error Resume Next
Set oHttp = CreateObject("MSXML2.XMLHTTP")
If Err.Number <> 0 Then
Set oHttp = CreateObject("MSXML.XMLHTTPRequest")
End If
On Error GoTo 0
If oHttp Is Nothing Then
Exit Sub
End If
oHttp.Open "GET", sURI, False
oHttp.Send
htmlcode = oHttp.responseText
outstr = Mid(htmlcode, InStr(1, htmlcode, "EUR") + 81, 7)
Set oHttp = Nothing
outstr = Replace(outstr, ",", ".")
ActiveCell.Value = outstr
End Sub
Sub ОшибкаВНоль()
Dim cl As Range
On Error Resume Next
For Each cl In Selection.Cells
If cl.Errors.Item(xlEvaluateToError).Value = True Then
clfrm = Right(cl.Formula, Len(cl.Formula) - 1)
cl.FormulaLocal = "=если(еошибка(" & clfrm & ");0;" & clfrm & ")"
End If
Next
End Sub
Attribute VB_Name = "Лист4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 52736 bytes |
SHA-256: 5e79e59bd56b6c53cfbfd0d26c3f53cb79abf5d8790f663424562fdf7afc8390 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.