MALICIOUS
120
Risk Score
Heuristics 3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA email-worm self-replication (Outlook mass-mailer) critical OLE_VBA_EMAIL_WORM_SELF_REPLICATIONVBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by attaches a file to the outgoing message, sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage — there is no benign document use, independent of any AV signature.Matched line in script
Set objMail = objOutlook.CreateItem(olMailItem) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set objOutlook = CreateObject("outlook.application")
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5645 bytes |
SHA-256: b990140153d407a3e08c5ba6803cb253d9f20dc1c98ba0813374363ab198f712 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton2, 1, 0, MSForms, CommandButton"
Attribute VB_Control = "CommandButton1, 2, 1, MSForms, CommandButton"
Private Sub CommandButton1_Click()
Dim checkdata
checkdata = Cells(4, 3).Value
If checkdata = Null Or checkdata = 0 Or checkdata = "" Then
MsgBox ("船名不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(4, 6).Value
If checkdata = Null Or checkdata = 0 Or checkdata = "" Then
MsgBox ("航次不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(5, 3).Value
If checkdata = Null Or checkdata = "" Then
MsgBox ("开始装卸时间不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(5, 7).Value
If checkdata = Null Or checkdata = "" Then
MsgBox ("港口不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(6, 3).Value
If checkdata = Null Or checkdata = "" Then
MsgBox ("港序不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(4, 10).Value
If checkdata = Null Or checkdata = 0 Or checkdata = "" Then
MsgBox ("预计完货时间不能为空,请输入后再发送!")
Exit Sub
End If
Dim shipname
shipname = Cells(4, 3).Value
If shipname = Null Or shipname = 0 Then
shipname = ""
End If
Dim voyno
voyno = Cells(4, 6).Value
If voyno = Null Or voyno = 0 Then
voyno = ""
End If
Dim filen
filen = Application.GetSaveAsFilename(InitialFileName:=shipname + "" + voyno + "" + Cells(2, 3).Value + "" + Format(Now(), "yymmddhhMMss") + ".xls", FileFilter:="工作薄文件(*.xls),*.xls", Title:="当前工作表另存为")
If filen = False Then End
Dim filefmt
If Application.VERSION >= 12 Then
filefmt = 56
Else
filefmt = 43
End If
Application.ScreenUpdating = False
Application.DisplayAlerts = False
ActiveSheet.Copy
ActiveWorkbook.SaveAs Filename:=filen, FileFormat:=filefmt, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
ActiveWorkbook.Save
ActiveWorkbook.Close
Application.ScreenUpdating = True
Application.DisplayAlerts = True
End Sub
Private Sub CommandButton2_Click()
On Error Resume Next
Dim objOutlook As Object
Dim objMail As Object
Dim checkdata
checkdata = Cells(4, 3).Value
If checkdata = Null Or checkdata = 0 Or checkdata = "" Then
MsgBox ("船名不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(4, 6).Value
If checkdata = Null Or checkdata = 0 Or checkdata = "" Then
MsgBox ("航次不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(5, 3).Value
If checkdata = Null Or checkdata = "" Then
MsgBox ("开始装卸时间不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(5, 7).Value
If checkdata = Null Or checkdata = "" Then
MsgBox ("港口不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(6, 3).Value
If checkdata = Null Or checkdata = "" Then
MsgBox ("港序不能为空,请输入后再发送!")
Exit Sub
End If
checkdata = Cells(4, 10).Value
If checkdata = Null Or checkdata = 0 Or checkdata = "" Then
MsgBox ("预计完货时间不能为空,请输入后再发送!")
Exit Sub
End If
MsgBox ("此功能调用OUTLOOK发送邮件,如果不能使用OUTLOOK发送邮件,请使用另存为按钮保存附件后手工发送邮件至report@jlepc.com.cn")
Application.ScreenUpdating = False
Application.DisplayAlerts = False
ActiveSheet.Copy
Dim filen
Dim datefmt
datefmt = Format(Now(), "yymmddhhMMss") + ".xls"
Dim filefmt
If Application.VERSION >= 12 Then
filefmt = 56
Else
filefmt = 43
End If
filen = ThisWorkbook.FullName
Dim shipname
shipname = Cells(4, 3).Value
If shipname = Null Or shipname = 0 Then
shipname = ""
End If
Dim voyno
voyno = Cells(4, 6).Value
If voyno = Null Or voyno = 0 Then
voyno = ""
End If
filen = "c:\" + shipname + voyno + Cells(2, 3).Value + datefmt
ActiveWorkbook.SaveAs Filename:=filen, FileFormat:=filefmt, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
ActiveWorkbook.Save
ActiveWorkbook.Close
Set objOutlook = CreateObject("outlook.application")
Set objMail = objOutlook.CreateItem(olMailItem)
With objMail
.To = "report@jlepc.com.cn"
.CC = "ldsctc@jlepc.com.cn;" + "ldsmgm@jlepc.com.cn;" + "ldsgen@jlepc.com.cn;" + "zhangy2@jlepc.com.cn;"
.Subject = shipname + " " + voyno + " " + Cells(2, 3).Value + " 报文信息"
.Body = "船舶发送报文"
.Attachments.Add filen
.Send
End With
Set objOutlook = Nothing
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.